<?xml version="1.0" encoding="UTF-8" ?><!-- generator=Zoho Sites --><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><atom:link href="https://www.supl.co.uk/blogs/tag/security/feed" rel="self" type="application/rss+xml"/><title>Supl - Thoughts #Security</title><description>Supl - Thoughts #Security</description><link>https://www.supl.co.uk/blogs/tag/security</link><lastBuildDate>Thu, 03 Apr 2025 22:52:54 -0700</lastBuildDate><generator>http://zoho.com/sites/</generator><item><title><![CDATA[Whats up with WhatsApp?]]></title><link>https://www.supl.co.uk/blogs/post/whats-up-with-whatsapp</link><description><![CDATA[With the brouhaha around the status of the government's WhatsApp messages to the Covid Inquiry, we thought it would be good to write another piece abou ]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_Uk1BbpCpSAWMCODnJ3yAMw" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_VV7V42VDS52VxpzmJneLeg" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_jD2j-pnYQtiQrZxJ4n1Hkg" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_JVkj2wLVTqmo-0mGJ3z1eQ" data-element-type="text" class="zpelement zpelem-text "><style> [data-element-id="elm_JVkj2wLVTqmo-0mGJ3z1eQ"].zpelem-text{ border-radius:1px; } </style><div class="zptext zptext-align-center " data-editor="true"><div style="color:inherit;"><p style="text-align:left;font-size:11pt;"><img src="/gossip.jpg"><br></p><p style="text-align:left;font-size:11pt;"><br></p><p style="text-align:left;font-size:11pt;">With the brouhaha around the status of the government's 
WhatsApp messages to the Covid Inquiry, we thought it would be good to write another piece about the way organisations manage their information and come to decisions.&nbsp; Whilst the Government is in the spotlight here, in our experience the blight of the little green icon has reached epidemic proportions everywhere: it is shocking how many organisations are run off a series of breathless messaging threads.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Why so shocking, I hear you shout?&nbsp; Well, for a start the Government's own defence of its unwillingness to release the full trove highlights one of the big shortcomings: the messages mix the personal with the professional.&nbsp; There would be a danger of divulging something deeply personal alongside something of national importance.&nbsp; WhatsApp's pervasion is indicative of a &quot;casualisation&quot; of so much of our modern lives, where (perceived) tedious process has given way to (supposed) greater efficiency of an informal network of a coalition of the willing (or a cabal of the favourites).&nbsp; It is a symptom of a drive to blur the distinction between the office (the formal job title) and the officer (the person filling that role).&nbsp; Thus Tony Blair saw nothing wrong with &quot;sofa rule&quot; and Donald Trump can apparently declassify highly sensitive government papers &quot;by thinking about it&quot;.&nbsp; This is not an exclusively political disease: there is plenty of this in other sectors.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Why is this dangerous?&nbsp; I'm sure there will be plenty of people who say that they cannot do without WhatsApp - but that is the point: as we have said before, a series of messages does not constitute an information network.&nbsp; In this, we find ourselves in awkward agreement with Dominic Cummings, who wanted more &quot;data-driven decisions&quot;, 
instead of the gossipy nonsense that passed for a process in government.&nbsp; And we haven't even got to the security bit: when someone leaves office, who is deprovisioning their access to a channel?&nbsp; Of course, building a proper set of information and managing the enterprise according to it is not easy, and requires two principal mountains to climb.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">The first is to build a reliable set of information in the first place.&nbsp; The biggest cop out in the world is for businesses to settle on a series of &quot;KPIs&quot;, in itself seemingly sensible, but really a way to narrow the information set so far that the hard yards of normalising data sets so as to combine them programmatically is magically avoided and dear old Maureen from Accounts can continue to work her alchemy on the handful of numbers that the management group &quot;needs&quot;.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">As hard as that first mountain is, it is nothing compared to the second: an acceptance that the enterprise and its information are bigger than anybody in it, especially the boss.&nbsp; Data-driven decisions will, of course, open up the possibility of data-driven shortcomings: we all love to berate the Bank of England for its &quot;failure&quot; to predict the rise in inflation, whilst labouring mightily to avoid any such independent scrutiny of our own work.&nbsp; In this WhatsApp is really only the symptom and not the cause: we are struck when moving new organisations onto systems like Teams, which offer public channels for each business subject, how many new users scurry for the safety of the little bit of the app that allows personal chats. 
