Blog Post March 30, 2023

Why Compliance is Not Security: The Sinking of the Titanic

Compliance is not security

By: Mark Sangster, VP, Chief of Strategy

About the Author

Mark Sangster, author of No Safe Harbor: The Inside Truth about Cybercrime and How to Protect Your Business, has appeared on CNN Newshour and is a go-to subject matter expert for leading publications and media outlets, including The Wall Street Journal and Forbes, covering major data breach events. Before joining Adlumin, Sangster established his 25-year InfoSec career at industry giants like Intel Corporation, BlackBerry, and Cisco Systems. His experience unites strong technical aptitude with an intuitive understanding of regulatory agencies, shifting risk trends, and the thought leaders who influence them.

Regulatory compliance is often treated as synonymous with security. Compliance is a close relative of security, but it is not the same thing. Compliant organizations across financial, healthcare, and other industries fall prey to cybercriminals daily. You can be 100 percent compliant and 100 percent pwned at the same time.

As we approach the anniversary of the sinking of the Titanic, one of the greatest maritime disasters in history illustrates that compliance does not equal security. The ship was compliant with the maritime law of its day. And it sank, killing 1,500 people. More than a century later, the great ship’s legend still offers warnings and lessons for those of us practicing cybersecurity.

This post is dedicated to keeping the memory of this great ship ever present, honoring those that perished, and learning as much as we can from the tragic disaster.

What Happened: The Titanic Sinking

On April 10, 1912, the RMS Titanic, the second of the three Olympic-class ocean liners and the largest ship afloat at the time, set sail from Southampton to New York with an estimated 2,224 passengers and crew. The luxurious ship was the pride of the White Star Line, of “unrivaled extent and magnificence.” Her designers considered her “practically unsinkable.” Five days into her voyage, on Sunday, April 14, 1912, having received six warnings of sea ice, the Titanic struck an iceberg off the Grand Banks. Two hours and forty minutes later, she sank, killing more than 1,500 people in what is still considered one of the deadliest peacetime maritime disasters in history.

For many reasons, among them the celebrity passengers, the magnificence of the ship, and the hubris of a ship labeled “unsinkable,” the story of the Titanic remains in our history books and is repeatedly immortalized in popular culture. Her sinking is usually attributed to the damage caused by the collision with the iceberg, blamed on the captain recklessly sailing too fast for the conditions, or on an insufficient number of lifeboats to rescue all onboard that night. But there is far more to the story. And these overlooked factors play out in an eerily similar chain of decisions that all too often leads to a massive cybersecurity incident like a crippling ransomware outage or a sweeping data breach.

Along with the captain’s judgment, the number of lifeboats, and an iceberg, other factors contributed to the disaster. Unusual climatic conditions, crew changes, another maritime accident, economic pressures, cost-cutting, profits from at-sea services, contemporary construction materials and designs, and maritime regulations all played a part. The notion of a chain of factors rather than a single failure in accident causation was coined “the Swiss Cheese Model” by University of Manchester researcher James T. Reason after the notion of holes in slices of Swiss cheese aligning to create a straight path to disaster. Of all the factors, perhaps the simplest and most tragic was a misplaced locker key.

Factor #1: Financial Pressure

Under competitive pressure from the rival Cunard line, which boasted the fastest ocean liners of the time, the Lusitania and Mauretania, the White Star Line commissioned three massive ships of unparalleled luxury. This new Olympic class included three sisters. The first of the class in service, the RMS Olympic, collided with the Royal Navy cruiser HMS Hawke in 1911. The subsequent investigation ruled the RMS Olympic at fault, invalidating insurance coverage and leading to massive financial losses for the White Star Line. Economic pressure and repairs to the RMS Olympic delayed the completion of the Titanic. She was now destined to sail in April, the height of the iceberg season.

Factor #2: The Arctic Antagonist

About the same time as the Titanic’s keel was laid [1], an iceberg of 10,000-year-old snow calved from a Greenland glacier, one of an estimated 40,000 icebergs released that year. Carried by the Greenland and Labrador currents, the iceberg first drifted north around Baffin Bay and then circled south along the coast of Newfoundland.

Most icebergs become trapped in Baffin Bay and melt. Only 1-4 percent make it to the more southerly shipping lanes, south of the 48th parallel north. This iceberg made its way south to the Grand Banks. By the time it crossed into the shipping lanes, it had melted considerably but was still ten times the size of the Titanic, with a mass of roughly 500,000 tons.

Factor #3: Patents, Profits, and People

Although the Titanic boasted of its luxury and modern conveniences, it was equipped with a Marconi wireless radio system that was no longer the most sophisticated of its time. Patents and monopoly power had trumped innovation; what mattered was a brand recognized by the wealthy passengers who would pay for its services.

