Gartner Blog Network


Open Shares in the Trenches

by Jay Heiser  |  January 4, 2019  |  Comments Off on Open Shares in the Trenches

Today’s open sharing of sensitive files from the public cloud parallels an information warfare problem from 1916. It should remind us that security always takes a back seat when there’s an urgent need to share data, and that there is nothing new about information war.

The fatal addition of 20th century weaponry and logistics to 19th century military approaches ensured that the first world war quickly devolved into a bloody stalemate. As the Allies and Axis dug into ever more elaborate and longer systems of trenches, military leadership was desperate for reliable communications systems that could enable spotters at the front of the lines to feed information on opposition activities back to the field command centers, and to help artillery crews improve their targeting. Human runners and visual telegraphs both proved impractical. Electronic communications systems, originally using Morse code and soon using voice, quickly became indispensable.  Thousands of miles of copper wire were haphazardly pulled through wet Belgian clay.

The primitive communications technology unfortunately emanated signals that were carried through the wet soil by electrical induction, a signals leakage further facilitated by the jumble of barbed wire, rail lines, and abandoned copper wire that littered no man’s land.  The Germans were the first to realize that the field communications could be detected, and they developed amplified equipment for sniffing out the British traffic. It didn’t take English intelligence long to realize that there was a leak, but it wasn’t until they interviewed a British civilian who escaped from the Germans that they learned the surprising source.

The response started with a requirement to change human behavior. A policy to use code words to obscure communications was only partially successful.  The ultimate solution was a new technology.  In 1915,  Algernon Clement ‘AC’ Fuller, a signals Captain in the Royal Engineers, developed a new form of Morse telegraph that was not vulnerable to induction attacks.  Referred to as the Fullerphone, a version was soon introduced that could support voice communications.

It took almost three years of effort to fully plug the leak. Policies restricting the use of the older communication systems, and the use of ‘plain text’ continued to be sidestepped. The first versions of the Fullerphone were considered clumsy and difficult to maintain.  As a result, before the mid-1916 Battle of the Somme, German sigint teams were able to intercept British battle plans.  Thousands of Allied soldiers died because the British were unnecessarily losing the infowar.

Over time, stories about what was actually happening were circulated and believed, creating a culture climate of receptivity to change.  Officers who didn’t follow the new practices, or use Fullerphones, were disciplined, including loss of promotion and pay. It took a sustained multi-year effort involving cultural, technical, and economic controls to fully introduce policy-compliant trench communications systems.

I think its unlikely that thousands of people are at risk of death due to open shares from AWS S3, One Drive or Dropbox—but it is the case that every organization that has attempted to control open shares has discovered far more shared sensitive data than they ever expected.   When people are asked to do a job, they tend to do their job, including using whatever tool ‘works’, especially when their management fails to provide them with a better tool.  Encryption provides collaboration systems that avoid signals leakage, and CASB provides mechanisms to control the use of insecure systems, but history reminds us that it takes a concerted effort to change behavior, and apply secure communications technology.

 

NOTES:

When I first researched this story in 2002, I spent a couple of days visiting libraries in London, finding a copy of Priestley’s 400 page book, and several other references. Today, a great deal of material can be found online:

Category: cloud-computing  policy  security  

Tags: cloud-security  collaboration-security  cyberwar  fullerphone  history-of-infowar  infowar  open-shares  policy  security  world-war-i  wwi  

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of SaaS and public cloud risk and control. Current research areas include SaaS governance, cloud provider transparency and digital business risks.Read Full Bio




Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.