Before internet communications took off in the early 1990s, computer security was essentially a matter of physical protection: activities like contingency planning for fire and flood, restricting the number of people who could access terminals or preventing employees from inserting floppy disks that might contain viruses into company PCs. Locks and logbooks were still pieces of hardware.

Online environments presented different challenges and required new methods of authenticating users, verifying transaction data and detecting suspect files. The practice of IT security, indeed, moved online through the introduction of managed services. This archive looks back through the transition years.

Ireland’s software industry made a significant contribution to online security through the development of encryption toolkits, firewalls and identity management applications. Much of the expertise came out of academic research and the participation of Irish organisations in European Union programmes. Other developers entered the field through their practical experience of delivering information or recording payments over the internet.

The archive begins in the early 1990s when the consulting firms that had traditionally advised data centres on how to protect their systems were eclipsed by security product companies. Some developed their own applications. Others sourced and distributed emerging types of security software. It culminates after the turn of the century, when the limitations of technologies for e-mail encryption and digital certificate management were becoming evident and an over-ambitious identity management project was trying to streamline online access to Ireland’s state services.


1990-94: Obscure cryptographers

Ireland held the presidency of the Council of the European Union during the first half of 1990. As part of its preparations for this role the Department of Foreign Affairs purchased cryptography software from a specialist, low-profile company based in Dublin’s Fitzwilliam Square. Its technology was mathematically complex and difficult to pull apart, even for other encryption experts. It would thus enable diplomats to safeguard the confidentiality of their EU-related communications. As a department official remarked to the company’s owner, ‘In your line of business obscurity is an asset.’

That company, Baltimore Technologies, was far from obscure in later years.

In 1990 Baltimore had already established a reputation in certain corners of European data networking and telecommunications, mainly for its software development and consulting activities. After a split in its management ranks, however, the company focused more narrowly on network security issues. Public key cryptography and stream encryptors were its core competences. Baltimore was closely linked with academic research in these fields and its owner, Michael Purser, had for many years combined the roles of entrepreneur and college lecturer. His priority now, however, was to channel the company’s expertise into commercial products.

Cryptography is essentially a matter of modular arithmetic and mathematical tricks. It employs ever larger integers to prevent ever faster computers from discovering the secret keys that have encrypted files. By the early 1990s such keys supported various types of digital signature that could protect and validate messages passing around a network. These digital signatures required a trusted certification authority (CA) service to authenticate user identities. CAs represented a product opportunity for Baltimore Technologies.

The company proposed a demonstration project to the European Commission, secured official support and set up a pilot CA in Dublin. This allowed it to analyse the effectiveness of encrypted messaging over the Euronet network, tracking communications among research institutes in several countries. After the study Baltimore won a small number of cryptography assignments from governments and banks around Europe.

Electronic transfers of confidential material from diverse computing equipment in diverse organisations to diverse locations were still unusual. Data security policies and procedures for large computer installations had evolved steadily since the 1960s, but most practitioners had continued to focus on the protection of physical computers, physical storage media and the physical environment in which they were housed.

The biggest computer centres maintained elaborate contingency plans, including special relocation arrangements with Telecom Eireann, and could move their operations into ready-to-run facilities in the event of an emergency. Some had introduced security policies for online transaction processing, using products such as IBM’s Resource Access Control Facility. Smaller organisations tightened their rules on data back-up and invested in off-site file storage.

Auditing the risks inside a computer installation was commonly associated with auditing an organisation’s financial records. IT security specialists were often based inside large accountancy practices. Few businesses had in-house expertise in this area, apart from the larger mainframe users. These included the major banks and the ESB, which had recently appointed its first information security manager.

These pre-internet methods and norms were ill-suited to the new challenges.

 

1995-99: Catching the worms

Until the middle of the decade it was the personal computer, not the internet, that was generally seen as the weakest link in the data security chain. PCs were easy to move and difficult to police. Passwords were seldom as confidential as they ought to be and all too often forgotten. Floppy disks with private information were casually taken out of the workplace and floppy disks with virus infections were casually brought into it.

Most of the security software development in Ireland, therefore, centred on PC administration. Products such as Priority Data Systems’ PD Secure and Rits’ PC Review reflected the priorities of the day.

When commercial internet access began to take off in the early 1990s the service providers seldom spoke about security. Most of their time was spent dealing with availability and performance issues. By the middle of the decade, though, the internet companies and their customers had become aware of two broad categories of risk.

The first arrived with the World Wide Web. Web servers loosened the established barriers between private computer networks and the outside world, posing new challenges for IT administrators. The web required them to introduce more restrictions on information access. More urgently, its potential impact on the performance of systems and network equipment demanded their attention.

Superman’s girlfriend was behind the first scare. In early 1995 the HEAnet academic network service experienced a disruptive – and disturbingly expensive – surge of traffic to a web server in Dublin City University. That machine contained a photograph of Teri Hatcher, who played Lois Lane in a US television series, wrapped in a Superman cape. This was the most frequently downloaded image on the internet at the time.

The Teri Hatcher incident became the catalyst for HEAnet, and the individual universities that used its service, to revise their network access policies and to invest in firewalls. Suitable products were just starting to appear.

