...
I used to think I understood copyright law. The laws were straightforward and, for the most part, reasonable, and the fair use provisions clear and unambiguous. But of course, over the last couple decades, the copyright holders of Big Content have had little difficulty convincing the courts to support an increasingly arbitrary and even draconian interpretation of those laws. One of the shining examples of this willful manipulation of the laws governing a consumer's use of legitimate IP is the case of UMG vs. MP3.com, where the determination was made that you could legally purchase a song, and you could legally purchase some online storage where you could keep your files, but you could not legally store that song in that online storage. That, you see, amounted to piracy. Absurd.
But absurd though it was, it became the conventional wisdom that the concept of a cloud-based file "locker" for a consumer to keep his or her music, so that it might be accessible from any device anywhere, was dead on arrival without a license and the accompanying payments to every major record label. And while the labels have gotten on board with streaming services and even digital distributors, there has been no path to a legitimate online storage system that could earn their approval. Of course, MP3 files are just another collection of bits, so consumers have been storing their music in the cloud if they wished for years, but obviously an approved system could be optimized for that purpose.
Which brings us to Amazon. Clearly, they viewed the court's decision in UMG v MP3.com as silly and indefensible, so they announced their Cloud Drive music locker service and Cloud Player software that allowed you to stream your music from the Cloud Drive to most any internet connected device. The service has been up and running for weeks now, and so far all we've heard from the ordinarily highly litigious record labels has been some muttered condemnation and a bunch of crickets. Could it be that they don't think they could win this argument in court? Yeah, I think so too. To ask a Federal judge in 2011 to prevent people from using online storage for their music library would be significantly over the top, and a loss in court would announce to the world that an online music locker service was a business model that could operate unfettered by music industry legal harassment.
Both Apple and Google have been planning to roll out a similar service, but they have been restrained by their belief that they would have to win approval from and pay licensing fees to the copyright owners before it could be deployed. Now, they are both watching closely to see what the response of the industry will be to Amazon's service. And the labels are faced with a real quandary. If they don't challenge Amazon in court, at some point both Apple and Google, and probably a number of others, will decide that there is no real legal risk in providing a similar service, and the genie will be well and truly out of the bottle. But if the labels DO sue Amazon and lose, then they have no basis for threatening at least the smaller players - really, they'd have no potential revenue stream at all from cloud storage.
Which, in the end, offers the only truly valuable insight from the whole ugly rear-guard fight the music industry has put up against technological change. The labels should have owned the whole market. They should have been iTunes, Rhapsody, Amazon - the whole digital distribution ecosystem, just as they have always owned all phases of physical distribution. They could have led the way on R&D, partnered with electronics companies to build music players, built data centers - in short, they could have leveraged the technology to increase their revenues and control, rather than see all those pieces go into different, non-traditional hands while the record companies find themselves with an ever-shrinking piece of the pie.
Of course, the cloud comes with its own special challenges. Last week a problem with Amazon's EC2 cloud compute platform knocked a whole bunch of web-based businesses offline. The explanation is that an error caused a great deal of the associated storage to start to re-mirror, and this used up all the processor cycles and all the available storage and bandwidth in that zone. So everything stopped. Of course, the non-technical press (and to be fair, a decent portion of the technical press) ran stories with headlines like "The Cloud: Not Ready for Prime Time?" and "Is The Cloud Just Too Risky For Your Business?", without the slightest sense that these are not only stupid questions, they represent a category error of the first order.
Two points have to be made about utilizing a cloud infrastructure. First, it's absolutely necessary to understand that this is an economic decision, rather than a technical one. That is, there is a minimum baseline amount of IT infrastructure necessary to run the core business. Beyond that, there is development, new features, surges in demand, special events, any number of things that can bring that baseline infrastructure to its knees. Today, you just add fifty or a hundred servers in the cloud and manage demand and resources dynamically. Obviously, in the past, businesses didn't have, and couldn't justify procuring, those hundred servers, so the site just crashed anyway. The cloud changes the equation, and makes it easier for smart people to deploy innovative new services, because the barrier to entry isn't buying and maintaining five hundred or a thousand computers anymore.
