“Can the fundamental nature of matter really be lawlessness? Can the stability and order of the world be but a temporary dynamic equilibrium achieved in a corner of the universe, a short-lived eddy in a chaotic current?”
- Cixin Liu, The Three Body Problem
China 2098 (7), Fan Wennan (https://www.artstation.com/artwork/28l9Ra)
Risk Developments this letter:
- Density, Distribution and Shelf Life
- Security Financing & Deals
- IoT Standards
- Space Defender
Beware of Greens Bearing Gifts
Big Shi, the gritty policeman who drove them out to the middle of nowhere, lit his cigar and points at the wheat fields of rural China. The two scientists, Wang Miao and Ding Yi, first notice the locusts crawling on the wheat stalks. Covering the wheat stalks. Oozing across the ground like a thick liquid.
This scene towards the end of “The Three-Body Problem,” the first of Cixin Liu’s sci-fi series and one of the most popular books in modern China, is used to illustrate a point about the struggle for life. Humanity faces an impending invasion by aliens with technology so far advanced from our own that he compares the gap in technology between us and them to the locust and us, and yet the locust have survived.
“The Three-Body Problem” spans the Cultural Revolution era and modern day time periods. Ye Wenjie, the protagonist at the beginning, is a brilliant disaffected youth who is found guilty of sedition for transcribing a policy memo based on Rachel Carson’s Silent Spring. While serving her jail time she is recruited to help a top secret program using radio waves to attack spy satellites. While working at the radio control site, she makes contact with alien lifeforms (called Trisolarians), but cynical and misanthropic, she does not pass along the warning she receives from an alien pacifist. She serves out her time quietly keeping this secret while China begins its process of reform and opening-up. Eventually, she founds the Earth-Trisolaris Organization (ETO), a radical environmental group, with another disaffected misanthrop Mike Evans, an American and son of an oil company CEO.
This brings us up to the present day where we pick up a new protagonist, Wang Miao, a nanotechnology professor who teams up with Shi Qiang to solve the alarming deaths of several top scientists. Wang begins to play a videogame Three Body that models the Trisolarian solar system, ultimately leading him to the ETO, which created the game as a recruitment tool. From here, Wang infiltrates the ETO and discovers the plot to collude with alien invaders in bringing about the mass extinction of humanity. This leads to a climactic global manhunt and desperate race to understand the existential threat to humanity, but I’ll let you read the book to learn what happens.
My interest, and “The Three Body Problem”’s relevance to risk are threefold. First, the ecological themes, from “Silent Spring” to radical environmentalism and agricultural metaphors are relevant for any study of systemic risk whether it’s financial, cyber (more on this in Risk Developments) or geopolitical. Second, the psychological response by various characters, from idealism to nihilism and misanthropy, what kind of risks we face and how we deal with them is also tempered by our individual state of mind. Third, the significance of the videogame and how China views its role in the world. Addressing them in order, we may categorize them “man against nature,” “man against society” and “man against man.”
The first, man against nature, highlights our particular difficulty in dealing with complex systems. In fact, Ye’s own undoing is just such a complex system. Cixin foreshadows her betrayal for transcribing a letter that she did not author when describing her awakening to the environmentalist cause:
“The use of pesticides had seemed to Ye just a normal, proper—or, at least, neutral—act, but Carson’s book allowed Ye to see that, from Nature’s perspective, their use was indistinguishable from the Cultural Revolution, and equally destructive to our world. If this was so, then how many other acts of humankind that had seemed normal or even righteous were, in reality, evil?”
This observation holds insight for any complex system that is involved in the provision of public goods. Natural resources, trust in financial markets or a functioning IT infrastructure are robust, in part, because of hormesis. This is why we do stress tests and war games. Eliminate the stressor with pesticide, bailouts or security software (See Risk Developments below) and the system may become more fragile in the long run. The trick is to distinguish between beneficial stress, or eustress, and distress. When the original author of Ye’s handwritten transcription is discovered he frames Ye, and so environmental idealism fuses with personal betrayal into cynical misanthropy.
That we simultaneously depend on, and wage war against, nature, forces Ye to side with nature, but it is the betrayal by an individual that radicalizes her against society all together. We have discussed the origins of nihilism, born of petty acts of malice, here before, and as Dostoevksy points out many times idealism turned to cynicism produces radical extremism. Insider threats, the most dangerous and pernicious kind of threats, are the result of revelation that undermines naive idealism. One of the biggest dangers of secret keeping is that you risk disillusion among anybody who finds out the secret.
