You probably read the recent shocking story of how American military members, entrusted with nuclear access codes, are alleged to have compromised them. To do so, they are accused of having used an online study application designed to help memorization. By so doing, they apparently hoped to help themselves memorize various nuclear code entries. Shock, however, is not truly a vocabulary word for most security officers who are aware of history. Rather, the shock should be that it took adversaries so long to figure out this potential compromise, and that security professionals did not anticipate it.

What do we know about targeting of codes? What is done to secure our codes from the adversary? For that matter, who is the adversary? After all, if you know who is after what you have, you have a better chance of protecting it, no? Let’s review.

Nuclear Codes in World War I

In World War I, a British SPAD aircraft chased a German Zeppelin across northern France. The airship had just returned from a bombing mission over England. Realizing his aircraft was going down after being pierced by dozens of machine gun bullets, the German pilot made a desperate decision. He directed his colleague to start tearing up their code book. With the advent of wireless technology, such a code book was invaluable. So away he went, tearing out page after page of the book, then tearing each sheet again and again. He then tossed the shreds out the bomb-bay. As the Zeppelin began its slow but inevitable glide downward, the torn pages floated over miles of contested land. In the end, the last page was ripped to shreds and cast out the bomb-bay after all the others. With a smile, the navigator knew that his code was never to be compromised. Indeed, most of it fell behind German lines. Except for the blue pages. There were four blue pages in the almost hundred-fifty-page text. These blue pages were so marked for those using the code book. This is because the blue pages held the required keys to all use of the code, such as when it is changed, why, and under what circumstances. Find those pages, and you’ve got the whole access! Once the Allies figured this out, they put the word out to soldiers on the front to ‘Find those blue pages!’ Enterprising French officers, through whose district the wounded Zeppelin flew, told their men that it would be relief from the trenches for whoever could find blue pages scattered around their trench works. In short order, parts of the book’s white pages were recovered from miles around, and indeed all the blue pages were discovered! The Allies had what they wanted. The German code was compromised, and the Kaiser’s men never knew.

Codes in the Cold War

In the Cold War, a Western Allied soldier was recruited by the Soviets. He was a bright young man, but with limited access to classified information. So his Soviet handlers directed him to seek a position with NATO. He accomplished this and, after several requests, found himself posted as a guard to a NATO Headquarters. A patient man, he watched and discreetly memorized the combinations of safes within his purview as colleagues opened them. Indeed, these were safes with special-weapon code data. Then, after hours, he opened them himself, stealing documents which delighted his handlers. They met him in the dead of night, copied the documents, and each was returned to its proper place before dawn.

See the Whole Lifecycle in the Strategy

Stories like these raise the hair on security officers’ necks. So much so, that corrections to these and other discovered compromises have long since been implemented. And the same happens today.

Now we have the case of the study apps. Still we have adversaries looking for our nuclear codes. Strategies don’t change. Still, however, we don’t patiently walk each and every use of these codes through their entire ‘life’. We must always consider ‘what if’. What if a German had asked what could happen if only the blue pages fell into adversarial hands? What if someone at NATO had simply suggested we should change the guard who watches over access to the code safe regularly, and at erratic intervals? What if we briefed our own personnel today that they should never write down the information they are to memorize, not on paper and especially not online? What if we reviewed, and reminded, and noticed each and every way such codes were used? If we walked our code uses through their entire ‘life cycle’, these compromises would have been precluded.

Know the Adversary

Codes remain targets for those who want to know what we’re up to. Adversaries will do anything to get them. We need to ask ourselves, who is out to get them? Simple, dated answers from yesteryear will not suffice. Yes, our international adversaries are there aplenty, and are always active in pursuit of our secrets. But nowadays security companies, information brokers, criminals, and public news service organizations are combing the internet, seeking ways to get at us. Let’s not pretend we are safe. It is said this recent reported compromise was discovered by a friendly research company, Bellingcat. This company does great service identifying from metadata people and places which others try to hide. They, for example, identified as of Russian origin the ‘anti-aircraft artillery’ and its supporting soldiers’ presence in the Ukraine conflict.

We always come back to first principles. Know your adversary’s goals. Know his capabilities to achieve those goals. Know who is, after all, an adversary.



John William Davis was commissioned an artillery officer and served as a counterintelligence officer and linguist. Thereafter he was counterintelligence officer for Space and Missile Defense Command, instructing the threat portion of the Department of the Army's Operations Security Course. Upon retirement, he wrote of his experiences in Rainy Street Stories.