YOU are the WEAKEST LINK
Hackers thrive on that chink in cybersecurity armor: human beings
We live on wireless. This didn’t begin in 2020, but the pandemic made it inescapable. We sit in corners of our homes, talking to our colleagues, our sisters-in-law, our book club on Zoom. Nearly half of American workers now work from home. We order groceries and gifts and tap in credit card numbers.
We depend on encryption to keep our secrets. And yet cybersecurity fails; cybercrime accelerates; privacy is fragile. A recent study found that your robot vacuum cleaner could be hacked from afar to eavesdrop on you.
This battle between encrypters and hackers isn’t simply a product of our computerized age, however. The tech fight dates to the days of telegraph lines, undersea cables and “wireless” — that is, radio. Once information was transmitted by electrical pulses, it was exposed to the world. Who knew who might be working at the cable company, or who might listen in, uninvited, to wireless transmissions?
Code makers and code breakers had existed for centuries. But the communications leap of telegraph and radio made the need for convenient, unbreakable encryption far more pressing, both for businesses and governments.
So the technology of encryption made its own leap. “If you have no good coding system, you are always running a considerable risk ... your correspondence will always be exposed to every spy ... your intended or settled contracts, your offers and important news to every inquisitive eye,” read a mid-1920s sales brochure from the Chiffriermaschinen (Cipher Machines) company of Berlin, advertising its new business device, the Enigma.
Arthur Scherbius, Enigma’s inventor, built what looked like a close relative of a typewriter. Behind the keys was a lamp board showing the letters of the alphabet.
At the back, three wheels stuck out. When you typed a message, the turning wheels and the web of wiring inside them scrambled it. A meaningless stream of letters lit up on the lamp board, ready to be radioed. When a clerk at the receiving end set her Enigma to the same starting position and typed the gibberish, the original text appeared.
The only way to break the code was to know the starting settings and internal wiring of the wheels. But the original design had nearly 2 billion possible settings. Upgrades raised this into the quintillions — a small figure compared to the possible ways to wire the wheels, which came out to a number written as five, followed by 92 zeros. Traditional code-breaking methods appeared useless against the new technology.
In 1926, the Weimar Republic’s Navy began using Enigma machines for its communications, followed by the German army in 1928. Nazi Germany’s air force, the Luftwaffe, adopted the machine in 1935.
The key to blitzkrieg, Germany’s new form of warfare, was “speed of attack through speed of communications.” The only way to direct fast-moving units was by radio — but to send battle plans by radio was to shout them out to the world. Enigma, small and portable, was the solution. Obviously, the Nazis thought, no code breaker would ever be able to look at messages and figure out the internal wiring, not in a trillion years.
Marian Rejewski did it in less than three months.
Rejewski, a 27-year-old mathematician, worked for the Cipher Office of Polish intelligence. He developed his equations to crack Enigma in the autumn of 1932 and solved the puzzle by January 1933. He got an assist in the form of German documents, pilfered by a spy employed by French intelligence. The papers gave Enigma settings for particular dates. French code-breakers were still stymied, but they shared the finds with their allies, the Poles. Rejewski found that they filled in several variables in his equations and speeded his work.
But the real key to Rejewski’s success was that he looked at a seemingly insoluble problem from a different angle than anyone else. Rejewski applied the branch of mathematics devoted to permutations to the problem — an approach that would look obvious only after he used it. Afterward, he and two even younger colleagues exploited a flaw in a German security measure to figure out the new settings for Enigma each time the Germans changed them. As the Germans prepared for war, they upgraded Enigma and moved to changing settings daily. Rejewski’s tiny team couldn’t keep up. In July 1939, they shared their methods with two visitors from Britain’s code-breaking agency, the Government Code and Cypher School (GC&CS). British code breakers’ eventual successes against Enigma — including those by mathematician Alan Turing loosely portrayed in the film “The Imitation Game” — were built on Rejewski’s breakthroughs.
As the Germans continued to upgrade security for Enigma, GC&CS recruited additional mathematicians to keep breaking in.
One was Cambridge University student John Herivel. One night in February 1940, after a fruitless day attacking the cipher, Herivel fell asleep in an armchair in front of his fireplace. He woke suddenly from a dream with a picture of a German Enigma operator in his mind.
Herivel’s dream told him that the flaw in the machine was the man. The “wretched” Enigma operator, adjusting his machine to the new day’s settings at midnight or dawn, half-awake, under the strain of war, was likely to skip one critical security step — so Herivel guessed. Herivel designed a method to look for that mistake and to use it to find the new day’s settings.
Day after day, the mistake didn’t show up. Yet Herivel kept searching for it. Later, he wouldn’t be able to explain why, except to say, “I may simply have felt in my bones that such a beautiful theory . . . must be right.”
Suddenly, in mid-May, Herivel’s idea worked. Nazi Germany had just launched its invasion of the Low Countries and France. The pressure on Enigma operators rose drastically; some took shortcuts. The volume of German radio traffic rose as well, making it easier for code breakers to find the pattern they sought — and then decipher messages.
Herivel’s method was essential until the introduction of “bombes,” massive machines designed by Turing that searched for the Enigma setting that had produced an intercepted German message. The bombe depended on knowing phrases that were likely to repeat in messages. The Germans should have avoided such repetitions, if they’d followed basic code security. But human beings, conveying similar information daily, alternately bored and overworked, were careless.
By the summer of 1942, a torrent of Ultra intelligence — information deciphered from Enigma — played a decisive role in Britain’s victory at El Alamein, a turning point in World War II. After that, the flood of intelligence kept rising. The Germans had such confidence in Enigma that they explained away evidence that their messages were being read. Technological hubris was one more flaw in their security.
In this story, the people we’d now call hackers were the good guys — heroes who helped defeat the Nazis. Since then, the technology of encryption has been utterly transformed. It pervades our lives, and we want it to work.
Yet the Enigma saga remains relevant because human beings have not been transformed. Encryption systems are meant for people to use. The more complicated the security rules designed to protect access, the more likely that people — tired, hurried, bothered — will take shortcuts that make the system vulnerable. The very procedures meant to keep a system safe may provide a way in.
As Rejewski showed as well, encryption systems can be very safe — until one person looks at them differently, cracks the code and launches the next phase of the battle between encrypters and hackers.
Gorenberg is an Israeli historian and journalist. His books include The Accidental Empire: Israel and the Birth of the Settlements, 1967-1977 and The Unmaking of Israel. He is a senior correspondent for The American Prospect and has written for The Atlantic Monthly, the New York Times Magazine, and The New York Review of Books.