One way to conceptualize a videogame is a ladder of secrets. Even multiplayer games enlighten players with each revelation of tactics and strategy. Sometimes these the “in-game” levels can even spill over into the real world. The fictitious Three Body videogame in the book is a Trojan horse of sorts:
“The main path of spreading Trisolarian culture to society was the Three Body game. The ETO invested effort to develop this massive piece of software. The initial goals were twofold: one, to prosthelytize the Trisolarian religion; and two, to allow the tentacles of the ETO to spread from the highly educated intelligentsia to the lower social strata, and recruit younger ETO members from the middle and lower classes.Using a shell that drew elements from human society and history, the game explained the culture and history of the Trisolaris, thus avoiding alienating beginners. Once a player had advanced to a certain level and had begun to appreciate Trisolarian civilization, the ETO would establish contact, examine the player’s sympathies, and finally recruit those who passed the tests to be members of the ETO.”
The creation of videogames is world (or solar system) building, which necessitates a world view. The ETO world view is sympathetic to Trisolarians, so they created a game that reflects that. This is why it is not only fun, but useful to examine concept art. The concept artists communicate the vision of the game designer, both to programmers who must implement the vision and players who interact with the game.
If China was developing a game to proselytize and recruit Americans to their world view, the result would look like Fan Wennan’s China 2098 (7). Your eye is drawn by perspective, lighting and size, to three pieces of text. The first and most prominent reads, “Tragedy of the Marine Civilization,” the second, “Leek Museum,” and the third and final is “Celebrating the 30th Anniversary of the People’s Union of America.” If the end goal were not clear enough, the celebration banner is displayed below a hammer and sickle flag hung on the former New York Stock Exchange (NYSE) building. The “Leek Museum” meaning is less clear. Leek is slang for a dupe. Below the large font, next to the arrow pointing at the NYSE, the sign reads “the old site of the NYSE” suggesting that financial extraction led to the People’s Union of America. That link is clear, but how does the prominent “Tragedy of the Marine Civilization” connect to financialization?
The comparison of maritime or river based society is a deep concept in Chinese consciousness. In 1988 the controversial documentary “River Elegy'' provoked outrage by suggesting that China’s inward looking, river based, dictatorial, agrarian society had to become an outward facing, sea based, quasi-democratic, mercantile society. This set of a flurry of protests and responses, both liberalization of market policies and a crack down on free speech. To return to the depiction of the People’s Union of America, the subtitle under the marine tragedy sign reads, “Analysis of the deep-rooted, bad habits of ocean culture.” This is as if to say, “you ocean people have some advantages that we assimilated (capitalism), but your democractic, open, ocean based society led to exploitation, which was your downfall.“
There is no greater example of how the West’s openness has been a blessing and a curse than the internet. Created, in part, to bypass totalitarian governments and increase the flow of information, the internet has been turned back on the West. The Chinese learned the lessons of the Soviet Union (market reforms without openness) and the lessons of the Trojans (beware of Greeks bearing gifts). Just like Wang infiltrating the ETO through the videogame intended as a Trojan horse, the Chinese have inverted the openness of the internet stealing information around the world, but tightly controlling it at home with the Great Firewall. Maybe it shouldn’t be such a surprise than that the Trojan horse was likely a ship, not a horse. It as if the Trojans, instead of taking that vessel full of Greeks into their inner sanctum, commandeered it and chased the Greeks all the way back to the Peloponnesus.
Density, Distribution and Shelf Life
Information about the FireEye/Treasury hack continues to come out as we find out the cause and scale of the breach. Sticking with the solar theme, Solar Winds, a network management software serving some 18,000 customers, was found to have a back door. The extent of the breach is yet unknown, but FireEye’s stock is already recovering while Solar Winds’ drops. We will continue to learn more about this specific breach, but what is more important is whether we are any closer to understanding the well posed question, “Are vulnerabilities in software dense
One industry that should care a lot about density of vulnerabilities is insurance. Aon just launched a new “digital cyber insurance for SME,” which translated from insurance speak means cyber insurance sold via websites to small businesses. If vulnerabilities are sparse, the diversity of software and configurations coupled with some level of patching should be plenty to keep companies safe. If vulnerabilities are dense, Aon is essentially betting that small businesses have such bad cybersecurity, they’ll never even know that they got hacked.
