Introduction
In the late 1960s, computer technology and its commercial systems, even though then based on conventional mainframe designs, had advanced to the point at which remote access over telephone lines was possible and several jobs (i.e., programming tasks, each with its data) could be present in a machine concurrently. For economic reasons, this situation inevitably led defense contractors to consider putting both their internal classified work and external non-classified work in one machine at the same time.
Such a request from a contractor in the Midwest prompted the Department of Defense to realize that it had no policy or regulations to deal with the situation. Accordingly, the Advanced Projects Research Agency (then ARPA, but now DARPA) was tasked to organize a committee of recognized experts from government and the private sector to examine the issue and provide appropriate recommendations for a DoD position.
As a result of RAND's already established relationship with and work for ARPA, the activity led to an agreement for RAND participation, including the chairman, a chairman of a sub-committee, and other staff members from time to time throughout the study.
During the progress of the committee deliberations, it was decided to move sponsorship of the activity from ARPA to the Defense Science Board for greater visibility and impact. Accordingly, the presentation of the final report was made to the DSB with an overview briefing [January, 1970].
Initially, the document [R-609] was classified CONFIDENTIAL for reasons stated in the preface of the report; but nearly ten years later at ARPA's instigation, the report was declassified [R-609/1, 10 October 1979]. In both forms, the report was widely distributed and became an early but definitive treatment of "computer security" -- a topic more recently known as "information security" or "information system security" and most recently as "critical information infrastructure security."
Even today, the committee report is pertinent and readable, and has become the classical work that launched the field. It also reflects the deep understanding and insight of the committee for an issue that had not heretofore been methodically studied. Its "Figure 3", which depicts the committee's conceptual model of the vulnerabilities of a computer network, was frequently used by subsequent authors on the topic. The report has an unusual feature, in that it contains "comments" that elaborate the intricacies of various recommendations, and explain the committee rationale for its position.
In the classified form, the report had a unique distinction of being reviewed and summarized (with official permission) in a non-classified publication [Communications of the ACM]. Originally available only as a printed document, the online version below was scanned into computer form and converted to HTML format through the courtesy of John Young, architect and archivist of the online Cryptome collection of computer-technology and policy-related documents and materials [http://cryptome.org, or http://jya.com].
Link to the complete HTML Version of R-609.1.