<?xml version="1.0" encoding="UTF-8" ?><!-- generator=Zoho Sites --><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><atom:link href="https://www.supl.co.uk/blogs/tag/cyber/feed" rel="self" type="application/rss+xml"/><title>Supl - Thoughts #cyber</title><description>Supl - Thoughts #cyber</description><link>https://www.supl.co.uk/blogs/tag/cyber</link><lastBuildDate>Thu, 03 Apr 2025 20:38:40 -0700</lastBuildDate><generator>http://zoho.com/sites/</generator><item><title><![CDATA[Vertical v Horizontal]]></title><link>https://www.supl.co.uk/blogs/post/Vertical</link><description><![CDATA[Technology is not just for nerds]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_iR6hbecaQZ6fnL3M0MQ5YQ" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_FNH3RM4DTjWTeW51AJvxAg" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_x_Lwr4wsS3yj5raZSXD01A" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_dKT3R8lvS_G3acJBQ5qwkw" data-element-type="text" class="zpelement zpelem-text "><style> [data-element-id="elm_dKT3R8lvS_G3acJBQ5qwkw"].zpelem-text{ border-radius:1px; } </style><div class="zptext zptext-align-center " data-editor="true"><p style="text-align:left;font-size:11pt;"><img src="/Karen%20-%20Simon%20-%20Websized-3.jpg" style="width:98px;height:147.5px;"><br></p><p style="text-align:left;font-size:11pt;"><br></p><p style="text-align:left;font-size:11pt;"><span style="font-size:11pt;">Looking at the world in the early 21st Century, it's possible to see things in two different ways: on the one hand, you have the 
vertically-delineated world of nations.&nbsp; Indeed, many of the recent developments in politics can be seen as the reinforcement of the age-old relevance of the nation-state - Brexit, Trump, Chinese sabre-rattling and so on.&nbsp; On the other hand, however, there are plenty of things that seem to work horizontally, cutting across national boundaries: environmental measures, pandemics, financial markets and technology.</span><br></p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">The issue comes when you try to square the vertical with the horizontal.&nbsp; And it's an issue that gets ever bigger, as the horizontal forces grow stronger.&nbsp; I wrote in an earlier blog about the risks that populism poses for the cloud architecture, depending as it does on borderless access.&nbsp; The risk flows the other way too, as the supranational challenges of the environment, financial stability, the pandemic and the internet could render a national government superfluous, save for the assiduous execution of multilateral accords.&nbsp; Wriggle as it might, the UK government's efforts to &quot;take back control&quot; have simply highlighted how little room for manoeuvre there is to plough its own furrow - its trade, welfare, and fiscal policies all look remarkably similar to its neighbours'.&nbsp; The danger is that governments try to camouflage their limited power by popinjay politics, picking fights with those aspects of the multilateral norms that suit domestic opinion polls.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">It is interesting that, as horizontal influences strengthen, so do our powers of denial.&nbsp; I have written before about the extraordinary sniffiness many in the UK have towards technology and numbers:&nbsp; it's a badge of honour to be pap with machines.&nbsp; We also call this horizontal march &quot;globalisation&quot;, as if conveniently to label it as a
conscious (and deliciously reversible) policy.&nbsp; Our talking-shop parliaments, filled with talkers, wish for a world controllable by talk.&nbsp; Sadly, the logic of global capital markets and technology does not listen to talk, and certainly not national talk.&nbsp; Much as we would like to define our own versions of these things, the effort is doomed, and as parochial as those in English regions and cities who fought to keep local time in the face of the march of the railways in the nineteenth century.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">How are the horizontal influences strengthening?&nbsp; In addition to culture, the existence of the nation state owed much to its necessity: to do some<span style="font-style:italic;">thing</span>, you needed to be some<span style="font-style:italic;">where.&nbsp; </span>That is rapidly becoming unnecessary.&nbsp; Even internet access, hitherto dependent on local infrastructure (and so local control), will increasingly be available anywhere you can see the sky, which is frightening the heebie-jeebies out of the Russian and Chinese governments.&nbsp; Travelling?&nbsp; The infrastructure needed to do so internationally inevitably invokes a border trigger (bar the odd smuggler).&nbsp; What happens when a VTOL drone can move you 300 miles?
Ordinary (if wealthy) people can then make their travel arrangements free of government purview, in the same way as the advent of the eurobond market created &quot;moneyland&quot; for people's financial arrangements.&nbsp; My point is not that these developments are good or bad (and, in the case of money, they have definitely caused issues), but that they will come, and will necessitate a reaction better than denial.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">How do hyper-vertical organisations react?&nbsp; The history of national tax agencies in the teeth of moneyland shows how hard it can be.&nbsp; Even the Americans now see the benefits of international cooperation on tax, which perhaps shows the way for other agencies.&nbsp; The UK's first attempt at carbon pricing will mean nothing until it builds the links to the European equivalent, for instance.&nbsp; Perhaps the most interesting challenge lies with those vertical institutions whose role is, at least in part, the opposite of cooperation: national armed forces.&nbsp; Possessing an ancient hammer, there is a danger that everything continues to look like a nail - cyberspace becomes just another vector of battle, they might say.&nbsp; Except that it isn't: warfare in this space is like a competition to chuck the most powerful brew down a communal well - everyone ends up poisoned.&nbsp; The most damaging cyber incidents we know about to have affected the West - NotPetya and WannaCry - both spread using the EternalBlue exploit, first built by a Western intelligence agency and later leaked.&nbsp; The armed forces are on the horns of a particularly difficult dilemma.&nbsp; They are paid to be the State's ultimate insurance, standing up to threats and possessing the nation's monopoly of violence.&nbsp; In that context, they are pushing back against authoritarian regimes like Russia and China.&nbsp; But in so doing, they unwittingly become those nations' accomplices in the strengthening
of national boundaries that cut across the global technology commons, a commons profoundly dangerous to authoritarianism.&nbsp; And in so doing, they might find themselves more at home with their adversaries' social and patriotic values than those of the people they are paid to defend.</p><p style="text-align:left;"><span style="color:inherit;"></span></p><p style="text-align:left;font-size:11pt;">&nbsp;</p></div>
</div></div></div></div></div></div> ]]></content:encoded><pubDate>Mon, 17 May 2021 15:51:17 +0000</pubDate></item><item><title><![CDATA[The Huawei Problem]]></title><link>https://www.supl.co.uk/blogs/post/the-huawei-problem</link><description><![CDATA[It's not the company, it's our approach...]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_FcupDMHpRTidcicoC5PvHA" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_b8PAHQOcS2mimPz6_gYxog" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_BNfzvw-QT8qlnq1uTLvmMQ" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_ao8mhfqDRPWy-uHcveernw" data-element-type="text" class="zpelement zpelem-text "><style> [data-element-id="elm_ao8mhfqDRPWy-uHcveernw"].zpelem-text{ border-style:none; } </style><div class="zptext zptext-align-center " data-editor="true"><p style="text-align:left;"><span style="color:inherit;"></span></p><div><div style="width:7.6041in;"><div style="width:7.6041in;"><p style="text-align:left;font-size:11pt;"><img src="/Karen%20-%20Simon%20-%20Websized-3.jpg" style="width:103px;height:154.5px;"><br></p><p style="text-align:left;font-size:11pt;"><br></p><p style="text-align:left;font-size:11pt;">Despite the title of this piece, the problem isn't really Huawei: it's how we are approaching the issue.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">What's the issue?
Technology meets sovereignty, or perhaps the twenty-first century meets the twentieth.&nbsp; There is a fundamental disconnect between what global technology represents - a horizontal, global reality - and what a country does - a vertical, local reality.&nbsp; And whilst we might think it's only technology that is causing this horizontal/vertical farrago, it's not: the same is present in financial markets and the environment.&nbsp; Despite what some nationalists might wish, we all live in the same pond, and the ripples from a pebble chucked into the middle will affect all.&nbsp; To illustrate the point, think of three rather delightful pebbles thrown into the global pond by Russia, or its Soviet predecessor, over the past 40 years.&nbsp; The Chernobyl accident sent plumes of contamination into Scandinavia, the debt default of 1998 almost destroyed US financial markets, and its gentle export of the NotPetya malware into Ukraine forced Maersk, the global shipping company, back into the stone age to continue operating, and caused an estimated $10bn of damage in the wider global economy.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">So, back to Huawei.&nbsp; The knee-jerk reaction is to think of it in terms of &quot;us&quot; and &quot;them&quot;, &quot;here&quot; and &quot;there&quot;.&nbsp; Huawei, so the script goes, is in hock to its government, so &quot;letting them in&quot; risks a concerted effort at government espionage, shout the Americans.&nbsp; Well, they would know.&nbsp; Whilst I have no doubt that Huawei is indeed a risk for the reasons identified by the Americans (and others), it is simply the wrong way to look at all of this.&nbsp; There is no &quot;us&quot; and &quot;them&quot;, &quot;here&quot; and &quot;there&quot; in technology: in the words of one senior tech exec, &quot;we all use the same sh*t&quot;.&nbsp; Whilst there is a risk of a Huawei backdoor, so there is at Cisco.&nbsp; Buying &quot;western&quot; stuff may sound a good plan until you
realise it's all assembled in China.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Where am I going with this, given that it's meant to be a blog to help companies with their IT?&nbsp; Well, the Huawei problem is a high-profile example of the dangers of the perimeter illusion: that somehow you are &quot;in&quot; and others are &quot;out&quot;.&nbsp; First, it is simply not how the world works.&nbsp; A company network cannot be impermeable, because if it were, it would be useless.&nbsp; Holes have to be opened up to receive stuff from &quot;outside&quot;.&nbsp; Companies have spent gazillions on fancy vendor products to police the holes, which is good for the vendors, but will never fix anything properly (which of course is also good for the vendors).&nbsp; The second pernicious consequence of the perimeter illusion is that we mistrust too much from the &quot;outside&quot; and trust too much on the &quot;inside&quot;.&nbsp; Too much mistrust of the outside is bad for business, and too much trust on the inside is disastrous.&nbsp; To take a non-tech example of this, just look at Guy Burgess, the Soviet spy in the heart of the British Establishment.&nbsp; He was allowed to get away with it as people felt he was one of &quot;us&quot;.&nbsp; To bring it back to tech and to Maersk, NotPetya was so devastating because the computing environment inside the network presupposed trust among the machines: once it had a single foothold, it moved from machine to machine using the EternalBlue exploit (designed by the Americans, ironically) and whatever administrator credentials it could harvest along the way.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">This is not to criticise Maersk particularly: whilst they could have been better at patching their PCs, their network architecture reflected the same fundamental illusion as almost everyone else's: that there is a &quot;here&quot; and &quot;there&quot; in technology, and you base your trust judgement on
whether they are one or the other.&nbsp; So, what is the advice?&nbsp; For this we need to go back to another horizontal horse of the apocalypse, pestilence.&nbsp; We have long understood that whilst quarantine and other physical measures can help, the best defence against infection is good personal habits wherever you are - hygiene, diet and inoculation.&nbsp; To take that back into the tech space, do not base your precautions on &quot;where&quot; you are, but navigate by a simple set of standard rules: keep operating systems up to date, connect not to other machines but to independent cloud-based apps and manage your credentials carefully, avoiding duplicate passwords and your mother's maiden name.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">The &quot;Huawei Problem&quot; is not the vendor, but the way we look at technology.&nbsp; Huawei is not &quot;them&quot; whilst, say, Ericsson, is &quot;us&quot;.&nbsp; Network kit should be managed and monitored, wherever it's &quot;from&quot;.</p></div>
</div></div></div></div></div></div></div></div></div> ]]></content:encoded><pubDate>Fri, 03 May 2019 14:05:34 +0000</pubDate></item><item><title><![CDATA[Cyber - Improving the Company's Hygiene]]></title><link>https://www.supl.co.uk/blogs/post/cyber-improving-the-company-s-hygiene</link><description><![CDATA[We take a look at a current hot topic]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_mmCaCf17TlWN8HnQGZyBlg==" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_oqg6YmhWTtykhJXuKJEfUQ==" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_d84zgV_7SbCsLyLqS2CtwQ==" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_Iuh1uJHrSka_7kFK_wvNEw==" data-element-type="text" class="zpelement zpelem-text "><style></style><div class="zptext zptext-align-left " data-editor="true"><p style="font-size:11pt;"><img src="/Karen%20-%20Simon%20-%20Websized-3.jpg" style="width:109px;height:164px;"><br></p><p style="font-size:11pt;"><br></p><p style="font-size:11pt;">There's been a lot of talk about cyber security recently, with the hack at British Airways and the constant refrain from the Government to company boards about their experience in this area.&nbsp; </p><p style="font-size:11pt;">&nbsp;</p><p style="font-size:11pt;">With more and more valuable interactions happening in the digital space, it follows that the impact of any cyber-whoops is therefore greater.&nbsp; But you've got to feel for the average board, recognising the rising risks in this area, understanding the need to engage, but struggling to know how to go about it.&nbsp; </p><p style="font-size:11pt;">&nbsp;</p><p 
style="font-size:11pt;">It's easy to get lost.&nbsp; &quot;Cyber&quot; (weird word, really) is an odd concept: on one level it is generally descriptive, defining the digital space as a whole.&nbsp; On another, it is a narrow, threatening warning, often followed by an equally aggressive word like &quot;security&quot;, &quot;hacker&quot;, &quot;warfare&quot; and so on. Think Arnie.&nbsp; Like so many technical terms, it has been co-opted by vendors hoping to define a space and sell into it.&nbsp; The medieval practice of selling indulgences involved blood-curdling warnings of the dire consequences of not paying.&nbsp; Those consequences would play out in a dimension beyond human analysis, so there was no point in being rational.&nbsp; Just pay up.&nbsp; Sound familiar?&nbsp; For eternal damnation, read zero-day exploit.</p><p style="font-size:11pt;">&nbsp;</p><p style="font-size:11pt;">OK, a little harsh.&nbsp; How does a board become more able to take a rational view of this risk, as it does with other kinds of operational, market and financial risks?&nbsp; The problem, of course, is that the cyber piece is so new.&nbsp; With the explosion in connectivity (which is what the internet really represents) has come an attendant rush of value, and of risk.&nbsp; However, our culture has not had time to digest the risks it represents and specifically to clock the behavioural catalysts of cyber trouble in the future.&nbsp; To a board, running a stretched balance sheet at the turn of the credit cycle is an obvious risk, as is running down the R&amp;D budget in an environment of tight market competition.&nbsp; Equally, that charity sword-swallowing session proposed by Kevin in Accounts would not be great for the firm's health and safety record.&nbsp; These are obvious catalysts of particular risks, because our culture is full of cautionary tales: Dickens writes colourfully on the risks of an over-extended balance sheet (!)
and presumably sword swallowing has, for some time, been viewed with caution.&nbsp; </p><p style="font-size:11pt;">&nbsp;</p><p style="font-size:11pt;">So how do we start to build this new consciousness? The secret, we think, is to break out of vendor-land and treat &quot;cyber&quot; as merely one facet of <span style="font-style:italic;">information management.&nbsp; </span>&quot;Information&quot; is the poor relation to its spoilt sibling, &quot;technology&quot;: when people talk of IT spend, they really mean T spend, where a tactical effort is made to organise the information simply as part of a project to install a system.&nbsp; It should be the other way around: information is the most valuable resource in any company after its people, and a coherent plan for its management really ought to be the first thing companies do.&nbsp; Can we define our inputs? What are our key value-add processes?&nbsp; What are our outputs and who needs them?&nbsp; Notice that there is not a system in sight at this stage.</p><p style="font-size:11pt;">&nbsp;</p><p style="font-size:11pt;">Once this has been started, companies start to understand that information is different from the departments, systems, and documents that contain it, rather as energy is not the same as a piece of coal.&nbsp; Once that is understood, the company can start to organise around the management of that information, not the other way around.&nbsp; What do we mean by management?&nbsp; The development of a company-wide classification scheme (&quot;filing&quot; to you and me), the establishment of a single source for each item, the efficient maintenance of the system of entitlement (who may see what), and the matching of each item's security controls to its sensitivity: details of a customer's payment methods?
Really sensitive.&nbsp; Details on the toilet cleaning roster?&nbsp; Not so much.&nbsp; In short, a plan to ensure the supply of reliable, consistent and discreet information to all those who need it, and <span style="font-style:italic;">only </span>those that do.</p><p style="font-size:11pt;">&nbsp;</p><p style="font-size:11pt;">OK, so how does that relate to cyber?&nbsp; Well, a successful attack is just a symptom that you've got your information management wrong.&nbsp; Did a vengeful former employee retain access after their departure? Why did finance keep a copy of client records on &quot;their&quot; systems, away from all the GDPR controls on the CRM database? Why was a third party allowed to export a bundle of data to their systems, when they should have been permissioned on the company's own systems? Why was data needed by the client teams only available on an internal network, forcing those teams to carry paper and Excel on the train?&nbsp; Why was the company dependent on bespoke software that ran on Windows 1875, preventing any patching?&nbsp; Why did an employee click on the attachment offering the usual accounts report, when they should have had independent access to those reports from a central system?</p><p style="font-size:11pt;">&nbsp;</p><p style="font-size:11pt;">It's helpful to think of this in terms of hygiene.&nbsp; If you never wash your hands, leave your house dirty and don't get enough sleep, you'll probably need recourse to some fancy drugs from time to time.&nbsp; Attend to good habits, however, and the chances of catching something nasty are materially lower.&nbsp; It's those good habits in general that the board should focus on, not second-guessing the IT department with stuff read in the Daily Telegraph over the weekend.&nbsp; Focusing on those good habits will also highlight exceptions to them, developing a sense of the informational risks the company is running in the same way they do for
other types of risks.</p></div>
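<p style="font-size:11pt;">The classification, single-source and entitlement rules above lend themselves to a routine check rather than a one-off tidy-up. The script below is an added example, not code from the original post or from Supl: it audits a constructed set of assets, people and access grants against those rules and reports the exceptions the post lists (a departed employee still holding access, a copy of client records kept outside the system of record, a bundle exported to a third party, and a person whose clearance is below the sensitivity of what they can see). The four-level classification ladder, the record types and all the sample names are assumptions made for the example.</p>

```python
"""Entitlement audit, added as an illustration of the information-management
checks described in the post.  Example code, not from the original post or
from Supl: the classification ladder, the record types and the sample data
are all constructed for the example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Classification ladder, least to most sensitive.  An assumed scheme; a real
# company would substitute its own "filing" scheme here.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    system_of_record: str   # the single source the post asks for
    location: str           # where this particular copy actually lives


@dataclass(frozen=True)
class Person:
    user: str
    clearance: str                   # highest classification this person may see
    left_on: Optional[date] = None   # set once the person has departed


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str


def audit(assets, people, grants, today):
    """Return (user, asset, reason) findings for every copy or entitlement that
    breaks the rules.  Asset-level findings use "-" as the user."""
    assets_by_name = {a.name: a for a in assets}
    people_by_user = {p.user: p for p in people}
    findings = []

    # Rule 1: one source per item.  Any copy living somewhere other than the
    # system of record is an exception; a copy on an external system is the
    # "third party exported a bundle" case from the post.
    for a in assets:
        if a.location == a.system_of_record:
            continue
        if a.location.startswith("external:"):
            findings.append(("-", a.name, f"exported to third-party system ({a.location})"))
        else:
            findings.append(("-", a.name, f"copy outside system of record ({a.location})"))

    # Rule 2: entitlement matches sensitivity, and leavers lose access.
    for g in grants:
        a = assets_by_name.get(g.asset)
        p = people_by_user.get(g.user)
        if a is None or p is None:
            findings.append((g.user, g.asset, "grant references unknown user or asset"))
            continue
        if p.left_on is not None and p.left_on <= today:
            findings.append((g.user, g.asset, "access retained after departure"))
        if LEVELS[p.clearance] < LEVELS[a.classification]:
            findings.append((g.user, g.asset, f"clearance {p.clearance} below {a.classification}"))
    return findings


# Constructed sample data: no real systems, people or records.
ASSETS = [
    Asset("customer-payment-methods", "restricted", "crm", "crm"),
    Asset("customer-payment-methods-copy", "restricted", "crm", "finance-share"),
    Asset("client-records-export", "confidential", "crm", "external:agency-sftp"),
    Asset("toilet-cleaning-rota", "public", "intranet", "intranet"),
]
PEOPLE = [
    Person("alice", "restricted"),
    Person("bob", "internal"),
    Person("carol", "confidential", left_on=date(2018, 9, 1)),
    Person("dave", "confidential"),
]
GRANTS = [
    Grant("alice", "customer-payment-methods"),
    Grant("bob", "customer-payment-methods"),
    Grant("carol", "client-records-export"),
    Grant("dave", "client-records-export"),
    Grant("bob", "toilet-cleaning-rota"),
]


def run_example(today="2018-10-03"):
    """Audit the sample data as of the given ISO date; returns the findings."""
    return audit(ASSETS, PEOPLE, GRANTS, date.fromisoformat(today))


if __name__ == "__main__":
    for user, asset, reason in run_example():
        print(f"{user:6} {asset:32} {reason}")
```

<p style="font-size:11pt;">Run as-is it prints four findings: the finance copy and the agency export (rule 1), then bob's grant on the payment details and carol's lingering access (rule 2); alice and dave pass. The point of structuring it this way is that the audit needs no knowledge of the network or of any vendor product: it reads only the filing scheme, the register of sources and the list of who may see what, which is exactly the information-management material the board can reason about.</p>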
</div></div></div></div></div></div> ]]></content:encoded><pubDate>Wed, 03 Oct 2018 12:44:18 +0000</pubDate></item></channel></rss>