Looking at the world in the early 21st Century, it's possible to see things in two different ways: on the one hand, you have the vertically-delineated world of nations.  Indeed, many of the recent developments in politics can be seen as the reinforcement of the age-old relevance of the nation-state - Brexit, Trump, Chinese sabre-rattling etc.  On the other hand, however, there are plenty of things that seem to work horizontally, cutting across national boundaries: environmental measures, pandemics, financial markets and technology.

The issue comes when you try to square the vertical with the horizontal.  And it's an issue that gets ever bigger, as the horizontal forces grow stronger.  I wrote in an earlier blog about the risks that populism pose for the cloud architecture, depending as it does on borderless access.  The risk flows the other way too, as the supranational challenges of the environment, financial stability, the pandemic and the internet could render a national government superfluous, save for the assiduous execution of multilateral accords.  Wriggle as it might, the UK government's efforts to "take back control" have simply highlighted how little room for manoeuvre there is to plough its own furrow - its trade, welfare, and fiscal policies all look remarkably similar to its neighbours'.  The danger is that governments try to camouflage their limited power by popinjay politics, picking fights with those aspects of the multilateral norms that suit domestic opinion polls.

It is interesting that, as horizontal influences strengthen, so do our powers of denial.  I have written before about the extraordinary sniffiness many in the UK have towards technology and numbers:  it's a badge of honour to be pap with machines.  We also call this horizontal march "globalisation", as if conveniently to label it as a conscious (and deliciously reversible) policy.  Our talking shop parliaments, filled with talkers, wish for a world controllable by talk.  Sadly, the logic of global capital markets and technology do not listen to talk, and certainly not national talk.  Much as we would like to define our own versions of these things, it is doomed and as parochial as those in English regions and cities who fought to keep local time in the face of the march of the railways in the Nineteenth century.

How are the horizontal influences strengthening?  In addition to culture, the existence of the nation state owed much to its necessity: To do something, you needed to be somewhere.  That is rapidly becoming unnecessary.  Even internet access, hitherto dependent on local infrastructure (and so local control) will increasingly be available anywhere you can see the sky, which is frightening the heebiegeebies out of the Russian and the Chinese governments.  Travelling?  The infrastructure needed to do so internationally inevitably invokes a border trigger (bar the odd smuggler).  What happens when a VTOL drone can move you 300 miles? Ordinary (if wealthy) people can then make their travel arrangements free of government purview, in the same way as the advent of the eurobond market created "moneyland" for people's financial arrangements.  My point is not that these developments are good or bad (and, in the case of money, it has definitely caused issues), but that they will come, and will necessitate a reaction better than denial. 

How do hyper-vertical organisations react?  The history of national tax agencies in the teeth of moneyland shows how hard it can be.  Even the Americans now see the benefits of international cooperation on tax, which perhaps shows the way for other agencies.  The UK's first attempt at carbon pricing will mean nothing until it builds the links to the European equivalent, for instance.  Perhaps the most interesting challenge lies with those vertical institutions whose role is at least in part, the opposite of cooperation: national armed forces.  Possessing an ancient hammer, there is a danger that everything continues to look like a nail - cyberspace becomes just another vector of battle, they might say.  Except that it isn't: warfare in this space is like a competition to chuck the most powerful brew down a communal well - everyone ends up poisoned.  Almost all the most damaging cyber incidents that we know about that have affected the West - Notpetya, Wannacry - contained major elements actually first built by Western Cyber Agencies.  They are on the horns of a particularly difficult dilemma.  They are paid to be the State's ultimate insurance, standing up to threats and possessing the nation's monopoly of violence.  In that context, they are pushing back against authoritarian regimes like Russia and China.  But in so doing, they unwittingly become those nations' accomplices in the strengthening of national boundaries that cut across the global technology commons, a commons profoundly dangerous to authoritarianism.  And in so doing, they might find themselves more at home with their adversaries' social and patriotic values than those of the people they are paid to defend.

I thought I would put pen to paper about this SolarWinds attack. As ever with Supl posts, this is not designed for the IT community, but rather its business masters: trying to put the attack into some sort of historical context, and offering some thoughts as to how we should move forward.

