Behavioral Cyber Security History Lesson: Enigma

A large part of why we founded Pythia Cyber was the rueful recognition that human behavior plays a huge part in whether or not Cyber Security is effective. Many of us who work in the trenches find this observation painfully obvious, but to everyone else this claim seems far from obvious. Examples help, but we have to be careful not to publicize our colleague's or our client's mistakes in the name of clarity. Luckily there is an example from history where all the people who might be embarrassed are dead (and were on the losing side in World War II).

Behold! The mighty encryption engine known as "The Enigma Machine." This was the best that early-to-mid 20th century technology had to offer in the way of data protection. It was used to keep private communications private, mostly by governments to secure diplomatic messages or intelligence reports which were being transmitted home from abroad.

If you are interested in encryption, it is well worth the research to get the details. If you are not interested in encryption, all you need to know is that the Enigma Machine was a kind of mechanical computer with a variable encryption key. You set the encryption key, typed your message on the keyboard and presto! Encrypted data came out. You sent the encrypted data to whomever was supposed to receive it. Upon receipt, the authorized person entered the same key, typed in the string of characters that you had sent and presto! Your original message was revealed. Even though the underlying technology was mechanical, the possible keys were large, creating a vast "search space" for possible decryption. It was essential unbreakable in its day if used properly.

To quote the Breaking Enigma section of the machine's Wikipedia page:

Though Enigma had some cryptographic weaknesses, in practice it was German procedural flaws, operator mistakes, failure to systematically introduce changes in encipherment procedures, and Allied capture of key tables and hardware that, during the war, enabled Allied cryptologists to succeed.

Yep. That expensive lock on your heavy-duty door only provides protection if you remember to close and lock the door behind you. And if you keep track of the keys. And remember to change the lock every time you lose track of a key. Every time. Every single time.

This is a large part of why Pythia Cyber focuses on human behavior as much as we focus on Cyber Defense. Technology has bugs, sure, but people are inconsistent. Even smart, motivated, reasonable people make mistakes. We all know this, but for some reason most of us do not apply this knowledge to applying technology. People apply technology. Both sides of that equation need attention when creating a system to keep your data safe and your systems secure.

Given that technology has flaws and that people make mistakes, monitoring both is a critical part of trusting your Cyber Security program. That monitoring provides evidence. That evidence either assures you that things are currently OK or tells you what needs to be improved. For about moving to an evidence-based Cyber Security program, check out this blog post.