Lessons on Border Walls from Cyber Security

Note to the reader: I hope you will set aside any political bias when you go through this piece. Democrats should not gloat that border walls are evil – because they are not. And Republicans should not ignore my comments as the rantings of a crazed liberal – because I am not one. Rather, this piece is intended to remind readers of a mature and uniformly held belief about the ineffectiveness of network perimeters that offers useful insight to the current debate in the US.

It is an accepted fact across the entire cyber security community that border walls do not work. Originally conceived in the 1990’s using newly-emerged tools called firewalls, people like me tried to construct physical boundaries to keep bad actors from entering our trusted networks. The concept seemed fine at the outset, but serious problems quickly emerged. One might argue that the result is the enormous cyber security mess we find ourselves in today.

The first problem with border walls involved chokepoints. That is, if bad actors could only enter networks across a small number of entry locations, then an effective perimeter was possible. When companies had one or two connections to the Internet, for example, firewalls could mediate access and a perimeter was possible. But with the explosion of ubiquitous, mobile access to the Internet, chokepoints make no sense – and border walls break down.

The second problem with border walls involved insiders. We originally believed that keeping bad actors away from our networks could be achieved by policing the entry points. But with the complexity of modern business, insiders emerged who could be compromised, or who could become disgruntled. Most security experts refer to this insider problem as the most insidious of challenges, and border walls have no impact on the risk.

The third problem with border walls involved shifting business models. In the early days, if the firewall only needed to support simple transactional work, then we could write simple rules to control the boundary. But as businesses began to adopt more complex external engagements including outsourcing and teleworking, the myriad of access exceptions required in firewalls made them far less secure.

The analogy to physical border walls is obvious, because the changes in networking have also occurred at our nation’s border. We have, for example, thousands of miles of physical border access; we have large numbers of undocumented immigrants already inside our country; and we’ve seen increasingly complex business and societal interactions across our border with our neighbors. These changes make perimeters untenable.

The analogy goes further: Non-technical business managers and Luddite board members commonly lament this claim that perimeters do not work. They often demand justification for why company firewalls do not prevent bad actors from entering. The problem is that their security instincts developed at a time when firewalls, and large physical walls, might have been effective. Convincing these leaders to develop new instincts is quite a challenge.

The solution we’ve adopted in cyber security – one that we are now explaining to senior executives – involves creating a virtual perimeter. You can think of this new method as a coordinated system of defenses with no physical border. Instead, protections are shrink-wrapped to match local data and systems. Google’s innovative BeyondCorp approach is an example of a virtual perimeter, one that is often cited as best-in-class for enterprise security.

Our nation should learn from the cyber security community and do something similar. We must turn our attention away from perimeter walls and toward those areas on either side of our border that need immediate security attention. This must include distributed protections that are located within our national boundary, situated closer to our valued national assets. This method is directly analogous to what we are doing in cyber security.

Regardless of your political beliefs and biases, I hope you will recognize that the cyber security community has already answered this basic question of whether an enormous and complex border can be policed by walls. Every cyber security expert on the planet agrees that perimeters do not work, and that any organization trying to build larger walls around their assets will be disappointed with the results.

Dr. Edward Amoroso is Distinguished Research Professor at NYU, Adjunct Professor at the Stevens Institute of Technology, Senior Advisor at the Applied Physics Laboratory at Johns Hopkins University, Founder of TAG Cyber LLC, retired former Senior Vice President and Chief Security Officer of AT&T, and former Member of the NSA Advisory Board.