Outside of Tempe is a place called Sahuarita, Arizona. Sahuarita is the home of Air Force Silo #571-7 where a Titan missile, that was part of the US missile defense system and had a nine-megaton warhead that was at the ready for 25 years, should the United States need to retaliate against a Soviet nuclear attack. This missile could create a fireball two miles wide, contaminate everything within 900 square miles, hit its target in 35 minutes, and nothing in the current US nuclear arsenal comes close to its power. What kept it secure for 25 years? You guessed it…four phones, two doors, a scrap of paper, and a lighter.
Photo Credit: Renee Murphy
Technology has grown by leaps and bounds since the cold war. When these siloes went into service, a crew supplied by the Air Force manned them. These men and women were responsible for ensuring the security and availability of the missile. Because there was no voice recognition, retinal scanning, biometric readers, and hard or soft tokens, the controls that were in place were almost entirely physical controls. All of the technology that we think of as keeping our data and data centers secure hadn’t been developed yet. It is important to note that there was never a breach. Ever.
It might be an occupational hazard, but I can relate almost anything to security and risk management, and my visit to the Titan Missile Museum at AF Silo #571-7 was no exception. The lesson I took from my visit: there's room for manual controls in security and risk management.
In this silo, it took two people to do everything. Launching the missile required two people to turn the keys at the same time (within three seconds of each other); launch keys are over 80 inches from each other, so it would take two people to execute the launch sequence; the only places combat crew members were permitted to go alone were the bathroom, the kitchen, and bed; and the crew members had three minutes to get from the first phone outside the gated parameter to the second phone at the silo entrance or they spent a large part of their day explaining to MPs why they couldn't get to the door in the allotted time. All of those manual controls were meant to reduce the risk of unauthorized access to the silo door, sabotage of the missile or the silo by a crew member, and illegal access to the command center. To enforce all of this, each crew member was armed and prepared to kill, if necessary, to ensure the availability and security of the weapon.
Manual controls are valuable when they are simple, concise, repeatable, and measurable. (Enforcing them with the threat of death is extremely helpful, but not practical in the corporate environment.) Think about the controls in your environment. Think especially hard about the processes that are manual and meant for oversight and figure out if they are as simple, concise, repeatable, and measureable as they can be. Review the data you collect and be sure that what you collect has a purpose, and if it doesn’t — don’t collect it. And above all, be sure that there is consequence for deviation from the process. Its success depends on it.
And, for my friends who are fans of authentication technology, here’s some food for thought. The scrap of paper had a passcode on it, and after a crew member picked up the third phone and read the code to the crew member in the command center; the scrap of paper was set on fire and dropped into a tin can to destroy the “data.” Would you feel safe today with four phones, two doors, a scrap of paper, and a lighter? I would.