Plenty of our senior clients will complain that &quot;it would be inappropriate for me to write x in a subject channel&quot; - of course HR is a legitimate concern, but most of the angst comes from the fact that public channels do not allow for the selective patronage of private sub groups in an organisation, where advancement comes at the price of uncritical support and acclaim, regardless of what the data said.&nbsp; Leadership is a responsibility, not a privilege.</p></div></div>
</div></div></div></div></div></div> ]]></content:encoded><pubDate>Thu, 15 Jun 2023 09:30:53 +0000</pubDate></item><item><title><![CDATA[Sort, Store, Exploit]]></title><link>https://www.supl.co.uk/blogs/post/sort-store-exploit</link><description><![CDATA[ A few things have caught my eye over the past few weeks.&nbsp; First, the publication of The Big Con by Mariana Mazzucato, where she makes the point ]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_nAY1b-gOR7ChjWliILYmaw" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_mMVo1-qJSCGe6x_UffCS8g" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_LsRWgMsOSZuf0_QFRHxRcw" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_1qIKtIDkS--_DJkS_ISOqg" data-element-type="text" class="zpelement zpelem-text "><style> [data-element-id="elm_1qIKtIDkS--_DJkS_ISOqg"].zpelem-text{ border-radius:1px; } </style><div class="zptext zptext-align-center " data-editor="true"><div style="color:inherit;"><p style="text-align:left;font-size:11pt;"><img src="/download.webp" style="width:357px !important;height:238px !important;max-width:100% !important;"><br></p><p style="text-align:left;font-size:11pt;"><br></p><p style="text-align:left;font-size:11pt;">A few things have caught my eye over the past few weeks.&nbsp; First, the publication of <span style="font-style:italic;">The Big Con</span> by Mariana Mazzucato, where she makes the point that public authorities have become infantilised by dependence on consultants, leaving them unable to innovate (or even operate) on their own.&nbsp; Second, some of the more thoughtful analyses of the Ukraine conflict have 
highlighted the extent to which the ability to manage and exploit information is the critical difference, and not just in the ethereal realm of cyber warfare, but also in the world of blood, earth and iron.&nbsp; Third, the much heralded launch of ChatGPT, the first tech truly to give white collar workers the heebie-jeebies.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">In my world of enterprise IT, I am struck by how blighted my clients are with a particular form of this dependency so colourfully described by Mazzucato: they believe that they cannot survive without the constant support of another type of external specialist, the IT department.&nbsp; As a soldier (years ago!), I started in the world of paper files.&nbsp; There was a file for everything important and common across the unit, and a settled (internal) group responsible for their upkeep.&nbsp; Thus, continuity and the ability to find things I wasn't looking for: as a newbie Operations Officer, I could unearth not only the documents relating to previous operations, but all the messages sent and received by my predecessors.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Fast forward to the &quot;improvements&quot; brought by personal email inboxes, where the shared reality of the filing cabinet was replaced with an atomised shambles of point to point messages. 
Not only was this new tech worse than what it replaced (although it felt whizzy and modern), it was so flaky that it needed a specialist team to manage.&nbsp; Soon not only the tools, but the information itself gets put in the hands of people who, whilst being able to write code, have neither the skills nor the mandate to exploit this lifeblood of the organisation.&nbsp; And, instead of thinking strategically about their information, organisations descended into a language of &quot;project deliverables&quot;, &quot;tech packages&quot;, thinking that the action of apportioning a budget to something is the same as addressing a problem.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">The interesting thing is that tech has evolved to a point where it no longer needs the constant intermediation of people for whom Star Wars is the last word in culture.&nbsp; Whisper it quietly, but the WFH revolution showed how employees could have a direct relationship with their organisation's information, often using their own kit.&nbsp; The much-feared avalanche of cyber intrusions did <span style="font-style:italic;">not</span> transpire in this scandalously unfettered world: quite the reverse, where the damage was actually in systems that remained <span style="font-style:italic;">on premise</span>, under the loving care of the network guys.&nbsp; So what?&nbsp; With the tech taken care of (“as a service”, as they say), then perhaps organisations can regain control of their own information, understanding their digital heartbeat so that they can respond as it changes. </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">And how important is that in Ukraine. 
