Where is Epaminondas When You Need Him?
By MT:15 on May 14, 2007
I went to Israel on a business trip recently, a trip that was pretty jam-packed with customer meetings, a couple of talks, meetings with venture capitalists, and generally a full schedule. They don't call it the Promised Land for nothing; Oracle Israel promised me I'd have a full schedule, and they were right! I am grateful to customers and others who took time to explain their positions, concerns, use of Oracle, and provide feedback, as well as those who enlightened me on their business models and markets. I continue to be amazed -- but I shouldn't be -- that regardless of the customer interaction, I inevitably get more out of our customers' time than they do.
I should explain that statement before people are left with the impression that I am a professional security sponger (though in a way, I am a sponge). Talking to customers and listening to what they say is one of the best ways I learn what is really on someone's mind and what they are really struggling with. The vendors who approach me (such is the power of a 'C'-level title: every sales guy on planet earth wants to sell you the latest combination floor wax and firewall product that also eliminates split ends) are obviously focused on what they can sell and are convinced the "problem" their product addresses is Absolutely Critical; I talk to customers about what they are really worried about in security and how badly they worry about it. Some of their feedback is, of course, about Oracle: what we are doing well, what we could do better. (There is always something you could do better.) I got some really good and helpful thoughts from customers that I will duly be parsing through and parceling out to those who can take a look at it to see what we can do. "Todah rabbah" (thanks very much) to Oracle Israel and to the many articulate and interesting customers and partners I met there.
I have to travel for business reasons, but I always try to have some appreciation for the place I am visiting and, if possible, to do something unique when I travel. I picked up a few more words of Modern Hebrew and was even able to crack a joke (I was pleased at that, though I don't know if people laughed at the joke or at my pronunciation). On this trip, I fulfilled a long-held dream and was able to visit Lachish. Several Israelis asked me why on earth -- in a couple of free hours -- I'd want to visit a place that was so obscure, instead of one of the better-known sites in Israel.
It's a long story why I wanted to see Lachish. My favorite story in the Bible -- which happens to be one of the best-attested in terms of extra-Biblical evidence that the story is true -- is the story of Sennacherib, King of Assyria. The Assyrians were the scourge of the ancient world: much feared, they practiced cultural genocide upon those whom they conquered (the ones they let live, that is). Captives were routinely dispersed to the far corners of the Assyrian empire and were forbidden to practice their faith or keep their language and customs. Ten of the twelve original tribes of Israel vanished into a historical black hole, courtesy of the Assyrians who conquered and dispersed them.
To make a long story short, Lachish was the last of the fortified cities of Israel conquered by Sennacherib before he laid siege to Jerusalem. If you ever go to the British Museum, there is a relief from the palace at Nineveh (Sennacherib's palace in what is now modern Iraq, excavated in the 19th century) that shows the siege of Lachish: the prisoners being led off into captivity, others being flayed alive, others with their throats slit by their Assyrian captors. If it were a video, it would be X-rated for violence. It is nonetheless haunting in its depiction of the barbarity and cruelty of Assyria.
You can read the full account of Sennacherib's siege of Jerusalem in the Bible; specifically, in the book of the prophet Isaiah (chapters 36 and 37), Chronicles (2 Chronicles 32) and the book of Kings (2 Kings 18 and 19). As for the denouement of the story, the Bible says that "the angel of the Lord slew 185,000 Assyrians in the night," and Jerusalem never fell. The annals of King Sennacherib boast, "I locked up King Hezekiah like a bird in a cage and made him pay me tribute" (in other words, Hezekiah paid off the Assyrians). While Sennacherib's annals and the Biblical accounts differ somewhat, they agree on principal items, such as the fact that Jerusalem never fell to the Assyrians. And that's why I find the story so interesting.
If Jerusalem had fallen, an entire culture, people and language would have been destroyed and history would have been entirely different. There would be no Jews in the world today, nor Christians, either, for obvious reasons. I wanted to see Lachish because it represents part of a fulcrum on which history turned, much like the battle of Salamis, wherein the west (Greece) defeated the east (Persians), allowing western values we take for granted to flourish and take root (democracy, for one). Although Lachish has not been heavily reconstructed, just being there, hearing the story again, and seeing where the Assyrian siege ramp was, made history real for me. It's humbling.
For those who are not students of ancient history, the reprieve from the Assyrians was relatively short-lived, for in 586 BC/BCE the Babylonians sacked Jerusalem and carried off the Jews into captivity. Unlike the Assyrians, the Babylonians allowed their captives to keep their language, religion and culture. In a perverse way you could argue that the first galut (diaspora, or exile) enabled the Jewish people to survive, because the religion became portable (that is, not tied to the physical temple in Jerusalem). This first diaspora was followed by a second, much longer diaspora after the Romans sacked the second temple (so-called Herod's temple) in 70 AD/CE, a diaspora that ended with the recreation of the state of Israel by the United Nations in 1947. For all those centuries, a unique culture (and religion) survived and endured in exile, in no small part because it was internalized and portable.
