What ARPANET’s History Can Teach Us About Cybersecurity
[Editor’s note: This is part of a series examining the internet’s first 50 years and predicting the next half century. Join Xconomy and World Frontiers Forum on July 16 for [email protected], an event exploring the internet’s past and future.]
The internet nearly came with built-in caller ID.
The year was 1972: three years after the first messages were firing across the US military-funded research network ARPANET, the precursor to the internet, but still more than a decade before the internet’s architects settled on rules for how information would be transmitted across the network.
Computer scientists gathered at the University of Colorado in January 1972 for a seminar on operating systems. Participants in a town hall session debated the question of what, if any, credentials should accompany information as it moves across computer networks.
Peter Denning, an American computer scientist with a background in operating systems, says his interest in the discussion came from a security need to know who, or what, was on the other side of incoming requests to access his computers.
“There are people who can try to log in to my system from some other place, but I don’t know who they are because the network doesn’t tell me,” Denning says. “What mechanism do I use to authenticate somebody coming in across the network when all I can see is the packets [of data] they are sending me?”
If Denning and others could know who was contacting their computers—not just where the information packets were coming from—it would go a long way toward growing trust in the network with an early form of built-in security.
But the proposal to inject authentication into the networking rules didn’t gain traction, and no such identification process was included when the internet’s framers in 1983 agreed on what’s known as Transmission Control Protocol/Internet Protocol, the standard programming rules that devices still follow for communicating via the internet today.
“The majority of the people in the room were against the idea of having ‘caller ID,’” Denning recalls. The idea that people have a right to be anonymous won out.
“We had a moment of history where this was up as a proposal, and it was turned down,” he adds. “A lot of the issues we have today with hackers going into things, many of those attacks would be thwarted if we knew who was initiating them.”
Although internet security concerns swirled in the air even then, the potential threats weighed too little on the engineers who pioneered the internet, according to Denning and others who worked on the ARPANET. They had little clue the interconnection of a scant two dozen nodes in 1972 would metamorphosize decades later into a web of billions of devices and critical infrastructure that underpins everything from banking to communication, commerce, politics, and entertainment.
Some working on the test network, which launched as a Defense Department experiment in 1969, watched its growth and evolution for decades and waited for it to be replaced by some next-generation internet with more safeguards built into it. That also never came to pass, and governments, companies, and civilians are now accustomed to paying for additional products and services to make up for the gaps in security. More than $124 billion will be spent worldwide on information security this year, according to an estimate from research firm Gartner. The alternative to investing in cybersecurity solutions that bolt onto networks could be even more costly, with the average breach costing $3.86 million to companies, according to a 2018 report from Ponemon Institute. The internet has proven to be a fierce battlefield for political misinformation, too, as shown in the Russian campaign to influence the 2016 US presidential election.
Understanding just how the internet got this way—and how its earliest architects watched it grow beyond even their expectations—is critical to the conversation about whether the internet can be reworked or whether it needs a complete replacement to meet the demands being placed on it now and in the future.
“Lo” Was All He Said
The first message sent across the Defense Department’s Advanced Research Projects Agency Network, known as the ARPANET, was a happy mistake.
In October 1969, the first two host computers were connected to the network with special-made routers called Interface Message Processors, or IMPs. The IMPs separated messages into slices called packets that carried the address information for what computer the information should travel to and how to reassemble the slices back into a whole message once they arrived. The IMPs also were responsible for finding the fastest, least congested path for the packets to travel through the network to the destination computer. The first IMP was delivered to Leonard Kleinrock at UCLA, and the second one was sent to the Stanford Research Institute in Menlo Park, CA.
An undergraduate in Kleinrock’s lab, Charley Kline, tried to log in to the computer 300-some miles north in Menlo Park with a simple message, “LOGIN.” He typed the letters, but the computer at Stanford crashed before Kline could send the whole request.
“Lo,” the entire first message read.
Kleinrock recalls how ill-prepared he was to craft a historic first statement to cross the internet. “We didn’t have a good message ready,” he laments.
Samuel Morse had “What hath God wrought?” for the first telegraph; Neil Armstrong had his “small step” speech, Kleinrock says. “They all had great messages. They knew publicity. They knew public messaging. We didn’t have that.”
“We were lucky,” he adds. “We had a prophetic, powerful ‘Lo,’ as in ‘Lo and behold.'”
The ARPANET’s first four nodes were connected by the end of 1969, as IMPs hooked up computers at the University of California, Santa Barbara and the University of Utah. By 1971, the network had 15 nodes, and by 1973 there were 37 nodes connecting computers across the country.
The thinking then about security on the still relatively closed network seems almost naive compared to the hyper vigilance that marks the sector today.
“If somebody had misbehaved or done something wrong at one of the sites, that would have been pointed out and somebody would have been fired,” says David Walden, a member of the team at Bolt Beranek & Newman (BBN), the Cambridge, MA, research and high-tech consulting firm that won the ARPA contract to design and build the IMPs. “My own view was I thought it was an interesting engineering problem.”
Walden says it wasn’t until networked email was added to the system in 1971 that he knew it would take off.
“I said, ‘Whoa, we are all going to be talking to each other,’” he says. “We knew computers were getting faster and smaller. We said that someday there would be a packet switch in every toaster and door knob.”
More networks cropped up, and in 1981 the University of Wisconsin, University of Delaware, Purdue University, and Rand Corp. landed a $5 million grant from the National Science Foundation to link their computer science research departments and labs. Denning led the push at Purdue and helped stand up what would become the next stage of the internet: CSNET.
“You had to keep in mind: ARPANET was an experiment being run by the Department of Defense,” Denning says. “It was a relatively small number of places that could even qualify to connect to this thing. … It was closed. You couldn’t get in.”
The computer scientists convinced the National Science Foundation to fund the new network for five years while they tried to find a way to pay for it themselves. The group also won approval from the ARPANET’s overseers to let non-government contractors route packets through the ARPANET.
By 1985, the National Science Foundation decided to take over CSNET. It renamed the network NSFNET, opened it to all federally funded researchers, and funded the expansion of a high-speed backbone that connected other regional networks—becoming the internet that we know today. In 1990, the ARPANET was decommissioned.
Security, though, still hadn’t found a way into the fabric of the fledgling internet.
Alex McKenzie, who worked for the IMP team at BBN, says that even then it wasn’t clear … Next Page »