
Cybersecurity: Threats and Defences

From public key cryptography to GDPR. Major incidents, encryption standards, and the regulatory frameworks that shape modern security.

Cybersecurity: Threats and Defences guided path map

An ordered sequence of 7 events covering 90 minutes.

[Figure: guided path map, "From cryptographic primitives to assurance frameworks". Seven dated stops in chronological order, each card listing a stop number, the year, the title and the publisher. Stop 1: 1976, Diffie-Hellman key exchange (ieee.org). Stop 2: 1977, DES standardised (FIPS 46) (csrc.nist.gov). Stop 3: 1988, Morris worm; CERT founded (cert.org). Stop 4: 1999, TLS 1.0 (RFC 2246) (datatracker.ietf.org). Stop 5: 2001, AES standardised (FIPS 197) (csrc.nist.gov). Stop 6: 2014, NIST Cybersecurity Framework 1.0 (csrc.nist.gov). Stop 7: 2020, Zero Trust Architecture, SP (csrc.nist.gov). The final stop is emphasised in brand red.]

Arrows mark the next step in the path, not direct historical causality. Source: Computer History Museum.

1. New Directions in Cryptography

November 1976 to February 1978. Cybersecurity. Invention.

All practical encryption required both parties to share a secret key in advance. This 'key distribution problem' made secure communication difficult at scale. Meeting in person or using trusted couriers was impractical for electronic communication. Symmetric encryption could not enable secure communication between strangers.

Diffie and Hellman introduced the concept of public key cryptography in 1976, enabling secure key exchange over insecure channels. In 1977-78, Rivest, Shamir, and Adleman (RSA) created a practical public key system that also enabled digital signatures. For the first time, secure communication was possible without pre-shared secrets.

Whitfield Diffie and Martin Hellman published 'New Directions in Cryptography' in November 1976, describing key exchange and the concept of trapdoor functions. Ron Rivest, Adi Shamir, and Leonard Adleman at MIT discovered a concrete implementation (RSA) in 1977, publishing in February 1978. The RSA algorithm's security relies on the difficulty of factoring the product of two large prime numbers. [1, 2]

2. FIPS 46, DES

15 January 1977. Cybersecurity. Standard published.

There was no standardised encryption algorithm for protecting sensitive government and commercial data. Different organisations used different proprietary methods, hindering interoperability. The lack of a vetted standard meant uncertain security guarantees.

The National Bureau of Standards (now NIST) published DES as FIPS 46, the first publicly available, government-endorsed encryption standard. DES became the de facto standard for commercial encryption for over two decades, establishing the model for government cryptographic standardisation.

IBM developed the Lucifer cipher in the early 1970s. NBS sought a standard encryption algorithm in 1973. IBM submitted a modified Lucifer, which NSA helped refine (reducing key size from 128 to 56 bits, modifying S-boxes). After public review, DES was adopted in January 1977. Despite controversy over NSA involvement and key length, DES became ubiquitous. [3, 4]

3. Morris worm

2 November 1988. Cybersecurity. Major incident.

The internet was a trusted academic network with minimal security. Systems assumed good faith from network users. There was no coordinated incident response capability. Security was an afterthought in most Unix systems.

Robert Tappan Morris, a Cornell graduate student, released a self-replicating worm that infected an estimated 6,000 Unix machines (10% of the internet). The worm exploited vulnerabilities in sendmail, fingerd, and rsh. It demonstrated that the internet was vulnerable to widespread automated attacks.

Morris created the worm ostensibly to gauge the size of the internet. A bug in the reinfection check caused it to spread uncontrollably, overloading machines. The worm was released from MIT on 2 November 1988. Within hours, it had spread across the country. Administrators scrambled to disconnect systems and develop patches. [5, 6]

4. FIPS 197, AES

26 November 2001. Cybersecurity. Standard published.

DES was demonstrably broken by brute force in 1998 (EFF's Deep Crack). Triple DES was slow and inelegant. The internet's growth demanded a modern, efficient encryption standard. No successor had been officially standardised.

NIST selected Rijndael as the Advanced Encryption Standard after a five-year public competition. AES provided stronger security (128/192/256-bit keys), better performance, and modern design. It became the global standard for symmetric encryption.

NIST initiated the AES selection process in 1997. Fifteen algorithms were submitted, narrowed to five finalists in 1999. After extensive public analysis, Rijndael (by Joan Daemen and Vincent Rijmen) was selected in October 2000 and published as FIPS 197 in November 2001. The open competition model set a precedent for cryptographic standardisation. [7, 8]

5. Road to TLS 1.3

1995 to August 2018. Cybersecurity. Standard published.

