Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/18/2020
10:00 AM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What the Battle of Britain Can Teach Us About Cybersecurity's Human Element

During WWII, the British leveraged both technology and human intelligence to help win the war. Security leaders must learn the lessons of history and consider how the human element can make their machine-based systems more effective.

The theme for this year's RSA Conference was the "Human Element," which explored the role of humans in the context of machine intelligence. The RSA Conference organizers described this year's theme as follows:

New technologies like artificial intelligence and machine learning promise to fight the bad actors more efficiently than we ever could. And the wider, cheaper availability of advanced nefarious tools has democratized cybercrime. Humans, it seems, have been forgotten as key elements in this global fight.

Indeed, as our world grows more automated and our machines achieve greater intelligence, it's only natural to wonder: What role will humans play in the cyber battlefield of tomorrow?

Which made me recall a seminal moment in world history with an analogous theme: The Battle of Britain, a turning point in World War II as well as one of the first and perhaps finest examples of how an emerging technology was paired with human intelligence that, in turn, changed the course of history.

Defending a Sprawling Perimeter
By the spring of 1940, Hitler's army had run roughshod over much of Western Europe due in large part to the overwhelming superiority of the Luftwaffe, the largest and most powerful air force in Europe. Because the Nazis had taken considerable amounts of territory, the prospect of an invasion of the United Kingdom was no longer a question of if, but when.

The Nazi generals understood that occupying Britain would be far more challenging than the rest of the European continent because it was afforded protection by the English Channel. For a seaborne invasion to be viable, the Luftwaffe would have to soften the target through sustained air attacks with the goal of destroying the British Royal Air Force, its formidable Navy, and other critical infrastructure.

Meanwhile, the British forces were faced with a still more daunting challenge: How do you defend thousands of miles of unprotected coastline and quickly communicate verified air attacks back to central command in a coordinated fashion?

Machine + Human Intelligence
Unbeknownst to the Nazis, British intelligence had been secretly building and deploying a new early-warning radar system known as the Dowding System, named after Hugh "Stuffy" Dowding, the Commanding Officer of the Royal Air Force and the architect of Britain's first fully coordinated air defense system.

The Dowding System comprised three interconnected layers, two of which were based on the latest innovations in radar while the third was perhaps the most crucial, yet also the most primitive. The first layer, dubbed Chain Home, consisted of a series of 360-foot radar masts that dotted the southern and eastern coasts and could detect enemy aircraft from 120 miles away. A second array of co-located smaller radar, Chain Home Low, was deployed to spot aircraft flying below the sight line of the taller Chain Home system.

While early radar systems were effective in providing advance warning of an approaching formation, they couldn't provide important contextual information such as the altitude at which enemy aircraft were flying, or most critically, the types of planes being deployed.

To provide this critical context, the first two layers of radar were reinforced by the "human element" — a reconnaissance corps of 30,000 volunteers manning observation posts day and night, up and down the entire coast.

These observers were responsible for spotting and reporting enemy planes, providing essential intelligence to central command, including the distance and height of observed aircraft, their approximate bearings, and the types of planes in formation. This enabled confirmed reports of enemy raids to be relayed back to command headquarters in under 40 seconds, a remarkable feat that provided ample time for central command to scramble an appropriate response.

The genius of the Dowding System was not in its sophisticated radar capabilities but its ability to orchestrate these disparate machine and human intelligence feeds into a unified early-warning system. While the Germans were well acquainted with radar and were themselves utilizing it, they did not fully appreciate how the British were applying it within the context of an integrated air defense system.

Applying the Lessons of the Dowding System
So, what does all this have to do with cybersecurity and how might we as security leaders employ these lessons? There are a number of parallels that can be drawn from the Dowding System and applied to the modern application of real-time threat intelligence:

  1. Humans excel at providing context: Modern artificial intelligence (AI) engines can pattern match at a scale that humans simply cannot. But understanding context is something that even the most sophisticated AI struggles with.

  2. Orchestration enables self-learning: The ability to synthesize human insight and feed it back into the machine in an orchestrated manner is foundational for building a self-learning system.

  3. Crowdsourcing threat intelligence: A number of leading network and email security tools today are discovering the power of crowdsourcing threat intelligence by providing a mechanism to automatically share real-time threat intelligence across the network.

  4. A multilayered approach is key: No single system should be relied upon to protect your network. A defense-in-depth approach requires the layered application of multiple tools to ensure resiliency.

Interestingly, when we talk about cybersecurity, humans are often considered the "weakest link" in the cybersecurity chain. Whether it's the user who carelessly clicks on a phishing link or a network admin who applies the wrong software patch, we are imperfect by nature and bound to make mistakes. By the same token, those individuals with specific domain expertise are able to understand and interpret nuance in a way that even the smartest machines cannot.

Some 80 years ago, the British leveraged a combination of technology and human intelligence to turn the tide of the war. Security leaders would be wise to learn the lessons of history and consider how the human element can make their machine-based systems smarter, more responsive, and ultimately, more effective.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.