The primary purpose of the radio was to send and receive passenger messages, for which the owner, the Marconi Company, was compensated. Passengers paid fees to send communications during the Atlantic crossing and to receive updates such as the morning news and stock report.

Weather and marine communications were secondary to the privately paid messages that funded both the service and the wages of the radio operators, Jack Phillips and Harold Bride, who were employees of the Marconi Company, not the White Star Line. The radio operators received six ice warnings from surrounding vessels. The first came on April 14 at 9:00 am from the RMS Caronia, reporting “bergs, growlers [2], and field ice.” Over the following hours, further transmissions provided multiple warnings of ice dangers.

At about 11:00 pm, radio operator Phillips was rushing to send passenger messages before the ship moved out of range of the shore station at Cape Race, Newfoundland. Interrupted by an ice report from the SS Californian and failing to grasp its significance, Phillips angrily told the Californian to cease transmitting: “Shut up! Shut up! I’m working Cape Race.” In response, the Californian’s radio operator, Cyril Evans, turned off his radio for the night. The Californian was the only ship close enough to the Titanic to rescue passengers in the window between striking the iceberg and sinking.

Factor #4: Lack of Crisis Response Plan

Before sailing, Captain Edward John Smith was transferred from the RMS Olympic to her sister ship, the Titanic. He was known as “the millionaires’ captain” since the likes of J.P. Morgan and Guggenheim wanted to sail with him. On that fateful night, Captain Smith had plotted a southerly course and changed direction from southwest to west at around 5:00 pm, assuming the ship was far enough south to avoid the reported ice region. The ship remained at full speed, as he believed he was navigating away from the danger. Later that evening, he retired for the night, leaving the bridge to the officer of the watch; by the time of the collision, that officer was First Officer William Murdoch.

As the Titanic approached her fatal collision, Reginald Lee and Frederick Fleet were stationed as the two lookouts in the crow’s nest, about 100 feet above the waterline, roughly the same height as the iceberg. Temperatures were near freezing, but the Atlantic was calm. One survivor later wrote, “the sea was like glass, so smooth the stars were reflected.” Given those conditions, icebergs were extremely difficult to make out from a distance. At about 11:40 pm, Fleet spotted the iceberg in the Titanic’s path. He rang the lookout bell and telephoned the bridge: “Iceberg, right ahead!”

When the lookouts rang the alarm bell, Murdoch ordered the helm hard over and the engines reversed to turn away from the iceberg. Confusion over helm orders (the convention had recently changed from the old tiller-style commands) and the reversing of the engines only hindered the rudder’s ability to turn the massive ship in time to avoid a collision. When the captain returned to the bridge, he ordered the engines stopped to assess the damage. Recognizing the rapid intake of water, he ordered the watertight doors closed, trapping some 500 crew in the compartments below decks and ultimately sentencing them to death.

Factor #5: Convenience

Security and convenience are often seen as opposite ends of a spectrum, with convenience paying the price for stronger cybersecurity policies and controls, and vice versa. In the case of the Titanic, a significant compromise was made by the Chairman of the White Star Line to accommodate one of the ship’s most iconic features.

The hull of the Titanic was divided into sixteen watertight compartments by bulkheads that rose only to E deck, about 11 feet above the waterline. The compartments were not sealed at the top because that would have significantly inconvenienced passengers moving through the ship; in particular, the bulkheads stopped at E deck to accommodate the Grand Staircase. The iconic staircase that graced Edwardian celebrities and was immortalized by Kate Winslet as Rose in James Cameron’s epic movie Titanic (1997) contributed, in no small part, to the ship’s rapid sinking.

The iceberg collision breached five of the forward compartments, one more than the ship could survive with flooded. As water filled those compartments, the bow settled lower, allowing water to spill over the top of each bulkhead into the next compartment and dooming the ship. Within about twenty minutes, the captain realized the “practically unsinkable” Titanic was lost, yet he delayed lowering the lifeboats to avoid exposing passengers to the weather while awaiting rescue from nearby ships.

Shortly after midnight, realizing all was lost, Captain Smith ordered Lightoller to man the lifeboats with the now-famous order “women and children first.” Lightoller interpreted this as women and children only, launching boats with empty seats and leading to further loss of life.

Factor #6: Life Boats

Harland and Wolff, the builders of the Titanic, originally called for 48 lifeboats, enough for the full complement of passengers and crew. The Chairman of the White Star Line, J. Bruce Ismay, reduced the number of lifeboats to 20. Pronouncing the ship “practically unsinkable” was a lesser sin than the boast attributed to him that “people don’t pay to look at lifeboats.” If that hubris was not enough, Ismay was one of the few men who made it into a lifeboat and survived.

Lessons From the Abyss

The discovery and subsequent explorations of the shipwreck, some 12,500 feet down on the bottom of the Atlantic Ocean, not only stimulated the public’s imagination and led to one of the most profitable movies ever made but also gave a clue to a lingering mystery: why did the Titanic sink so quickly?