Early internet communication was unencrypted. Anyone could intercept data in transit, including passwords and financial information. E-commerce could not develop without secure communication. HTTP transmitted everything in plain text.

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) provided encrypted, authenticated communication over the internet. HTTPS became the standard for secure web traffic. TLS 1.3 (2018) modernised the protocol with improved security and performance.

Netscape developed SSL 2.0 (1995) and SSL 3.0 (1996) for secure web browsing. IETF standardised TLS 1.0 (RFC 2246, 1999) as an open standard. Subsequent versions addressed vulnerabilities: TLS 1.1 (2006), TLS 1.2 (2008), and the major revision TLS 1.3 (RFC 8446, 2018). Each version deprecated insecure algorithms and improved the handshake. [9, 10]

6. NIST Cybersecurity Framework

12 February 2014. Cybersecurity. Standard published.

Organisations lacked a common language for discussing cybersecurity risk. Multiple frameworks existed but none was universally adopted. Executive Order 13636 (2013) mandated development of a voluntary framework for critical infrastructure protection. Boards and executives struggled to understand security posture.

NIST published the Cybersecurity Framework (CSF) providing a common taxonomy and approach to managing cybersecurity risk. The five core functions (Identify, Protect, Detect, Respond, Recover) became widely adopted vocabulary. The framework enabled communication between technical and business stakeholders.

Following Executive Order 13636 (February 2013), NIST led a collaborative process with industry stakeholders. After workshops and public comment, version 1.0 was published in February 2014. The framework drew on existing standards (ISO 27001, COBIT, NIST SP 800-53) to create an accessible structure. [11, 12]

7. GDPR enters force

27 April 2016 to 25 May 2018. Cybersecurity. Regulation enacted.

The 1995 Data Protection Directive was outdated for the digital age. Data protection laws varied across EU member states. Large-scale data breaches were common with limited consequences. Individuals had little control over their personal data held by organisations.

GDPR established comprehensive data protection rights for EU residents with significant enforcement powers. It introduced requirements for consent, breach notification, data protection officers, and data subject rights. Penalties up to 4% of global revenue transformed corporate attention to privacy.

After four years of negotiation, GDPR was adopted on 27 April 2016 with a two-year implementation period. It became enforceable on 25 May 2018. The regulation applied directly across all EU member states without requiring national implementation. Its extraterritorial scope affected organisations worldwide. [13]

Sources

1. Whitfield Diffie, Martin E. Hellman. "New Directions in Cryptography". Stanford University, 1976-11. Peer reviewed. ieeexplore.ieee.org/document/1055638
2. Ronald L. Rivest, Adi Shamir, Leonard Adleman. "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems". MIT, 1978-02. Peer reviewed. dl.acm.org/doi/10.1145/359340.359342
3. "FIPS PUB 46: Data Encryption Standard". National Bureau of Standards, 1977-01-15. Authoritative. csrc.nist.gov/publications/detail/fips/46/archive/1977-01-15
4. "NIST Withdraws Outdated Data Encryption Standard". NIST, 2005-06-02. Authoritative. www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
5. "Computer Security: Virus Highlights Need for Improved Internet Management". US General Accounting Office, 1989-06. Authoritative. www.gao.gov/products/imtec-89-57
6. Eugene H. Spafford. "The Internet Worm Program: An Analysis". Purdue University, 1988-12. Peer reviewed. spaf.cerias.purdue.edu/tech-reps/823.pdf
7. "FIPS PUB 197: Advanced Encryption Standard (AES)". NIST, 2001-11-26. Authoritative. csrc.nist.gov/publications/detail/fips/197/final
8. "Advanced Encryption Standard (AES) Development Effort". NIST, 2000-10-02. Authoritative. csrc.nist.gov/projects/cryptographic-standards-and-guidelines/archived-crypto-projects/aes-development
9. Tim Dierks, Christopher Allen. "RFC 2246: The TLS Protocol Version 1.0". IETF, 1999-01. Authoritative. www.rfc-editor.org/rfc/rfc2246
10. Eric Rescorla. "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3". IETF, 2018-08. Authoritative. www.rfc-editor.org/rfc/rfc8446
11. "Framework for Improving Critical Infrastructure Cybersecurity". NIST, 2014-02-12. Authoritative. www.nist.gov/cyberframework
12. "NIST CSWP 1: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0". NIST, 2014-02-12. Authoritative. csrc.nist.gov/pubs/cswp/1/cybersecurity-framework-v10/final
13. "Regulation (EU) 2016/679 (General Data Protection Regulation)". European Parliament and Council, 2016-04-27. Authoritative. eur-lex.europa.eu/eli/reg/2016/679/oj