The point is that we have built our Networks the wrong way round. Rather than groupings of computers, our networks should be built around trusted people and the information they need and share. 

There has been some excellent technical analysis of what we know of the hack so far: the consensus is that whilst the attackers were sophisticated (particularly in the way they kept their tracks hidden), the methods by which they gained access were probably age-old and pretty basic, requiring no degree in computer science to understand. Somewhere in the SolarWinds estate sat a server that had missed being fully patched, and a bit like a careless zebra getting itself separated from the herd, it was brought down by the marauders. Other parts of the hack were also age-old: in the 1970s British Intelligence had the sense to recruit the IRA's head of internal security, giving him the perfect cover, he had access to all areas and was able to act with broad impunity - would you question the ultimate hardman? Likewise the KGB were clever enough to position Kim Philby as the head of the section in M16 to counter the Soviet threat. Wind forward to the 21st century, and SolarWind's Orion product was the virtual equivalent: Designed with counterintelligence in mind, it had access to all areas, and impunity to execute.

What's the prognosis? Pretty awful, if truth be told. Although the Wannacry ransom ware attack was, on the face of it, more disruptive, at least such disruption was its obvious exhaust. In this case, the objectives were likely to be more insidious (information not a ransomware attack), and so there will never be a point when these networks can be considered "clean". If that sounds apocalyptic, perhaps it is the opposite. Finally the risk of doing things differently might be lower that muddling along as usual.

What does doing things differently look like? Spoiler alert: I have no special abilities to know the future, nor am I trying to sell a tech product that fixes things - that is how we got into this mess in the first place. Rather I see my job as asking the stupid, fundamental questions to tease out those answers, free from the shackles of narrow, deep technical knowledge, or (I hope) bound by the prevailing orthodoxy. 

It is interesting to note that just as the past offered a good guide to the attackers, so it does to the defenders. Many years ago soldiers learnt that to build a thin protective crust that did not distinguish between low and high value assets was asking for trouble: rather they learned to defend in depth, accept and exploit the inevitable enemy incursion, and make sure that the dominant hill in your terrain was the one you concentrated most of your defensive resources on. The digital world, not overly stuffed with historians, has singularly failed to learn this lesson. I give you the Network, a collection of connected computers: a digital crust. 

Interestingly, even the soldiers I talk to do not question this digital orthodoxy, equipped as they are with centuries of relevant (and clashing) experience. Perhaps their cultural conservatism leads them to favour something where there is a "them" and "us". The Network provides such topography, but it is an illusion. In technology (as in financial markets and the environment), in the words of one cultured West Coast executive, "we all use the same shit". Thus the challenge more akin to managing a global commons than manning the trenches.

It is good to go back to first principles. What is technology for? Essentially, it is to ensure that trusted people can find stuff out to do their jobs. They don't require stuff that they don't need for their job, and if they don't have a job to do, then they should have no access to anything. Simples. Once you bring it back to those two things - people and stuff - you realise that computers are just the support act. Except the Network is predicated the opposite way around, as it is a design that places computers at the centre, pushing people and stuff to an afterthought. With computers at the centre, you need other computers to manage them, using ever-sophisticated (and impenetrable) means to do so. You only need to corrupt one computer to allow it to potter about among all the other computers, asking questions that would be impossible for a person to pull off if not accredited.

So, to the stuff. Too much stuff is parcelled into documents, managed by little programmatic actors that may or may not be corrupted (word, excel etc). This is because most companies pay little strategic heed to how their stuff is organised and described, leaving it to each generation of middle management to reinvent the wheel. Converting stuff to a long-term home in a secure data store will not only improve confidentiality, it will ensure that the business learns as it goes, becoming wiser. 

Then, onto the people. Once the stuff is safely inside a datastore (somewhere that allows for the storing of data and the recording of interaction about those data in context), then it becomes possible to organise it such that people have access only to that part of the datastore that they require to do their jobs - let’s call it need-to-know.

What of the computers? Given the stuff is in one place, and the groups of people connected through their access to the stuff, then computers can be relegated to acting as binoculars and so do not need to be connected to other computers. 

