Open Shares in the Trenches

By Jay Heiser | January 04, 2019

Today’s open sharing of sensitive files from the public cloud parallels an information warfare problem from 1916. It should remind us that security always takes a back seat when there’s an urgent need to share data, and that there is nothing new about information war.

The fatal addition of 20th-century weaponry and logistics to 19th-century military approaches ensured that the First World War quickly devolved into a bloody stalemate. As the Allies and Axis dug into ever longer and more elaborate systems of trenches, military leadership was desperate for reliable communications systems that could enable spotters at the front of the lines to feed information on opposition activities back to the field command centers, and to help artillery crews improve their targeting. Human runners and visual telegraphs both proved impractical. Electronic communications systems, originally using Morse code and soon using voice, quickly became indispensable. Thousands of miles of copper wire were haphazardly pulled through wet Belgian clay.

The primitive communications technology unfortunately emanated signals that were carried through the wet soil by electrical induction, a signals leakage further facilitated by the jumble of barbed wire, rail lines, and abandoned copper wire that littered no man’s land.  The Germans were the first to realize that the field communications could be detected, and they developed amplified equipment for sniffing out the British traffic. It didn’t take English intelligence long to realize that there was a leak, but it wasn’t until they interviewed a British civilian who escaped from the Germans that they learned the surprising source.

The response started with a requirement to change human behavior. A policy to use code words to obscure communications was only partially successful.  The ultimate solution was a new technology.  In 1915,  Algernon Clement ‘AC’ Fuller, a signals Captain in the Royal Engineers, developed a new form of Morse telegraph that was not vulnerable to induction attacks.  Referred to as the Fullerphone, a version was soon introduced that could support voice communications.

It took almost three years of effort to fully plug the leak. Policies restricting the use of the older communication systems, and the use of ‘plain text’, continued to be sidestepped. The first versions of the Fullerphone were considered clumsy and difficult to maintain. As a result, before the mid-1916 Battle of the Somme, German sigint teams were able to intercept British battle plans. Thousands of Allied soldiers died because the British were unnecessarily losing the infowar.

Over time, stories about what was actually happening were circulated and believed, creating a cultural climate of receptivity to change. Officers who didn’t follow the new practices, or use Fullerphones, were disciplined, including loss of promotion and pay. It took a sustained multi-year effort involving cultural, technical, and economic controls to fully introduce policy-compliant trench communications systems.

I think it’s unlikely that thousands of people are at risk of death due to open shares from AWS S3, OneDrive or Dropbox—but it is the case that every organization that has attempted to control open shares has discovered far more shared sensitive data than they ever expected. When people are asked to do a job, they tend to do their job, including using whatever tool ‘works’, especially when their management fails to provide them with a better tool. Encryption provides collaboration systems that avoid signals leakage, and CASB provides mechanisms to control the use of insecure systems, but history reminds us that it takes a concerted effort to change behavior and apply secure communications technology.

 

NOTES:

When I first researched this story in 2002, I spent a couple of days visiting libraries in London, finding a copy of Priestley’s 400-page book, and several other references. Today, a great deal of material can be found online:
