Board cybersecurity field trips

Maybe this time, what happens in Vegas won't stay in Vegas!


The annual Consumer Electronics Show shifted from geek heaven to a decidedly more serious tone this year as entire Boards of Directors from companies around the country descended on the Strip to learn about cybersecurity, hacking and more.  Hopefully, in a break from Sin City’s popular tag line, what happens in Vegas will protect a myriad of companies back home.

What happens in Vegas?

The Wall Street Journal reported this week that corporate Board members were taking field trips to the Consumer Electronics Show (CES) in Las Vegas to learn more about cybersecurity.  Coordinated by the National Association of Corporate Directors, members are being treated to specialized programs on technology ranging from a couple of hours to a couple of days.  Though not the kind of party Sin City normally sees, it nonetheless suggests this is a perfect time for CISOs and other security professionals to get more familiar with their Boards.

Let’s be honest – most Board members for companies outside of the technology industry know exactly nothing about ransomware, quantum computing, or state-sponsored hacking.  The closest many of them have come to any of these subjects was watching the 2014 film The Imitation Game.  But perhaps therein lies an opportunity.

There’s a key point early in the movie where Alan Turing (brilliantly played by actor Benedict Cumberbatch) explains in voiceover the complicated mechanisms of the German Enigma machine.

Enigma was Germany’s way of encrypting communications from command centers to ships, submarines, and forward operating areas in World War II.  The Enigma was a complex, though mechanical, device that turned ordinary text into “gibberish” (as the film puts it).

Cumberbatch, as Turing, narrates a short voiceover describing the difficulty of trying each of the Enigma’s possible settings:  159 million million million possible combinations, which changed daily.  Or as British chess master Hugh Alexander (played by Matthew Goode) noted, “1 – 5 – 9, with 18 zeros behind it.”

The law of big numbers

An exorbitant number, one that is difficult to get one’s head around, particularly for the 1940s.  This was an analog device, as computers had not even been thought of yet.  The problem comes from a subsequent scene, one that shows just how difficult it is for people to get their heads around these large numbers.

In this now-infamous voiceover, Turing details how the messages were broadcast over AM radio frequencies: “Any schoolboy with an AM (radio) kit could intercept it.  The trick was that they were encrypted.” On the screen, young women from the Royal Navy busily copy down the intercepted Morse code snatched from the air, transcribe the random letters onto paper, then compile them into files.  The problem comes when Turing explains the math. He says:

“If we had 10 men, trying one combination a minute, for 24 hours a day, seven days a week – how many days do you think it would take to check all the settings?  Well, it’s not days.  It’s years. 20 … million ... years.  To stop a coming attack, we would have to check 20 million years’ worth of settings in 20 minutes.”

The problem is, that math doesn’t work, as has been pointed out numerous times online and in math classes around the world.  Ten men, doing one combination each per minute, would actually take 30 trillion years – a far more imposing number.

Now, I understand creative license in a screenplay. It’s not a documentary of every nut and bolt in the Enigma story.  It’s a two-hour movie, and accuracy must occasionally be sacrificed on the altar of brevity.  I’ve no issue with that.  There are several such liberties in The Imitation Game, and some are kind of funny:

  • The watch Alan Turing wears was not introduced until several years after the war.
  • The Cole Porter song Turing dances to was not written until after the war.
  • Turing’s colleague Hugh Alexander notes he was a two-time British chess champion. But Alexander didn’t win the second championship until, you guessed it, after the war.

Of men and machines

So, what does this have to do with Vegas and cybersecurity?  Vegas is a city built on numbers, on probabilities – on people’s inability to understand probabilities.  It’s an opportunity for a cyber professional to have a low-risk, high-return discussion with their management.

I’d even play that short section of the film to a Board, just to show them how complex encryption really is, and how easy it is to get the math wrong.  One could also show what it would have taken to hit the film’s twenty-million-year target.

It would take 500 people, trying 500 combinations a second, 24 hours a day, seven days a week, to hit that enormous 20-million-year goal. But don’t do the math for math’s sake.  Do it to start a conversation about resources.
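The two figures above (30 trillion years for ten men at one setting a minute; 20 million years for 500 people at 500 settings a second) are plain key-space arithmetic, and the same arithmetic is what a security team uses to estimate how long any exhaustive search takes. The following Python is an added example, not code from the article or the film; it assumes the article’s key-space figure of 159 × 10^18 settings and a 365.25-day year, and it also computes the trial rate the film’s “20 million years in 20 minutes” line would actually demand.

```python
"""Brute-force time estimates for the Enigma key space quoted in the article.

Added example, not part of the original article. The key-space figure
(159 million million million) is the one the film and the article quote;
the worker counts and trial rates are the scenarios the article discusses.
"""

SECONDS_PER_MINUTE = 60
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60  # Julian year; an assumption made here

ENIGMA_KEYSPACE = 159 * 10**18  # "1 - 5 - 9, with 18 zeros behind it"


def seconds_to_exhaust(keyspace: int, workers: int,
                       tries_per_worker_per_second: float) -> float:
    """Seconds needed to try every setting once, all workers running in parallel.

    This is the worst case (the last setting tried is the right one); the
    expected time for a uniformly random setting is half of this.
    """
    if workers <= 0 or tries_per_worker_per_second <= 0:
        raise ValueError("need at least one worker making progress")
    total_rate = workers * tries_per_worker_per_second  # settings per second
    return keyspace / total_rate


def years_to_exhaust(keyspace: int, workers: int,
                     tries_per_worker_per_second: float) -> float:
    """Same as seconds_to_exhaust, expressed in years."""
    return seconds_to_exhaust(keyspace, workers, tries_per_worker_per_second) / SECONDS_PER_YEAR


def required_rate_per_second(keyspace: int, deadline_seconds: float) -> float:
    """Total settings per second needed to cover the whole key space by the deadline."""
    if deadline_seconds <= 0:
        raise ValueError("deadline must be positive")
    return keyspace / deadline_seconds


def film_scenario_years() -> float:
    """Ten men, one setting per minute each, round the clock (the film's setup)."""
    return years_to_exhaust(ENIGMA_KEYSPACE, workers=10,
                            tries_per_worker_per_second=1 / SECONDS_PER_MINUTE)


def article_scenario_years() -> float:
    """500 people at 500 settings per second each (the article's corrected figure)."""
    return years_to_exhaust(ENIGMA_KEYSPACE, workers=500,
                            tries_per_worker_per_second=500)


def twenty_minute_rate() -> float:
    """Settings per second needed to exhaust the key space in 20 minutes."""
    return required_rate_per_second(ENIGMA_KEYSPACE, 20 * SECONDS_PER_MINUTE)


if __name__ == "__main__":
    print(f"10 men at 1 setting/min:        {film_scenario_years():.3g} years")
    print(f"500 people at 500 settings/s:   {article_scenario_years():.3g} years")
    print(f"settings/s to finish in 20 min: {twenty_minute_rate():.3g}")
```

The first function returns roughly 3 × 10^13 years (the article’s 30 trillion) and the second roughly 2 × 10^7 (the article’s 20 million); the last shows that finishing in the film’s 20 minutes would require on the order of 10^17 trials every second. The figures are for the full key space; on average a search finds the right setting halfway through, which halves the time but does not change the order of magnitude.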

That is a lot of time and a lot of resources.  That’s the discussion to have with your Board, your C-suite, and your overall management.  Cybersecurity is an extremely resource-dependent function.  Boards tend to lump it into the overall IT budget as just another line item.  It’s not.  Information technology is for running companies; cybersecurity is for protecting them.

Ransomware like WannaCry and Petya.  Hardware flaws like Spectre and Meltdown.  State-sponsored attacks against Sony and Yahoo.  Criminal theft against Target and Equifax. These are not problems that standard IT budgets (and staff) are capable of stopping.  And it won’t get better any time soon.

Artificial intelligence is making it easier to custom-design attacks.  Defending against them is going to require more resources, people and tools, to protect companies.  It requires a completely different mindset – one most Board members have never had to address before.

What are the risks to the company in the event of a hack?  Is the damage restricted to the firm’s own intellectual property, or is the highest risk from customer data?  Knowing what needs to be protected will dictate how it should be protected.  That in turn will dictate how much the Board should allocate to protecting it.

Should a breach happen, directors (and C-suite management) will be the ones hauled into court, or Congress, to explain why better measures were not in place.  The days of claiming ignorance are over.  Insurance firms are putting directors on notice – standard D&O policies won’t cover their negligence in the future.

The more they can learn from the Vegas experience, the more protected their winnings can be!

This article is published as part of the IDG Contributor Network.