Digital Barbarians at the Gate: Learning from History

Like the Romans, We are Highly Trained and Hold Technological Superiority to Most of the Threats We Face, Yet We are Beaten by the Digital Equivalent of the Germanic “Barbarian” Tribes....

In 9 AD the Roman Governor of Germania, Publius Quinctilius Varus, led three Roman legions, six Auxiliary Cohorts and three Cavalry squadrons into an ambush that resulted in the total annihilation of his troops and his own death, and effectively ended Imperial Rome’s expansion into Northern Europe.

Estimates of Varus’ forces range from 14,000 to 20,000 fighting men, in addition to the usual entourage accompanying an ancient army, such as families, servants, prostitutes and merchants. Total estimates top out around 36,000 men, women and children.

These numbers are of course meaningless unless a context is provided. It is estimated that during the 1st century AD, the Imperial Roman army had a total of 28 Legions(1). The Battle of the Teutoburg Forest, or the Varian Disaster (Lat. clades Variana), cost Rome almost 10% of its legionary manpower in one quick, brutal and bloody event. If we take the United States as an example, with 1,458,219 active military, it would be equivalent to losing over 145,000 men in one battle.

The Roman army at the time was arguably the most powerful war machine in the world. It was modern (in the sense that we would recognize familiar structures and concepts, and that much of what we do even now is still based on the Roman pattern), professional (these were no part-time soldiers and full-time farmers, like many of their opponents), highly disciplined, well trained and equipped with high-quality arms and armour. Add to this century-old tried and tested tactics, strategies and technologies, and a century-old martial tradition and history.

To cite one example, in 52 BC, just over 50 years earlier, at the battle of Alesia in Gaul(2) (modern France), Roman forces numbering around 60,000 troops under Gaius Julius Caesar built 18 kilometers of fortifications, with 4 meter high walls and two ditches over 4 meters wide, in 3 weeks. When Gaulish reinforcements neared and threatened to break the siege, the Romans built a second set of fortifications outside the first, 21 km long, as an outer wall, effectively creating a firewall and DMZ.

The average Roman Legionary wore metal armour, including a helmet and often also metal or leather greaves to protect the limbs, carried a large shield, and was armed with the gladius, a short sword, several pila, throwing javelins, and a short dagger. It was like facing a wall of metal, especially when facing hundreds if not thousands of legionaries.

The Germanic force, on the other hand, is estimated to have been around 12,000 men strong. Germanic tribal combat was based on individual, close-quarters, man-to-man combat with little to no regimental discipline, formations or tactics. Essentially, they attacked as a horde. The average Germanic tribesman garnered protection via a large, round wooden shield and a short woollen cloak and trousers(3). Offensive capabilities were primarily gained by light spears and javelins; swords, heavy lances and metal armour, and worked metal in large quantities in general, were rarities and consequently did not figure prominently in their warrior culture.

This all begs two questions: 1. What does this have to do with Information Security and why are you reading it on SecurityWeek? 2. How could the Romans lose?

It really all comes down to following or, as in this case, not following best practices.

As noted above, the Roman army, with its technological, material and strategic superiority should have emerged victorious in any normal engagement against the Germanic tribes. But that presupposes that these advantages could be drawn upon.

The ambush was planned and executed by a Cheruscan tribal chief, whose name has been carried down to us as “Arminius” (which in turn was later Germanized as “Hermann”). Written sources on him are few and far between, as they are for the entire event, but they suffice to paint a picture of a Germanic noble sent to Rome as a youth, essentially as a hostage, to be Romanized in the process. He rose to the rank of Equestrian (a lower aristocratic title) in the Roman Auxiliary Cavalry, and was considered a close friend by Varus. Here was a man educated in Roman ways and experienced in Roman war making.

Cassius Dio has the following to say about Varus’ relationship to Arminius:

Among those deepest in the conspiracy and leaders of the plot and of the war were Arminius and Segimer, who were his constant companions and often shared his mess. He accordingly became confident, and expecting no harm, not only refused to believe all those who suspected what was going on and advised him to be on his guard, but actually rebuked them for being needlessly excited and slandering his friends.