There are some security takeaways from what has evolved into a rather long history lesson. One of them is that internalizing a culture so that it can survive, thrive and endure means not tying it to physical structures. Security is like that: to the extent we are wedded to "structures" -- the security products like firewalls, anti-virus and anti-spam -- security is not "portable," it is not a ubiquitous culture, and it may not survive the destruction of the structures that represent "security." Putting it differently, if all these security products are so great, why do we still have data breaches, attacks, and on and on? The answer is that security isn't merely a product. If it were, everyone would have Bought Security, Installed It, and we'd be done.
The reason security matters now more than ever is that the model of defense (in IT terms) that Jerusalem and the fortified cities like Lachish represented is largely gone. Wherever you turn, people pontificate about the deperimeterization of the network and the abandonment of bastion defenses. Data is not locked up behind portcullises and multiple walls anymore. Web 2.0, we are told, is the triumph of the collaborative and metamorphic over the monographic and static. It's as if, instead of data living in fortified cities, it strolls out of the city gates and camps with other data in "mashup tents" that fold or are rolled out elsewhere with apparent ease. We create larger encampments, if not exactly on the fly, nonetheless in a more "pre-fab" way using web services.
Everyone understands the value and collaborative appeal of Web 2.0 or "Web Improv," as I like to call it, but few understand that if the network is going to be deperimeterized and more of what we do will be improvisational and collaborative, security can't just vanish. The Assyrians -- or their 21st century IT equivalents -- haven't gone away, they are still just as ruthless as ever. We might even need to recreate the Greek phalanx, where your shield covered the person to your left, and thus security itself was collective and collaborative and not merely "singular."
Maybe we are long overdue for the culture shift that goes with the "data diaspora" Web 2.0 represents: security truly becoming a culture, portable and "internalized," so that it is no longer tied to a few arbitrary defensive structures. The Marine Corps understands this shift very well. Whether you are an admin clerk or an IT person, every single Marine is a Marine first, and that means Every Marine Fights. Every Marine goes through boot camp and every Marine officer goes through Basic School. The Marines have a unique culture that has endured and thrived as long as there has been a Marine Corps, and it starts with their training. (One of many things to love about Marines: every Marine knows and can recite the great deeds of other Marines. I've never met anybody in the other services who can, for example, rattle off the name of a Medal of Honor winner and what he received it for. Marines know their heroes.)
If we are going to think differently and defend differently, we need to start reinforcing cultural security values in training, just like the Marines do. And maybe every product needs to self-defend, instead of assuming that someone else or something else with a full magazine is standing guard. There are a couple of places to start in terms of reinforcing security culture. One of them is creating a "Marine corps ethos" in the development world. SANS has taken a stab at this by creating a certification for secure coding practice, for which I salute them. (SANS is a force for good in the universe, right up there with NIST on my hit parade.) You'd like to think that nobody in computer science graduates from a university without being able to pass the SANS certification on secure coding practice and maybe, just maybe at some point in the future, this exam or one like it will be the equivalent of the Engineer-in-Training exam I had to take.
Returning to my classical world example, everyone has heard of the "Hippocratic Oath" that doctors swear fealty to ("First, do no harm"). Hippocrates, of course, was a Greek physician considered to be the father of medicine. I would like to propose a similar oath for computer science graduates, to help cement security as a cultural value, and that would be, "First, assume an enemy." Assume that your code, your product, your cyber-what-have-you will be attacked, and both think and code defensively. You should know how to handle not just good input, or bad input, but "evil input" (thanks to our release manager for this term) and deliberate attacks. We could name it after any one of a number of great Greek generals or admirals: Themistocles, winner of the battle of Salamis; Alcibiades, an Athenian general during the Peloponnesian War; or perhaps Epaminondas, who freed the helots (slaves) from their Spartan overlords.
If we adopt the "Epaminondasic Oath," maybe we can free security from its physical limitations and engender the collaborative defense we need to go with the collaborative Web 2.0. It's worth a shot.
For more information:
SANS Secure Coding Initiative:
There is a lot of security writing out there in varying degrees of confundity. I appreciate those who can write plainly for the non-expert about important security issues, like Pete Wood in the following:
Online access to Biblical accounts of Sennacherib's campaigns at:
Sennacherib's account of his dealings with Hezekiah:
Various accounts of Sennacherib's campaigns against Israel:
More on Sennacherib:
One of my absolutely favorite books, on 19th century excavations of Assyria (who ever said history was boring?):