What Mary, Queen of Scots, can teach today’s cybersec royalty

Opinion Mary, Queen of Scots, was a hapless CEO, even by the standards of 1600s Europe. Mother of the first Stuart King of England, James I (and VI of Scotland; let’s not go into that), she was herself the first Stuart monarch to lose both throne and head. She wasn’t the last. The family had issues.

There is much to educate, inform and entertain about Mary, but above all she is an early example of the consequences of the politics of data forensics, and the limits of data security.

Let’s start with the loss of that throne and the role of data forensics. Mary’s second husband, the heir apparent to the Earldom of Lennox, was murdered in a chaotic event that implicated the Earl of Bothwell. Bothwell was cleared and immediately married Mary, a poor move in retrospect given it caused a rebellion, her imprisonment, and her abdication. She fled south to England and asked her cousin Queen Elizabeth for help.

Liz was very reluctant to commit, for reasons which make Game of Thrones look like The Muppet Show. Catholic Mary could focus any number of plots to overthrow Protestant Elizabeth, or be a partner through blood ties to calm things down. Family, eh?

When in doubt, hold an inquiry: did Mary have a part in the murder of Darnley? This question swiftly resolved into the authenticity of a cache of data, the Casket Letters. Apparently in Mary’s handwriting and apparently linking her and Bothwell in love and plotting. Investigators said they were probably genuine, with modern opinion split but tending towards a mix of genuine, altered and fake. Either way, Queen Elizabeth decided the case couldn’t be decided – the forensics had done their job of buying time and raising more doubts than answers. The lesson? In politically uncertain times, make sure data doesn’t box you in.

Mary stayed in limbo for nearly two decades, as plots and conspiracies came and went. Although sandboxed like a suspect server, Mary did establish covert communications with supporters at home and abroad.

The system that finally sealed Mary’s fate had the best crypto of the time, a mixture of letter transposition and symbol substitution. It was vulnerable to frequency analysis, as enciphered text kept a similar fingerprint count of vowels and consonants as the clear text, and contextual identification of symbols that referred to specific people. It had some strength, the real issue was channel vulnerability.

By use of double agents and control of messengers, Elizabeth’s security chief Sir Francis Walsingham could intercept and duplicate messages before passing them on as apparently untouched. One of the key technologies of the time was letter locking, a form of anti-tamper origami, with increasingly clever locks testing the technicians of the Black Chamber, the Tudor Bletchley Park, whose job was to invisibly defeat them once intercepted.

The problem of knowing whether a message has been intercepted has only just been decisively solved by quantum encryption, a system sadly unavailable in the mid-16th century. Conversely, the poor cipher used to try and hide the content of messages could have been rendered totally uncrackable, even at the time, by one-time pads, which just need dice, paper and pencil. Alas, they weren’t to be invented for another 300 years. Key security, then as now, would have been the hardest part, but not impossible.

In the end, Mary sealed her fate by authorizing a plot to usurp Elizabeth using a channel compromised, in fact controlled, by Walsingham. One with letters in a known cipher wrapped in a leather pouch and hidden in the bung of a beer barrel delivered to Mary’s prison – a combination of encryption, packetisation and steganography. It looked like security in depth. It was entirely pwned.

Mary had previously been careful in what she wrote, even via ostensibly secure channels, as the recent publication of a new cache of her secret letters shows. The excitement of finding and decoding them was not justified by their contents: Mary must have known that the resources of the English state were equal to her defences. In the end, though, if you’re getting nowhere, you take a punt.

Mary’s crypto was weak and she operated in the most hostile of environments, but even so her opponents relied heavily on compromising humans. What kept Mary alive was her circumspection, but that also limited what she could do.

This encapsulates so many rules of data security in the real world. The equation of how much of what sort of security to employ, when and how, depends not only on the quality of the tools but the value of the data, the motivation and resources of those who would defeat that security, and the degree to which that security impedes your intentions. Motivation, resources and good old-fashioned people politics count for just as much as careful application of innovative tech.

Fortunately for most of us, we don’t literally risk our necks or the fate of nations when we make security decisions. We also don’t create secrets that attract attention four hundred years later. Understanding risk and reward is the final truth of security engineering – that, and never working with family. ®

READ MORE HERE