The other day I was staying in Roslin Castle, south of Edinburgh. Very nice location, above a bend of the river Esk, down the hill from Rosslyn Chapel. And in the old days, defensible: shoot your arrows from across the river or up the bank, we don’t care! Or try climbing the cliff and walls while we’re dropping rocks on you!

And then gunpowder came. Much of the castle is missing, due to Henry VIII of England’s troops in 1544. Nearby heights that were formerly only good for viewing the castle suddenly became ideal launching points for cannon balls, which, unlike arrows, could knock down castle walls. There are a few towers and part of the curtain wall left, as well as three quite dank dungeons, but most of the superstructure is gone. The livable part was built in 1622; very recent by Scottish standards.

What has this got to do with the Internet?

A second threat is a softening, if not disappearing, of the network perimeter. For a long time, we were able to get some semblance of securing the enterprise by establishing firewalls and [demilitarized zones] and maintaining the somewhat guarded perimeter. Now with BlackBerries, PDAs, wireless, executives traveling and using the Internet in hotel rooms, and people with VPN access from home systems, the perimeter is an illusion. But security policies and technologies have not kept up with that change. A big vulnerability in many environments is that you still have policies and people viewing the enterprise as protected with a firewall, and that’s simply not the case.

Security expert recommends ‘Net diversity By Carolyn Duffy Marsan, Network World, 05/30/06

This is from an interview with Eugene Spafford. Internet curtain walls, also known as firewalls and perimeters, are also obsolete. Not completely, of course; they can still keep idle tourists out, but they want stop a determined enemy.

There’s much more; the whole interview is well worth reading.

Spaf goes on to recommend diversity for resilience.

He doesn’t seem to talk much about collective action, although he does talk about reputations:

To battle criminals, you have to be concerned about customer data and remote control of systems that can be used for spam. You have to think about the exposure to your reputation if your systems are used as bots for something like kiddie porn. As far as I know, no companies have paid damages yet if their resources were used in an attack, but suits have been filed and settled out of court.

Collective action is what it is going to take. Just as no single castle could stop the army of Henry VIII, no single company can effectively stop criminal zombie botnet armies. And trying to fortify each computer enough to stop that is like trying to produce plate armor sufficient to stop a cannon ball: it just ain’t gonna work. The Internet was built by collective effort, and it will only be secured by collective action.

-jsq

PS: Wendy Nather found this interview, but neither she nor spaf are responsible for my interpretation of it.