On NPR today they were talking about cybersecurity. The host made a throwaway remark along the lines that with private businesses, you couldn’t expect a full-throated response to the threats his expert guests were discussing, because they responded to the profit motive and it “wasn’t like Los Alamos.”
Here the host was referring to the famous lab where physicists and other scientists worked on the atomic bomb during World War II, and then continued to work on nuclear weaponry. His point, of course, was that the military engaged in state-of-the-art security to protect such critical secrets, whereas you couldn’t expect Visa to do the same thing for its customers.
This statement was immediately ironic, because the very discussion of the episode centered on the “hacks” of Sony and Target, yes, but also Centcom. So it’s clear that the U.S. military (if we take the press accounts at face value) was not immune to the very threats they were discussing on the show. To repeat, one of the news hooks for their discussion was the fact that U.S. Central Command’s Twitter account had supposedly been hacked by ISIS.
Yet beyond that irony, there is a further problem: Richard Feynman, a Nobel laureate in physics, recounts in his wonderful memoir the famous tale of how he discovered a huge security flaw while working on the atomic bomb. Specifically, Feynman had discovered that if someone left his or her office safe open (during the day while everyone was working), Feynman could “casually” read the combination from the interior of the exposed lock. Then he would go to his office and write it down, such that he had the ability to open the safes of a growing number of employees.
At one point Feynman visited the office of a colonel, and boasted that he could crack the colonel’s safe. Here’s how Feynman tells the story:
“The only reason you think they’re safe in there is because civilians call it a ‘safe.’” (I put the word “civilians” in there to make it sound as if he’d been had by civilians.)
He got very angry. “What do you mean—it’s not safe?”
“A good safecracker could open it in thirty minutes.”
“Can you open it in thirty minutes?”
“I said a good safecracker. It would take me about forty-five.”
“Well!” he said. “My wife is waiting at home for me with supper, but I’m gonna stay here and watch you, and you’re gonna sit down and work on that damn thing for forty-five minutes and not open it!” (Surely You’re Joking Mr. Feynman, 145-146)
Feynman naturally cracks the safe (because he had read the combination while the colonel was looking at paperwork and the safe door was open), and astonishes the military man. Then he candidly explains the security vulnerability.
In response, guess what the colonel did? Maybe he contacted the company and had them alter the design for their huge client, namely the U.S. federal government? Nope.
Instead, he sent out a memo telling everybody whom Feynman had visited to change the combination on his or her safe.
One last thing: The Soviets did steal the secrets to the atomic bomb, and one of their spies was at Los Alamos. (Historians dispute the importance of the Soviet spy or spies at Los Alamos, but the Soviets definitely had spies and they definitely built the bomb faster than if they had had to rely on their own scientists.) So contrary to the NPR host, it’s probably good that private businesses rely on the profit motive, rather than the incentives facing State officials.
UPDATE: After I posted this, it occurred to me that I really don’t know what considerations the colonel and his superiors may have gone through, once Feynman alerted them to the security vulnerability. For example, it’s possible they considered sending a memo to everyone, warning not to leave the safes open during the day, but then rejected this plan because people wouldn’t obey it, and the memo would give the idea to would-be spies who were not as clever as Feynman. And I suppose it’s possible that they did contact the safe manufacturers, but Feynman had gone back to civilian life before seeing tangible results from his warning. In any event, as far as Feynman could tell (and as he reported in his memoirs), the only change the military made was to do a one-off reset of the combinations for the safes of people with whom he had had contact.