On a mid-summer day in 1935, Boeing engineers rolled out a prototype bomber christened “Model 299”.
It sported four engines, bristled with five 0.30 caliber machine guns, and could carry nearly 5,000 pounds of artillery, and the assembled crowd marveled at its size and menacing payload. Seattle Times reporter Richard Williams was so awed by the sight of the Model 299 that he referred to it as a “Flying Fortress”.
And thus the legendary B-17’s name was born.
The arrival of the B-17 gave U.S. Army Air Corps leaders visions of victory through aerial domination. Reality, however, sharply intruded on those dreams. Small early successes with B-17s in bombing runs gave way to horrendous losses, with nearly 25% at one point being lost on missions. Even beefing up the B-17’s defensive payload to 13 heavy machine guns, and changing defensive tactics, made only marginal differences.
Only when escort fighters were equipped with long-range external fuel tanks, and the German Luftwaffe was ground down, did the B-17s become strategically relevant. Even then German Wunderwaffe—or “wonder weapons”—like the Me-262 jet nearly pushed the B-17 back into marginal effectiveness.
What relevance does the lesson of the Flying Fortress have for the world of cybersecurity? After all, we are talking about a propeller plane with an unpressurized cabin, a laughable top speed, and guns that couldn’t keep up with much faster Luftwaffe fighters.
Plenty, actually, when you think about it.
The great misconception with the Flying Fortress was that a few vicious-looking machine guns pointing in various directions would be enough to scare off, much less shoot down, enemy fighters. The reality was that enemy aircraft were so fast, and coming from so many different directions, that the bomber’s defensive armament proved inadequate.
The same holds true for cybersecurity in the 21st century. Cyberattackers are fast, well-armed, and strike from almost every direction. Two excellent illustrations of this come from recent high-profile attacks. The Target data breach, for instance, hit the company from a relative “blind spot”, namely outside contractors who had unsecured access to Target’s information systems. This vector of attack allowed the cyber criminals to slip past Target’s significant data security investments and successfully pull off one of the larger data thefts in recent history.
Consider too the recent attack on the U.S. Navy and Marine Corps by Iranian-aligned interests. In that case, the cyberattackers were able to penetrate the Navy and Marine Corps’ intranet system, burrowing so deeply into the network that it reportedly took nearly four months to fully dig out the malware. According to published reports, the attackers were able to find entry points that had been left unsecured (some say due to contractual oversights) and use them as a way to implant their malware.
This leads to the larger point, namely that security in any context—including cyber—has to consist of multiple layers, not just one visually fearsome but ultimately marginally useful deterrent.
Even more importantly, it is critical to remember that the last line of defense cannot be the only line of defense. American bombers were only truly successful when fighter planes could escort them to and from the target, and the German war machine was ground down to the point where there were insufficient planes and pilots available to fend off bombing raids.
Just like magnetometers and x-ray machines are not our only line of defense for passenger aircraft, so too must we think in a layered manner when it comes to cybersecurity.
To that end, here are a few thoughts on what might make a good overall cybersecurity strategy:
- Recognize the enemy: If you don’t know who the bad guys are, odds are you won’t be able to stop them in time. In the case of cyber defenses, this means that constantly updating threat information and profiles is critical. Companies have to regularly update their systems to protect against the latest threats and vulnerabilities (including through techniques such as automated threat sharing) in order to avoid being blindsided by a new threat.
- Don’t be afraid to profile: Profiling is usually a dirty word in America, especially when it comes to identifying potential bad actors. In the world of cybersecurity, however, it is a critically important and useful tool. I’m not talking about profiling people to see whether they could be hackers, but rather about examining files and websites to see whether they pose a potential threat, which is an excellent defensive layer. So-called behavioral or heuristic defenses are excellent at spotting previously unknown malware and quarantining it.
- Use your head: For some reason, common sense seems to go by the wayside when it comes to cybersecurity measures. Leaders tend to panic and forget that certain simple steps can be immensely helpful. For instance, when entering into contracts with any other party, whether for security or just technology, security should be a primary consideration. Buyers need to clearly set forth who is responsible for security, and what kind of security is being offered. Think of it this way: if a company is negotiating a lease for office space, it would bargain over who provides security and maintenance, who pays for utilities, etc. Negotiating cybersecurity is functionally the same thing—negotiate and define responsibilities. Overall, companies need a smart battle plan. Find weaknesses, stay abreast of threats, and most importantly have plans to defend your systems and fix them when penetrated.
Ultimately a company’s cybersecurity level is not going to be measured by the types of software and hardware it uses, but rather its overall approach to defending itself. A holistic solution is required from corporate executives to this complex problem, as is a grand strategy. Without that, they may well enjoy the same life expectancy as a B-17 crew member.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at email@example.com.