Galway was one of the places where firewalls were designed. In 1994 Digital Equipment had established a development unit there for internet security products. This group focused on firewalls and subsequently created products for Digital’s AltaVista family. Meanwhile, the PC management software companies started to extend the capabilities of their applications by adding new controls on network access.

The second risk surfaced when internet e-mail superseded the floppy disk as the most common vehicle for computer viruses.

Internet malware had been around for years. Indeed, it began to generate publicity when the internet was still confined to the research community and to the US. Back in November 1988 the Morris worm alerted network administrators to the way that a computer could be infected multiple times by malicious code, slowing down its performance and eventually making it unusable.

While computer worms upset machine performance, viruses could attach themselves to software applications and then corrupt users’ files. Before the rise of the internet, viruses spread through the exchange of floppy disks, the distribution of shareware or bulletin board systems. Starting in 1999 with the Melissa macro virus, malware authors took to distributing their handiwork via e-mail attachments. Each incident that grabbed public attention, often through alarmist news reports, boosted the demand for anti-virus software. Most, though not all, of these products addressed vulnerabilities in Microsoft’s operating systems and messaging applications.

The trade in security applications accelerated as the 1990s drew to a close. The prevalence of macro viruses and the vigilance required to catch new worms were not the only security problems facing information systems managers. There were also risks associated with the rapidly approaching year 2000 – and especially with older applications that might not work properly on the first day of the new millennium. Any code that identified years with just two digits was suspect. User authentication for commercial transactions was an additional concern. So was cyber-crime. And cyber-espionage became a reality with a politically motivated attack on the servers operated by Dublin service provider Connect Ireland. The company had assisted the independence movement in East Timor to promote its cause via the internet.

By the end of the decade internet security was established as a distinct sector of the technology products trade and as a distinct skills category for IT personnel. A supply chain of distributors, resellers, consultants and support services was now in place. Companies like Entropy, Priority Data Systems, Renaissance Contingency Services, Rits and Systemhouse Technology carried accreditations from international vendors that had also grown and thrived on the back of the internet.

A few security specialists in Ireland were already offering managed services.

 

2000-02: Reality check

In November 2000 the Hilton International hotel chain awarded a worldwide network security contract to Baker Communications. Its staff in Dublin would use Lucent’s VPN Firewall Brick technology to configure and manage firewalls on Hilton premises in 110 locations around the globe. The company already provided centrally managed internet security to around a dozen private networks in Ireland.

The way to deliver protection for computers in the new millennium would be through the internet. Baker Communications was not alone in embracing this model.

EuroKom had built up a customer base for protected e-mail services and was supporting all of the country’s local authorities and several government departments. Hush Communications made encryption a core function of a managed e-mail service. Buytel launched Voicevault, a verification service that identified people by their voice over the internet or the telephone. Voicevault was designed for worldwide availability, using interconnected and mirrored systems in different locations to identify a speaker anywhere in less than half a second.

By now, however, Baltimore Technologies was Ireland’s digital security giant. The company had grown rapidly since a change of ownership in 1996. This came about after the firm landed a contract with a bank in Geneva. The bank introduced it to Dermot Desmond, a Dublin-based financier who had funded a succession of software product ventures. He proceeded to invest in Baltimore and assembled a new team to market its CA technology in the guise of a product called UniCert.

The company’s strategy now assumed that digital signatures were about to become ubiquitous on the internet and that any developer which dominated the market for the enabling technologies would reap massive rewards. It therefore acquired rival products and firms with complementary capabilities, hoping to propel itself to the top of the trade.

Baltimore Technologies reported annual revenues for 2000 of $110 million, much of which was generated by recently acquired businesses. In early 2001 the company employed 1,200 people in 38 cities around the world. It also announced net losses for the year of $138 million. Those figures were a sign of the times. Baltimore had reached the peak of a boom-to-bust trajectory that other internet technology vendors followed in those years. The downslide that followed was a harsh reality check. By the middle of 2001 it had started to shed personnel and was seeking buyers for some of its business units. In 2003 it completed a divestment programme by selling off its core technology for certification authorities.

Other companies that majored in encryption, digital signatures or identity management saw their fortunes decline as well.

Dublin-based Software and Systems Engineering (SSE) was part of Siemens. The company had focused on online access rights after it discovered that its previous speciality in OSI applications development was no longer viable. In 2000 Siemens repositioned SSE as a global centre of competence for secure e-business. Less than two years later, though, it offloaded the operation to a security software firm in Munich.

Danu Industries, which built applications based on encryption algorithms from a sister company in Moscow, shut down in 2001. So did Viasec, a Donegal e-mail encryption company that had opened offices in London, Munich, Boston and San Jose to sell public key infrastructure applications.

The most ambitious online identity management initiative of these years was not a commercial venture. It aimed instead to create a common access route over the internet into the services run by government departments and state agencies. This ‘public services broker’ concept also envisaged secure data sharing across multiple services.

In 2000 the government entrusted this project to a new agency called Reach. It soon became evident that the development of the broker would take much longer than originally planned. Reach scaled down the project’s operational objectives and technical complexity accordingly. In 2007 a Special Report by the Comptroller and Auditor General found that only a small number of services had actually used the public services broker.

The turn-of-the-millennium carnival of internet-based empire building had come to a halt. The future belonged to modest, sustainable online security ventures and projects rather than big-spending dealmakers who wanted to rule the world.

Last edit: June 2016

© Newsmail 2016