recommended reading

What World War II Code Breaking Tells Us About Cybersecurity

The Enigma machine, right, once used by the crews of German U-boats is shown in a British museum.

The Enigma machine, right, once used by the crews of German U-boats is shown in a British museum. // Alex Dorgan Ross/AP file photo


By Jean Gordon Kocienda Cisco February 3, 2014

recent posts

World War II may seem like an unlikely place to go looking for the origins of data analytics or insights into building predictive cyber intelligence programs, but the lessons of the past can help inform even a digital future. British code breakers who deciphered the encrypted messages of the German Enigma machines during World War II not only made breakthroughs in mathematics, but also in understanding and predicting the behavior of German code clerks. The success of Bletchley Park’s code breakers stemmed in part from their insight into human behavior.

The British cryptanalysts had an advantage that we do not always enjoy today – they knew who their enemy was. They could analyze linguistic and cultural patterns within the encrypted messages – searching for recurring communications such as weather reports, or common phrases such as Heil Hitler, to identify patterns. Predicting cyberattack behavior on a global, 21st century scale is more complex. Networks are under constant bombardment from communications that may have hopped numerous times before arriving at their destinations. Malicious actors are always innovating and morphing. Still, human ‘fingerprints’ are bound to appear within the network data to help us identify them, and hopefully to predict and safeguard against future attacks.

Imagine there is a government agency called SHIELD. Its networks are under attack, and administrators suspect that data is being stolen. Information security analysts start with the agency’s risk profile: What critical information is at risk, who might want it, and what might they do with it?

SHIELD’s critical data and national secrets may be targeted by run-of-the-mill criminal hackers, but they also may be very valuable to foreign governments—valuable enough that some actors might go to surprising lengths to obtain them. The geographies associated with unusual network activity are one piece of the puzzle, and so are tactics. Defacement and DDoS (Distributed Denial of Service) attacks occur more frequently than espionage and theft and are often driven by ideology. On the other hand, the most sensitive and highly-guarded intellectual property is likely to be targeted through a combination of social engineering (phishing or insider attacks) and sophisticated malware.

Initial indicators allow SHIELD’s analysts to track and monitor cycles of attacks over specified timespans, looking for patterns. For example, let’s say that SHIELD was hit by a DDoS attack on an election day. It would be in SHIELD’s interest to follow the Internet and social media buzz leading up to future election days.

SHIELD analysts also monitor fluctuations in the amount of suspicious activity correlating to certain times of the year or specific political events. Depending on the evolving theory of the malicious actor, analysts may start monitoring social media or other news outlets for signs that their theory may be supported by geopolitical evidence.

This sort of approach gives clues to politically or ideologically motivated attacks, but does not address financially-motivated criminal activity or espionage. Moreover, making generalizations around political, geographic or cultural factors could lead to reputational damage and is often misleading. Attackers may position cultural references in malware code as decoys in order to cover their tracks. An organized crime group in one country may be acting on someone else’s behalf. Code written by a state-backed hacker may be copied and repurposed by a novice activist motivated by ideology on the other side of the world. Not to mention, our understanding of others’ worldviews or motives are often distorted.

Ultimately, human context is only one piece of the puzzle. The fingerprints on data may cast some light onto the path in front of us as it did for the code breakers at Bletchley Park. Given the attackers, targets and threat vectors we face today, our conclusions and actions must begin and end with the data itself. Developing a resilient cyber threat intelligence program calls for proactive analysis of human behavior, network traffic and, ultimately, letting the truth in the data take us where it will.


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.