I recently watched a documentary about the Supermarine Spitfire – Spitfire: The Plane that Saved the World – one of the iconic airframes not only of the Second World War, but of military aviation from its start to the present. In addition to the documentary’s interviews with surviving Spitfire pilots and use of archival footage, the film also noted two critical items enabling the Spitfire’s success: the Rolls Royce Merlin engine and the Royal Air Force (RAF) Fighter Command. Without these two systems (or technologies), the Spitfire (and much else) would have never achieved the success it did, and the Battle of Britain may very well have been lost. While this might seem so much history, an evaluation of how these two systems represented differing trends in technology and coordination reveals some interesting lessons for both information security and the role of communication for operations.
First, the Rolls Royce Merlin engine is to this day regarded as one of the finest pieces of engineering and design put forth by man. Yet this very nature means its beginnings resemble more art than industry, as initial Merlin production took place using methods that would be recognizable to 15th Century Flemish weavers or similar pre-industrial production. Essentially, each Merlin was a hand-made, somewhat unique artifact – making it not only slow to produce, but requiring skilled labor to do so and undermining the ability to create and store reliably replaceable parts that would work for repairs and maintenance in all deployed Merlins. As a result, English production was limited, and although the engine’s performance is unquestioned, its limited numbers undercut usefulness during a time of mass mobilization and industrialized warfare.
In the run-up to war, England knew it needed to increase production – while the United States (then neutral but slowly realizing where matters were heading) needed a high-performance engine. Thus began not only a type of technology transfer and sharing which given the type of equipment involved not only echoes Five Eyes-like sharing of offensive cyber tools, but would lead to a profound change in production methodology. Essentially, through sharing plans for the engine and showing a willingness to allow American commercial entities to experiment (and essentially redesign) the Merlin, rapid, unskilled, assembly-line production of the Merlin became possible. A piece of technology that effectively resided in artisanal production for use had transitioned to effective mass-production to equip Spitfires, Hawker Hurricanes, P-51 Mustangs, and Avro Lancasters (among other airframes) at rates far outstripping engine production in Nazi-occupied Europe. Combining an English engineering feat with American production design and acumen resulted in a “best of both worlds” accomplishment: producing an incredibly powerful and reliable engine but doing so using unskilled, readily available labor at high rates of throughput.*
Yet the mass production of war material and its deployment in large numbers was nothing new in the Second World War. Complex machinery such as high-performance piston engined aircraft may have been unique for the 1940s, but the world (and Europe especially) had already experienced a type of industrialized warfare a few decades prior: The First World War. Yet for all the large-scale production of dreadnaughts and artillery, the First World War was fought under conditions that mirrored conflicts several decades prior from the Crimean War to the American Civil War’s Petersburg Campaign, but with massively increased amounts of men, material, and destruction. Debacles such as the Somme or Jutland☥ brought massive amounts of force to bear, yet achieved no or very limited success in the process.
One of the primary reasons for the failure of massive actions in the First World War is deceptively simple: poor communication. While embracing technological developments in mass production and movement (largely via rail, sufficient in densely-populated Europe, and coal or oil-fired shipping) the actual ability to see, control, or communicate with such forces after the start of action was at best limited, and typically nonexistent. Naval communications over HF radio used fairly basic codes which could easily be intercepted and decrypted, leading to use of visual flag signals. Wireless sets were far too large and required significant power making them nearly impossible for use outside naval installations, while battlefield telephone systems would often be destroyed following the very initial artillery actions designed to clear the way for an infantry attack.
Thus, returning to our initial inspiration, combat in the 1940s represented almost a complete sea-change from the 1910s in the miniaturization of wireless communication and the incorporation of more sophisticated early-warning and detection systems such as RADAR. Public admiration and pride in the fliers who defended the United Kingdom in the Battle of Britain focuses on the pilots responsible for taking on overwhelming odds – yet such heroics would have been futile or pointless had these pilots and their supporting aerodromes used communication and coordination mechanisms from a few decades prior.
Instead, Britain (and her allies such as the Free French and Polish Air Forces that escaped occupied Europe) found a mechanism to maximize the utility and effectiveness of its air power in the face of overwhelming odds. RAF Fighter Command (relying primarily on women plotters and communicators) would leverage visual, audio, and RADAR mechanisms to identify German attacks and their likely tracks, and vector air assets to intercept. When previously each aircraft would be essentially on its own to patrol and identify enemies by sight, now each aircraft was supplemented by an extensive sensor network to detect activity of interest, and allow a concentration of force at the location necessary to repel or at least reduce the effectiveness of a bombing raid.