This begs so many questions, of course. It cuts across so many cultural mores - surely the Network is an Asset that is in physical form, “here” as opposed to “there”? It also shows up a glaring skills gap in most large enterprises: add up the Network engineers and the IT security people, and divide them by the number of specific information specialists, and you probably have a number in excess of 100. Too difficult? SolarWinds tells us we have no alternative. 

Oh no, I hear you say.  Another exhortation from someone in IT about how I should not write passwords down/have unique ones/not click on dubious emails.  Not so fast!  It's actually to make the point that the risk picture for information is much more nuanced than IT would have you believe.

Notice that I use the word information, not the acronym IT: they are two different things.  For a start, most security policies start and stop at the frontiers of the technology: how many businesses properly have controls on what papers can be carried out of the office?  In many ways, more dangerous - they can be read without a password and cannot be remote-wiped.  Secondly, mistaking IT for information means that businesses have outsourced the management of their information to computer people, who (typically) prefer the binary of the motherboard to the ambiguities of real life.  Thus they have built networks of technology into The Network, centered around the needs of those who manage that Network, not those for whom technology is supposed to serve.  Everything becomes deliciously un-nuanced: things are either On the Network or Off It, trusted or not.  The only risk becomes one of penetration.  Simples.

Except it's not in the real world.  Even before this COVID emergency, being in a different place from The Network was not exactly unheard-of: salespeople on the road, and the awkward presence of business partners in a value chain that did not sit inside a Network.  Still, configure a VPN and offer people the chance to get their emails on their phone should do the trick.  Er no.  A Network makes the mundane internal communication easy, the valuable inter-company connection really difficult. 

The point I am trying to make is that there are more risks to information than just penetration.  If you put the word information in front of the word security you typically mean the challenge of preventing unauthorised access to that information: if you put the word energy in front instead you are often talking about the challenge of maintaining supply.  And it is this risk of non-supply of information that is the one suddenly confronting businesses as they realise that, for all their trumpeting about twenty-first digitisation, they are really no less dependent on the analogue infrastructure of the office than their nineteenth century counterparts, whizzing internal memos about through compressed air tubes. 

Ironically it is those businesses most obsessed with the first risk of penetration that have made themselves most vulnerable to the second: IT bods have obsessed themselves with the "risk" of putting stuff in the cloud.  It is now obvious that it has been hugely risky not to.  The risks of confidentiality in the cloud can be managed: the absence of a proper network (with a small n) of information outside the office cannot be fixed with the sticking plasters of a VPN and a hurried subscription to Zoom.

When (I hope) things return to a more normal footing, and after thanking the IT department for their heroics in working all hours to apply emergency measures, perhaps a question or two needs to be addressed to the IT headshed as to why the business was so vulnerable in the first place to risks that were obvious (and mitigatable) way back in the SARS emergency of 2003.

If your search engine has thrown this up in the pursuit of salacious stuff surrounding our dearly-beloved elected representatives, sadly I have to disappoint you.  What I have to say concerns the rather more mundane world of IT systems.

Still, it is flippin' important.  Given the lamentable levels of tech understanding among our politicians, if you say the word "IT" to them, they immediately think "security/privacy".  Now, I'm not saying that those things are not important, of course they are: but they are not the only things to be considered.  The threats need to be balanced against the benefits of IT investment.  Sadly, there are good reasons for things being as they are: politicians know little about tech, and so cannot enunciate much in the way of the "why", save for some nebulous "cost savings" figure plucked out the ether by some obliging civil servant.  Second, their constituents tend not to have much clue either, and are change averse: it's no surprise that this is front of mind for the politicians.

Mind you, I malign politicians unfairly: a vanishingly small number of senior business people (including in the tech sector, interestingly) and senior public servants have any sense of the transformative potential of great technology either.

So what? I hear you say.  It's good to be cautious….Er, no, it's not.  The consequences of such caution are that technology projects are judged exclusively on their ability to withstand penetration, and on their progress on delivering against budget.  Thus a system designed to be invulnerable can be pretty difficult to do anything in, spawning an explosion of the use of bootleg apps by users actually trying to get things done.  And the best way to ensure a system delivers against budget is to inflate the budget, especially with all the paraphernalia designed to, you've guessed it, …..check on progress against budget.

So we have stuff built at multiples of their real cost, designed more for invulnerability than utility: no wonder IT has such a rubbish reputation.