During World War II, the Allied powers intercepted huge volumes of radio communications being used by the Axis powers to coordinate military activity. Many intercepted messages had been encrypted using the most sophisticated algorithms available at the time, and the encryption keys were changed as frequently as every day. Because Allied codebreaking and decryption efforts were too slow in the early years of the war, cracking those codes resulted in information that became irrelevant almost as soon as it was gleaned.
Nonetheless, the Allies were able to derive useful information about the timing, location, and scale of Axis operations by tracking metadata about the transmissions. By triangulating transmissions via High Frequency Direction Finding (HF/DF) and cross-referencing their volume and number against the call signs of transmission stations, Allied forces could locate where enemy forces were assembling, and even infer the order of battle expected for specific engagements.
This whole package of activities was known as Signals Intelligence or SIGINT. The Allies were distinctly better at SIGINT than the Axis, and this was a critical component of many Allied successes in the war.
But it wasn't enough.
Without Decryption, SIGINT Hits A Wall
I promise the infosec lesson is coming soon, but first we need to cover some more history.
SIGINT was around in peacetime before WWII, and the whole time that SIGINT was in play, there were efforts to go beyond it. A U.S. Cipher Bureau was established to decrypt the actual contents of the messages being intercepted, to move from inferrence to direct knowledge of what was being said. That bureau, dramatically known as "The Black Chamber," was shuttered in 1929 by Secretary of War Henry L. Stimson. His comment on the matter was that "Gentlemen do not read other gentlemen's mail."
Thus, after war broke out, Polish and British cryptanalysts were responsible for the bulk of attempts to decrypt intercepted Axis communications. The first major breakthrough had come from the Polish in 1932, well before war even broke out. They were able to decrypt the German encryption machine Enigma using an electromechanical device called a bombe to cycle through potential solutions more rapidly than a human could manage.
However, early iterations of this process were still so slow and arduous that the contents of the messages were stale and of little use by the time they were revealed. By the time the war was in full swing, Alan Turing was working tirelessly at Bletchley Park in the UK to develop faster, better ways to decrypt new, more secure versions of the Enigma. He succeeded, and the rest is history. U.S. President Dwight Eisenhower, who had been Supreme Allied Commander Europe (SACEUR) and a Chief of Staff in the U.S. Army during WWII, credited the Allied victory "in no small part" to the SIGINT and codebreaking work done at Bletchley Park.
TL;DR, decryption helped beat the Nazis.
Why Decryption Mattered In World War II and Still Does Now
If Allied powers were already taking successful action based on the SIGINT before they figured out how to "read other gentlemen's mail," why did they keep trying? Why continue to spend the brainpower of the brightest mathematicians and linguists in the world, not to mention the equipment and operating costs, on decrypting enemy messages rather than relying on SIGINT-enabled inferences?
This question is rarely asked, and in fact may seem ridiculous now, but it's the exact same question that is coming to a head in the infosec space today—and it shares the same answer: message content matters.
When you're making life-or-death decisions, the more information you have, the better. SIGINT wasn't enough, and the folks who beat the Nazis understood that.
The Lesson for Cybersecurity Technology Vendors, Especially in Network Detection & Response
The current cybersecurity market is having the same conversation that the Allies did almost 100 years ago. For network detection and response (NDR) vendors and users, the outcome of that conversation is critical.
NDR is an emerging category of security products that uses behavioral analysis of internal traffic in order to rapidly detect, investigate, and respond to threats inside the perimeter—get a deeper overview here. NDR vendors rely on network traffic analysis, and network traffic encryption reduces their visibility and certainty about what's been observed. They're stuck having to make crucial decisions based on inferences, just like in the early days of SIGINT.
Here's one huge difference. NDR isn't trying to decrypt giant intercepted flows of traffic from military enemies, or even the public internet. NDR is squarely aimed at the east-west corridor inside of large, complex enterprise networks, where cyberattackers thrive once they've surpassed perimeter defenses. Encrypting this traffic is important to prevent those attackers from stealing sensitive data. Safely decrypting the data for security monitoring is equally important. In Stimson's terms, this is akin to gentlemen reading their own mail to make sure there are no bombs in it.
Some NDR vendors are simply unable to decrypt the network traffic they rely upon. These vendors claim that decryption doesn't add value, a message more akin to saying "SIGINT is enough. We don't need to know what the U-Boats are saying. The fact that they're talking more than usual is good enough." This is a fundamentally incorrect, self-serving, and harmful message for NDR and other infosec vendors to transmit to their customers.
While SIGINT-style inference from metadata is certainly useful, there is no defensible argument against decryption in this field. Vendors who argue this just can't do it, which makes them vulnerable.
Decryption Is Necessary for Successful Network Detection and Response
In World War II, decrypting messages meant the difference between knowing "something big was happening in this general region" versus knowing the exact military units, their deployment, and their orders for a particular engagement. Sir Harry Hinsley, a historian who worked at Bletchley Park during the war, asserted that the decryption efforts probably shortened the war by two years, if not four. Any modern cybersecurity team would love that kind of reduction in mean time to resolution (MTTR).
NDR vendors who are able to decrypt network traffic for analysis in real time simply have a better chance of providing the necessary detail quickly enough to actually defend against or prevent catastrophic losses due to advanced cyber attackers.
In other words, as you can see in the video below, it really does matter what's in the box...
Read the white paper to learn about the different types of encryption available today, as well as how ExtraHop Reveal(x), cloud-native network detection and response, provides need-to-know decryption that doesn't impact performance.