
Cyber Pioneers Ponder Past as Prologue
Robert "RSnake" Hansen, Katie Moussouris, Rich Mogull, Richard Stiennon, and Bruce Schneier reflect on how their favorite columns penned for Dark Reading over the past 20 years have stood the test of time.
Since 2006, Dark Reading has been at the forefront of covering cybersecurity, providing deep insights and analysis beyond the headlines. All those major news events? We were there. Shifts in technology trends? We wrote about them. Enjoy this special anniversary coverage celebrating where we've been and what's next.

Kelly Jackson Higgins, Becky Bracken
May 15, 2026
8 Min Read
Source: Mauritius images GmbH via Alamy Stock Photo

As part of Dark Reading's 20th Anniversary celebration, we asked some of the high-profile cybersecurity industry leaders who wrote blogs or columns for us over the years to look back, select their favorite piece, and share their reflections on the topic today, through the lens of history.

This was no small task. Multiple CMS and platform migrations over two decades at Dark Reading sadly meant that some of our content, including columnists' pieces, was lost to the Internet and left to the whims of Wayback Machine website screenshots. But our creative columnists were able to dig into the Dark Reading archives for their picks and share their thinking at the time, as well as examine how history has treated the topic.

So kick back and enjoy these insightful retrospectives from Dark Reading contributing columnists and industry leaders Robert Hansen (aka RSnake), Katie Moussouris, Rich Mogull, Richard Stiennon, and Bruce Schneier.

Click here for all of our DR20 content, which will be rolling out across the month of May. Keep checking back for new items!

RSnake's Robot Research Comes Full Circle

Source: @RSnake on X

Robert (RSnake) Hansen, managing director of Grossman Ventures and CTO at Root Evidence, reflects on his groundbreaking Dark Reading column from Feb. 19, 2007, titled "Die, Robot: If you're going to play with bots, best to know defense and offense."

"Dark Reading for me was the mental equivalent of building in public. I would test ideas with the general public and give them context for why I felt the way I did and therefore, in some respects, it was deeply personal, as in the case of the first really well-built robot scrapers in this article."

"I ended up writing an entire book called Detecting Malice on the topic, and how insanely far we have come, where AI is now scraping everything and companies are doing everything they can to make their APIs into MCPs go faster. Even Cloudflare has a single API endpoint to scrape an entire site now, and there are lawsuits against the LLM providers for scraping. Times have both changed and yet stayed exactly the same."

Katie Moussouris: AI-Fueled Bug Discovery Could Backfire

Source: SPOA Images, Ltd. via Alamy Stock Photo

Luta Security founder and CEO Katie Moussouris reminisces on writing about bug bounties for Dark Reading and her notable column from Aug. 13, 2015, "The Truth About Bug Bounties: What Oracle CSO Mary Ann Davidson Doesn't Get About Modern Security Vulnerability Disclosure."

"When I wrote about bug bounties years ago, there was a lot of optimism that crowdsourcing vulnerability discovery would dramatically improve security. The point then was that bug bounties weren't a silver bullet — they were meant to complement secure development, not replace it."

"Fast forward to today and AI has poured gasoline on the model. Automated testing and AI-assisted research are making it far easier — and much faster — to find potential vulnerabilities. The problem is that triage is still mostly human, and humans don't scale like GPUs. Programs that were already stretched are now getting flooded."

"For organizations already feeling like they're on fire, AI just showed up with a flamethrower. Without major investment in building more secure code and dramatically improving how quickly patches and mitigations can be deployed, many will simply burn down to ash under the volume."

"The part that worries me most is open source. Maintainers were already overwhelmed before AI supercharged vulnerability discovery. If that ecosystem buckles under the load, it won't just affect a few projects; it will affect everything that depends on them. Log4j was the wake-up call that exposed how fragile the software supply chain really is. AI is accelerating both discovery and dependence at the same time, and the uncomfortable truth is that the industry may not be ready for what humans have just unleashed."

Rich Mogull: 'Simple Doesn't Scale' in Cyber

Source: Cloud Security Alliance

Chief analyst at the Cloud Security Alliance and CEO of Securosis Rich Mogull explains one of his foundational cybersecurity principles, "Simple Doesn't Scale," which was first introduced in a Dark Reading post on July 7, 2011.

"The main thing I noticed going back into my old Dark Reading posts is that … first, the author images have hair, and second, I really should have been shaving my head sooner."

"While I was highly tempted to select my very first cloud security post from 2009, the one that really resonates the most is my 'Simple Isn't Simple' post, which I think I changed to a tweet as 'Simple Doesn't Scale.' This post has been one of my mantras since I wrote it in 2011, and I think I even described an early version of Wendy Nather's Security Poverty Line."

"Why did I pick it? Because as we face waves of automated AI-discovered vulnerabilities, as just highlighted by Anthropic's Mythos, our ability to scale simple will define the state of our security like never before."

Richard Stiennon: Why PCI DSS Revolutionized Cyber-Risk

Source: Richard Stiennon

Chief research analyst at IT-Harvest Richard Stiennon was praising the payment card industry's adoption of the PCI Data Security Standard back in November 2006, in a Dark Reading column titled "Finally, A Standard With Teeth."

"In 2006, the payment card industry started to get serious about the two-year-old PCI Data Security Standard. I must have been triggered to write about it when they announced the creation of the PCI Security Standards Council (PCI SSC), a governing council to oversee further changes to the standard. By December, they announced stronger enforcement action as well."

"I still feel that PCI DSS is one of the most effective security standards because it has teeth. It also gave rise to an entire industry to provide continuous security scans (which is still with us today) — and even evolving into third-party risk scoring, breach and attack simulation, and agentic red teaming."

"The standards and regulations that I implied were toothless have grown their own incisors with significant enforcement actions recorded for each of them. The scariest fangs belong to the SEC, which evolved from wishy-washy Sarbanes-Oxley enforcement to prosecuting the CISO of SolarWinds."

"The surest sign that the security industry is maturing is the plethora of regulations that have arisen in the last 20 years. Those regulations shape the industry. Of the 4,029 active vendors that I track, the largest category (587 vendors) is governance, risk, and compliance."

Schneier on the Intersection of Encryption and AI

Source: Bruce Schneier

Renowned technologist and author Bruce Schneier contributed a column on June 20, 2010, warning about cryptography's inability to secure modern networks, a point he says he has been trying to argue since 2000.

"For a while now, I've pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on."

"Recently, I talked to a former NSA employee at a conference. He told me that back in the 1990s, he had a copy of my book Applied Cryptography by his desk, as did many other cryptographers working at Ft. Meade. People were allowed to refer to it, but they were not allowed to cite it."

"The 1990s were an important decade for cryptography. This was before the internet went mass market, when cryptography was just emerging from a niche academic discipline to a mainstream engineering one. There wasn't much that programmers could read. The NSA used my book for the same reason it became a bestseller: because it collected all the academic cryptography of the time in one place and made it understandable to people who weren't mathematicians. They feared it for exactly the same reason."

"I've been thinking about that conversation as I revisit a 2010 essay I wrote for Dark Reading, 'The Failure of Cryptography to Secure Modern Networks.' Cryptography has inherent mathematical properties that greatly favor th
Originally published at darkreading.com