FROM A 12TH SQUADRON SALMSON TO THE ENOLA GAY: INFORMATION SECURITY IN WAR

Paul Poduslo
PAD 639.61: Cyber Security in Public Administration
Dr. Kelly Misata
May 7, 2017

INTRODUCTION, AND A 12TH SQUADRON SALMSON

On July 5, 1918, in the last months of the First World War, 1st Lieutenant Benjamin Harwood of the United States Army’s 12th Aero Squadron, who flew in a Salmson craft, was honored with the Purple Heart and the Distinguished Service Cross [Gordon 1979.] The description read as follows.

He volunteered, with another plane, to protect a photographic plane. In the course of their mission they were attacked by seven planes (Fokker type.) He accepted the combat and kept the enemy engaged while the photographic plane completed its mission. His guns jammed and he himself was seriously wounded. After skillfully clearing his guns, with his plane badly damaged, he fought off the hostile planes and enabled the photographic plane to return to our lines with valuable information [Gordon 1979, p. 36.]

The honor bestowed upon 1st Lieutenant Harwood is an example of the physical protection of valuable sensitive information while in transit. In this particular case, that information was in the form of twelve photographic plates which depicted enemy German movements in a field near Hundom, France [Gordon 1979.] The information contained within the camera was valuable to the Allied cause, as it could be used in tactical analysis. Because of this, the protection of the photographic plane and the camera it was carrying was of paramount importance to the Allies. Were the photographic plane to embark on its mission solo and attempt to return to base by itself, the risk of losing the data would be too high. Therefore, based on risk assessment protocols, security for the photographic plane was necessary. Hence the dangerous mission was assigned to 1st Lieutenant Harwood and his pilot, Lieutenant Fred Luhr [Gordon 1979.]

Just over two decades later, the Allies were embroiled in another World War. The levels of technology had vastly improved since Harwood and Luhr’s flight. As this paper shall explore, the opposing sides were using wireless radio, telephone lines, and radar beacons. New technologies were constantly being developed. Yet with this rapid advance of technology came an equally fast-paced race for information security. Sensitive information had to be accessed only by authorized individuals. When that information was sent, the channels the data was traveling by had to be secure. The recipient(s) of that information had to be verified and authenticated as being who they claimed to be. New technologies which the Allies were creating had to be kept under wraps. Finally, the very fact that the Allies were accumulating information on the enemy Axis powers had to be held in secret. The thesis of this report is as follows: The Allies’ adherence to future protocols outlined by the National Institute of Standards & Technology (NIST) was beneficial to their eventual victory over the Axis powers. Furthermore, this paper will demonstrate that in the events in which the Allied nations failed to meet future NIST protocols, such failure encumbered their strategic positioning in the war and thus hurt their cause. Throughout the course of this paper, modern NIST protocols, along with other security recommendations, will be examined in detail. Special focus shall be placed upon NIST’s five core functions of identify, protect, detect, respond, and recover. As almost all of the information to be protected was classified at the time of the war, the recommendations of the NIST 800-53 shall also be examined, as federal organizations which handle classified information are required to meet the protocols contained therein.
On occasion, the NIST 800-171 report will be examined, which contains guidelines for organizations which handle controlled unclassified information which still may be sensitive. For purposes of comparison, this paper shall treat the “organization” as the collective of Allied forces as a whole. In the instances in which fellow Allied nations withheld sensitive information from each other, the case shall be compared to an organization’s approach to 3rd party vendors. The assets belonging to the Allies which require protection, such as weapons and information systems, will be examined. The Axis powers, as their objective was to inflict harm on the organization (i.e. the Allies), shall be treated as threat actors. The Allies will be judged based upon their overall ability, or failure, to meet future NIST protocols. One final note is that the NIST publications are considered to be a “living document” in which the organization is expected to respond to situations as well as evolve to new technologies. Thus, the Allies’ ability to adjust to changing conditions will also be measured.

THE OSS’ INDEX CARD SYSTEM

In July of 1941, against the backdrop of looming U.S. involvement in the then strictly European war, the Office of the Coordinator of Information (COI) was created. On June 13, 1942, about six months after the U.S. entered the war, the COI was renamed the Office of Strategic Services (OSS) via military order by President Franklin D. Roosevelt [Heaps 1998.] The agency became the main U.S. government organization to handle the bulk of sensitive data during the Second World War. Under the watch of the Joint Chiefs of Staff, the organization’s responsibilities included data collection, analysis, and storage. Various U.S. agencies such as the Department of State, the Federal Bureau of Investigation (FBI), and the Military Intelligence Division sent information to the OSS, as did countries that were allied with the U.S.
The information obtained by the OSS included data from physical sources such as letters or telegrams, as well as information which was transmitted via cables [Heaps 1998.] The OSS contained several branches which held important wartime roles. After sorting out and analyzing the data, the OSS’s Research and Analysis branch would create reports, maps, or charts. These items would then be referenced by top officials when making tactical decisions during the war. The Central Information Division (CID) held the paramount task of controlling the information that was obtained. The OSS also had its own Map Division, which was of course responsible for cartography, as well as the Interdepartmental Committee, which coordinated information between the agency’s departments. Finally, the Secret Intelligence Branch (SI) handled much of the highly classified information [Heaps 1998.] As many of the files the OSS created were in physical form, a complex filing system was implemented using index cards. The OSS employed future NIST protocols, particularly the 2nd core function of “protect”, in the sorting of their increasingly high volume of documents. The indexes were always secure, and the availability of the data which the cards contained was regulated. The OSS was also fully aware that the files containing classified information required special care. To this end, a classification known as the Limited File (codenamed “L”) was created. The OSS protected “L” classified documents in several ways. First, they only authorized certain people with the clearance to access them. Secondly, “L” documents could only be read within the “Reference Reading Room” [Heaps 1998.] In terms outlined by the NIST 800-53, this not only physically regulated access to classified data, but also hindered tampering with it. Files which contained unclassified information were given the “regular” classification.
Starting in 1943, the OSS saw it necessary to create a third classification specifically for up-to-date information on the advances, retreats, redirections, and tactical strengths of both Allied and Axis forces. These files were given the Order of Battle “OB” classification [Heaps 1998.] OB files allowed military leaders to have quick access when deciding wartime strategy. In addition, some of the more important documents were tracked from memory personally by CID head Wilmarth S. Lewis during his tenure. By the second full year of the war (1943), the CID was handling over 57,000 files. The following year that number would increase to 85,000 [Heaps 1998.] The OSS, especially its all-important CID division, also followed future NIST protocols in the destruction of the sensitive data they had. Lieutenant Raymond Deston, a Navy veteran who followed Lewis as CID head, required a “signed statement” by the person who destroyed a file. This was followed even in the event of accidental destruction [Heaps 1998.] Deston’s policy can be compared to NIST protocols concerning the sanitization of data systems. When these NIST protocols are properly followed, an information system or part of an information system is destroyed in a manner in which retrieving the data is impossible or near impossible. Deston also implemented what was known as the “Third Agency Rule” to help restrict access to files. Under this policy, documents that contained information provided by one agency or division could not be accessed by a different agency or division without permission from the agency that originally supplied the information. For example, if the Navy wanted access to a file that contained information provided by the Army, the Navy would need to seek the permission of the Army before being granted access. This procedure was adopted by the entire OSS [Heaps 1998.] This matched NIST protocols involving restricting the information which 3rd party vendors are allowed to access.
Future NIST protocols were also met in the very hiring of OSS staff [Heaps 1998.] This would be in accordance with NIST 800-53 guidelines within the personnel security family (subsection PS-3) concerning personnel screening. To comply with adequate personnel screening, the organization (i.e. the OSS) carefully screened individuals before they were allowed access to the information system (i.e. the index cards.) The limited selection of personnel who were authorized to access the classified “L” documents followed the “position risk designation” of the NIST 800-53 (subsection PS-2.) In the position risk designation procedure, a position, which designated the level of access an individual was authorized to have, was granted based upon the screening. The higher the access, the greater the risk [NIST 800-53 2015.] In summation, the entirety of the index card system employed by the OSS can be compared to a modern digital information system. Those individuals who were given clearance to access classified “L” documents were the equivalent of modern privileged accounts which are granted high access within a computer system. The OSS can be said to have been highly compliant in meeting future NIST protocols.

A “GUTTURAL” CODE & SCRAMBLED PHONE LINES

NIST security protocols require sensitive information to be protected both in storage and in transit. In World War II, the Allies were well aware, long before the start of the war, that messages transmitted by radio of any kind, regardless of whether they were between an Allied nation’s own departments or between Allied nations, had to be encrypted. When relating the Allied need for secrecy to future NIST protocols, the movement of troops and the planned offensive assaults were highly sensitive information which would surely need “protecting.” To this end, the Allies employed encryption machines. The United States used an electromechanical device called the SIGABA, or M-143-C.
Messages to be transmitted were coded into ciphertext prior to being broadcast. First, the receiving radio operator would transcribe the message. The still coded message would then be sent to a cipher expert, who would retranslate the message via a key he or she held. The entire process proved time consuming, and the equipment needed required a fair deal of space. Yet the Allies believed the system was secure, and to that end it was the best option available at the time [Singh 1999.] However, the United States still sought to improve on their means of sending secure transmissions. One suggestion was put forth by an engineer by the name of Philip Johnston, who had been raised on a Navajo Reservation in the State of Arizona. Johnston’s idea, as he presented it to Lieutenant Colonel James E. Jones, was to employ members of the Navajo tribe to use their native tongue as a means of transmitting code. Johnston believed the language would serve as a secure code as it consisted nearly entirely of spoken words which were rarely written down. Several test messages were sent using the Navajo code. The Navajo “code talkers” were able to translate messages at a rate of around two hundred and seventy seconds (4 ½ minutes) per message, which was a vast improvement on the two hours per message rate previously experienced with the use of encryption machines. Cryptanalysts employed by the U.S. Navy referred to what they heard on the transmission signals as “nasal” and “guttural” [Singh 1999.] It wasn’t long before the Navajo “code talkers” were regularly used. As an added measure of protection for the code talkers, they were even given private bodyguards to accompany them. After the code language was declassified in 1968, a list became available of some of the words used. Some translation examples include “ayeshi” for “bomb” (the Navajo word for egg), “dahetihhi” for “fighter” (the Navajo word for hummingbird), and “lotso” for “battleship” (the Navajo word for whale.)
“Great Britain” was referred to using the Navajo term for “bounded by water.” A slew of other words were translated into Navajo code letter by letter, using the native Navajo equivalents [Singh 1999.] As the method proved unbreakable, the system allowed for superb information security of data in transit. Of course the communications which required the most security were the individual conversations between the two main Allied leaders. U.S. President Franklin D. Roosevelt and British Prime Minister Winston Churchill were in constant contact with each other throughout the duration of the war. On the American end, calls from F.D.R. went to a switchboard located in a secure room in New York which was run by AT&T. The secure room was protected by guards, and words were scrambled by a machine known as the A-3, which was made by Bell Telephone. As a further precaution against the possible tracing of the calls, the operators were trained to randomly alter the frequency of the line. Churchill himself had a private telephone booth in his War Bunker [Brown 1975.] This procedure, aimed at preventing eavesdropping, matches the “access control for transmission medium” protocols (subsection PE-4) within the “physical and environmental protection” family of the NIST 800-53 report. The section recommends protection of lines of transmission. It also recommends physical safeguards for both the communications locations and their wiring [NIST 800-53 2015.]

NONSENSE FROM BLETCHLEY PARK

Meanwhile, America’s ally, Great Britain, was developing a high quality information security system of its own at Bletchley Park. The Government Code and Cypher School (GC&CS) was created in the immediate years after the First World War when two agencies which had served Britain in WWI, the Admiralty’s Cryptanalytic Bureau and the Military Intelligence Bureau, merged together.
The agency transferred its headquarters to their now famous Bletchley Park location at the onset of Britain entering WWII in 1939 [Smith 2017.] The beautiful estate at Bletchley contained fine fields of grass and a grand Victorian mansion. Those who worked at the park told area residents that they were there for a hunting expedition [Singh 1999.] This was of course all a camouflage for the campus’ true operations, which in itself was information to be protected. NIST’s 4th core “respond” function requires the organization to respond to a detected security breach and to make appropriate adjustments. There were multiple ways in which the GC&CS facility at Bletchley was highly innovative in its response to a detected weakness in their existing transmission system. Top British officials were aware of the fact that messages which lacked proper enciphering had already been intercepted and had been read by enemy forces. In 1942, British intelligence sought to overcome this weakness. The GC&CS’s Rockex Cipher System that was created utilized a technique which was modeled on Western Union’s Telekrypton System. It used tape to scramble two data streams. One stream contained the actual information that was to be transmitted. The second stream simply contained random jumble. The two sets of data were then blended into one, and the message was transferred. In the event of the transmission being heard by enemy forces, it would appear to be meaningless nonsense [Smith 2017.] The intended receiving station had their own copy of the nonsense tape. Once the transmission was received, another Telekrypton machine would separate the duplicated section of the transmission, i.e. the nonsense stream. What remained would be the actual message, safely and securely read by friendly forces. As an added measure of security, each nonsense tape (or section of it used) was only used once.
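
An added example, not part of the original paper: a Python model of the one-time nonsense tape described above, with sender and receiver each holding a copy of the tape and refusing to use any section twice. Modelling the "blending" of the two streams as byte-wise XOR is an assumption of this example, as are all names in it (NonsenseTape, punch_tape_pair, send, receive, reuse_leak) and the sample messages.

```python
import secrets


class TapeError(Exception):
    """Tape exhausted, or a request to use a section a second time."""


def blend(stream: bytes, nonsense: bytes) -> bytes:
    """Combine two equal-length streams byte by byte.

    XOR is an assumption: applying the same nonsense twice cancels it,
    which is how the receiving machine separates it out again.
    """
    if len(stream) != len(nonsense):
        raise ValueError("streams must be the same length")
    return bytes(a ^ b for a, b in zip(stream, nonsense))


class NonsenseTape:
    """A reel of random bytes that is consumed strictly front to back."""

    def __init__(self, material: bytes):
        self._material = bytes(material)
        self._used_up_to = 0  # every byte before this offset is spent

    @property
    def next_offset(self) -> int:
        return self._used_up_to

    @property
    def remaining(self) -> int:
        return len(self._material) - self._used_up_to

    def section(self, offset: int, length: int) -> bytes:
        """Hand out one section of tape and mark it as spent."""
        if offset < self._used_up_to:
            raise TapeError("section already used; refusing to reuse it")
        if offset + length > len(self._material):
            raise TapeError("not enough unused tape for this message")
        self._used_up_to = offset + length
        return self._material[offset:offset + length]


def punch_tape_pair(length: int):
    """Produce two identical tapes: one per station."""
    material = secrets.token_bytes(length)
    return NonsenseTape(material), NonsenseTape(material)


def send(tape: NonsenseTape, message: bytes):
    """Blend the message with the next unused section of tape."""
    offset = tape.next_offset
    return offset, blend(message, tape.section(offset, len(message)))


def receive(tape: NonsenseTape, offset: int, transmission: bytes) -> bytes:
    """Strip the nonsense stream; a replayed offset is rejected."""
    return blend(transmission, tape.section(offset, len(transmission)))


def reuse_leak(transmission_a: bytes, transmission_b: bytes) -> bytes:
    """Why each section is used once: if two messages shared a section,
    blending the two transmissions cancels the nonsense and leaves the
    two messages blended with each other, with no tape needed."""
    n = min(len(transmission_a), len(transmission_b))
    return blend(transmission_a[:n], transmission_b[:n])


if __name__ == "__main__":
    sender, receiver = punch_tape_pair(64)
    offset, wire = send(sender, b"WEATHER REPORT FOLLOWS")  # constructed message
    print("on the wire :", wire.hex())
    print("at receiver :", receive(receiver, offset, wire))
    try:
        receive(receiver, offset, wire)  # same section presented again
    except TapeError as err:
        print("replay      :", err)
```
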
This tactic of course made the understanding of messages and information by the enemy a challenging task in both cable and wireless transmissions. The Rockex System that evolved from the Telekrypton System bore improvements in speed while maintaining all the security measures. All in all, the device was light years ahead of the SIGABA [Smith 2017.] The cryptanalysts at Bletchley also succeeded in cracking the codes of enemy cryptanalytic machines, such as the German Enigma and the Japanese Purple. Thus Bletchley became a valuable source of intelligence for Britain. Security protocols for the information which was gained were put into place. Effort was made to separate the code breakers from the actual enemy messages they decoded. At times the team that broke the codes was a different team than the one that actually decoded the intercepted messages. In the event codebreakers did read or otherwise hear of a secret message, they were instructed to erase it from their minds [Holdzman & Lee 1995.] Intelligence deciphered from cracked Axis codes was given the codename “Ultra.” Such information was only reported to certain members of Britain’s War Cabinet and high ranking military officers [Singh 1999.] Those in positions of high command in Britain were well aware that were the enemy Axis powers to be aware that Enigma was cracked, Ultra’s ability to function would be severely impeded. At the suggestion of Chief of Air Intelligence Frederick W. Winterbotham, the Special Liaison Unit (SLU) was created under the MI-6 security umbrella. The SLU, made up of a team of trusted military officers, cipher clerks, and wireless operators, handled all Ultra transmissions [Singh 1999.] A main goal of the SLU was to ensure that information provided by Ultra would never be handled carelessly, or used in a way which would further any individual ambitions. But stealth was the SLU’s main objective.
Above all else, no one outside the circle was to be aware or find out that Axis communications were being read [Brown 1975.] In addition, the secrecy amongst fellow workers at Bletchley Park itself was high. A dance which happened to be scheduled the day before D-Day (the Allied Normandy invasion) was still held, for its cancellation would arouse suspicion amongst the teams that something might occur, even though it was the Bletchley crew’s intelligence which helped plan the attack [Singh 1999.] The work done at Bletchley Park would succeed in meeting future NIST protocols. The 2nd NIST “protect” core function was met when the GC&CS employed strict safeguards concerning who was authorized to know what. As demonstrated, the very fact that the data from the enemy was being accumulated was treated with secrecy. The team which collected the data remained unaware of how their work was being used. The 3rd “detect” core function was followed when British leaders became aware of the fact that Germany (i.e. the threat actor) had penetrated their system. NIST’s 4th “respond” core function was met when the workers at Bletchley Park created the Rockex System as an improvement on their previous system. Finally, the implementation of the Rockex system followed NIST’s 5th “recover” core function, as it allowed Great Britain to recover secure transmission abilities. This is also a demonstration of the organization (i.e. Britain) making adjustments based upon changing conditions. Finally, as with the earlier case of the OSS, once again we see a high level of personnel screening as well as position risk designation as per the NIST 800-53 publication. The 3rd protocol was also followed after it was “detected” that Germany had managed to unscramble the phone calls between Roosevelt and Churchill from a telephone station near The Hague. The British Royal Air Force then once again triggered the future 4th NIST “response” protocol. Their “response” … bomb The Hague.
The German station which housed the unscrambling technology was obliterated. This in part allowed the Allies to follow the 5th “recover” NIST core function, as communication security capabilities were restored. But of course the A-3 scrambling system was used with caution [Brown 1975.]

INTERNATIONAL ACCORDS

As stated in the introduction, the Allied Forces at times took precautions with the level of sensitive information that they shared with each other. The United States and Great Britain did enjoy a good working relationship with each other. In 1941, even before the U.S. entered the war, the two nations entered into an information sharing agreement concerning technology. Both of those nations, however, had reservations about sharing information with the Soviet Union. Top political and military leaders debated what, if anything, to share with the U.S.S.R. for the better part of the war. Chief of Army Intelligence George Strong held special concerns as to the ramifications of a similar agreement with the Soviets due to the fact that it could obligate the U.S. to release classified information with little useful data received in return [Beardley 1977.] In August of 1942, Prime Minister Churchill made a special accord with the Soviet Union concerning information sharing. The information that was to be exchanged included weapons development. However, the accord contained a clause which stated that either nation reserved the right to withhold information even after it was requested by the other nation, provided the nation that refused the exchange of information supplied a reason for doing so [Beardley 1977.] Yet this agreement offered to the U.S.S.R. by Great Britain caused the U.S. to reconsider its previous deal with Britain. One major reason for these new concerns was that the Soviets were granted access to British factories and service stations at any time. Many of these locations held not only British technologies but American equipment and ideas as well. The U.S.
also feared that any technology the Soviets had may later be seized by Germany or Japan. However, the United States gained its biggest reason for caution concerning the deal once the Manhattan Project became a reality in late 1942 [Beardley 1977]. The U.S. responded in several ways. They urged Britain to adopt a policy in which no information was to be offered to the U.S.S.R. Rather, the Soviet Union had to first specifically ask. The U.S. also gave Britain a special catalogue which listed things which were not to be disclosed. These items included data on missiles, sights, jamming devices, radar, as well as “experimental” devices. Were the Soviets to request data on any of the “not to be disclosed” items, a reason for refusal of information would be manufactured [Beardley 1977.] In carefully crafting these international agreements, the Allies, specifically the United States, heavily practiced NIST’s 1st “identify” core function. Items and technologies which the organization (i.e. the United States and Great Britain) had, such as missiles, jamming devices, and other items listed above, were identified and inventoried. The risk in allowing a 3rd party vendor (i.e. the Soviet Union) access to such items was analyzed. In cases of developing technology such as some types of radar, the very knowledge of their existence was identified as something that required protection. Of course this was especially so concerning the Manhattan Project.

OPERATION TICOM

The Allies also employed heavy security measures for the technology they acquired from the enemy. In the closing days of the war, Army Chief of Staff George Marshall sent a memo to General Dwight D. Eisenhower detailing Operation TICOM. TICOM, or the Target Intelligence Committee, would be a secret joint American and British venture under the Combined Intelligence Objectives Subcommittee. It involved several Allied agencies such as the aforementioned British GC&CS, America’s Army Security Agency (ASA), and the U.S. Navy.
The purpose of the mission was to capture German signaling and codebreaking devices upon their defeat or retreat. These types of devices, which fell under the codename “Fish”, included the T-52 Secret Writer (“Geheimschreiber” in the German tongue) [Rezabek 2012.] The T-52 Secret Writer was a teletype encryption machine which was very much the equivalent of the British Rockex described above. With such equipment, Germany and its agencies such as the Navy Signals Intelligence Agency and the Research Bureau had succeeded in breaking many British and Soviet codes, as well as some American codes [Rezabek 2012.] The plan was to parachute within the weakened German lines, penetrate into the German Naval Signals Intelligence Agency, retrieve whatever valuable items of note they could, and wait for rescue from Allied ground troops. The landing teams scored success in Burgscheidungen, Pfunds, and Berchtesgaden, where several devices including a Secret Writer were captured. They also seized Laboratory Feurstein. The TICOM teams’ biggest score, however, came in Rosenheim when captured German prisoners of war agreed to talk as part of an effort to make a deal with the TICOM teams not to turn them over to Soviet authorities (who of course would be ruthless to captured Germans.) Readily grabbing shovels, the prisoners of war dug up and assembled several examples of a new signal splitting device the Allies were previously unaware of at all [Rezabek 2012.] The prisoners were secretly shipped to London for harsh interrogation [Bamford 2002.] The equipment (which was now codenamed “Russian Fish”) was sent to Bletchley Park [Rezabek 2012.] The captured devices revealed several new ways of cracking codes that enabled the United States to unscramble the communications of many nations, including those of an ally they did not fully trust, the Soviet Union.
It was confirmed that the Germans had tapped into AT&T’s telephone lines, unscrambled the messages, and listened in on many personal conversations between Prime Minister Churchill and President Roosevelt [Rezabek 2012, Brown 1975], a fact which Ultra had reported to Churchill several years earlier [Brown 1975.] Germany had also intercepted British messages since before the outbreak of war. Germany had tracked British transmissions since the Munich negotiations when Neville Chamberlain was Prime Minister [Rezabek 2012.] The data obtained from the TICOM mission included classified Allied codes and messages which were cracked and collected by Germany. New technology and methods which the Germans employed could also prove valuable to the Allies. However, the German methods could be used against the Allies were they to fall into unfriendly hands, including the Soviets. For these reasons, the data retrieved from TICOM could impede the Allies’ ability to defend themselves, thus diminishing the Allies’ capabilities. Therefore, even though the data and technology that was captured came from outside the organization (i.e. the Allies), it could still fall under NIST’s “sensitive information” definition. The information could also fall into the NIST 800-53’s category of “security relevant information”, as the German methods which were discovered could hinder the security functions and policies of the Allies [NIST 2015.] As previously stated, Operation TICOM was top secret. Aspects of the operation remained classified by the National Security Agency (NSA) all the way until 2012 [Rezabek 2012.] The Combined Intelligence Objectives Subcommittee and the TICOM teams practiced strict security protocols which, if analyzed, would very much comply with the NIST security protocols outlined in the NIST 800-53 regarding an organization’s handling of classified sensitive information. First, we see another example of stringent personnel screening.
Great care was employed in the selecting of TICOM team members. This complies with the NIST protocols regarding authorizing agents to receive information. The actual devices retrieved were secured, and only authorized agents were given access to them. A larger overview of TICOM reveals that the entire operation can be seen within NIST’s core functions. When Germany cracked Allied codes and tracked Allied messages which were intended to be sent through secure channels, a part of the Allies’ ability to function was hindered. When the Allies suspected that their codes had been cracked, a security breach was detected (with “detect” being NIST’s 3rd core function.) When the TICOM operation was planned and their teams assembled, the Allies were practicing NIST’s 4th “respond” function. The actual carrying out of the plan was the act of the Allies carrying out NIST’s 5th “recover” function. It is important to note that this core function involves not only the recovery of capabilities, but also of public trust. Were American or British civilians to know the extent of Germany’s ability to crack Allied codes, public confidence in the government’s abilities would be hurt. Thus TICOM’s secure handling of captured equipment and data not only gave the Allies new technology, but also helped the governments protect their reputations. This fact also serves as a further explanation as to why the operation remained classified as long as it did.

MADELEINE’S CONFISCATED NOTEBOOK

Modern organizations that wish to employ information security within an increasingly technological age are faced with a challenge. An average of 82% of team members use their own personal devices for business purposes. Many of these devices, such as mobile or cell phones, for example, contain data that is the property of the organization, some of which may be proprietary. Thus a security breach would occur were the personal device to be lost, misplaced, or stolen.
Prior to the advent of the mobile age, organizations still faced issues in the event of sensitive or other confidential information being contained in physical form on an item personally owned by an employee. Unfortunately, the Allies encountered one such issue in October of 1943. “Madeleine” was the codename given to Indian Princess Noor Inayat Khan. She had been living in Paris as an author when the war broke out. She then fled to Britain, disguised herself under the name Norah Baker, and joined the Women’s Auxiliary Air Force. As she was bilingual, her skills were valuable. She was given “special duty” clearance and sent to a wireless post which was part of the “Cinema” network near Le Mans, France. She was later transferred to the Cinema headquarters near Versailles [Brown 1975.] “Madeleine” knew wireless radio. Covertness, however, was not her forte. While she was cautious enough to never reveal her real name even to her close workers, certain habits outed her as a foreigner. It was noted by those who observed her that she mixed milk and tea the British way as opposed to the French way. A simple thing such as this was capable of arousing suspicion in the closely watching Germans in Vichy France. However, the Germans had been observing the network for some time. After much of the Cinema staff had been arrested by the German Sicherheitsdienst (SD), Madeleine radioed the London office from a wireless station in Rue de la Faisanderie to inform them of the incident. London instructed her to lay low. However, on October 13, 1943, SD officials arrested her in her home, as she had returned to Paris [Brown 1975.] It was what was seized within her apartment which struck a huge dent in the security of Allied operations. As she had been an author, Princess Noor (a.k.a. “Madeleine”) had become accustomed to jotting down notes in a personal notebook, which she kept right on her bedside table.
When the SD flipped through its pages, they freely read through lists of contacts and cipher keys. There were even written notes of some of the transmitted messages themselves [Brown 1975.] Data meant to be very secure was compromised.

The SD then devised a plan to impersonate “Madeleine” and continue communications with London. They would, however, need her help to pull the caper off in a believable manner. Every wireless operator had their own unique way of delivery, known as a personal “fist”. In modern NIST terms within the 800-171, the “fist” exemplifies the difference between identification, where someone is simply claiming to be a certain person, versus authentication, where the person proves to be who they claim to be. The fist would be recognized by the person on the other end as a means of verifying that the individual is authentic and the transmission is secure [Brown 1975.]

The Princess refused to cooperate in any way. Yet the SD attempted to operate the Cinema station and execute the impersonation. This placed the British officials in a tight spot when the SD used the network to ask, several times, for sizable parachute drops of weaponry for the Résistance. Were the British to go ahead with the arms drop, the weapons would obviously fall into enemy hands and be used against the Allied cause. Yet if the drop did not proceed as it normally would, the Germans would have a clue that the British were aware that the Cinema station had been seized. The British chose to protect information security at a possible cost of lives, and several arms drops were provided to the Cinema even though the wireless station had been taken over by enemy hands [Brown 1975.]

As stated above, the act of “Madeleine” keeping sensitive information in her personal notebook can be compared to an employee of an organization keeping sensitive data on a personal mobile device. The ramifications of the theft of a personal item containing such data are demonstrated in this case.
Its seizure by Nazi German forces allowed that information to be obtained by a threat actor whose objective was to use that information against the organization. In addition, as the personal data of other agents was also lost in Madeleine’s notebook, the privacy of other individuals was also compromised. In short, the security breach hurt the Allied cause.

Sadly, Princess Noor was transferred from Gestapo headquarters to SD headquarters and eventually to a series of concentration camps. There she spent most of her confinement in chains until she was executed on September 14, 1944. She was posthumously awarded the George Cross for heroism in her refusal to cooperate with the Germans [Brown 1975.]

EUREKA! WE HAVE A SECURITY BREACH

The incident described above was due to the actions of one person. There was an occasion, however, where the entire Allied cause failed to respond to a detected breach, thus failing to meet future NIST protocols. Unfortunately, it also came at a cost. Such was the case with Britain’s Eureka-Rebecca program.

Initially, Great Britain did take security precautions with their Eureka-Rebecca program. Eureka was a radar system operated by Britain’s Telecommunications and Research Establishment (TRE) [Burton 2005.] The equipment was battery operated and bore a lightweight design to allow easy carry by paratroopers [Radar Nomenclature 1945.] The procedure usually involved the dangerous step of parachuting a friendly agent behind enemy lines while carrying the Eureka equipment. The agent would then turn on the beacon on a certain frequency. When friendly planes patrolled over the area, a Rebecca device on board would emit an identical frequency. Only then would the beacon transmit a signal to the friendly plane containing valuable tactical or location information [Burton 2005.] Once Rebecca “found Eureka”, the plane would then have pinpoint accuracy (azimuth) for situations such as a landing invasion [Radar Nomenclature 1945.]
The theory was that having Eureka transmit only after receiving the signal from the overhead Rebecca would prevent the beacon from sending a continuous signal, which would have an increased likelihood of being detected by the enemy. Thus information security was practiced.

Highly classified at the time of the war, the Eureka project would not even be known to American agencies such as the Office of Strategic Services (OSS) until December of 1942, when America’s Signal Corps started investigating beacons that were obtained via means that are still classified [Burton 2005.] This once again shows Great Britain taking precautions to protect knowledge of a project even from their own ally (thus initially treating even the U.S. as a 3rd party vendor). However, as actual beacons were obtained by the U.S., it shows a breach in the system.

Poor security was also demonstrated in the instances of Eureka beacons becoming outright lost during the parachuting while being intended for already landed agents. This was sometimes due to the wind. One report told the tale of a French Resistance team combing the area for hours to locate a lost beacon while German forces were at close range [Burton 2005.]

Yet these cases would not be the worst of security issues with Eureka. It would not be long before enemy forces would breach the system as well. In early 1943, a British plane containing the Eureka-Rebecca equipment would crash land in the Netherlands. The German Luftwaffe within the vicinity obtained the devices. The Germans then cracked the frequency and used the system to send false information to throw off Allied forces. Before the year was out, Japanese forces had also obtained the system [Burton 2005.] By this point in the war, the British were fully sharing Eureka technology with the U.S. But the Allies by this point also knew that the system was breached.
As mentioned earlier, modern NIST protocols recommend that once a breach is detected, an organization should respond to the breach and then make attempts to recover their abilities, as per NIST’s 5th core function. In this case, “recovery” meant the recovery of tactical security abilities. The Allies put forth what proved to be a mediocre response in the end.

A plan was implemented to make adjustments to the system which increased the number of megacycles per second in the signal from 214 to 234. This widened the frequency range to five possible channels in which Allied Eureka equipment could detect a signal from a beacon [Burton 2005.] This had the aim of making it harder for the enemy to use the system to send a false message (as it was assumed enemy forces only knew the old original single frequency). A new policy was also instituted at the insistence of the Signal Corps in which the beacon would transmit a Morse Code key signal via flashing lights that would only be known by friendly agents. In terms of NIST protocols, this would serve as a means of the agent on the ground verifying his identity via transmitting the Morse Code. Finally, beacons would be equipped with a self-destruct feature to avoid enemy capture of the equipment [Burton 2005.] This of course would adhere to NIST 800-53 sanitization protocols of leaving few remaining traces of residue out of which information could possibly be obtained.

The Allied Combined Communications Board (CCB) was of the opinion that the increased frequency range provided sufficient security, despite being fully aware that the enemy had captured parts of the system, and recommended its continued use. Eureka did prove extremely valuable in the invasion of Normandy, serving as a directive for where Allied troops would land. However, the system became heavily compromised in June of 1944 when German newsletters began publishing articles heavily detailing the Eureka program, even down to its use of Morse Code flashes.
Despite this, as late as December of 1944 American agents were deployed in Italy as well as Yugoslavia still using Eureka, and with equipment that was only capable of transmitting two frequencies at that. The policy of the signaling beacon also emitting a Morse Code key via flashlight was also abandoned out of fear of attracting the attention of possible enemy forces in the area, and even in some cases out of laziness by the operating beacon agent [Burton 2005.]

Of course, this paper and its accompanying analysis have the luxury of reflection after the fact. Those involved in the war endured situations in real time and were aware of what had to be done. Being directly involved, agents in the field knew what worked best to accomplish orders. However, in the context of a comparison to modern security systems in compliance with NIST protocols, the Eureka case can be viewed as an example of a grossly insufficient response to a breach in security systems.

Vulnerability scanning protocols are listed by the 800-53 within the “risk management” family (RA-5.) The organization is to assess (or scan) a system in search of a vulnerability or potential vulnerability. Once a vulnerability has been detected, the organization should judge its potential ramifications, or its “vulnerability impact” [NIST 800-53 2015.] The main reason why the Eureka system saw continued use even after its compromise was that the Allies did not believe enemy forces had the ability to duplicate the frequencies, which were high [Burton 2005.] Yet probably the biggest reason was that no better system which could guide troops was available to the Allied Forces. Either way, a system which was known to be compromised was continued in use, largely out of convenience. In addition, the attempts to restore security to the system once multiple breaches were detected were minimal, and not even fully adhered to at that.
It can thus be concluded that not adhering to future NIST protocols hurt the Allied cause. This is evidenced by the fact that a large number of the signals the Allied forces received were actually German in origin, sent using stolen equipment. Thus, it can be said the Allies had a flawed assessment of the breach’s vulnerability impact.

CONCLUSION, AND THE ENOLA GAY

The information contained on photographic plates flying on a plane in our opening example can be compared to sensitive data contained on a flash drive. Both have to be protected in storage and in transit. In relation to future NIST protocols, the organization being examined (i.e. the Allied Forces) met future NIST protocols for most of the war’s duration.

The 1st core function of NIST was practiced when the Allies (or some individual nations within the Allies) identified what assets of value they had in their possession, such as weapons, jammers, and radar systems. The consequences of items falling into the hands of threat actors or even allied 3rd party vendors were identified. Items and technologies captured from enemy forces were also identified for protection. NIST’s 2nd core function was met in the protection of sensitive and classified information both in storage and in transit. Additional steps were taken to ensure the identity of the party on the receiving end, and strict personnel screening was practiced many times. NIST’s 3rd core function was practiced when the threat actors (the Axis powers) were detected to have compromised information transit systems. The 4th NIST core function was adhered to when the Allies responded to such breaches by means of creating new technologies to further mask communications. The 5th core function was met when the Allies took steps to recover their systems as well as maintain their public reputation by keeping breaches classified.
However, in instances in which the Allies failed to physically secure information or discontinue a breached system, sensitive data was compromised. In these cases, the organization (i.e. the Allied Forces) and its abilities were hindered.

This report both begins and ends with the story of a plane. The organization (in this case, the United States) employed information security in the very last days of the war involving the pinnacle of all top secret projects. The project involved position risk designation of the highest order. A secret code was devised which only two people on the planet knew the meaning of. Both of these men were personally selected by the Manhattan Project. Those two men were Captain William S. Parsons of the Enola Gay and Brigadier General Thomas F. Farrell, who was stationed at the American base at Tinian in the Northern Mariana Islands.

On August 6, 1945, two signals were transmitted from the Enola Gay. Not even the radio operator was aware of the meaning of either message. The first transmission was made when a radio aboard the plane started to emit a continuous tone. This was a message that the plane was approaching its target [Kato 2016.] Meanwhile, a second radio transmitted a message using a system in which a letter or a number represented a word. The actual code sent was “A1269” [Kato 2016.] The translation, known only by Farrell, read as follows. As a sidenote, “Trinity” was the secret name given to the atomic bomb test in New Mexico earlier that July [Kato 2016.]

Clearcut: successful in all respects; visible effects greater than Trinity; Hiroshima primary target; conditions normal in airplane following delivery, proceeding to regular base [Kato 2016, p. 72.]

When the continuous tone of the first radio ceased, Farrell knew that the bomb had been released.

REFERENCES

Bamford, James (2002). Body of Secrets: Anatomy of the Ultra Secret National Security Agency. New York: First Anchor Books, a division of Random House, Inc.

Beardsley, E.H. (1977, Nov.). Secrets Between Friends: Applied Science Exchange between the Western Allies and the Soviet Union during World War II. Social Studies of Science, 7(4), 447-473.

Brown, Anthony Cave (1975). Bodyguard of Lies. New York: Harper & Row Publishers, Inc.

Burton, Chris (2005, Winter). The Eureka-Rebecca Compromises: Another Look at Special Operations Security During World War II. Air Power History, 24-37.

Gordon, Dennis (1979, Summer). Montana’s Birdmen of World War I. Montana: The Magazine of Western History, 29(3), 28-41.

Heaps, Jennifer Davis (1998, Fall). Tracking Intelligence Information: The Office of Strategic Services. The American Archivist, 61(2), 287-308.

Holtzman, Golde & Lee, John A.N. (1995). 50 Years After Breaking the Codes: Interviews With Two of the Bletchley Park Scientists. IEEE: Annals of the History of Computing, 17(1), 32-43.

Kato, Hiroki (2016, April). The Radios that Started and Ended World War II in the Pacific. ARRL, the National Association for Amateur Radio, 70-72.

National Institute of Standards and Technology (2014). Framework For Improving Critical Infrastructure Cybersecurity Version 1.0. National Institute of Standards and Technology.

Radar Nomenclature (1945, Dec.). American Speech, 20(4), 309-310.

Rezabek, Randy (2012, August). TICOM: The Last Great Secret of World War II. Intelligence and National Security, 27(4), 513-530.

Singh, Simon (1999). The Code Book: The Evolution of Secrecy from Mary Queen of Scots to Quantum Cryptography. New York: Doubleday, a division of Random House Inc.

Smith, Christopher (2017). Bletchley Park and the Development of the Rockex Cipher Systems: Building a Technocratic Culture, 1941-1945. War in History, 24(4), 176-194.

U.S. Department of Commerce. (2015). NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. NIST: National Institute of Standards and Technology.