Seems that Zero Trust is NOT a new phenomenon when it comes to information technology. Today it is hard not to hear or see any number of vendors talking about it with great excitement. What is Zero trust? Where did this idea come from? Is there any basis for this concept?
The source of the challenge for all of us is the Worldwide Web or the Internet, as we call it today. The birth date of the internet is widely considered to be Jan. 1, 1983, but the road to creating it started long before the technology required for the internet even existed. In the late 1960s, with the creation of the Advanced Research Projects Agency Network, which was funded by the U.S. Department of Defense, the “first workable prototype of the Internet” was born. The point to remember and critical piece is that the internet came from a laboratory and academic research.
For reference on technology in this time frame check out: 1964 | Timeline of Computer History | Computer History Museum (One example is below and yes, being able to fit in a car was a big thing.)
The takeaway here is that academics and the government, at the time, did not see a need to impede the acceptance and use of this new technology. The free exchange of ideas and technology leads to hyper-adoption. Countries around the world started making changes, improvements, and more. Everything was open and trust abounded.
In the 1970’s John Draper, also known as Captain Crunch, earned the title of “first-ever hacker.” His initial claim to fame was rather than having lots of high-tech hacking tools at his disposal, he managed to do it all with a toy whistle from a cereal packet.
One of the first internet hackers, and certainly the first to gain mainstream media attention, was Robert Morris back in 1989. His was the first “Denial of service” attack in history and it was caused by a worm Morris had developed at Cornell University the year before
The Morris worm was not a destructive malware, only meant to slow the processing of computers, though nobody knows what Robert’s intentions were in creating it. Morris was the first individual to be tried under the new Computer Fraud and Abuse Act of 1986, where he was tried, convicted, and sentenced to three years of probation, 400 hours of community service, and a fine of $10,050. When the case was appealed, the Defense Advanced Research Projects Agency (DARPA) of the Computer Emergency Response Team (CERT) was created to coordinate information and proper responses to computer security. For the purposes of this article, it was the conviction of Morris that marks the degradation of “trust.”
The first organization to realize that trust was not part of the internet was the US Federal Government and they started to build what we now call the “Dark Web.” Dark web history is packed with government influence. “Onion routing” – the core principle that enables Tor to retain its users’ anonymity – was developed and funded in the mid-1990s by the U.S. federal government. After onion routing was patented, additional computer scientists joined the original development team in 2002 and created the biggest project for onion routing yet: The Onion Routing Project, now commonly known as the Tor Project. The Navy would later release the code for Tor under a free license.
The brief history present here shows that the internet was not designed with security as a requirement. The Onion Project acknowledges that, and the creation of the TOR Project demonstrates that no one saw a method to make it secure. Zero Trust in IT Security is not a new concept but has recently become a buzzword in the world of IT best practices. Dr. Stephen Paul Marsh from the University of Stirling in Scotland coined “Zero Trust” almost 30 years ago when he wrote his doctoral thesis on the computational security strategy.
In a follow-up post, I will talk about the impact this is having on each and every business that is connected to the internet with a focus on knowing the risks and vendor-neutral mitigation strategies. The details will reflect numerous conversations over the years with clients, vendors, experts, and more which formed and drive the ever-changing models we at Lead IT share with customers. Please reach out if you have concerns about the security of your business and would like to discuss how we might be able to help.