Security in the 2000s

Lately I've been obsessing over this ProPublica article which talks about Microsoft's involvement in the SolarWinds hacks, specifically due to a design weakness in Microsoft's Active Directory Federation Services (ADFS). It's a great article, highly recommended.

Anyway, the wiki page for ADFS says it first appeared around 2003, which made me wonder: what did the cybersecurity field look like in the early 2000s? Since the field still sucks today, surely it must have been really bad then, right?

Well I came across a document from 2003 called "The National Strategy to Secure Cyberspace" which was the security strategy of the Bush administration. Despite its age, it's pretty... normal actually. When you fast-forward 20 years later to 2023 and read the Biden administration's "National Cybersecurity Strategy", the technical differences are kinda minor. I'm happy to see "secure by design" mentioned a few times in 2003:

The Nation must seek to ensure that future components of the cyber infrastructure are built to be inherently secure and dependable for their users.

Some new technologies introduce security weaknesses that are only corrected over time, with great difficulty, or sometimes not at all.

But there is one major difference: One was written by a presidential administration that dropped anti-trust charges against Big Tech, and one was written by a presidential administration that is leading anti-trust charges against Big Tech.

Here are two illustrative quotes of the difference in regulatory philosophy:

(2003) Federal regulation will not become a primary means of securing cyberspace. Broad regulations mandating how all corporations must configure their information systems could divert more successful efforts by creating a lowest-common- denominator approach to cybersecurity, which evolving technology would quickly marginalize. Even worse, such an approach could result in less secure and more homogeneous security architectures than we have now. By law, some federal regulatory agencies already include cybersecurity considerations in their oversight activity. However, the market itself is expected to provide the major impetus to improve cybersecurity.

(2023) While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents. Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience. Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation.

Now go back to the ProPublica article. It's a story about Microsoft prioritizing greed over security, leading to one of the biggest hacks to ever affect the US government—a government that turned a blind eye to their growing unaccountable power for almost two decades.

Another point was that the 2003 document wanted to use the government procurement process to incentivize security, all carrot and no stick:

(2003) With respect to investment in cyberspace security, government can lead by example by fostering a marketplace for more secure technologies through large procurements of advanced information assurance technologies.

And look where that strategy got us:

(2024) The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing.

Halfway through writing this article, I saw someone who is much more qualified already wrote a much more thorough analysis of presidential cybersecurity stratigies over the years, which I highly recommend:

I struggle to conclude articles, so I'll just quote that one:

The authors of those earliest strategies never expected success to take more than 25 years ([the Clinton administration] called for success "no later than five years from today"), yet here we are. With the important changes in the 2023 National Cybersecurity Strategy—and the implementation plan currently being drafted in the Office of the National Cyber Director—hopefully, success won’t take another 25 years.