I'm using this page to host some artifacts from "ancient history" and the stories that go with them.
In mid-2025, the National Academies published the "Cyber Hard Problems" report. The report, sponsored by the Office of the National Cyber Director (ONCD), documents problems in cybersecurity that are important targets for research.
The 2025 report is the third "hard problems" report that the US Government has sponsored. In 2005, the Infosec Research Council sponsored the creation of a "Hard Problems List" that can be found on the website of NITRD. (The Infosec Research Council or IRC was founded in the mid-1990s to facilitate collaboration and coordination among government sponsors of information security research. NITRD is a government-wide body that facilitates collaboration and coordination of Information Technology research and, among other things, succeeded the IRC.)
The original Hard Problems List, also sponsored by the IRC, was created in 1999. At that time, I was working for Mitretek Systems and serving as the execuitve agent for the IRC. In that role, I led the team that created that original report. The other team members were the late James P Anderson, Steve Kent of BBN, and Bob Meushaw of NSA.
The 1999 Hard Problems List seems to have been lost to history, or at least lost to the Internet. The National Academies report refers to it as "not easily found." Both the ONCD Statement of Task to the Academies and the report misstate its date as 1995. The 2005 Hard Problems List refers to it as having been developed between 1997 and 1999 and includes only summary descriptions of the problems on the list.
When I read the National Academies report, I searched the files on my computer and found that I had a Word document version of the 1999 report. That version describes itself as a 21 September 1999 draft and includes a handful of tracked minor changes attributed to Carl Landwehr who succeeded me at Mitretek as the IRC executive agent. (I left Mitretek to join Microsoft in September 1999 - my first day at Microsoft was September 20.) I compared the list of hard problems in the Word document to the summary list of 1997-1999 hard problems in the 2005 document and they are identical, so I'm pretty confident that the Word document is extremely close to the final version of the 1999 document.
I've accepted the edits in the Word document, added Jim's, Steve's, Bob's, and my names, and converted the document to a PDF. With the exception of those changes, the document is as it was in late September, 1999. I hope it's of interest to some people who are interested in the history of cybersecurity and cybersecurity research.