We are the experts. The controlling minds of the institutions of the state, of society and the economy; and those who offer them sage counsel. The technocratic elite of computing, and of cyber security.
We are Generation X. Our grasp of the levers of power and influence is temporary, and we have been served our notice by Generation Y. These Millennials are impatient for control. We have a finite and diminishing period in which to contribute to the solution of the problems of our time and so control our legacy. Our context was forged during the Cold War. The world we made, the time and space we lived in, and the ways in which we sought to make sense of it all were given their shape and form by a context. A context within which we were simultaneously subjects and objects; we made it as much as it made us.
We are beginning to apprehend the enormity of the transformations of the Information Age. Now, belatedly, we catch our first true glimpse of the gaping chasm separating us from the Millennials. We are easy prey to the collective paralysis of future shock. The symmetry, clarity, predictability and certainties of the Cold War appear comforting. A world of clear and certain binary choices; of absolutes of right and wrong. Of survival or total destruction. Bunkers of the mind are as real as those of steel and concrete. The one the tomb of the intellect as the other was the tomb of hope.
The UK and US governments constituted the dominant protagonists in the NATO alliance, the anchor points of the economically and culturally dominant Atlantic axis, and the powerhouses of the post war development of computers. Across the span of the Cold War, US and UK government spending in general, and defence and intelligence spending in particular, dominated and shaped computing. The computers of the Cold War were an intrinsic and indispensable part of the existential struggle that defined the twentieth century. These governments spent according to their established patterns, within the dominant macro-economic structures of the age, and according to the imperatives of the Cold War.
The business of computing followed the pattern of the age. The supply chain for computers was vertically integrated. Narrow, short and almost entirely knowable. Little of the work went beyond the commercial boundaries of the principal players and when it did, it did not stray far. The entire supply chain, should, and could, be mapped. From research and development, through to specification, implementation, testing, integration, operation and disposal; the system life cycle was predictable. The supply chain a part of the deterministic system as a whole. The idea of a complex matrix of volatile, recursive and nested sub contracts and outsourced obligations, if it occurred at all, would have been a nightmare of apocalyptic proportions.
The vertical integration of the sort common across the military industrial complex of the Cold War has gone. Outsourcing, globalisation, just in time disciplines, the emergence of what were once developing economies as principal actors in shifting patterns of geo-political power; have all converged to produce a supply context of bewildering complexity. The supply cartography of our context is essentially unknowable, partly because of its intrinsic and accumulated complexity, and partly because of its volatility. Whereas the commercial relationships of the vertically integrated constructs of the Cold War prized stability and longevity, those of the Information Age thrive on velocity. In the Machine Age we etched company names in stone, inscribed job titles in brass plates and kiln fired enamel adverts with retail prices emblazoned in ceramic permanence. Now, our advertising hoardings are computer monitors; facets of the cyber phenomenon. Our Millennial staff, entangled in patterns of loyalty utterly different to ours.
Cyber is about far more than computers and computer networks, however vast, far reaching and powerful they are. It is about far more than the Internet; whether of information or of things. It is about far more even than the laggardly realisation that the great interconnectedness of everything encompasses ICS and SCADA systems and, therefore, the totality of the critical infrastructure of every nation on earth. Humanity is existentially reliant upon cyber.
Micro fabrication will, within decades, destroy, disrupt and recreate entire swathes of economic activity; whilst creating entirely new ones. Our lack of understanding of the cyber supply chain is already scaring us and yet we only have a few years until computers will be manufactured in homes around the globe as easily as we now print off airline boarding passes. We have only begun to experience the first tingling of what will become abject terror at the prospect of the impact on structures of warranty, indemnity and liability of a supply chain where spare and replacement parts for critical systems are locally fabricated using binaries downloaded from the Internet and so utterly devoid of provenance or attestations of fitness for purpose.
There are three established streams of our concern about the supply chain. The first, and most acute, is that we see the supply chain itself as a source of vulnerability and risk to the operation of the critical computer systems themselves. The whispered fear is that of malware lodged deep in silicon by a powerful nation state adversary. A legion of cyber sleepers invisibly infiltrated into every one of the computing devices upon which we know we depend. The hidden menace. Living undetectably amongst us, silently awaiting remote activation. Alien invaders capable of bringing about our total destruction.
