Last summer, Internet guru Vint Cerf proclaimed that the Internet is moving from its Stone Age to its Iron Age. Soon after, Internet guru Paul Mockapetris slightly altered that sentiment and said that, at best, the Internet has reached a figurative Bronze Age, which filled the two millennia between the Stone and Iron Ages.
Still, the two gurus were making the same point: In no time, today's Net will be an antediluvian relic, replaced by an unimaginably advanced network that controls all communication everywhere. Cerf talked about connecting the Internet to other planets. Mockapetris told the BBC, "Ten years from now, we will look back at the Net and think, How could we have been so primitive?"
Primitive? Bronze Age? Well, not exactly. After digging a little -- and talking to an archaeologist who dug a lot -- we discovered that our ancestors from the literal Bronze Age were, in fact, quite sophisticated, at least when it comes to security. In many ways, their security philosophies and designs were smarter and more efficient than ours today.
Barriers to easy entry: a narrow, hard-to-find portal requiring enemies to run uphill and clamber over a high threshold. Once inside, high, confining walls forced invaders to take a path that exposed their weapon-carrying hands.
To prove it, we offer Dun Aengus, an awe-inspiring hill-fort on Inis Mór, one of the Aran Islands, off the west coast of Ireland. The fortified structure there dates to the Bronze Age, 3,000 years ago, and it was used at least up through the late medieval period, past the year 1000. We will examine features from the fort that were built at many stages of its working life -- some as early as 1100 B.C. and others as late as the year 800. These features helped keep Dun Aengus both secure and productive for thousands of years. We also invite you to enjoy the site's magnificence -- which is itself a security feature. (We'll explain.)
Irish archaeologist Claire Cotter led the most important digs at Dun Aengus and has graciously offered her knowledge from those efforts, as well as her knowledge of defensive structures in ancient fortifications in general.
If the Internet is primitive, then its security is prehistoric. Cerf's and Mockapetris's future visions of the Internet will rely on that changing. Read on to see what Bronze Age wisdom Dun Aengus can impart that will help security evolve in the Digital Age.
Open your perimeter only when and where necessary
Dun Aengus ranges over 14 acres; if laid out in a straight line, its walls would stretch more than a mile. Yet Cotter says there would have been only one or two doorway openings in the walls. In terms of security, entrances are obviously weaknesses since they require the least effort to penetrate. Fewer portals meant fewer weak points, or, if you prefer, vulnerabilities.
Compare that to today, when many damaging worms succeed simply because ports, the virtual equivalent of doorways, are unnecessarily left open.
Sometimes security must trump efficiency
Dun Aengus's location was highly inconvenient for people whose business was the business of survival. Fishing and trading (requiring access to boats) meant long trips down the sloped land, far from the protection of the fort (and then long trips back); the lack of a fresh water supply forced inhabitants to collect rainwater; metals and other raw materials used to make tools and weapons, or jewelry and other goods for trading, were mined far away and then transported to be forged or crafted locally.
Dun Aengus was configured to anticipate the likeliest path of attack and to force attackers into positions of weakness. For example, an opposing army would have to cross the maximum expanse of chevaux-de-frise to reach an entry point.
Why did they make it so hard on themselves? Security. It is, after all, part of the business of survival. The inconveniences of the site are offset by the security it creates (more cost-benefit risk management). The Aran Islands, Cotter says, required particular attention to security because they lay on the frontier between Connaught and Munster, and thus were prone to attack from both sides. Dun Aengus itself sits on Inis Mór's high ground, allowing for the longest sight lines for spotting potential invaders; it was built on the precipice of a 300-foot cliff, literally sheering off an important potential attack route. The hilly topography allowed terracing of walls so that the walls towered over people approaching from the outside but only reached the defenders' waists, allowing easy aiming and firing. "Always have the high ground," Cotter says. "It's actually a good rule for life."
In today's information world, security consistently loses to every conceivable efficiency or convenience. The high ground of the Internet -- visibility beyond the perimeter -- is rarely taken. Applications are built as rapidly as possible, shoved onto the network landscape wherever they fit, and secured only afterward, when vulnerabilities are discovered. In the Bronze Age, people could accept the sacrifice of some efficiency if it benefited security.
Dun Aengus sits at the edge of a 300-foot-high cliff on the Aran island of Inis Mór. Its location affords a panoramic view of anyone approaching by sea and also provides the high-ground advantage over any landward assault.
Build secure structures, not security structures
"Dun Aengus would have been a center of Bronze Age life, a tribal capital," Cotter says. Seasonal rituals, important feasts, administrative tasks, forging, trading and any number of other daily activities all transpired inside the fort. Yes, sometimes security trumped efficiency, but security was not the application, rather one woven in with many others. So while the outer enclosure made attacking the fort harder, it also created a space for secure commerce, for cattle and sheep grazing, for forging bronze (and, later, iron), and for trading. The site also faces southwest so that, on a clear day, Cotter says, you can see 75 miles down the Irish coastline. That gives locals fair warning if marauders approach, but it also would allow elites to establish sovereignty over what was a primary trading highway.
Today we build software applications and then security software applications to wrap around them. Not only is this less efficient but it's also not as secure as stitching security into the main application, the way Dun Aengus had security woven into the fabric of what was essentially a small but active city.
In its time, Dun Aengus's grandeur was a security feature. "You were making a statement to anyone who was thinking about attacking you that you had the best defense and attacking would not be in their best interest," says Cotter. She adds that as much as the defenses were meant to deter you, they were also an offensive, imperial impulse, "sort of like when American jets used to fly into Soviet airspace -- because they could."
Companies today rarely brandish information security -- perhaps because they have little confidence in it. But letting the world around you know some of the more aggressive steps you're taking to prevent attacks can be a powerful deterrent, especially in a world littered with less secure "forts." Invaders attack the less secure structure.
Since the architects of Dun Aengus assumed attacks would come, they designed the fort so that attacks would be as difficult as possible. Fort entrances faced downslope, forcing enemies to charge uphill. Doorways were narrow, hard to find and, when you did find them, had high stone thresholds. You couldn't just run through. Once you did get through, more walls would force you to turn right, thus exposing your weapon-carrying arm to attack. If you managed to keep going, you'd eventually reach the massive band of chevaux-de-frise (upturned stones jutting in every direction), which would certainly slow you down. Cotter found that the chevaux-de-frise at Dun Aengus was mapped out with flat stones before it was created, and its distance from the inner enclosure was consistent with chevaux-de-frise at other sites -- 40 meters. "Forty meters," Cotter says dramatically, "is a human's missile-throwing range."
The whole fort was a honeypot. If you can't stop 'em, slow 'em down. Yet many information security breaches that result in lost data are a result of perpetrators having free range to explore and attack at will once they get into the network. Notice that the features of Dun Aengus applied to friend and foe equally. Information security needs to treat the network like Dun Aengus and control the traffic at every stop; move people in the way you want them to be moved. Make it as difficult as possible for even an insider to get around and wreak havoc.
Prepare for the unknown
One of the challenges of information security today is that new attacks are constantly being invented. Part of defending networks is defending against unknown adversaries. We like to think this is a thoroughly modern problem.
Yet, every day at Dun Aengus the sun would sink behind the crisp horizon of the vast sea, "and they literally didn't know what, if anything, was behind the sun, and what may come from beyond to attack them," Cotter says, imagining Bronze Age souls sitting at the cliff's precipice, staring out in wonder.
"And they prepared in that way. Knowing they had to defend against the unknown. Knowing," she says in a diluted County Cork accent, "there be monsters!"
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.