It’s strange how some mediocre stories stick tenaciously in your mind for decades while other, better stories don’t leave much behind after they last page or final frame. It’s almost enough to make you start believing in predestination and fate: how an old, inconsequential story can suddenly come to mind at just the right time to serve as an optimal analogy for a completely unrelated problem.
Case in point: I was catching up with a former squad mate last week. We were sharing stories of funny and weird things that had bedevilled us since we’d held since we’d last talked. As the pints came and went, we got to swapping funny workplace stories and got onto the subject of frustrating on-boarding protocols. My buddy related how he spent three days sitting idle at one new employer while he waited for his company network account to be created. I countered with a story about how I was forced to wait in an empty cubicle with nothing to work on for over two weeks at a new employer because my new boss had ‘forgotten’ to request my company account.
In between bouts of laughter, my old Army buddy (who is not an IT person by trade) asked why it’s always so damned difficult to provision new user accounts and deploy basic IT equipment. Showing up at a new job only to find that your employer is inept at handling basic on-boarding seems daft. Before he finished his gripe, I had my answer ready in the form of a really obscure movie allusion.
So much of mankind’s pop cultural wisdom was lost when crappy video stores went extinct.
‘Think Gray Lady Down,’ I said. ‘Proper account provisioning involves a lot of careful planning. The company has to ensure that critical systems and information are protected from lateral compromise during a breach, by restricting your access to the absolute minimum required to do your job.’
My mate looked at me like I’d suddenly launched into a frothing diatribe about secret cabals of lizard people controlling reality television. He feigned courtesy for a second, while trying to hide his desperate eye-flicks towards the exits. I realising that I’d have to explain my chain of connections quickly, before my dinner guest ‘had to take a call’ and disappeared for another ten-year stretch.
First things first: Gray Lady Down was a 1978 Navy-themed disaster movie. It featured a star-studded cast, including Christopher Reeve (of Superman fame, in his film debut), Charlton Heston, David Carradine, Stacy Keach, Ronny Cox, and Ned Beatty. In the proud tradition of 1970s epic disaster movies, Lady features a U.S. Navy submarine that gets rammed by a freighter one dark and foggy night. The sub sinks before the sailors can abandon ship, coming to rest on the seafloor on the edge of a canyon. The Navy scrambles to rescue the surviving sailors before their stricken boat  falls off its precarious ledge into the nearby abyssal trench where it will surely be crushed.
Lady is a rock-solid 1970s disaster movie through-and-through: it has well-known movie stars, loud over-acting, drama, lots of emotional secondary character deaths, guilt, self-doubt, and heroism, all hinging on a reasonably-plausible premise. It was a story that tugged at contemporary audience’s anxieties, since it invoked real-world things to be legitimately terrified of. That made it very different from modern, utterly-implausible, pseudo-disaster films like the recent box office bomb Geostorm.
Pity the poor office worker who – while waiting for his new network account to be provisioned – went to the cinema to see THAT godawful bomb.
Anyway. To the analogy! Early on in Lady there’s a scene that applies to my (tenuously connected) cyber security point: the stricken submarine gets rammed and hulled by the unsuspecting freighter. Terrified sailors struggle to reach a safe compartment while seawater floods their space. In desperation, a sailor closes and secures an inner bulkhead hatch between the damaged and undamaged sections, condemning a number of sailors to death by drowning. We’re told later in expositionary dialogue that if the one sailor hadn’t sealed off the flooding compartment, the fast-moving water would swiftly have filled the boat, killing everyone aboard.
The connection between naval ship construction and cyber operations isn’t as crazy as it might seem. Consider how similar a ship is to computer network: They’re both designed to keep something precious (people on a ship, information on a network) safe from a relentlessly dangerous outside environment that always pushing against it, looking for a way in (the sea and the Internet, respectively). If the ‘perimeter’ of a network is breached, outsides threats will immediately and relentlessly probe as far into the compromised net as it can.
Ships use watertight interior bulkheads to prevent water entering through a hull compromise from flooding the vessel.  In a similar vein, security boffins use network segmentation, internal network traffic barriers, user account restrictions, drive and directory permissions, and other ‘bulkhead’-like tools to restrict access to hosts, networks, and data within a large company network. In a poorly-designed network, a user can authenticate into the network once and thereafter have access to every resource and record on the company-side of the firewall. When a user ID is compromised, a hacker can pillage the entire shebang, downloading, destroying, or corrupting the network owner’s previous data. Hence the notion that if the hacker gets in to your network at all, you’re sunk (so to speak).
Forget torpedo strikes, explosions, and screaching alarms … Real-world cybercrime isn’t even as exciting as stock photos make it out to be.
In a well-designed network, a hacker who compromises a user account can only reach those servers, shares, and records that the individual user was allowed to see and interact with; everything else on the company network is locked down behind the metaphorical equivalent of watertight bulkheads and actively-guarded hatches. Therefore, when (not if) a hacker gets in, he or she can only do so much damage. The network remains semi-operational and semi-secure until such time as the company’s security team can launch a ‘rescue-and-recovery’ operation to set everything right.
That’s often why it takes so long to set up a new user account in a large company. A responsible IT department doesn’t just give the new user a PC and a domain account that can reach everything. They have to build and test a hardened, locked-down, fully-patched and –configured PC that’s bristling with integrated defensive components. They also have to determine which servers, services, applications, and data shares the user will be allowed to access based on his or her department, function, and assigned roles. All of those permissions then need to be ‘unlocked’ individually, since new accounts are universally locked down by default, able to access nothing without deliberately-assigned exceptions. All of those ‘delays’ that people experience starting work at a new company are annoying, but necessary for the integrity and security of the company’s information systems.
I’ll be the first to admit that it’s not a perfect analogy; you can’t ‘sink’ a network.  That’s okay, though; cyber security can be darned complicated sometimes, and difficult to explain. A good analogy or metaphor gets enough of an idea across to provide some useful context. In this case, my old Army buddy grasped the essentials of what I was trying to argue (and didn’t bolt for the exit), so … mission accomplished? He learned something new, so I’m calling it a ‘win.’
 I learned that submariners call their vessels ‘boats’ rather than ‘ships’ when I was a little kid. Another useless fact that stuck around for future allegory construction purposes.
 Interesting side-note: one of the contributing factors in the sinking of the RMS Titanic appears to have been the inadequate design of her interior watertight bulkheads. They blocked horizontal water movement from compartment to compartment, but not water flowing over them.
 I refuse to make the obvious sink ≠ synch pun here. You’re welcome.
Title Allusion: David Lavallee (novel), and James Whittaker, Howard Sackler, and Frank Rosenberg (screenplay), Gray Lady Down (1978 film)
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.