Published March 12, 2014
On a mid-summer day in 1935, Boeing engineers rolled out a prototype bomber christened “Model 299”.
Sporting four engines, bristling with five 0.30 caliber machine guns, and capable of carrying nearly 5,000 pounds of artillery, the aircraft had the assembled crowd marveling at its size and menacing payload. Seattle Times reporter Richard Williams was so awed by the sight of the Model 299 that he referred to it as a “Flying Fortress”.
And thus the legendary B-17’s name was born.
The arrival of the B-17 gave U.S. Army Air Corps leaders visions of victory through aerial domination. Reality, however, sharply intruded on those dreams. Small early successes with B-17s in bombing runs gave way to horrendous losses, with nearly 25% being lost on missions at one point. Even beefing up the B-17’s defensive payload to 13 heavy machine guns, and changing defensive tactics, made only marginal differences.
Only when escort fighters were equipped with long-range external fuel tanks, and the German Luftwaffe was ground down, did the B-17s become strategically relevant. Even then German Wunderwaffe—or “wonder weapons”—like the Me-262 jet nearly pushed the B-17 back into marginal effectiveness.
What relevance does the lesson of the Flying Fortress have for the world of cybersecurity? After all, we are talking about a propeller plane with an unpressurized cabin, a laughable top speed, and guns that couldn’t keep up with much faster Luftwaffe fighters.
Plenty, actually, when you think about it.
The great misconception with the Flying Fortress was that a few vicious-looking machine guns pointing in various directions would be enough to scare off, much less shoot down, enemy fighters. The reality was that enemy aircraft were so fast, and coming from so many different directions, that the bomber’s defensive armament proved inadequate.
The same holds true for cybersecurity in the 21st century. Cyberattackers are fast, well-armed, and strike from almost every direction. Two excellent illustrations of this come from recent high-profile attacks. The Target data breach, for instance, hit the company from a relative “blind spot”, namely outside contractors who had unsecured access to Target’s information systems. This vector of attack allowed the cyber criminals to slip past Target’s significant data security investments and successfully pull off one of the larger data thefts in recent history.
Consider too the recent attack on the U.S. Navy and Marine Corps by Iranian-aligned interests. In that case, the cyberattackers were able to penetrate the Navy and Marine Corps’ intranet system, burrowing so deeply into the network that it reportedly took nearly four months to fully dig out the malware. According to published reports, the attackers were able to find entry points that had been left unsecured (some say due to contractual oversights) and use them as a way to implant their malware.
This leads to the larger point, namely that security in any context, including cyber, has to consist of multiple layers, not just one visually fearsome but ultimately marginally useful deterrent.
Even more importantly, it is critical to remember that the last line of defense cannot be the only line of defense. American bombers were only truly successful when fighter planes could escort them to and from the target, and the German war machine was ground down to the point where there were insufficient planes and pilots available to fend off bombing raids.
Just like magnetometers and x-ray machines are not our only line of defense for passenger aircraft, so too must we think in a layered manner when it comes to cybersecurity.
To that end, here are a few thoughts on what might make a good overall cybersecurity strategy:
Ultimately, a company’s cybersecurity level is not going to be measured by the types of software and hardware it uses, but rather by its overall approach to defending itself. This complex problem requires a holistic solution from corporate executives, as well as a grand strategy. Without that, they may well enjoy the same life expectancy as a B-17 crew member.