I have worked with many Ukrainian organisations before the war, and was impressed by how they <span style="font-style:italic;">got</span> it:&nbsp; sort the disparate data, store it in proper relation to each other, and exploit the insights. Works just as well interdicting a column of Russian tanks as it did analysing bank transaction flows. Sadly leveraging native UK skills would result in what The Hitchhiker’s Guide to the Galaxy retold: it would be fine if a perm or a meeting was needed, but bugger all else. </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">&nbsp;…which brings us to ChatGPT.&nbsp; If all you do is have meetings and write narrative messages, or perhaps really push the boat out and use Excel to list things, then look out. AI will always do this sort of thing better. To survive, (or at least to earn a human wage), you’ll need to do more than express a few nice words: you need to be able to inspire, to disagree with courage and tact, to build alliances and actually do something. Oh, and speak digital, the language of the machines. Sort, store, exploit.&nbsp;</p></div></div>
</div></div></div></div></div></div> ]]></content:encoded><pubDate>Tue, 14 Feb 2023 17:06:38 +0000</pubDate></item><item><title><![CDATA[Vertical v Horizontal]]></title><link>https://www.supl.co.uk/blogs/post/Vertical</link><description><![CDATA[Technology is not just for nerds]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_iR6hbecaQZ6fnL3M0MQ5YQ" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_FNH3RM4DTjWTeW51AJvxAg" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_x_Lwr4wsS3yj5raZSXD01A" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_dKT3R8lvS_G3acJBQ5qwkw" data-element-type="text" class="zpelement zpelem-text "><style> [data-element-id="elm_dKT3R8lvS_G3acJBQ5qwkw"].zpelem-text{ border-radius:1px; } </style><div class="zptext zptext-align-center " data-editor="true"><p style="text-align:left;font-size:11pt;"><img src="/Karen%20-%20Simon%20-%20Websized-3.jpg" style="width:98px;height:147.5px;"><br></p><p style="text-align:left;font-size:11pt;"><br></p><p style="text-align:left;font-size:11pt;"><span style="font-size:11pt;">Looking at the world in the early 21st Century, it's possible to see things in two different ways: on the one hand, you have the vertically-delineated world of nations.&nbsp; Indeed, many of the recent developments in politics can be seen as the reinforcement of the age-old relevance of the nation-state - Brexit, Trump, Chinese sabre-rattling etc.&nbsp; On the other hand, however, there are plenty of things that seem to work horizontally, cutting across national boundaries: environmental measures, pandemics, financial markets and technology.</span><br></p><p 
style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">The issue comes when you try to square the vertical with the horizontal.&nbsp; And it's an issue that gets ever bigger, as the horizontal forces grow stronger.&nbsp; I wrote in an earlier blog about the risks that populism poses for the cloud architecture, depending as it does on borderless access.&nbsp; The risk flows the other way too, as the supranational challenges of the environment, financial stability, the pandemic and the internet could render a national government superfluous, save for the assiduous execution of multilateral accords.&nbsp; Wriggle as it might, the UK government's efforts to &quot;take back control&quot; have simply highlighted how little room for manoeuvre there is to plough its own furrow - its trade, welfare, and fiscal policies all look remarkably similar to its neighbours'.&nbsp; The danger is that governments try to camouflage their limited power by popinjay politics, picking fights with those aspects of the multilateral norms that suit domestic opinion polls.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">It is interesting that, as horizontal influences strengthen, so do our powers of denial.&nbsp; I have written before about the extraordinary sniffiness many in the UK have towards technology and numbers:&nbsp; it's a badge of honour to be pap with machines.&nbsp; We also call this horizontal march &quot;globalisation&quot;, as if conveniently to label it as a conscious (and deliciously reversible) policy.&nbsp; Our talking shop parliaments, filled with talkers, wish for a world controllable by talk.&nbsp; Sadly, the logic of global capital markets and technology does not listen to talk, and certainly not national talk.&nbsp; Much as we would like to define our own versions of these things, it is doomed and as parochial as those in English regions and cities who fought to keep local time in the 
