We’re still struggling to learn forty-year-old lessons about cyber security

Photo credit: iMattSmart via Unsplash

I just finished re-reading The Cuckoo’s Egg, by Clifford Stoll. It’s a classic of cyber security, telling how Stoll, as an astronomer-turned-reluctant-sysadmin, attempted to resolve a 75 cent computer billing discrepancy, only to be drawn into a story of hacking, surveillance and theft, involving the FBI, CIA and NSA.

The action in the book takes place in 1986 and 1987, so it is full of references to technology which was modern at the time, but seems quaint and old-fashioned today: 1200-baud modems, pagers and daisy wheel printers. What is striking, though, is how much of the hacking activity uses techniques which are still in use today. I won’t spoil the book for anyone who hasn’t read it, but will say that it contains examples of identity theft, credential compromise, dictionary attacks, supply chain attacks, vulnerabilities in commonly used software and privilege escalation. The pattern of behaviour would suit a cyber criminal working today: probe for assets which aren’t properly secured; gain access; take over an unused account; escalate privileges; move laterally; exfiltrate data; erase evidence. And keep on coming back and doing the same thing over and over again.

What is even more striking, though, is that the response to news of the hack within organisations is also familiar: denial, complacency and a lack of accountability. Stoll got three common responses when he tried to let organisations know that they had been compromised: you could hear those responses in many organisations today.

What’s the harm?

Stoll was working on academic networks which made data publicly available to researchers. It was natural, therefore, to ask what the harm was of someone accessing these networks in an unauthorised way. Indeed, did the notion of authorisation even make sense in such a context? How could the hacker steal what was publicly available?

It might seem that no-one would be as naive as this in 2026. We understand that all of our systems need to be protected, don’t we? In practice, every organisation divides its systems into those which are higher risk (for example, those which hold customer data or process payments) and those which are lower risk (for example, those which show the staff canteen menu for the week). And they apply their protection accordingly. Unfortunately, this is a mistake which puts everything at risk.

In Stoll’s book, the hacker uses open academic systems to connect to research establishments, to connect to the defence contractors they work with, to connect to the government organisations that they work for, and so on. Today, attackers will take exactly the same approach: they will attack the weakest, most poorly defended targets first, knowing that they will lead to something more valuable and more interesting.

We’re secure

As Stoll follows the trail, he believes that it is his duty to let people who have been hacked know that they have been hacked, even though they might take action that would tip off the hacker and compromise the investigation. Sometimes he is met with gratitude, but he is also often met with scepticism and incredulity. How could we have been hacked? We’re secure.

I doubt that many cyber security teams today would dare to say, we can’t be hacked: we’re secure. They know the threats too well, as well as their own vulnerabilities. However, cyber teams are not the only people who get to make assertions about the security of their organisations. Executives and business leaders may state that their organisation is taking all reasonable measures with respect to cyber security, or that they are operating within risk appetite. And they probably believe what they say: they look at the existence of a cyber security team, at the money they spend on defences every year, and conclude that they must be doing enough. Until a hacker takes unreasonable steps to overcome their reasonable measures, or serves them a dish of disruption which exceeds their appetite for risk.

It’s somebody else’s problem

In the book, Stoll spends at least as much time trying to persuade official agencies to do something about the attack as he does running network traces, setting up monitoring and reading activity logs. But no-one is quite prepared to accept that it is their problem. The FBI won’t act unless the damage is over a million dollars. The CIA can’t act because the hack appears to be domestic. The NSA is so secretive that they won’t say what their response is. And the National Computer Security Centre will only offer guidance on how to build secure computers, not how to deal with an ongoing attack on insecure ones.

This was forty years ago, and I expect that these agencies, and government agencies in other countries, have figured out by now who does what in the event of an attack. But finding the people within an organisation who are responsible for cyber security is still difficult. It might seem obvious that the CISO and the cyber team are responsible, but a smart CISO will explain that they cannot possibly secure every piece of software and data managed by other people: the development and operations teams have to take accountability for what they build and run. But those teams will say that they don’t have the training, budget, guidance or resources to do everything that the cyber team expects. Furthermore, most of their vulnerabilities come from their partners and software vendors. And those software vendors insist that they issue patches regularly, but it’s up to the organisation to apply them.

The sophistication of cyber attackers has evolved over the last forty years: hackers have many more tools available to them than those used in Stoll’s book. But the ability of organisations to understand their own risk, admit and address their vulnerabilities, and make sure that everyone takes accountability, does not seem to have evolved as fast. It’s still worth reading about and learning lessons from all the way back in 1986.
