The Queen’s Gambit and the Science of Hacking

As I watched the new Netflix show, The Queen’s Gambit, it brought back a great many memories as to why I was always good at chess, but never great. I won school championships, but the closest I came to greatness was beating the older sister of Grandmaster Joel Benjamin. Whenever I was moved on to play other champions in New York City, I did not fare nearly as well. When I got to college, I went to a few chess club meetings, and they gave me some pointers on how I could become much better with a little bit of work. They showed me different options of standard openings to set up a defense, beyond my normal “just go out and attack” strategy.


I should have known a lot of this before, as I bought several books and magazines—but I never bothered to read them. In short, I had some natural ability and taught myself basic skills that I relied upon, but I never put in the investment to be better. I rarely needed to be better. To be clear, though, I have no delusions that I could have ever beaten Joel Benjamin himself, even if I put in that investment. There are some people who just have raw ability that is unparalleled in chess. And without going into too many details, what I saw in The Queen’s Gambit was a woman with incredible ability, who did not reach her full potential until she fully accepted the help and wisdom of others.


While I and many people play chess as an art, it is a science. Ironically, Joel Benjamin worked with IBM to program Deep Blue to beat then-world champion Garry Kasparov. The fact that you can program a computer to play chess consistently well demonstrates that there is a repeatable pattern to making decisions in chess. Clearly, grandmasters have the raw ability that puts them well into the top .00002% of the world’s population, but they still need to apply that ability as a science.


With this in mind, I consider the recent Twitter hack and the absurdity of many saying that the 17-year-old who compromised Twitter through phishing attacks should be hired by Twitter to fix the problems. This ignorance has long extended into the concept of hiring computer criminals in general. Yes, to a certain extent, these people might have some natural ability and have taught themselves basic skills. However, the reality is that when you are applying yourself against poor security, it doesn’t say whether you are a grandmaster at hacking or just a minimally skilled player who got lucky against poor competition.


Even as Beth Harmon, the lead character in The Queen’s Gambit, learned early in her chess career, she had to play 40 other ranked players before she received a ranking. This allows for a continuum of comparisons while also accounting for luck, such as if you accidentally beat a grandmaster who showed up drunk to a tournament. While I was able to go undefeated, and become locally revered with what I was told was an estimated 1600 rating, I was nothing in the big league. Most computer hacking is exactly like this.


Yes, you can appear to be competent, if not good, at breaking into computer systems, but at the end of the day, compromising a system doesn’t say whether you were “hacking” good or bad systems. It doesn’t say whether or not you got lucky against the better systems. The problem arises when people perceive computer criminals as being the equivalent of the chess grandmasters that are among the .00002% in not just abilities, but in the science of the subject as a whole.


I was admittedly lazy at chess. I did not have to do much to beat the people I normally came into contact with, so I never had to read the books or magazines I purchased. I just took the losses at real tournaments in stride and learned to avoid them. I approached chess as an art, and just played to the audiences where I didn’t need to be better. Hacking is the same. It is easy for criminals to appear to be grandmasters, even though they never learned the science of computer security, because they can pick and choose the poorer competitors and seem like geniuses. Some may be among the .00002%, but being a successful computer criminal is no indication of that being the case. Frankly, if you know they committed the crimes, it is pretty much a guarantee that they are not.



*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by RSAConference Blogs RSS Feed. Read the original post at: