BKHISCCH.RVW 20081020 "The History of Information Security", Karl de Leeuw/Jan Bergstra, 2007, 978-0-444-51608-4 %E Karl de Leeuw karl.de.leeuw@xs4all.nl %E Jan Bergstra %C 256 Banbury Road, Oxford, OX2 7DH %D 2007 %G 978-0-444-51608-4 %I Elsevier Advanced Technology %O +44 865 512242 Fax: +44 865 310981 books.elsevier.com %O http://www.amazon.com/exec/obidos/ASIN/0444516085/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0444516085/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0444516085/robsladesin03-20 %O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation) %P 887 p. %T "The History of Information Security: A Comprehensive Handbook" Chapter one, which stands in for an introduction to the papers in this volume, already notes that the title is inaccurate. The editor admits that this work is not a history, as such, but an overview from the perspective of different disciplines related to information security, taking a historical approach in examining the socio-political shaping of infosec. The authors ask whether technology influenced public policy and politics, and look for information security strategies (or the lack thereof) in politics. I found the selection of references disquieting, noting that the editor responsible for the choice of papers complained that there was no historical material addressing industrial espionage, administrative practices, disruption of communications with criminal intent, or other areas. No mention is made, in the references, to the works of Stamp (cf. BKINSCPP.RVW), Winkler (cf. BKCRPESP.RVW, BKSPAMUS.RVW), or Denning (cf. BKDENING.RVW) to name just a few. I can agree with the emphasis on social aspects of security: security is, and always has been, a people problem. Information security, however, necessarily involves technology, and the authors of most of the papers included in this collection have concentrated so much on history (mostly in the form of dates and political rivalries) that the questions of influence of technology on politics, or politics on technology, can't really be analyzed. Additionally, enormous topical areas relevant to information security (such as risk management, intrusion detection, cryptographic infrastructure (PKI), physical security, computer architecture, application development, and malware) are notable by their absence. Part one addresses intellectual property. Essay subjects include various forms of censorship and self-censorship (with no mention of the "full disclosure" debate), the German patent system, copyright, and the application of copyright and patent to software. Part two looks at items related to identity management, with a highly abstract and impractical philosophy of identity, notes on document security, a review of identity cards, and a recent history of biometrics. Although entitled "Communications Security," part three is about cryptography. The papers on Renaissance (1400-1650) and Dutch (up to 1800) cryptography, British postal interception up until the 1700s, the KGB crypto office, and the NSA (US National Security Agency) are of primarily political interest. The articles on rotor cryptography, Colossus, and the Hagelin machines have points of curiosity, but are still very thin on technical details. A final essay attempts a very terse overview of modern cryptographic concepts. Computer security is in part four. Early US military evaluation standards, some of the basic formal information security models, an academic look at application security and auditing, a rough division of recent information technology into decade "periods," an equally unpolished history of Internet security, and a scattered review of computer crime make up this section. For some reason questions of privacy and regulations governing the export of cryptography are seen to fit together in part five. Three papers present US cryptographic export restrictions, a random and not completely successful attempt to define privacy, and various US undertakings at regulating the use of encryption. Part five can't have been lumped together simply due to a lack of articles, since part six is a single piece providing a limited and incomplete overview of information warfare. As a book this volume is disappointing. It is not "a history," merely a collection of papers, with little structure or linkage. The topics relate to security, but a work on infosec should have more technical content and understanding. It is certainly not comprehensive. And, at several kilograms in weight, it bears little resemblance to a handbook. That said, a number of the essays do provide interesting historical points, anecdotes, and references. Therefore, those with the stamina to work through the material may be rewarded with historical nuggets, and pointers to further sources of information. copyright Robert M. Slade, 2008 BKHISCCH.RVW 20081020