The second is that we see the supply chain as a vector for the execution of the intention of hostile actors such as criminals and intelligence agencies. Here the recent thefts from the Port of Antwerp stand as the exemplar. The third is the damage sustained if the supply chain itself ceased to operate and the supply of computing technology was threatened.
In addition, there is now an emerging stream of concern about the vulnerability of the supply chain to infiltration by counterfeits and forgeries of the products of established and trusted brands. This will mature rapidly to reciprocate and magnify the first and foremost of our concerns.
Our anxiety is amplifying, edging us closer to a ‘something must be done’ response to a sense of impending crisis. We must now pause and ask ourselves this; to what extent is this sense of crisis borne out by evidence and analysis? Or, from a different direction; to what extent is our sense of crisis the result of a panic reaction to a new context that we neither understand nor control? To what extent are we victims of future shock? Are we holding ourselves prisoner in Cold War bunkers of the mind?
There is no doubting either the complexity of our supply chains or the fact of the existence of manifest vulnerabilities. Computers are artefacts of profound and increasing supply chain complexity. Supply chains are atomised, fragmented, volatile, unpredictable and unknowable. Key components are, and will continue to be, designed and manufactured across the globe. And so in areas where those with hostile intentions towards liberal democracy can operate with greater tolerance and latitude than would be possible in the established heartlands of these democracies. The location of assembly of the components into a finished market-ready device is, in terms of the assurance of the supply chain, irrelevant. Assurance models predicated on the susceptibility of devices, let alone systems, to code or component level recursive analysis are, at best, redundant.
Assertions of the abstract fact of the existence of vulnerability devoid of context, data, or substantive rational argument, are as useless in generating meaningful utility as they are attractive to those with something to sell. Even in the most benign of circumstances they are an insufficient basis for action. In times of limited resources they can easily become the cause of costly and unproductive failures. When the subject of concern is itself a societally critical phenomenon then the raising of defences that will inevitably reduce the beneficial effects of the thing being protected should not be lightly undertaken. To destroy a thing in order to protect a thing is an unacceptable price to pay when we depend upon that which we defend for our very existence.
As I write this, the British Prime Minister, David Cameron, has just returned from leading a delegation of senior business leaders on a trade mission to China. He returned for the debate in Parliament on his coalition government’s Autumn Statement. Whilst in China, the Prime Minister faced down criticisms that he was sacrificing a commitment to human rights, asserting that he was “unapologetic” about his emphasis on the economy. Britain, he observed, is a “trading nation”, and as such, whilst “some in Europe and elsewhere see the world changing and want to shut China off behind a bamboo curtain of trade barriers. Britain wants to tear those trade barriers down”. During his trip, the Prime Minister pressed the Chinese authorities openly for a “proper cyber dialogue” whilst at the same time choosing to highlight that “we need … to up our investment in cyber security and cyber defence” because “there is an enormous amount of work to be done”. The “Global Times”, a nationalist leaning tabloid owned by the Communist party ran an editorial arguing that “the Cameron administration should acknowledge that the UK is not a big power in the eyes of the Chinese. It is just an old European country apt for travels and study”.
These stories encapsulate much of the difficult realities of our age. David Cameron travels to China to bid for business. China needs access to the economies of Europe and America if it is to continue to grow just as it holds the old world in aloof contempt. David Cameron returns to the UK for a debate on a bill that legislates for further austerity in order to counter the effects of a financial crisis precipitated by a failure of the US and UK banking systems. The financial crisis itself revealing that a longer term strategic shift in the axis of geo-political and macro-economic power had been underway for many decades; masked latterly by a credit fuelled boom in consumer spending. Chinese concerns continue to invest heavily in overseas infrastructure of every sort; including the next generation of the UK’s nuclear power stations and the new high speed train system. The Internet would simply not exist without equipment of Chinese manufacture.
China and the world of which it is a part are locked together in indivisible interdependency. The rise of a middle class has been both predicate and consequence of the Chinese economic miracle. The Chinese middle class enjoy less direct political and societal power and influence than their equivalents in the liberal democratic heartlands. The key to the continued, relative, dormancy of the Chinese middle class is sustained and substantial economic growth. Affluence a necessary palliative to the frustrations of political impotence and essential to the deflection of the middle class from the leadership of populist protests. History teaches that an alienated and disenfranchised middle class make formidable leaders of those similarly alienated and disenfranchised elsewhere across society and that the exercise of such leadership is far more likely during periods of extended economic contraction. The political leadership of China has no rational interest in crippling or even seriously degrading the economies of the world upon which it depends for its very survival.
