Blaming the Typewriter, Not the Typist

My favorite cybersecurity anecdote is from a time when cybersecurity wasn’t even a word. During the Cold War, the Soviet Union found a way to intercept freight shipments of IBM Selectric II and III typewriters headed off to the U.S. Embassy in Moscow and Consulate in Leningrad. Once intercepted, the Soviets replaced the comb bar inside the typewriters with a significantly impressive “eavesdropping” bug that stumped the NSA for years. The bugs' technology is fascinating, not just because of where technology is now, in 2022, but in its own right. The typewriter itself was an advancement in technology, doing away with type bars in favor of a large spinning ball that could be switched out when a new font was required. Like the computer today, typewriters were ubiquitous in offices around the world. Unfortunately for the employees at the U.S. sites, sixteen of them had been hacked.

If you can tell that I’ve always been impressed by this story, it’s because these bugs are the world’s first example of a keystroke logger, transmitting data in short bursts over radio frequencies close enough to a nearby television station that it flew, quite literally, under the radar. Now, I could go on with general lessons from this story about how underestimating the technology of bad actors could land anyone in hot water. Or how any piece of technology, no matter how “low grade” it is, can be a way for data to be breached. Or even blindly trusting detection tools, which can lead to that biting back in the future, isn’t what I always take away, either.

The number one lesson I take from this is to stop blaming those who use the technology instead of the technology itself, blame the typewriter, not the typist. I’ve been seeing for years in many different companies one of the main sticking points for security conversations is about phishing emails or other employee-dependent security measures. If in the 1970s, Soviet agents could install a bug within a non-digital typewriter to send data over radio waves to essentially “hack” the U.S. Embassy, threats will always exist, no matter the technology, industry, or data. Of course, training employees to be wary of social engineering techniques and keeping them up to date on the latest scam trends is important, don’t get me wrong. But what I want to see more of is a holistic view of cybersecurity for companies of all shapes and sizes.

Cybercriminals are good at their jobs. Creating phishing emails that avoid most of the obvious signs of insincerity and look authentic is becoming the norm and is a major security issue. According to Proofpoint’s 2021 State of the Phish, 74% of US organizations experienced a successful phishing attack in 2020. Someone in your organization clicking a rouge link is going to happen. And it’s as blameless as consulate employees using the wrong typewriter back in 1976. What happens next, the response to such a mistake, is crucial.

Between strict compliance requirements, unpatched and aging equipment, and the constant threat of malicious attacks, cybersecurity is complicated. You need a security solution that uncomplicates things. Don’t just seek out a one-off product or a supplied service or even rely on training your employees to be hyper-aware. Nothing is foolproof. Email was never designed to verify senders and it’s extremely easy to create fake emails. Firewalls can’t always detect malicious email and computer applications don’t have blocks in programming to keep out bad code. Narrow-minded policies such as “avoid clicking on anything” and “remember to create a strong, unique password” miss the mark constantly because they just aren’t realistic. Having a holistic and tailored security solution complete with monitoring and updating is the only answer. There is always going to be a hacked typewriter, blame that instead of the user, and find a better solution.