Roman sources indicate that Varus saw his mission in Germania as one of consolidation. Rome was ready to incorporate it as a province and, as a consequence, was preparing to begin raising taxes and infrastructure. As far as Varus was concerned, the population was pacified for the most part and he could now go on to the next stage: business.

According to the few sources for the battle, the army was on its way to suppress a minor uprising in northern Germany, a ruse initiated by Arminius. Ancient sources such as Tacitus, Cassius Dio and Josephus lay the blame squarely at Varus’ feet. Some hint at an insecure, incompetent commander, but that seems to be more public relations damage limitation than actual truth. Adrian Murdoch makes a strong case that Varus was a very experienced and efficient governor. He had governed both Syria and Judea: one the crucial border to the Parthian empire, Rome’s great counter-empire to the east, the other a hotbed of dissent and rebellion. He was also an intimate member of the emperor’s inner circle, by marriage.

Yet despite his experience and prior stellar track record, he made a fatal mistake. Instead of marching his forces in battle readiness and being wary, historical chroniclers state (and archaeological finds have corroborated this) that he let them march disordered and drawn out over kilometres, with the added burden of a large civilian and administrative contingent.

The surviving records and the evidence at the dig-site paint a harrowing picture of the ambush. The Romans were unable to organize themselves, their weapons and armour not at hand, hindered by baggage and civilians. The Germans funnelled them into a narrow corridor between marshes and woodland, previously prepared with fortifications and traps, and over the next days annihilated the forces utterly.

There were of course several attempts to regain order and enforce best practices by the Romans, but the chaos of the battlefield, the initial shock of the ambush and the sheer difficulty of the terrain made these attempts short-lived and futile. Even after the successful construction of a fortified camp, by which time the civilians and baggage train had long been left to fend for themselves, for reasons unknown to us, Varus made the fatal decision to leave the camp the survivors had hastily constructed to make an attempt to break out, and by leading them back out into the open sealed the fate of the Roman forces.

Under the circumstances, best practices would have dictated maintaining the fortified position. Only Varus and his immediate staff will have known why they disregarded this, or why they did not maintain some semblance of alertness and caution; they took these reasons with them to their grave. Some committed suicide when they recognized that the situation was hopeless (or they had their servants do it for them, if they lacked the courage). Others were sacrificed in bloody rituals by the victors, if the records are to be believed.

Today too, we believe that the world has been pacified and all that is left is the task of focusing on business. We are not in a state of readiness or alert. The barbarians have been civilized, with any unrest or evidence to the contrary being isolated exceptions. Best practices are not being followed.

Like the Romans, we are highly trained and professional, and we hold technological superiority to most of the threats facing us (some may object on account of government-sponsored hacking or cyber warfare, but the assumption that most governments have more resources or a better pool for recruitment than a global corporation does not reflect reality). Yet we are being beaten by the digital equivalent of the Germanic “barbarian” tribes. There are kids out there using off-the-shelf SOHO kit to take down security systems often costing millions of euros, dollars, or yen, manned and operated by very expensive specialists. They do not have processes, procedures, or policies, nor can they do this full time with someone footing the tab. But they know how to hit us hard, where the weaknesses are and where to attack us. If we do not follow best practices.

The truth is that following best practices would have saved Varus and his 20 thousand men. And the same is true of many security breaches. Best practices do not just apply in times of crisis. They must be followed always, because attempting it when the crisis has already hit is too late.

It is this, most of all, that the security department and the CSO have to ensure. That, and to realize and create awareness that the world, especially the digital one, has not been pacified.

When Emperor Augustus heard of the disaster, the Roman historian Suetonius writes that he was so shaken that he butted his head repeatedly against the palace walls shouting, “Quintilius Varus, give me back my legions!” (Quintili Vare, legiones redde!). History does not repeat itself; that is just a saying. But it does rhyme, and we would be wise to learn from the mistakes of others.

Otherwise we may soon see many CEOs butting their heads against their office walls, shouting “CSO, Give me back my Data!”

(1) Peter Connolly, Greece and Rome at War (Greenhill Books, London, 1998)

(2) Julius Caesar, Commentaries on the Gallic Wars

(3) Adrian Murdoch, Rome’s Greatest Defeat, The History Press

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of Information Security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and given interviews on the topics of Information and Offensive Security, as well as Cyber-Terrorism and Hacker Culture.