Fort Pulaski was completed in 1847. Built as a response to the War of 1812, it was a state-of-the-art fort built to protect the port of Savannah. Its walls were 11 feet thick and the moat was eight feet wide. But the real genius lay in its location. On an island in the middle of the Savannah River, it was a full mile from the nearest land on Tybee Island. It could not be approached by land. The smoothbore cannons of the time had a range of about half a mile, therefore land-based cannons could not be brought to bear. By sea, no ship’s guns could hope to affect the fort’s walls before being sunk.
Confederate forces quickly took control of this key asset at the beginning of the Civil War to protect Savannah. In December 1861, they ceded Tybee Island to Union forces, deeming it too difficult to defend. The Union began building batteries on the island, occasionally issuing a surrender offer to the forces in the fort. All were declined.
On the morning of April 10, 1862, one final request for surrender was sent. As with all the others, it was laughingly denied. Union forces then opened fire, their experimental guns firing bullet-shaped shells from rifled barrels. The new shell shape, combined with the spin generated by the corkscrew design in the cannons’ barrels, gave the new guns a range of over four miles and significantly improved accuracy. 30 hours later, with the fort’s main powder magazine in danger of breach, Fort Pulaski was surrendered.
As defenders, relying on the past is a dangerous way to predict the future. Innovation, it seems, tends to favor the attacker.
I began thinking of what “Pulaski Moments” might lie in our future.
Supply Chain – I know we’ve seen some of this, but I think it gets far worse. These attacks take some time to lay, but they are extremely effective. It is my belief that there are many of these floating downstream toward us.
Artificial intelligence may not immediately provide Matrix or Terminator-style smart attacks, but it is going to scale the most effective attacks. Attacks requiring significant time and investment will now be available at a massive scale for little cost. We can expect the kind of persistent, intelligent attacks seen occasionally at our most valuable targets to appear everywhere, all at once.
Imagine a system that uses available data about your company, titles, and reporting schemes. It harvests social media (such as Facebook and LinkedIn) in these targets as well. Finally, it adds in current news about your company. Throw that into a large language model and you have excellent spear phishing risks, at scale, across your entire organization.
Imagine a bot as a payload that has basic learning around lateral movement and discovery, prepared to move quickly and quietly to get complete control. Again, at scale, without the need for high-level hacking resources. And I’m sure there are more.
But the most important Fort Pulaski lesson isn’t to be ahead of the attackers. The most important lesson is humility. And how do we expect the unexpected?
Resiliency.