Two other factors that should matter a lot to cyber insurance besides density are distribution of losses and shelf life. U.S. Federal bank regulators are considering a 72 hour rule for breach reporting to clarify the “as soon as possible” language last updated in 2005. This would be a big improvement, but what is really needed is full transparency around distribution of losses and postmortems similar to an NTSB investigation. The second factor, shelf life, is how long a vulnerability remains in the wild before being fixed. If vulnerabilities are sparse, but their shelf life is long, it won’t do us much good. If vulnerabilities are dense, focusing on mitigating the vulnerabilities on the high end of the distribution becomes important. Either way, the question is not so much “how many hacks do we not know about?”, but “how dense are vulnerabilities?”
Security Financing & Deals
You might think with all of the bad security news investor appetite for cybersecurity would be waning. You would be wrong.
Northrop Grumman sold its federal IT business to Veritas Capital for $3.4B. One read is that hardware and software businesses don’t really have that much in common except the government buys lots of both, so once you hit scale on both sides they make sense as separate businesses. This is the second government services business related to cybersecurity that Veritas has spun out. The first being PWC’s government consulting business, now Guidehouse. That one made sense because it freed PWC from some conflicts of interest in going after audit work. Similarly this deal should free up Northrop, which ran this play before in 2009 when they shed TASC to avoid conflicts on programs where it provided advisory and oversight services. Yet, it seems that for every oversight head of the hydra that gets cut off, a new one grows.
Meanwhile, the bidding for british security services G4S is getting hot. GardaWorld, a Canadian firm backed by BC partners and Allied, an American firm backed by Warburg Pincus. G4S is the largest private employer in Europe and Africa, an attractive footprint for North American companies. This would bring the Wackenhut assets back under North American control.
Thoma Bravo, a perennial buyer of software companies is in the news twice this week. First for selling shares of Solar Winds along with investors Silver Lake, before the news of the breach broke. Both investment firms control board seats, and it’s unclear if there is any significance to the timing of the sale of stock. At the same time, Thoma Bravo did not seem deterred from deploying fresh capital into Venifi, the machine identity management company that orchestrates cryptographic keys and digital certificates.
In startups, ex-Microsoft founded cloud security company Wiz landed $10 million from Sequoia, Index Ventures, Insight Partners and Cyberstarts while industrial control systems and operational technology (ICS/OT), Dragos, scooped up $110 million in funding from strategic investors like National Grid, Koch Industries, Saudi Aramco and Hewlett Packard Enterprise. These two very different models of venture funding reflect the business models and stages of the companies they backed. Wiz founder exited his last company in just under three years. Dragos was founded in 2013. Small ball exits (sub $100M), even if they are a high IRR, are not what VC’s are chasing. Getting that big IPO often means waiting longer and greater dilution, but with binary outcomes, the hit to IRR doesn’t usually matter much. The question for the Wiz is whether their cloud security solution is a nice feature that gets bought too early, or a product worth building a company around. The question for Dragos is whether their capital intensive business can provide the eye popping margins at scale of a traditional software company.
Speaking of ICS/OT, the U.S. Government is using the power of the purse to set new IoT standards. With USG being the biggest buyer of IoT in the world, this is going to mean a whole heck of a lot more than previous attempts to set standards by convening industry groups. There are a lot of supply chain and public good risks in IoT, from embedded chips with vulnerabilities to botnets run by internet enabled cameras, it’s an important problem to solve, and one related to the inverted Trojan horse discussed above. One challenge, whenever standardizing is that monocultures don’t allow for hormesis, as mentioned before. Devices built to USG specs will have fewer (one hopes), vulnerabilities, but the vulnerabilities they do have will be all the same.
Russia and Chain have already developed weapons capable of taking down satellites that are eerily familiar from “The Three Body Problem.” In completely unrelated news, I’m sure, former Isreali Space chief claims Aliens have contacted the governments of Israel and the U.S. The odds there are aliens somewhere in the universe are pretty high. The odds they have contacted us are pretty low. The number of times Trump is mentioned in these stories makes me suspicious, but I’m filing this away in my draw with all the other 2020alienclaims.
Back on earth, the U.S. is looking to shore up space defenses by shrinking the size and growing the number of U.S. satellites. Defense is always going to be a harder problem than offense, but one thing that can help is reducing dependencies and impact of a given failure. The difficulty with security by obscurity is that it often concentrates risk, because secret keeping is by definition concentrated. It works great to put all your best soldiers in the Trojan horse, until the adversary figures out that all your best soldiers are in the Trojan horse.