There is no doubt that bad things are happening and no doubt that they will continue to happen. Individuals, companies, social constructs and nations compete; using any and all means at their disposal. We need to gather more evidence than we currently possess about the nature of these bad things as they are manifest in the cyber domain. We must quantify and analyse data exfiltration rather than simply assert its, undoubted, existence. We must contextualise our analysis and root it in the reality of the world as it is, rather than the world we once knew. We must learn a far more nuanced way of thinking and a far more agile and responsive way of acting. We must relinquish the use of two dimensional categories such as ‘User’, and ‘State’, and ‘Non State’. They conceal more than they reveal; expose more than they protect.
In a minute number of cases it will be necessary to entirely internalise the cyber supply chain. To design and manufacture the silicon wafers themselves and assemble the finished computing devices under the tightest controls possible. To render every aspect of the process the subject of full disclosure and trusted hands. The costs of this, in every sense, will be astronomical; unsustainable beyond the tiny portion of the overall requirement for which they will be essential. System capability will be degraded, agility will be compromised, and any notion of a financially prudent return on investment will be laughable. Such efforts, necessary though they will be, must be confined to the absolute minimum. Any attempt to generalise such extreme remedial counter measures as a response to the great supply chain fear would represent an attempt at economic autarky. History repeatedly teaches that attempts to pursue such a strategy as anything other than a narrow and exceptional response to extreme conditions are doomed to fail, often precipitating a crisis worse than that which they sought to avoid. Lessons that Kim Jong-un would do well to re-visit as he continues the practice of the Juche ideas he inherited from his father.
We must relinquish the legacy of the deterministic systems thinking that won us the Cold War and embrace instead the more subtle and less certain arts of the management of complex systems through the observation of effects and the generation of perpetual feedback cycles. We must actively enable the core structures of our systems to depend upon continuous modification of their own states. At the root of our fears about the vulnerabilities of the supply chain specifically, and of cyber more generally, is the apprehension that our adversaries have proven better able to exploit the true form of cyber than we have, and even less comfortably, the darker fear that the deep cause of our failure to counter the success of our adversaries is us.
The systems of the cyber domain are unimaginably complex and inextricably interconnected. Every nation, every society, every institution of the state, every individual, our entire global civilization, depends upon this new phenomenon. Thus arises a paradox deep at the heart of our primal fears about the security of the cyber supply chain. Given precisely this complexity, and interconnectedness, and existential dependence; then, if the core silicon is infected, the execution of the attack will destroy those who perpetrated the atrocity just as surely as it destroys those against whom it was aimed. Because of the atomised, fragmented and volatile nature of the modern supply chain, it is in principle possible to plant a latent attack capability at such a low level within systems that detection is indeed impossible. However, the execution of such an attack is, literally, a zero sum game. Or perhaps more accurately; an extinction level event.
The chaos of our cyber systems is a function of their complexity. Both complexity and chaos are at the heart of the transformative and empowering qualities of the cyber phenomenon. We must emerge from our deep state of shock and denial and use the very power we have come to fear. Cyber is not amenable to command and control. Rather it must be existed within; its effect observed and unceasingly managed. Cyber is a transformation in human affairs of at least equal significance to that of the Neolithic Revolution, the Reformation, the Enlightenment and the Industrial Revolution; combined. To the extent that the computer systems upon and within which cyber exists were once ours; they are no longer so. Cyber belongs to society. Cyber is society. Our job is now to enable and empower the evolution of society through the development of a safer human experience of cyber.
Victory in the Cold War was a beginning; not an end.
Author: Colin Williams
 Quoted in the “Financial Times”, December 4th 2013, UK edition, p.3.
 Quoted in the “Financial Times”, December 3rd 2013, UK edition, p.2.
 Quoted in the “Financial Times”, December 4th 2013, UK edition, p.3.
 Quoted in the “Financial Times”, December 4th 2013, UK edition, p.3.