Over 80 years later, researchers from Johns Hopkins began a forensic investigation into the materials and methods used to rivet the steel hull plates together. Evidence from the wreck showed a breakdown of the hull that could only be explained by impurities in the wrought iron used to make the rivets.

Records from the shipbuilder documented that the order for rivet iron was downgraded from No. 4 “Best Best” wrought iron to No. 3 “Best” iron, confirming part of their theory. Under financial pressure, the White Star Line had approved lower-quality iron to save money.

The researchers reproduced hull steel plates and riveted joints and subjected the replicas to various stress levels, simulating the collision. They found that the plates shifted under impact and that a movement of just 5 mm caused the rivet heads to fail and “pop,” opening the seam like a zipper. That is why a glancing blow from the iceberg was fatal: the hull plates separated along their seams and opened five watertight compartments to the sea, one more than the ship could survive. Ironically, a head-on collision would likely have done less damage and been survivable, or at least delayed the sinking long enough for rescue ships to arrive.

Regulations are No Substitute for Self-Governance

The British Board of Trade governed maritime operations at the time of the sinking. Under pressure from the competing White Star and Cunard lines, the Board consented to larger, grander ships with greater passenger capacity. Yet as ships quadrupled in size, the regulations stayed the same. For example, the number of lifeboats and lifesaving equipment required was based on the vessel’s registered tonnage, with a scale that topped out at 10,000 tons, not on its passenger capacity. Technical know-how had outpaced our notion of how to operate cutting-edge technology safely. Sound familiar?

Further, there were no procedures for navigating through ice in the North Atlantic. Some captains, such as the captain of the SS Californian, elected to stop for the night given the limited visibility of nearby icebergs. Captain Smith elected to steam at 21.5 knots (roughly 700 yards per minute) through the field to reduce the time spent in the risk area. Both approaches were considered sound by experienced seafarers.

Outraged by the loss of life, the Americans and the British each convened their own board of inquiry. Each found that the ship had been traveling at excessive speed in the ice region but did not hold the crew to blame, since this was standard practice. Neither the outdated regulations nor the low number of lifeboats was seriously called into question. J. Bruce Ismay, the Chairman of the White Star Line, was exonerated, and his decisions that affected the vessel’s safety were overlooked. No maritime rules were called into question.

As the highest-ranking surviving officer, Charles Lightoller gave evidence at both the American and British boards of inquiry. As a footnote, his autobiography made clear his feelings about the investigations. He labeled the American inquiry a “farce,” and of the British inquiry he wrote that “it was necessary to keep one’s hand on the whitewash brush.” It seems that no matter the generation or the circumstances, nothing changes. Evolving technology, competing interests, and waning focus mean we move the ball up the field but always seem to come up short of a touchdown. Nonetheless, several significant changes came in response to the Titanic sinking and the resulting loss of life.

The first International Convention for the Safety of Life at Sea (SOLAS) convened in late 1913 to establish minimum safety standards for the construction and operation of merchant ships. Those standards persist today, updated for modern technology and maritime law. For example, ships must carry enough lifeboats for everyone onboard and hold mandatory lifeboat drills. Red rockets are a recognized distress signal requiring an immediate response, and distress communications are standardized. Ship radios must be manned 24 hours a day to maintain constant contact, backed by a secondary, independent power source.

In the wake of the Titanic tragedy, an ice patrol was established to monitor for iceberg danger in the North Atlantic following that first International Conference on the Safety of Life at Sea in London in late 1913. The International Ice Patrol continues today with 13 member nations, albeit using modern ships, aircraft, and satellites.

The Key to Understanding Compliance

Oh yes, the key. At the beginning of this article, I mentioned a locker key. Before departure, Captain Smith’s trusted chief officer from the RMS Olympic, Henry Wilde, was transferred to the Titanic. William Murdoch was bumped from chief officer to first officer, and Charles Lightoller from first officer to second officer, responsible, amongst other functions, for the lookouts.

David Blair, the Titanic’s original second officer, was dropped from the crew to make room. In his haste to leave, he accidentally kept the only key to a storage locker believed to contain the binoculars intended for the crow’s nest lookouts. On the night of the sinking, the flat-calm sea was darker than usual under a moonless sky. With no wind, waves, or swell, there was no phosphorescent line of waves breaking against an iceberg to give it away, making icebergs even harder to spot.

Because Lightoller took charge of lowering the lifeboats, he survived the sinking. As the highest-ranking surviving officer, he later testified during the public inquiry by the Board of Trade that he was aware of the locker key oversight but did not supply the lookouts with glasses assigned to other crew members, such as the spare binoculars on the bridge. He also admitted that binoculars would certainly have improved the lookouts’ ability to spot the iceberg sooner, perhaps in time to evade the collision.

