We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Book Review by Canon Committee Member, Jon Oltsik: Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age (2001) by Steven Levy
Executive Summary
The essayist and philosopher George Santayana is often credited with the quote, “Those who cannot remember the past are condemned to repeat it.” Unfortunately, this is exactly what the United States is doing right now with regard to the ongoing debate between national security (surveillance) and data privacy – a political hot potato exemplified by the recent, highly visible confrontation between Apple and the Department of Justice.
As Santayana would easily understand, this debate is nothing new. In the 1990s, a sundry group of visionaries, idealists and technologists took these issues head-on by tapping into esoteric mathematical formulas and developing new cryptographic methods for protecting the confidentiality and integrity of digital identities and data. These innovations led to commercial and grass-roots constituencies dedicated to spreading cryptographic technology to the masses as well as a disparate group (led by the U.S. government) focused on containing and controlling cryptography.
Steven Levy’s wonderful book Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age chronicles these opposing forces during the 1990s, an era of rapid growth in personal computing and network connectivity. Crypto’s strength comes from its comprehensiveness. It covers a number of seminal data privacy events including the development and commercialization of PKI, early progress with digital currency, and even the now infamous U.S. government’s Clipper Chip, an effort to establish monopolistic control of international cryptography. Beyond innovations and events alone, however, Levy also provides rich, detailed stories of an assortment of idiosyncratic characters like Jim Bidzos, Whitfield Diffie, and Phil Zimmermann who drove the development, commercialization and proliferation of cryptography to the mass market.
In retrospect, the 1990s seem like a prehistoric information technology era, but Levy’s thoughtful description of the issues, innovations and deliberations around data privacy make Crypto a timeless and worthwhile read for cybersecurity professionals circa 2016. Besides, Crypto personifies data privacy by following the trials and tribulations of assorted individuals who gave us the technologies and policies (for better and worse) that we live with today. This elevates Crypto from a historical review to an entertaining read. Based upon these qualities, Crypto deserves a permanent home in the Cybersecurity Canon.
Review
Early in 2016, a single cell phone initiated a national debate. The phone in question, an Apple iPhone 5c, was used regularly by Syed Rizwan Farook, one of the shooters in the San Bernardino terrorist attack. Local law enforcement and the FBI wondered whether this single phone contained any data that might expedite the investigation or provide clues about other pending attacks.
Like all other iPhone 5c models, Farook’s phone was encrypted by default, which led to an FBI request that Apple hack into the phone and disable certain security features so it could investigate the data residing on the phone itself. Apple refused, citing its policy to avoid undermining the security features of its products. This led the FBI and U.S. Department of Justice to issue court orders and file applications to force Apple to comply with its requests. Apple steadfastly opposed these legal maneuvers and launched a public and legal fight of its own to protect its customers’ privacy.
This solitary phone highlighted an ongoing issue – the precarious balance between surveillance (i.e., national security) and data privacy. Republican presidential candidate Donald Trump called for a boycott on all Apple products while former NSA and CIA Director Michael Hayden publicly proclaimed that Apple was operating well within its rights. Several popular polls offered mixed feelings around these contentious issues. A Reuters poll indicated that Americans favored Apple’s position while a Pew Research poll reported opposing results. Meanwhile, a CBS News poll conducted in March 2016 revealed a polarized population: 50 percent of Americans took the FBI’s position while 45 percent sided with Apple.
While the San Bernardino incident highlighted the passionate dichotomy between surveillance and personal privacy in an era of pervasive mobile devices and wireless networks, this debate is nothing new. In fact, a small group of technology visionaries not only foresaw these issues starting in the 1970s but also took it upon themselves to challenge the technology and legislative status quo in an attempt to protect the privacy of digital data as technology grew more and more prevalent.
This band of privacy advocates, technologists and visionaries is highlighted in Steven Levy’s timeless book Crypto; and, although their stories may be considered ancient history in proverbial “internet time,” their combined effort is at the heart of the surveillance vs. data privacy debate that still rages today.
Crypto covers some of the seminal data privacy events and technology developments from the 1970s through the end of the 1990s, so it certainly serves as a good overview for students of cybersecurity history. Nevertheless, what stands out about this book is its intriguing storytelling. Levy does a great job in capturing the times, developing characters, and journaling their data security and privacy journeys and contributions.
For example, the book starts by following a colorful character named Whitfield Diffie pondering the challenges and possible solutions related to data privacy in an increasingly digital world. Growing up in an era when time-sharing large computers was the rule, Diffie recognized that a central authority, like a system administrator, could abuse his or her power to discover user passwords or peruse confidential files without user permission to do so. He imagined a system of decentralized authority where all users had the power to protect their data. He also longed for a way for two strangers to share private information without the need for a prearranged common secret, such as a symmetric encryption key.
Driven by this growing problem, Diffie proceeded on a true quest to seek out any and all information he could on the dark art known as cryptography. Much to his chagrin, however, there was very little publicly available information on cryptography in the mid-to-late 1970s. This situation would have confounded most researchers, but Whit Diffie was a different kind of guy – the kind who persevered to win over his wife after several negative encounters, or the type of person who would purchase multiple Datsun 510s in order to master the car’s workings and use spare parts from one Datsun to keep another one on the road.