This combination of events – the mass production of Spitfires (and Merlin engines, among other items) combined with enhanced real-time command and control of operations – represents an inflection point in military history. Prior to the Second World War, so much military innovation focused on identifying means to enlist, equip, and deploy more men and material in the field for longer periods of time to overwhelm the opposition through sheer force of arms. After the Second World War, the overall size of combatant forces has largely declined, as the incorporation of greater mechanisms of communication and increasing effectiveness of munitions (to say nothing of atomic weapons) meant that smaller, but better informed and coordinating, forces could be as or more effective as the mass armies used from the Napoleonic Wars through the First World War. Given the time and circumstances of mass industrial total war, the ability to combine extensive, reliable production with information dominance (awareness, communication, and command) produced a winning formula such that, though matters were still difficult, the Axis would never win a protracted conflict.
So, what does this historical digression say about information security? Essentially, we are at First World War levels of operation at present: a focus on bringing overwhelming force to bear on threats, without having the means or mechanisms to coordinate or direct such forces which would enable both greater effectiveness and greater efficiency. At the same time, information security also remains wedded to an idea of artisanal level expertise and development, leading to the constant hand-wringing over “workforce shortfalls” and similar items.
Looking at history, these problems are neither unique nor unsolvable. A combination of enabling greater numbers of less skilled individuals to complete a task through standardization or direction with greater informed control and information dispersal to decision-makers can produce a winning formula in information security similar to that which enabled an isolated, outnumbered RAF to win the Battle of Britain. Yet within information security, many remain wedded to an idea where personnel must be unique and hard-to-find unicorns capable of reverse engineering malware while possessing a CISSP (essentially, the hand-crafted Merlin), while operating in relative isolation (either as a stand-alone individual, or an organization isolated from others) expected to both identify risks and mitigate them independently (air defense operations absent Fighter Command). While we may laud and praise “rock stars” within the industry that can miraculously combine technical ability with situational awareness to combat threats independently absent any support, such is not a winning formula – just as an RAF fighting for its life using pre-industrial practices with no conception of bigger-picture communication and queueing would have been doomed.
Within information security and cyber defense, the threats are only increasing between a proliferation of state-sponsored, criminal, and other actors. Meanwhile, although there is a definite “call” for more bodies and experience in this field, there is only so much one can do to produce multi-talented, technically adept stars for every available position. In many respects, we as security practitioners find ourselves in the same place as the British government in 1940 – seemingly alone, outnumbered, and under-resourced. Yet at the same time, there are mechanisms that can be used to close this gap, or to even turn the current position (defensive) into an advantage against aggressors. A combination of greater strategic planning, workforce development, process creation, and communication can be used to maximize available resources – both technical and human – to meet this issue. But simply wishing for magical GREM/CISSP/CHFI individuals with five (or more) years of experience and a computer science background to suddenly materialize is not only unlikely – it is also not addressing the core problem.
Thus, instead of perpetual hand-wringing over personnel shortfalls or budgets that fall short of desires, we as professionals within this space need to first identify what equipment, capabilities, and mechanisms are already at hand. Based on this evaluation, we can then work to gain greater efficiencies from that which already exists by defining procedures, checklists, and standardization to increase the capability and effectiveness of our “non-rock stars”. Then, to maximize the ability to bring efforts to bear on problems and intrusions, improve both intra- and inter-organizational communication – security working and communicating with IT, similarly-situated organizations establishing robust sharing and tipping networks. While there is still value in fancy EDR solutions and expensive threat intelligence feeds, building up these processes and methodologies can significantly increase efficiencies and allow network defenders to gain an advantage over attackers, in mechanisms similar to how the RAF saved the United Kingdom.
*Those interested in this specific topic are recommended to pick up Arsenal of Democracy. While the book maintains a pro-management, anti-labor stance throughout, it nonetheless does a very good job in covering the combination of business and engineering revolutions that powered American wartime production that enabled the United States to supply itself and multiple allies on at least four fronts (Western Europe, Eastern Europe, Pacific, China) for several years.
☥For more information on Jutland and its relationship to communication, culture, and battlefield control, I highly recommend the underrated (if long) Rules of the Game. If you can make it through detailed discussions of late 19th century British naval culture, you will be rewarded with a masterful analysis of how culture and training combine with technological limits to produce operational failures (or at least, sub-optimal outcomes).