face of the march of the railways in the Nineteenth century.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">How are the horizontal influences strengthening?&nbsp; In addition to culture, the existence of the nation state owed much to its necessity: To do some<span style="font-style:italic;">thing</span>, you needed to be some<span style="font-style:italic;">where.&nbsp; </span>That is rapidly becoming unnecessary.&nbsp; Even internet access, hitherto dependent on local infrastructure (and so local control) will increasingly be available anywhere you can see the sky, which is frightening the heebie-jeebies out of the Russian and the Chinese governments.&nbsp; Travelling?&nbsp; The infrastructure needed to do so internationally inevitably invokes a border trigger (bar the odd smuggler).&nbsp; What happens when a VTOL drone can move you 300 miles? Ordinary (if wealthy) people can then make their travel arrangements free of government purview, in the same way as the advent of the eurobond market created &quot;moneyland&quot; for people's financial arrangements.&nbsp; My point is not that these developments are good or bad (and, in the case of money, it has definitely caused issues), but that they will come, and will necessitate a reaction better than denial.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">How do hyper-vertical organisations react?&nbsp; The history of national tax agencies in the teeth of moneyland shows how hard it can be.&nbsp; Even the Americans now see the benefits of international cooperation on tax, which perhaps shows the way for other agencies.&nbsp; The UK's first attempt at carbon pricing will mean nothing until it builds the links to the European equivalent, for instance.&nbsp; Perhaps the most interesting challenge lies with those vertical institutions whose role is at least in part, the opposite of cooperation: national armed 
forces.&nbsp; Possessing an ancient hammer, there is a danger that everything continues to look like a nail - cyberspace becomes just another vector of battle, they might say.&nbsp; Except that it isn't: warfare in this space is like a competition to chuck the most powerful brew down a communal well - everyone ends up poisoned.&nbsp; Almost all the most damaging cyber incidents that we know about that have affected the West - NotPetya, WannaCry - contained major elements actually first built by Western Cyber Agencies.&nbsp; They are on the horns of a particularly difficult dilemma.&nbsp; They are paid to be the State's ultimate insurance, standing up to threats and possessing the nation's monopoly of violence.&nbsp; In that context, they are pushing back against authoritarian regimes like Russia and China.&nbsp; But in so doing, they unwittingly become those nations' accomplices in the strengthening of national boundaries that cut across the global technology commons, a commons profoundly dangerous to authoritarianism.&nbsp; And in so doing, they might find themselves more at home with their adversaries' social and patriotic values than those of the people they are paid to defend.</p><p style="text-align:left;"><span style="color:inherit;"></span></p><p style="text-align:left;font-size:11pt;">&nbsp;</p></div>
</div></div></div></div></div></div> ]]></content:encoded><pubDate>Mon, 17 May 2021 15:51:17 +0000</pubDate></item><item><title><![CDATA[Information Security]]></title><link>https://www.supl.co.uk/blogs/post/information-security</link><description><![CDATA[There's more to it than you think...]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_QP-v4naWTf2dwyL8f5tdQQ" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_Nlh48K4VSDOZ5nMg_Hqi_A" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_tsFzrjk_Q1GB9hHDbCDjUQ" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_X-fxIr50TMeNHuXjshCu9w" data-element-type="text" class="zpelement zpelem-text "><style> [data-element-id="elm_X-fxIr50TMeNHuXjshCu9w"].zpelem-text{ border-radius:1px; } </style><div class="zptext zptext-align-center " data-editor="true"><p style="text-align:left;font-size:11pt;"><img src="/Karen%20-%20Simon%20-%20Websized-3.jpg" style="width:102px;height:153.5px;"><br></p><p style="text-align:left;font-size:11pt;"><br></p><p style="text-align:left;font-size:11pt;">Oh no, I hear you say.&nbsp; Another exhortation from someone in IT about how I should not write passwords down/have unique ones/not click on dubious emails.&nbsp; Not so fast!&nbsp; It's actually to make the point that the risk picture for information is much more nuanced than IT would have you believe.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Notice that I use the word <span style="font-style:italic;">information</span>, not the acronym IT: they are two different things.&nbsp; For a start, most security policies 
