Cyber Pioneers Ponder Past as Prologue

Robert "RSnake" Hansen, Katie Moussouris, Rich Mogull, Richard Stiennon, and Bruce Schneier reflect on how their favorite columns penned for Dark Reading over the past 20 years have stood the test of time.

Kelly Jackson Higgins, Becky Bracken
May 15, 2026

As part of Dark Reading's 20th Anniversary celebration, we asked some of our high-profile cybersecurity industry leaders who wrote blogs or columns for us over the years to look back and select their favorite piece, and then share their reflections on the topic today, through the lens of history.

This was no small task. Multiple CMS and platform migrations over two decades at Dark Reading sadly meant that some of our content, including columnists' pieces, was lost to the Internet and left to the whims of Wayback Machine website screenshots. But our creative columnists were able to dig into the Dark Reading archives for their picks and share their thinking at the time, as well as examine how history has treated the topic.

So kick back and enjoy these insightful retrospectives from Dark Reading contributing columnists and industry leaders Robert Hansen (aka RSnake), Katie Moussouris, Rich Mogull, Richard Stiennon, and Bruce Schneier.

RSnake's Robot Research Comes Full Circle

Robert (RSnake) Hansen, managing director of Grossman Ventures and CTO at Root Evidence, reflects on his groundbreaking Dark Reading column from Feb. 19, 2007, titled, "Die, Robot: If you're going to play with bots, best to know defense and offense."

"Dark Reading for me was the mental equivalent of building in public. I would test ideas with the general public and give them context for why I felt the way I did and therefore, in some respects, it was deeply personal, as in the case of the first really well-built robot scrapers in this article.

"I ended up writing an entire book called Detecting Malice on the topic, and how insanely far we have come, where AI is now scraping everything and companies are doing everything they can to make their APIs into MCPs go faster.
Even Cloudflare has a single API endpoint to scrape an entire site now, and there are lawsuits against the LLM providers for scraping. Times have both changed and yet stayed exactly the same."

Katie Moussouris: AI-Fueled Bug Discovery Could Backfire

Luta Security founder and CEO Katie Moussouris reminisces on writing about bug bounties for Dark Reading and her notable column from Aug. 13, 2015, "The Truth About Bug Bounties: What Oracle CSO Mary Ann Davidson Doesn't Get About Modern Security Vulnerability Disclosure."

"When I wrote about bug bounties years ago, there was a lot of optimism that crowdsourcing vulnerability discovery would dramatically improve security. The point then was that bug bounties weren't a silver bullet — they were meant to complement secure development, not replace it.

"Fast forward to today and AI has poured gasoline on the model. Automated testing and AI-assisted research are making it far easier — and much faster — to find potential vulnerabilities. The problem is that triage is still mostly human, and humans don't scale like GPUs. Programs that were already stretched are now getting flooded.

"For organizations already feeling like they're on fire, AI just showed up with a flamethrower. Without major investment in building more secure code and dramatically improving how quickly patches and mitigations can be deployed, many will simply burn down to ash under the volume.

"The part that worries me most is open source. Maintainers were already overwhelmed before AI supercharged vulnerability discovery. If that ecosystem buckles under the load, it won't just affect a few projects; it will affect everything that depends on them. Log4j was the wake-up call that exposed how fragile the software supply chain really is. AI is accelerating both discovery and dependence at the same time, and the uncomfortable truth is that the industry may not be ready for what humans have just unleashed."

Rich Mogull: 'Simple Doesn't Scale' in Cyber

Chief analyst at the Cloud Security Alliance and CEO of Securosis Rich Mogull explains one of his foundational cybersecurity principles, "Simple Doesn't Scale," which was first introduced in a Dark Reading post back on July 7, 2011.

"The main thing I noticed going back into my old Dark Reading posts is that … first, the author images have hair, and second, I really should have been shaving my head sooner.

"While I was highly tempted to select my very first cloud security post from 2009, the one that really resonates the most is my 'Simple Isn't Simple' post, which I think I changed to a tweet as 'Simple Doesn't Scale.' This post has been one of my mantras since I wrote it in 2011, and I think I even described an early version of Wendy Nather's Security Poverty Line.

"Why did I pick it? Because as we face waves of automated AI-discovered vulnerabilities, as just highlighted by Anthropic's Mythos, our ability to scale simple will define the state of our security like never before."

