Security Lessons from History

Hatteras Hoops
10 min read · Nov 25, 2023


How Old Ideas Strengthen Modern Cybersecurity

Key to the ratings used below:

- Minimal: core idea remains the same
- Adapted: builds on historical methods but is technologically advanced
- Drastically Altered: not recommended in modern security

What do encryption, security through obscurity, operational security (OPSEC), principle of least privilege (PoLP), segregation of duties, defense-in-depth, user awareness and education, separation of duties, compartmentalization, and access control all have in common? They are all security concepts or principles from hundreds of years ago. Some have been drastically altered while most have adapted due to technological advances. PoLP and segregation of duties have only changed minimally — a remarkable statement in modern security. How is this possible? How can the premise for modern security be so old, and why do we keep hearing and reading about new ideas and ways of securing our organizations?

“as innovation is the child of necessity, so too is security the child of society”

The table above outlines chronologically how security practices from times gone relate to each security principle. Not every principle is included — and may be a very interesting area for further research. What this research tells us, in part at least, is that if you want new ideas you should read old books — not because they give us the silver spoon of ideation but because they validate a broader, more enduring purpose. As innovation is the child of necessity, so too is security the child of society. Let’s explore ten old-school security concepts to see how they apply in modern cybersecurity.

1 The Scytale: Encryption. The Scytale was a cryptographic tool used by the Spartans as a simple yet effective encryption method that involved a cylinder and a strip of parchment or leather. The Spartan messenger would wrap a strip of parchment around the cylinder and write a message along the length of the strip. Once the message was written, the parchment was unwrapped from the cylinder, appearing as a jumbled set of characters. The recipients had to wrap the parchment around a similar cylinder with the same diameter, aligning the characters to reveal the original message. (Ancient Greece, 5th Century BCE)

Adapted. The Scytale might be handy for passing notes in physical form, but we now wrap our datagrams and networks in layers of complex mathematical algorithms to help identify issues with integrity, ensure confidentiality, and provide a basis for non-repudiation. The Spartans would be amazed to see the impact of improved communication security.
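The wrap-and-unwrap step described above, as an added example that is not part of the original post: the cylinder is modelled as a letter grid with a chosen number of lines around its circumference (an assumption for the model), and the last function counts how few cylinder sizes a given strip could fit, which is the whole secret the Spartans relied on.

```python
"""Scytale transposition cipher, modelled as a letter grid.

A cylinder with `rows` lines around its circumference holds one letter
per line per turn. Writing "along the length" fills the grid row by row;
unwrapping the strip reads the same grid column by column.
"""

from math import ceil

PAD = "X"  # filler so the strip always wraps an exact number of turns


def scytale_encrypt(plaintext: str, rows: int) -> str:
    """Wrap the strip around a cylinder of `rows` lines and write along it."""
    if rows < 2:
        raise ValueError("a cylinder needs at least two lines around it")
    cols = ceil(len(plaintext) / rows)  # number of turns of the strip
    padded = plaintext.ljust(rows * cols, PAD)
    grid = [padded[r * cols:(r + 1) * cols] for r in range(rows)]
    # Unwrapping reads down each turn of the strip, i.e. column by column.
    return "".join(grid[r][c] for c in range(cols) for r in range(rows))


def scytale_decrypt(ciphertext: str, rows: int) -> str:
    """Re-wrap on a cylinder of the same size and read along its length."""
    if rows < 2 or len(ciphertext) % rows:
        raise ValueError("strip does not fit this cylinder")
    cols = len(ciphertext) // rows
    plain = "".join(ciphertext[c * rows + r] for r in range(rows) for c in range(cols))
    return plain.rstrip(PAD)  # caveat: also strips a genuine trailing X


def candidate_cylinders(ciphertext: str) -> list[int]:
    """Every cylinder size the strip fits exactly: the cipher's entire key space."""
    n = len(ciphertext)
    return [r for r in range(2, n) if n % r == 0]


if __name__ == "__main__":
    msg = "HELPMEIAMUNDERATTACK"          # constructed sample message
    ct = scytale_encrypt(msg, rows=4)
    print(ct)                              # HENTEIDTLAEAPMRCMUAK
    print(scytale_decrypt(ct, rows=4))     # HELPMEIAMUNDERATTACK
    print(scytale_decrypt(ct, rows=5))     # wrong cylinder: garbled text
    print(candidate_cylinders(ct))         # [2, 4, 5, 10]
```

A 20-letter strip fits only four cylinder sizes, so the key carries about two bits of secrecy; that gap is what modern algorithms closed.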

Egyptian man offering the foreleg of an ox

2 Egyptian Hieroglyphics: Security through Obscurity. In ancient Egypt, hieroglyphs were a system of writing that combined logographic and alphabetic elements. They were used to record a wide range of information, from religious texts to historical records. However, some inscriptions were written in an encrypted or obfuscated manner, using symbols and codes that were not immediately understandable to those who were not initiated into the knowledge of the specific hieroglyphic script. By using complex hieroglyphic symbols and encoding methods, ancient Egyptians aimed to protect the secrecy of certain inscriptions, making it difficult for unauthorized individuals to decipher and understand the content. (Ancient Egypt, 3rd Century BCE)

Drastically Altered. Quite literally — no longer a recommended security practice: OWASP Principle 8 states that we should “avoid security by obscurity.” I wonder if anybody has told the Open Worldwide Application Security Project that they’ve had a once-in-three millennia impact on security practices.

3 Silk Road Trade: Operational Security. The Silk Road was a network of trade routes connecting the eastern and western worlds where the protection of trade secrets and routes relied on operational security (OPSEC). Ancient Chinese traders and merchants applied OPSEC to safeguard the routes, valuable cargo, and the production methods of silk, porcelain, and other commodities. This included practices like compartmentalizing trade knowledge, using code languages among traders, and minimizing the disclosure of specific routes and resources. OPSEC in the context of the Silk Road trade helped Chinese merchants and traders maintain a competitive advantage and protect valuable trade secrets from being appropriated by rivals. This secrecy ensured Chinese dominance over the lucrative silk trade. (Ancient China/Han Dynasty, 2nd century BCE to 3rd century CE)

Adapted. I suspect that the lucrative Belt and Road Initiative (BRI) has a significant portfolio using OPSEC, and its application in the digital world protects an organization’s profit. OPSEC is not the sexiest security principle, but it significantly alters what we identify as a security risk and how we treat that risk. The method remains unchanged but how often might this concept be overlooked in commercial cybersecurity strategy?

4 Medieval Guilds and Trade Secrets: Segregation of Duty. The Worshipful Company of Goldsmiths in London, which is still active today as a livery company, was a goldsmiths’ guild known for its strict protection of trade secrets, especially in the crafting and marking of precious metals and jewelry. Members of the Worshipful Company of Goldsmiths were involved in various aspects of the precious metals industry, including the production of gold and silver items, jewelry, and coinage. They had well-defined rules and practices to protect trade secrets related to metallurgy, jewelry-making techniques, and hallmarking. One of the key practices for protecting trade secrets within the guild was secrecy oaths. Goldsmiths and apprentices within the guild were required to take secrecy oaths, promising not to disclose the methods and techniques they used in their trade to outsiders. This oath was enforced to maintain the exclusivity and quality of their products. The guild’s strict protection of trade secrets was not only for the benefit of its members but also served to uphold the integrity and quality of gold and silver products in the market. The guild practiced the segregation of duties, ensuring that different individuals were responsible for various aspects of their trade or craft. This principle aimed to prevent fraud and abuse of power and remains relevant in modern security practices, focusing on role-based access and responsibilities. (Medieval London, 5th to 15th Century)

Adapted. The use of Non-Disclosure Agreements (NDAs) and efforts to limit undue influence within an organization form a small industry across cybersecurity. Segregation of Duty proves time and again to be a method that helps avoid harm to business operations. This old-school principle remains a routine practice in modern security for good reason.

5 Krak des Chevaliers: Defense-in-Depth. The Krak des Chevaliers is an exemplary representation of the defense-in-depth strategy. It features multiple layers of defenses, including:

1. Outer Walls: The castle is surrounded by high, thick walls that are difficult to breach, serving as the outermost layer of defense.
2. Machicolations and Battlements: The walls are equipped with numerous machicolations (openings for dropping objects on attackers) and battlements (parapets for archers), allowing defenders to repel attackers from various angles.
3. Moat and Drawbridge: A deep moat surrounds the castle, providing an additional physical barrier, and a drawbridge could be raised to hinder access.
4. Inner Walls: Within the outer walls, the castle features a series of inner walls, towers, and courtyards, each with its own set of defensive features.
5. Keep: The innermost core of the castle is the keep, which served as the last line of defense. It was heavily fortified and difficult to access.

The Krak des Chevaliers is a remarkable example of how medieval architects and builders applied the defense-in-depth principle to create a formidable fortress. Its design ensured that any attacker would have to overcome a series of obstacles and defenses, making it one of the most secure and well-protected castles in history. (Medieval Syria, 12th — 13th Century)

Adapted. Industry experts have thrown a lot of shade at this principle. Zero Trust is the accepted term of art. But, actually, the concepts of Krak des Chevaliers stand their ground digitally even in today’s high-velocity, contested space. Network firewalls, VPNs, DMZs, and even port security are relevant. What argument might the Zero Trust crowd make to contest the notion that Krak des Chevaliers’ Defense-in-Depth principle has only marginally adapted in modern security?

Hanseatic league port

6 Hanseatic League Guilds: Training & Awareness. The Hanseatic League was a powerful confederation of merchant guilds, with a significant presence in Scandinavian cities like Bergen in Norway and Lübeck in Germany. The league’s guilds played a vital role in trade and the economic life of the region.

Journeyman and Master: After completing their apprenticeships, individuals would become journeymen, allowing them to travel and work in different cities and regions under the umbrella of the Hanseatic League.

User Awareness and Education: Guilds within the Hanseatic League followed a system of training and education similar to other medieval guilds. They provided structured apprenticeships to aspiring merchants and craftsmen. Young individuals interested in becoming traders or craftsmen would be apprenticed to experienced members of the guild. Members were trained not only in the practical skills required for their trade but also in the business practices and economic principles of the league’s operations.

While the Hanseatic League was primarily focused on trade, its guilds had a profound impact on the development of skilled workers and traders in the medieval Scandinavian context. (Medieval North Sea, 12th to 17th centuries)

Adapted. This may be an area where the old world teaches us an important aspect of why we do what we do and how we might be more effective as a profession. The Hanseatic League used proficiency levels to drive training and, conversely, training drove proficiency in a truly symbiotic relationship. How many cybersecurity professionals feel that their training drives a professional cadre of staff within their organization?

7 The Medici Bank: Separation of Duties. The Medici Bank, established by the Medici family in Florence, Italy, was one of the most influential and successful banks of the Renaissance period. The bank played a pivotal role in the financial and political landscape of Renaissance Italy and beyond. The Medici Bank employed the principles of separation of duties, with different individuals and departments responsible for various aspects of banking and finance, including accounting, bookkeeping, money lending, and investment. This practice aimed to prevent fraud, conflicts of interest, and abuse of power, and it remains relevant in modern financial and banking institutions. (Renaissance Italy, 14th to 17th centuries CE)

Minimal. While the separation of duties has only experienced minimal change, the example touches on why separation of duties is so important: fraud, laundering, and other Human-Domain Security challenges are often offset through the application of this principle. As practitioners, we know the challenge of staffing good people. We can understand why there is both little need to alter this concept and why it still remains highly relevant. And yet, it is remarkable that an eight-hundred-year-old security principle still plagues most organizations in modern cybersecurity.

“Repackaging may never end, but avoiding repeated mistakes could save us all a lot of money — and heartache!”

8 Fort of São Sebastião: Compartmentalization. The fortress on the Island of Mozambique featured a design that emphasized compartmentalization. The fort was divided into different sections, each with its specific functions and defense mechanisms. These compartments included areas for housing soldiers, storage of supplies, and defensive structures. The concept of compartmentalization was crucial for defending against attacks and securing the fort. If one part of the fort was breached by attackers, the compartmentalization allowed defenders to retreat to more secure areas while maintaining the ability to resist and repel invaders. (16th Century Mozambique)

Adapted. Probably one of the weaker examples, the Fort of São Sebastião represents a concept more commonly viewed today through the lens of data classification and containerization in the cloud.

9 US & UK Telegraph Network: Access Control. Operators of 19th-century telegraph networks controlled access to equipment and messages. The Electric Telegraph Company (later the British Telegraph Company) and Western Union were leaders in access control at the time. The industry most closely related to modern cybersecurity saw challenges to the integrity of systems that would be the first to connect the world through binary code. This was even more relevant for handling wartime messages and criminal prosecution in the wild, wild western United States. The telegraph network is thought to be among the first ever to be “hacked” in historical terms. (19th Century)

Adapted. Morse code and telegraph line operators were quick to realize the importance of managing access control. It was the first over-wire binary code transmission, one that might otherwise have appeared to enjoy incredible security. The confidentiality, integrity, and availability of the telegraph network were appropriate for the age, but administrators realized that humans could be the weak link in the chain. It turns out they were correct…more than once. The Human-Domain will always present some of the hardest challenges to solve — but in a 19th Century world it was a priority.

10 Scientific Method and the Advent of Artificial Intelligence. You might be wondering why this tenth feature of security is neither a principle of modern nor of ancient security. Perhaps there is an argument for the latter. The use of the scientific method and related research techniques has fatigued in modern times, collective critical thinking skills have faltered, and modern technology continues to atrophy our creativity and meticulous approach to problem solving. Enter Artificial Intelligence (AI). We now have libraries of pure text at our fingertips from which to use generative AI to rapidly compile and research topics that might otherwise take weeks or months of research and compilation.

Adapted. You might challenge me on this example. I accept that. A large proportion of this research was initiated through generative AI solely because researching across so much of history required too many fragmented queries. Research conducted, as I did here, through the formation of a hypothesis and prosecution of the converged history of security is ONLY enabled by AI. Many of the initial findings were vague, repetitive, or false (hallucinations). What AI has and will continue to provide is an unmatched ability to scale our inquisitiveness.

Modern principles standing the test of time are not unique to the cybersecurity industry. It’s remarkably validating, but what is important here are the oft-overlooked solutions that have existed for millennia. When we are recalculating Pi, have we stopped to wonder how many before us did the same? The solutions found in history provide enormous value in helping focus where we apply resources, why, and the impact we can expect. Repackaging may never end, but avoiding repeated mistakes could save us all a lot of money — and heartache! What will history help you invest in and where might you avoid an undue burden? Stay tuned…


Written by Hatteras Hoops

Map dude. Security Professional. Leader. Extrapolator. Innovator. Advocate for Earth. War Veteran. American abroad.
