How the Development of the Atomic Bomb relates to Cybersecurity
First, I should point out that this blog isn’t trying to make some analogous connection between the dangers, power, or destructive forces involved with nuclear weapons and cybersecurity. (Although the parallels are there… but we’ll just put that aside for the moment.)
What I hope to illustrate is the power of curiosity and intelligence, true intelligence – not the kind that is directly correlated to book-smarts, but rather the kind of intelligence that can create something new and useful from little more than a handful of abstract and seemingly unrelated pieces of information.
To that point, I’d like to introduce Richard Feynman.
It’s important to say that this illustration is made without disrespect or diminution of the incredible accomplishments of all who worked on the Manhattan Project. They all quite literally changed the world.
For those who aren’t physics and math nerds like me, Richard Feynman and the Manhattan Project may need some context.
In 1943, Mr. Feynman was a student working on his graduate thesis in theoretical physics at Princeton when he was offered an opportunity to work on a secret project – a project which would eventually come to be known as the Manhattan Project.
Upon accepting the somewhat cryptic offer, he was quickly shuttled off to Los Alamos, NM, home of what would become the nation’s first Nuclear Weapons laboratory.
A Brief History of Los Alamos, home of the Manhattan Project
In early 1943, conditions in Los Alamos were somewhat less than optimal. Much of the town, technical buildings, and security infrastructure hadn’t yet been built. The army was struggling to erect a secret town as fast as they could, with as much security as they were able.
Obviously, the work that took place within these humble, ramshackle quarters was incredibly sensitive. To protect their information, the army installed guards, guns, and gates.
More specifically, there were two distinct barbed-wire fence lines – the largest surrounding the perimeter of the town with a second, smaller fence defining the internal technical areas where research and engineering were conducted.
There was one way in and out of the town, and that was through a military checkpoint.
The same strategy applied to the technical areas. One way in and one way out. Even once inside, there were established safeguards.
One such control was providing every scientist with a lockable file cabinet and desk drawer. These would allow them to store sensitive and secret documents, calculations, and drawings they were developing in private.
Many pieces of information were so secret that they couldn’t be shared between internal groups.
Everything in Los Alamos was subject to constant, heavy security. Even the mail was closely monitored and censored to ensure that even the smallest clue as to their goings-on could not be leaked.
Richard Feynman Goes to Los Alamos
A young Richard Feynman enters this scene as a very junior theoretical physicist. He’s a naturally inquisitive person who also happens to be naturally brilliant.
He instantly notices the security and compartmentalization throughout the city and acknowledges its need. After several weeks of feeling very secure and protected, Richard notices some things that don’t add up.
Each of the secure filing cabinets was the same. They all used the same type of lock, an inexpensive padlock.
In an exercise intended to figure out how the padlocks functioned, Richard Feynman picked up the practice of locksport – he took it as a challenge to learn how the locks worked and then devise ways to unlock them.
Soon realizing that the cabinets and their locks were providing no meaningful security, he began to raise the issue to high-level managers and Army officers. He eventually was forced to take his concerns to the military commander of the town.
Each time, he was thanked for his concern and dismissed.
Not satisfied, he began switching the contents of various cabinets, each time being careful to re-lock each filing cabinet. The concerns he continued to raise continued to fall on deaf ears, and still no changes were made.
That is, until Feynman opened and emptied the desk of Edward Teller – one of the most preeminent nuclear physicists in the world.
During a staff meeting, Teller extolled the exceptional security of their new town. Feynman then accompanied Teller back to his office, where he had the brief satisfaction of observing Teller discover an empty desk.
Quickly realizing what had happened, Teller demurred to Feynman’s assertion that perhaps some of their security measures were not as effective as they had initially hoped.
As it turned out, the information that Feynman had liberated from Mr. Teller’s desk just so happened to contain early designs for the atomic bomb. Needless to say, filing cabinets that had safe combinations quickly replaced every padlock across the entire research campus.
The point being this: no one responded to Feynman’s legitimate concerns until he exploited a compromised security angle. He literally had to steal the country’s most sensitive information at the time to stimulate the appropriate protective actions.
Richard Feynman: America’s First Hacker
Richard Feynman might be considered the first hacker, at a time long before personal computers existed. His many (often cheeky) exploits highlighted the meaningless security measures implemented by organizations in an effort to safeguard their information.
The initial measures prescribed and implemented for Los Alamos during WWII were effective against a very specific threat, and turned out to be largely obsolete and ineffective when implemented.
Why? The Army’s use of “Guards, Gates, and Guns,” while effective against an advancing military force, was useless against a foe that sought only information… and was able to walk right through the front door of the camp.
Such adversaries intentionally used stealth and went largely undetected by the “state of the art” security mechanisms and systems of the time.
Feynman’s intentional curiosity about the security measures implemented in an early Los Alamos – challenging the accepted ‘norms’ and ‘experts’ – did help to bring about change.
That change unfortunately came too late, as John Cairncross and Klaus Fuchs, two of the first Russian nuclear spies, easily managed to steal many of the designs for the Uranium atomic bomb and transmit them to their handlers.
Modern Cybersecurity still Deals with the Same Problems as the Manhattan Project
This storyline sadly parallels many modern cybersecurity incidents. So many of the high-profile (and a larger number of lower-profile) breaches follow the same plot points.
Without the work of Security Researchers – or as the world knows them, Hackers – many vulnerabilities would never come to light. Those vulnerabilities would stay hidden from those who are tasked with securing and mitigating such weaknesses.
Equally important are those tasked with effecting change within an organization – Managers, Executives, and Owners.
Just as in 1943 Los Alamos, if a perceived threat or weakness isn’t acknowledged and investigated, that same vector often is revealed as a contributing factor to an eventual breach.
The division between organizational management, internal defenses, and external security researchers (truly white hats) must be broken down.
Often, executives and owners de-value, dismiss, and de-emphasize the importance or value of the resources and/or information in their custody.
This author believes this practice to be rooted somewhere between ignorance and denial, both of which demand action and self-education in the current cybersecurity climate.
Often a third party or trusted insider can properly quantify the value and possible (mis)use of such resources.
Organizations of all sizes – with an increasing importance for smaller firms – should undertake a regular Information Asset assessment as part of their quarterly or annual planning.
While the modalities that modern adversaries employ differ (slightly) from those in 1942 Los Alamos, the net result is the same.
An intentional curiosity about ‘why’ security controls are implemented is often more important than following a checklist or prescribed list of security measures.