start and stop at the frontiers of the technology: how many businesses properly have controls on what papers can be carried out of the office?&nbsp; In many ways, these are more dangerous - they can be read without a password and cannot be remote-wiped.&nbsp; Secondly, mistaking IT for information means that businesses have outsourced the management of their information to computer people, who (typically) prefer the binary of the motherboard to the ambiguities of real life.&nbsp; Thus they have built networks of technology into The Network, centered around the needs of those who manage that Network, not those whom technology is supposed to serve.&nbsp; Everything becomes deliciously un-nuanced: things are either On the Network or Off It, trusted or not.&nbsp; The only risk becomes one of penetration.&nbsp; Simples.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Except it's not in the real world.&nbsp; Even before this COVID emergency, being in a different place from The Network was not exactly unheard-of: salespeople on the road, and the awkward presence of business partners in a value chain that did not sit inside a Network.&nbsp; Still, configure a VPN and offer people the chance to get their emails on their phone should do the trick.&nbsp; Er no.&nbsp; A Network makes the mundane internal communication easy, the valuable inter-company connection really difficult.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">The point I am trying to make is that there are more risks to information than just penetration.&nbsp; If you put the word <span style="font-style:italic;">information</span> in front of the word <span style="font-style:italic;">security</span> you typically mean the challenge of preventing unauthorised access to that information: if you put the word <span style="font-style:italic;">energy</span> in front instead you are often talking about the challenge 
of maintaining supply.&nbsp; And it is this risk of non-supply of information that is the one suddenly confronting businesses as they realise that, for all their trumpeting about twenty-first century digitisation, they are really no less dependent on the analogue infrastructure of the office than their nineteenth century counterparts, whizzing internal memos about through compressed air tubes.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Ironically it is those businesses most obsessed with the first risk of penetration that have made themselves most vulnerable to the second: IT bods have obsessed themselves with the &quot;risk&quot; of putting stuff in the cloud.&nbsp; It is now obvious that it has been hugely risky not to.&nbsp; The risks of confidentiality in the cloud can be managed: the absence of a proper network (with a small n) of information outside the office cannot be fixed with the sticking plasters of a VPN and a hurried subscription to Zoom.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p><span style="color:inherit;"></span></p><p style="text-align:left;font-size:11pt;">When (I hope) things return to a more normal footing, and after thanking the IT department for their heroics in working all hours to apply emergency measures, perhaps a question or two needs to be addressed to the IT headshed as to why the business was so vulnerable in the first place to risks that were obvious (and mitigatable) way back in the SARS emergency of 2003.</p></div>
</div></div></div></div></div></div> ]]></content:encoded><pubDate>Thu, 09 Apr 2020 14:36:01 +0000</pubDate></item><item><title><![CDATA[The Huawei Problem]]></title><link>https://www.supl.co.uk/blogs/post/the-huawei-problem</link><description><![CDATA[It's not the company, it's our approach....]]></description><content:encoded><![CDATA[<div class="zpcontent-container blogpost-container "><div data-element-id="elm_FcupDMHpRTidcicoC5PvHA" data-element-type="section" class="zpsection "><style type="text/css"></style><div class="zpcontainer-fluid zpcontainer"><div data-element-id="elm_b8PAHQOcS2mimPz6_gYxog" data-element-type="row" class="zprow zprow-container zpalign-items- zpjustify-content- " data-equal-column=""><style type="text/css"></style><div data-element-id="elm_BNfzvw-QT8qlnq1uTLvmMQ" data-element-type="column" class="zpelem-col zpcol-12 zpcol-md-12 zpcol-sm-12 zpalign-self- "><style type="text/css"></style><div data-element-id="elm_ao8mhfqDRPWy-uHcveernw" data-element-type="text" class="zpelement zpelem-text "><style> [data-element-id="elm_ao8mhfqDRPWy-uHcveernw"].zpelem-text{ border-style:none; } </style><div class="zptext zptext-align-center " data-editor="true"><p style="text-align:left;"><span style="color:inherit;"></span></p><div><div style="width:7.6041in;"><div style="width:7.6041in;"><p style="text-align:left;font-size:11pt;"><img src="/Karen%20-%20Simon%20-%20Websized-3.jpg" style="width:103px;height:154.5px;"><br></p><p style="text-align:left;font-size:11pt;"><br></p><p style="text-align:left;font-size:11pt;">Despite the title of this piece, the problem isn't actually really Huawei: it's how we are approaching this issue.&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">What's the issue? 
