How one question and two movies shaped cybersecurity history

Try to picture this – it is Wednesday morning and an older gentleman at the office is vividly explaining to everybody how he saw a great movie over the weekend. In fact, it was more scary than great, some kid almost started World War 3 with just a computer, and to make long story short, can that happen in real life? What would you do? Give one “yeah, sure” and walk away thinking you have enough problems of your own?

But what if that older gentleman was your boss? And your boss is US President Ronald Reagan?!

Could something like this really happen? – Ronald Reagan, US President (1983)

Ronald Reagan announcing SDI

Old guard

When Ronald Reagan was elected President of the United States he was 70 years old. He wasn’t young, he didn’t handle technology all that well. In March 1983 he talked about SDI, Strategic Defense Initiative, project that people jokingly calling Star Wars, so Reagan’s reputation as technology leader wasn’t all that great.

But the man loved movies. So, on Saturday, June 4, 1983 he was watching WarGames, a movie starring Matthew Broderick; it was almost a science fiction movie where young Broderick hacks into NORAD computer, and unintentionally brings the word to the edge of nuclear war. The movie didn’t sit well with the President.

WarGames, a movie where movie magic was almost real

Few days later in highly classified meeting that should have been about new type of nuclear missile, Ronald Reagan summarized the movie plot for the people in the room and turned to General John Vessey, the chairman of the Joint Chiefs (basically military’s top officer) and asked one question: “Could something like this really happen?”

Vessey promised he’ll look into it. To his amazement, when he met with the President a week later, he had to report that “the problem is much worse than you think.” In just 15 months, which is lightning fast for a government, on September 17, 1984 the world saw the directive NSDD-145. People who wrote it acknowledged that new devices in high tech industries are susceptible to hacking and that foreign intelligence agencies are already doing that, plus if they can do it, it was only a matter of time when terrorist groups will be able to do it as well!

NSA, shadowy agency that not many in 1984 knew even existed, was tasked to secure all computers and networks in the United States, but in the end it all fizzled out due to politics and inter-agency rivalry. The problem with cybersecurity was buried and will not reemerge for some time.

Silver screen

But how did one movie get so many things right? The hacking, the war-dialing, serious lack of security, it was all real.

Two guys who wrote the movie, Lawrence Lasker and Walter Parkes, felt their movie needed some gravitas, some real-world experience. Lasker picked up the phone and called RAND Corporation, think-tank backed by US Armed Forces, where Willis Ware was in charge. Willis Ware was the author of what could be described as the first ever cybersecurity report. And Willis Ware was still mad as hell because at the time nobody has listened to him.

In April 1967 he wrote “Security and privacy in computer networks” – ARPANet, the network that morphed into what we know today as the Internet, was just starting to make plans to connect its first nodes and Ware was there with this report. He described risks associated with file sharing, dangers of on-line systems, putting classified and unclassified files on the same system, in general terms he described everything that is still relevant today!

But it was early. They just wanted to hook everything up, to see what will work. They would worry about security and privacy later. Plus, it was just a few nodes, you could probably put the names of everybody connected to ARPANet on one sheet of paper.

So, when Lasker called, Willis Ware was ready. And he told him enough to write a doomsday scenario that actually could have happened.

Willis Ware, an original cybersecurity expert before that was even a thing

Every man will communicate through a computer whatever he does. It will change and reshape his life, modify his career and force him to accept a life of continuous change. – Willis Ware, computer security pioneer (1966)

Rudderless NSA

The whole security thing, at least on a high level, didn’t come into play until 1992 when Rear Admiral John Michael McConnell became the head of the NSA. NSA at that time had a major problem – SIGNIT (Signals Intelligence) Directorate had an “A Group” and a “B Group”. A Group were rock stars of spying because they were sniffing out USSR. But when USSR fell apart, and signals started to go digital, the NSA was lost.

McConnell was tasked to give the NSA a new direction, direction for a new era. He was given briefings, shown how high-speed fiber optic cables transfer incredible amount of data, but it still didn’t quite click in McConnell’s mind. To ease his burden, he went to see the movie Sneakers, and he has only done that because somebody told him it was about the NSA.

John McConnell in 1990, just two years before he took over the NSA

Sneakers was, and still is, a great comedy-thriller with incredible cast, but the most important thing, at least for McConnell, was a speech at the end where the bad guy says: “There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information!”

Sneakers, a great movie that gave the NSA an idea to reinvent itself

In that moment, the NSA wasn’t lost anymore. McConnell knew the NSA has to control the information, get the data by any means necessary and thanks to the lax security standards around the world, it did just that.

And you know what is funny? Two guys who wrote WarGames, the movie that scared Ronald Reagan, were the same two guys who wrote Sneakers!

The modern age

The private sector is the key player in cyber security. Private sector companies are the primary victims of cyber intrusions. And they also possess the information, the expertise, and the knowledge to address cyber intrusions and cyber crime in general. – James Comey, FBI director (2013)

Well, that was then. When nobody knew better. Unfortunately, not quite.

We at Infigo IS are all about security – we hack, we consult, we build SOCs (Security Operation Center), we build big data powered security solutions, we deal with financial institutions, governments, utility companies, smart cities, IoT, oil refineries, media companies, you name it, we’ve done it. We live security. And we are often troubled by what we see.

Some industries are more secure than others, and much has been done to remedy the sins of the past. Unfortunately, the area of attack is greater than ever, and while a good defense needs incredible amount of work, an exploit can have just a few lines of code. Or is just a one fake e-mail away. In the end, we are still living in a world that has a facade of security; maybe the hardware is great, but the software isn’t. Maybe the software is great, but the implementation isn’t. Maybe the implementation is great, but the people aren’t. Maybe the people are great, but the hardware isn’t. And around we go.

Long, long time ago corporations usually had to be on a lookout for a lone hacker, but today we have highly trained teams, government backed groups, military units dedicated to cyberwarfare, terrorist cells, hacktivists, if you have data on a network, somebody is interested in seeing it. It is a scary world out there, but we are not powerless.

Infigo IS does offer a range of services and products to mitigate the danger; the problem of security will never go away, but we can keep it under control. Even if a corporation has internal security teams it is always good, from time to time, to have somebody else take a look. That is why doctors go to see other doctors – self assessment can create blind spots.

So, to circle back to the beginning – if somebody asked us, as Roland Reagan did back in 1983, “Could something like this really happen?” we would have to say, “not if we can do anything about it!”

Goran Racic, Infigo IS – Head of corporate communications

Infigo IS

Infigo IS | Your data. Our responsibility.