Diffie’s persistent personality is an important component of his story. In pursuit of cryptographic truth, Diffie searched far and wide to read anything or speak to anyone who could educate him on his cryptographic quest. This led him to MIT, IBM and, eventually, chance meetings with like-minded academics, including Marty Hellman (Stanford) and Ralph Merkle (UC Berkeley). All of his pondering finally paid off one night when Diffie had an epiphany once considered blasphemy in the world of cryptography: he would split an encryption key between a message sender and receiver in order to protect data confidentiality and integrity in an ad hoc fashion. In this way, Diffie’s doggedness and intellectual curiosity led inevitably to the now famous Diffie-Hellman algorithm and major developments in data security and privacy, including asymmetric encryption and public key infrastructure (PKI).
Whit Diffie is just one individual in a cast of data privacy characters described within Crypto. The book also details:
- The trio of Ron Rivest, Adi Shamir and Len Adleman (RSA) from MIT. After reading the theories posed in the Diffie-Hellman papers around 1978, Rivest obsessed about developing usable mathematical algorithms to turn PKI from concept to reality. He quickly recruited Shamir and Adleman to help him in this pursuit. Their collaboration led to an ultimate breakthrough where public and private encryption keys were derived from one-way functions and the difficulty of factoring products of large prime numbers.
- Phil Zimmermann, an unlikely pioneer of modern cryptography. After learning about PKI, Zimmermann became interested in cryptography, but it was an overly zealous U.S. Senate bill that really drove him to dedicate his time to develop and distribute useable PKI software for the masses. Through a series of events, Zimmermann teamed up with assorted other programmers, mathematicians, and fellow cryptographers and released actual useable code on the nascent internet in 1999. Zimmermann first named his PKI software the “bass-o-matic” after an early Saturday Night Live skit, featuring Dan Aykroyd, but later settled on another name based on the radio show Prairie Home Companion, Pretty Good Privacy (PGP). While Zimmermann’s effort made him a hero with the proletarian data privacy crowd, he also faced years of industry litigation, government harassment, and threats of incarceration for his efforts.
- Jim Bidzos, a brash and cocky business executive who became the CEO of RSA as well as the company’s chief evangelist. It was Bidzos who made PKI a reality by convincing large customers like Lotus (now part of IBM) and Microsoft to add RSA crypto to their increasingly popular software. To commercialize cryptographic software, Bidzos was forced to fight off government interference every step of the way along with a host of software visionaries, like Ray Ozzie (Lotus) and Nathan Myhrvold (Microsoft). Bidzos’s in-your-face style certainly created a number of enemies (including one NSA agent who threatened him in a meeting), but his tenacity helped make PKI and data privacy a market reality.
The book ends by detailing the role of another group whose contribution to data privacy and PKI remained under the covers for years, but I promised a fellow Canon committee member that I wouldn’t give any details about this away. You’ll have to read the book yourself to uncover this surprise.
All in all, Crypto does a great job of describing the idiosyncrasies of a multitude of characters while remaining true to the subject at hand: data privacy through the era of personal computing and the dawn of the internet. Yes, the individuals covered in this book have grown from impetuous visionaries to senior citizens, but the issues raised in this book remain as timely as ever.
For example, Levy does a great job describing the rise and fall of the Clipper Chip in the 1990s. Younger readers may be unfamiliar with Clipper so it is worth reviewing this episode as it presages today’s surveillance/national security vs. data privacy polarization. Clipper, the brainchild of the U.S. National Security Agency (NSA), was intended to act as a compromise solution. The chip provided strong crypto based on a government-created algorithm called Skipjack but was also designed with a built-in backdoor whereby some undefined government agency would act as an encryption key escrow service so it could use its stash of keys to decrypt messages, if need be.
Just like today, the feds tried to sell Clipper with national security concerns and scare tactics. The NSA, FBI and Justice Dept. were even able to use this pitch to gain support from the newly elected Clinton administration in 1992, recruiting techno-savvy Al Gore as a Clipper cheerleader. Once again Levy does a great job of introducing characters, issues and tactics used on both sides of the aisle throughout the Clipper lifecycle from 1992 through its demise in 1996. In this way, Crypto serves as a rich history lesson for cybersecurity professionals while also outlining delicate and serious issues that should be useful for today’s policymakers.
Information technology evolves quickly, so it would be easy to dismiss Crypto as ancient history; but, while the technology developments described in this book are over 20 years old, the fundamental debate between surveillance/national security and data privacy remains as topical today as it was when Whit Diffie was pondering this conundrum while pacing in Harvard Square. Levy’s book is also more than just a historical review. It is also a fanciful story about quirky, passionate and brilliant people willing to challenge established practices. Ultimately, this ragtag group of characters actually changed the world, making it a bit safer and more secure.
For these and a host of other reasons, I believe that Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age would be a worthy addition to the Cybersecurity Canon.