Technology meets sovereignty, or perhaps the Twenty-First Century meets the Twentieth.&nbsp; There is a fundamental disconnect between what global technology represents - a horizontal, global reality, and what a country does - a vertical, local reality.&nbsp; And whilst we might think it's only technology that is causing this horizontal/vertical farrago, it's not: the same is present in financial markets and the environment.&nbsp; Despite what some nationalists might wish, we all live in the same pond, and the ripples from a pebble chucked into the middle will affect all.&nbsp; To illustrate the point, think of three rather delightful pebbles thrown into the global pond by Russia over the past 40 years.&nbsp; The Chernobyl accident sent plumes of contamination into Scandinavia, the debt default of 1998 almost destroyed US financial markets, and its gentle export of the NotPetya virus into Ukraine forced Maersk, the global shipping company, back into the stone age to continue operating, also causing $10bn of damage in the wider global economy.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">So, back to Huawei.&nbsp; The knee jerk reaction is to think of it in terms of &quot;us&quot; and &quot;them&quot;, &quot;here&quot; and &quot;there&quot;.&nbsp; Huawei, so the script goes, is in hock to its government, so &quot;letting them in&quot; risks a concerted effort at government espionage, shout the Americans.&nbsp; Well, they would know.&nbsp; Whilst I have no doubt that Huawei is indeed a risk for the reasons identified by the Americans (and others), it is simply the wrong way to look at all of this.&nbsp; There is no &quot;us&quot; and &quot;them&quot;, &quot;here&quot; and &quot;there&quot; in technology: in the words of one senior tech exec, &quot;we all use the same sh*t&quot;.&nbsp; Whilst there is a risk of a Huawei backdoor, so there is at Cisco.&nbsp; Buying &quot;western&quot; stuff may sound a good plan until you 
realise it's all assembled in China.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">Where am I going with this, given that it's meant to be a blog to help companies with their IT?&nbsp; Well, the Huawei problem is a high profile example of the dangers of the perimeter illusion: that somehow you are &quot;in&quot; and others are &quot;out&quot;.&nbsp; First, it is simply not how the world works.&nbsp; A company network cannot be impermeable, because if it was, it would be useless.&nbsp; Holes have to be opened up to receive stuff from &quot;outside&quot;.&nbsp; Companies have spent gazillions on fancy vendor products to police the holes, which is good for the vendors, but will never fix anything properly (which of course is also good for the vendors).&nbsp; The second pernicious consequence of the perimeter illusion is that we falsely mistrust too much from the &quot;outside&quot; and wrongly trust too much on the &quot;inside&quot;.&nbsp; Too much mistrust in the outside is bad for business, and too much trust on the inside is disastrous.&nbsp; To take a non-tech example of this, just look at Guy Burgess, the Russian spy in the heart of the British Establishment.&nbsp; He was allowed to get away with it as people felt he was one of &quot;us&quot;.&nbsp; To bring it back to tech and to Maersk, NotPetya was so devastating as the computing environment inside the network pre-supposed trust among the machines, facilitating the flow of the virus (delivered using a mechanism designed by the Americans, ironically).&nbsp; </p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">This is not to criticise Maersk particularly: whilst they could have been better at upgrading their PCs, their network architecture reflected the same fundamental illusion as almost everyone else: that there is a &quot;here&quot; and &quot;there&quot; in technology, and you base your trust judgement on 
whether they are one or the other.&nbsp; So, what is the advice?&nbsp; For this we need to go back to another horizontal horse of the apocalypse, pestilence.&nbsp; We have long understood that whilst quarantine and other physical measures can help, the best defence against infection is good personal habits wherever you are - hygiene, diet and inoculation.&nbsp; To take that back into the tech space, do not base your precautions on &quot;where&quot; you are, but navigate by a simple set of standard rules: keep operating systems up to date, connect not to other machines but to independent cloud-based apps and manage your credentials carefully, avoiding duplicate passwords and your mother's maiden name.</p><p style="text-align:left;font-size:11pt;">&nbsp;</p><p style="text-align:left;font-size:11pt;">The &quot;Huawei Problem&quot; is not the vendor, but the way we look at technology.&nbsp; Huawei is not &quot;them&quot; whilst, say, Ericsson, is &quot;us&quot;.&nbsp; Network kit should be managed and monitored, wherever it's &quot;from&quot;.</p></div>
</div></div></div></div></div></div></div></div></div> ]]></content:encoded><pubDate>Fri, 03 May 2019 14:05:34 +0000</pubDate></item></channel></rss>