If you are a cybersecurity professional, or interested in cybersecurity at all, you should be familiar with the Cybersecurity Canon. Just what is a Canon? There are lots of definitions, but the one that applies here is, “a sanctioned or accepted group or body of related works.” With this definition in mind, the stated goal of the Cybersecurity Canon is:
“To identify a list of must-read books for all cybersecurity practitioners -- be they from industry, government, or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.”
I am a proud member of the Cybersecurity Canon committee and just recently nominated a book that I believe is well worthy of inclusion: Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age (2001) by Steven Levy.
Okay, I know what you are thinking – 2001 is ancient history in terms of technology and cybersecurity, so why would I nominate a book this old? Well, some cybersecurity issues stand the test of time, and this book covers one such topic: data privacy.
Crypto spans a timeframe from the 1970s through the 1990s, when these issues gained broad public visibility. In the late 1970s, Whit Diffie and Marty Hellman came up with a theory that two people with no prior knowledge of each other could establish a confidential communications channel by using mathematically related cryptographic keys to encrypt data. Soon afterward, Ron Rivest, Adi Shamir, and Len Adleman (RSA) turned the Diffie-Hellman theoretical model into reality by developing the RSA algorithm for asymmetric cryptography.
These events are well worth understanding, as they are the very foundation of technologies like SSL/TLS, which make electronic commerce possible, but this book is more than a textbook explaining geeky data privacy technologies like PKI. It also explores the human side of data privacy by following the persistent, idiosyncratic, and brilliant characters who created and commercialized the technology: people like Diffie, Phil Zimmermann (creator of PGP), and Jim Bidzos (former CEO and chief evangelist at RSA).
In addition to the technology itself, Crypto also digs into the constant battle that has ensued, namely the balance between data privacy on one side and national security and surveillance on the other. Cybersecurity professionals and policymakers should understand that this dichotomy began long before the recent Apple vs. DOJ episode.
Way back in the 1970s, the NSA silenced IBM in exchange for technical help with its early encryption algorithms. Believe it or not, encryption technology was once classified as an armament, so American software companies like Lotus and Microsoft were not allowed to export any crypto. When privacy advocates pushed back, the NSA and the Clinton administration offered a compromise called the Clipper Chip, whereby government agencies would escrow encryption keys and thus have access to cleartext messages for law enforcement and intelligence purposes. This became an extremely contentious and public debate from 1992 through 1996. Data privacy advocates won this battle, giving us secure communications on one hand while impeding law enforcement and intelligence investigations on the other.
Yes, this book is now 15 years old, but I believe that cybersecurity professionals should understand the roots of data privacy technologies and the issues surrounding data privacy that still reverberate today. Besides, Crypto is well written and very entertaining – not quite a beach book for the masses but certainly one for nerds like me.
Here’s a link to my full book review on the Cybersecurity Canon page. In my humble opinion, Crypto is a great book that deserves to be inducted into the Cybersecurity Canon in 2016.