recommended reading

What World War II Code Breaking Tells Us About Cybersecurity

The Enigma machine, right, once used by the crews of German U-boats is shown in a British museum.

The Enigma machine, right, once used by the crews of German U-boats is shown in a British museum. // Alex Dorgan Ross/AP file photo


By Jean Gordon Kocienda Cisco February 3, 2014

recent posts

World War II may seem like an unlikely place to go looking for the origins of data analytics or insights into building predictive cyber intelligence programs, but the lessons of the past can help inform even a digital future. British code breakers who deciphered the encrypted messages of the German Enigma machines during World War II not only made breakthroughs in mathematics, but also in understanding and predicting the behavior of German code clerks. The success of Bletchley Park’s code breakers stemmed in part from their insight into human behavior.

The British cryptanalysts had an advantage that we do not always enjoy today – they knew who their enemy was. They could analyze linguistic and cultural patterns within the encrypted messages – searching for recurring communications such as weather reports, or common phrases such as Heil Hitler, to identify patterns. Predicting cyberattack behavior on a global, 21st century scale is more complex. Networks are under constant bombardment from communications that may have hopped numerous times before arriving at their destinations. Malicious actors are always innovating and morphing. Still, human ‘fingerprints’ are bound to appear within the network data to help us identify them, and hopefully to predict and safeguard against future attacks.

Imagine there is a government agency called SHIELD. Its networks are under attack, and administrators suspect that data is being stolen. Information security analysts start with the agency’s risk profile: What critical information is at risk, who might want it, and what might they do with it?

SHIELD’s critical data and national secrets may be targeted by run-of-the-mill criminal hackers, but they also may be very valuable to foreign governments—valuable enough that some actors might go to surprising lengths to obtain them. The geographies associated with unusual network activity are one piece of the puzzle, and so are tactics. Defacement and DDoS (Distributed Denial of Service) attacks occur more frequently than espionage and theft and are often driven by ideology. On the other hand, the most sensitive and highly-guarded intellectual property is likely to be targeted through a combination of social engineering (phishing or insider attacks) and sophisticated malware.

Initial indicators allow SHIELD’s analysts to track and monitor cycles of attacks over specified timespans, looking for patterns. For example, let’s say that SHIELD was hit by a DDoS attack on an election day. It would be in SHIELD’s interest to follow the Internet and social media buzz leading up to future election days.

SHIELD analysts also monitor fluctuations in the amount of suspicious activity correlating to certain times of the year or specific political events. Depending on the evolving theory of the malicious actor, analysts may start monitoring social media or other news outlets for signs that their theory may be supported by geopolitical evidence.

This sort of approach gives clues to politically or ideologically motivated attacks, but does not address financially-motivated criminal activity or espionage. Moreover, making generalizations around political, geographic or cultural factors could lead to reputational damage and is often misleading. Attackers may position cultural references in malware code as decoys in order to cover their tracks. An organized crime group in one country may be acting on someone else’s behalf. Code written by a state-backed hacker may be copied and repurposed by a novice activist motivated by ideology on the other side of the world. Not to mention, our understanding of others’ worldviews or motives are often distorted.

Ultimately, human context is only one piece of the puzzle. The fingerprints on data may cast some light onto the path in front of us as it did for the code breakers at Bletchley Park. Given the attackers, targets and threat vectors we face today, our conclusions and actions must begin and end with the data itself. Developing a resilient cyber threat intelligence program calls for proactive analysis of human behavior, network traffic and, ultimately, letting the truth in the data take us where it will.


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.