Richard Stiennon: Why PCI DSS Revolutionized Cyber-Risk

Chief research analyst at IT-Harvest Richard Stiennon back in November of 2006 was praising the payment card industry's adoption of the PCI Data Security Standard in a Dark Reading column titled "Finally, A Standard With Teeth."

"In 2006, the payment card industry started to get serious about the two-year-old PCI Data Security Standard. I must have been triggered to write about it when they announced the creation of the PCI Security Standards Council (PCI SSC), a governing council to oversee further changes to the standard. By December, they announced stronger enforcement action as well.

"I still feel that PCI DSS is one of the most effective security standards because it has teeth.
It also gave rise to an entire industry to provide continuous security scans (which is still with us today) — and even evolving into third-party risk scoring, breach and attack simulation, and agentic red teaming.

"The standards and regulations that I implied were toothless have grown their own incisors with significant enforcement actions recorded for each of them. The scariest fangs belong to the SEC, which evolved from wishy-washy Sarbanes-Oxley enforcement to prosecuting the CISO of SolarWinds.

"The surest sign that the security industry is maturing is the plethora of regulations that have arisen in the last 20 years. Those regulations shape the industry. Of the 4,029 active vendors that I track, the largest category (587 vendors) is governance, risk, and compliance."

Schneier on the Intersection of Encryption and AI

Renowned technologist and author Bruce Schneier contributed a column on June 20, 2010, warning about cryptography's inability to secure modern networks, a point he says he has been trying to argue since 2000.

"For a while now, I've pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on.

"Recently, I talked to a former NSA employee at a conference. He told me that back in the 1990s, he had a copy of my book Applied Cryptography by his desk, as did many other cryptographers working at Ft. Meade. People were allowed to refer to it, but they were not allowed to cite it.

"The 1990s were an important decade for cryptography. This was before the internet went mass market, when cryptography was just emerging from a niche academic discipline to a mainstream engineering one. There wasn't much that programmers could read.
The NSA used my book for the same reason it became a bestseller: because it collected all the academic cryptography of the time in one place and made it understandable to people who weren't mathematicians. They feared it for exactly the same reason.

"I've been thinking about that conversation as I revisit a 2010 essay I wrote for Dark Reading, 'The Failure of Cryptography to Secure Modern Networks.' Cryptography has inherent mathematical properties that greatly favor the defender. Adding a single bit to the length of a key adds only a slight amount of work for the defender but doubles the amount of work the attacker has to do. Doubling the key length doubles the amount of work the defender has to do (if that—I'm being approximate here) but increases the attacker's workload exponentially. For many years, we have exploited that mathematical imbalance.

"Computer security is much more balanced. There'll be a new attack, and a new defense, and a new attack, and a new defense. It's an arms race between attacker and defender. And it's a very fast arms race. New vulnerabilities are discovered all the time. The balance can tip from defender to attacker overnight, and back again the night after. Computer security defenses are inherently very fragile.

"That isn't a new idea. I said much the same thing in the preface to my 2000 book, Secrets and Lies:

"'Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, real security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.'

"I especially like how I phrased it in 2016: 'Cryptography is harder than it looks, primarily because it looks like math. Both algorithms and protocols can be precisely defined and analyzed.
This isn't easy, and there's a lot of insecure crypto out there, but we cryptographers have gotten pretty good at getting this part right. However, math has no agency; it can't actually secure anything. For cryptography to work, it needs to be written in software, embedded in a larger software system, managed by an operating system, run on hardware, connected to a network, and configured and operated by users. Each of these steps brings with it difficulties and vulnerabilities.'

"It's a lesson we have all learned over the decades. Cryptography is still necessary for cybersecurity — although I wouldn't have used that word back then — but is not sufficient. There are particular attacks and forms of mass surveillance that cryptography prevents. But as computers have infused throughout our lives, and networks have connected all those computers, those aspects of cybersecurity have become increasingly important, and vulnerable.

"Today, the cybersecurity world is changing yet again, this time due to the capabilities of artificial intelligence. AI isn't advancing cryptography, but it's changing cybersecurity. AI has demonstrated a superhuman ability to find vulnerabilities in software and to write exploits. A similar ability to write patches is probably coming. This has profound implications for both attackers and defenders, and it is unclear who will win the particular arms race in a world of what I call instant software."