A key. A three-inch, one-ounce piece of brass potentially cost a ship nearly 900 feet long and weighing over 46,000 tons, not to mention the lives of 1,500 people on that freezing night. And none of these factors were considered material in the findings of either investigation.

And that’s the point. Regulations respond to macro issues and often miss minor oversights or micro details. Regulators walk a line between operators and those affected by those operators. Regulations like emergency signals and lifeboat requirements come from disasters. While cyber incidents are rarely life-threatening, cybersecurity regulations likewise lag cyber risks and current threats, requiring a material event to instill change. In other words, regulations are the consequence of events rather than something designed to prevent them in the first place, and that’s why cybersecurity regulations won’t necessarily save you.

We’re not all sailors. So, here’s a metaphor that’s closer to home. You can’t drive your car safely by focusing 100 percent on the rearview mirror. Imagine people in the 1970s trying to conceive that you could use a phone to steal billions from banks and organizations on the other side of the world. Now look forward and try to predict how we will live, interact, and work 50 years from now.

The point is that we are better at looking at history than at predicting the future. As Warren Buffett said, “In the business world, the rearview mirror is always clearer than the windshield.” So why would we expect regulators to future-proof industries against yet-to-be-experienced cyberattacks?

Meeting Cybersecurity Compliance is Not Enough

I am not proposing that because regulations lag risk we should jettison compliance entirely, far from it. But it’s not good enough to assume that you are safe from today’s cyber threats because you meet today’s compliance requirements, which were designed for yesterday’s risks. (Follow me? *Time machine not included.)

Take the Securities and Exchange Commission’s (SEC) latest cybersecurity rules, for example. The rules were proposed in March 2022, with a call for comments from industry constituents, and are scheduled to take effect sometime in 2024. They came in response to the increase in ransomware attacks and fraudulent wire transfers over 2020-2021. That was over two years ago, and ransomware is morphing again as law enforcement infiltrates ransomware gangs, insurance coverage gets tougher and more expensive to purchase, and geopolitical invasions and trade wars take the gloves off a cyber cold war.

Healthcare compliance rules (the HIPAA Security Rule) were first proposed in 1998 and heavily modified through 2013. Major manufacturing operates without broad regulations. Even defense contractors operate under the Cybersecurity Maturity Model Certification (CMMC), which is in its second iteration, announced in 2021, and scheduled for publication around mid-2023. CMMC was supposed, years ago, to replace the self-attestation model of the older Federal Acquisition Regulation (FAR) clauses with verified certification of contractors’ compliance. The point is that regulations are hard to establish given the time it takes to reach an industry accord, normalize standards, and give organizations enough time to update their operations. All the while, criminals keep on attacking organizations. In financial jargon, criminals have a first-mover advantage. They innovate, and we try to be fast followers.

So, what do we do? How do we secure our organizations?

The Lesson: Illuminating Cyber Threats in the Darkness

Coming back to the Titanic, here is the lesson. You must navigate a digital ocean full of cyber icebergs. You are the captain and designer of your ship, and you determine your own cyber rules of operation. Treat regulations and compliance as the baseline. Remember, while Information Sharing and Analysis Centers (ISACs), the Cybersecurity and Infrastructure Security Agency (CISA), and others are, to some degree, the analogue of the International Ice Patrol (IIP), you still need your own shipboard lookout and to know how to take evasive action when a threat appears on the horizon.

And that’s what Adlumin does. We light up a moonless night. Our job is to provide air cover that identifies icebergs with plenty of time to avoid them. We are your iceberg patrol, and we help ensure your cybersecurity program can withstand a collision. If you strike a small one, our job is to patch the hull and keep the organization afloat.

Our platform and MDR services are built around today’s threats, while our threat intelligence team works to predict when the criminal icebergs will enter the cyber shipping lanes tomorrow.

On April 14, spare a moment to think of those lost at sea. Years back, I visited the Titanic grave site in Cobh, Ireland. It was a reminder of human loss. But that’s the problem with most breach stories: there aren’t memorials, only eroding headlines. They lack personal context. Having witnessed numerous companies fall victim to cybercriminals, I’ve learned it’s not about statistics in the history books. It’s emotional. It’s about people. And loss. So, ask yourself: will compliance keep your organization afloat in a cyberattack? If you think so, I hope you have enough lifeboats for all involved.

Illuminate Threats. Eliminate risks. Command Authority.

See how Adlumin’s Security Operations Platform and 24/7 Managed Detection and Response Services can become your IT team’s foundation. Schedule a demo, experience a free trial, or contact an expert for more information.

References:
[1] Laying the keel is the first stage in the construction of a ship.
[2] Growlers was a term used to describe small, low-to-the-surface icebergs that are difficult to spot.