A Vulnerable System: The History of Information Security in the Computer Age
Book written by Andrew Stewart
Book review by Ben Rothke
Bottom Line Statement
Hall of Fame Candidate
I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
By the time they finish chapter 3, I think anyone who reads A Vulnerable System: The History of Information Security in the Computer Age (Cornell University Press) by Andrew Stewart will think of George Santayana’s aphorism that “those who cannot remember the past are condemned to repeat it.” An alternate title to this book could have been Santayana on information security.
I saw an advanced manuscript of the book some time back and knew then that the book would provide an excellent blend of history, business, and technical understanding. It is an excellent read for anyone involved in information security and is a compelling book from start to finish.
In some ways, the book is similar to Unsafe at Any Speed: The Designed-In Dangers of the American Automobile, the Ralph Nader classic from 55 years ago. Nader wrote that automobile manufacturers resisted the introduction of safety features, such as seat belts. They wanted to keep costs low as possible, and seatbelts did not make the bean counters happy. Nader showed that the automobile manufacturers focused on looks and comfort, even at the cost of safety.
While they do not align perfectly, auto safety and computer security history are relatively in parallel. Stewart details how many of the information security pain points we are feeling today were first identified as risks in the 1950s and 1960s. The focus on end-user ease of use over security and privacy
The book is more than just a history of computer security from the first mainframes until today (which is, in fact, a story that has been told many times already). Moreover, like a good historian, Stewart gives the reader a comprehensive understanding of people, events, and contexts from the last 70 years of information security. The book, in fact, could be summed up in 10 words: the more things change, the more they stay the same.
The reader should not think that Stewart is simply doing a Chicken Little about information security. While he does spend much of the book detailing how we got into the predicament we are in now, he also spends time detailing what proactively can be done to fix this mess. He writes that there needs to be a concerted effort to understand better how complexity affects information security and how that complexity can be managed.
Stewart closes with the observation that after the Napoleonic Wars, Prussian general Carl von Clausewitz wrote that a strategic military strategy requires insight into the great mass of phenomena and of their relationships, then to leave it free to rise into the higher realm of action. This is the case also with information security, where the substantial must replace the superficial, the essential must replace the ephemeral.
This is a foundational text for anyone involved in information security. Stewart has written an important book where he articulates the history of information security in a non-technical, readable, and engaging format. Those who cannot remember the past are condemned to repeat it, both in world history and information security. The book details the past of how we got here. Furthermore, only by understanding that can the industry truly put security in place.
For those that take security seriously or consider their privacy necessary, A Vulnerable System is a superb book and a worthy entrant into the Canon.