Second, if you put your business in the cloud, the cloud is your datacenter. Treat it as such. Redundancy, multiple points of failure, failover
But no matter how many of these silly scare stories about the risks of cloud computing infrastructure you hear in the coming months, you need to understand just how stupid, pointless and without meaning they truly are. The web already is entirely dependent upon cloud based compute and storage capacity, and it would be economically impossible to return to the days when all your server metal was in your building. This "compute elasticity" is actually a very good thing, both from the standpoint of allowing innovations on the web that let you do cool stuff you like to do, and from the standpoint of giving all of us consumers a better option for storing and accessing our digital stuff.
Ain't technology wonderful?
...
Monday, April 25, 2011
Sunday, April 24, 2011
Dispatches from Silicon Valley - My Week in Unemployment
...
Friday morning. A week ago. Got up, went to work. By nine I was home again, without a job or an income. The dark grey kind of déjà vu that leaves you gut punched, shoulders sagging and that voice in your head asking if you truly ever expected any other outcome. I made another pot of coffee and stood, staring out the window, doing the one thing in the world I am the very best at - dwelling.
How did it come to this? Don't try to blame anybody else, you need to own this shit, buddy. If you knew how to act like a regular person, like everybody else, if you were something other than this weird combination of eccentric granny and murderous biker you could function in the world with other people. But waitaminute - they hired me, didn't they? Yeah, sure they did, but it sure didn't take 'em very long to figure out that mistake, now did it? Ok, fine, whatever. Just what the HELL are you going to do now?
That's the question, ain't it? I LIKED this job - well, no, let me try that again. I like the idea, the product, the industry segment, the customers, the buzz. It was exciting, and people were overwhelmingly willing to talk with me about their plans and requirements. This is THE hot segment right now - they call it "Big Data". The realization that if you could just capture all the data that went by, you could learn important things from it. But that's a LOT of data. But in the meantime, they were building Facebook and Twitter and Google and Flickr and YouTube - in essence figuring out how to deal with amounts of data that only existed in theory a decade ago. As Gigabytes gave way to Terabytes that are now starting to be Petabytes, much of it in small snippets, messages and tweets and status updates and text messages and blog comments, metadata and location data and clickstreams, the biggest companies were having to invent entire new technologies to capture, store, index and analyze all this digital stuff. Technologies like Map/Reduce and NoSQL, all resident in a set of robust open source communities figuring out how to scale up the web. And it's captured everybody's attention, because they've been struggling with existing tools to keep up with the amount of data they have to deal with, not even considering the data they want to capture.
But ultimately, you have to do something, don't you? It's paralysis that will kill you. You can do something stupid, but the only way to ensure failure is to do nothing. So I updated the old resume, sat down and called every company that we had considered the 'competition' in our segment.
A lot of what I actually DO for work is talk on the phone. So I'm not much for phones on my own time. I like email, and I tend to frustrate people by not answering the phone, then answering their voice mail by email. So for the last several years, I have watched the iPhone and Android smartyphone revolution sweeping the world, I have kept my stupid little LG phone that really couldn't do anything other than be a phone, and I was happy. But when I went back to work in December, the company issued me a Sprint EVO. Damn. Amazing - perfect voice recognition, Google Maps, all three email accounts, NPR and BigR Radio, GREAT music player software, decent camera...you get the point. I was hooked. So after I had to turn it in I only lasted a couple days of pretty serious jonesing before I couldn't stand it another minute and went to Verizon and got the Droid X. Frankly, the EVO was better, faster and friendlier, but all we're talking here is degrees of greatness. I find it very painful to be away from my smartyphone for very long, even though I still don't use the phone part very much. It's nice to take it to bed and get the NPR hourly news summary whenever I wake up. I think I'm in love with Lakshmi Singh.
So it was while I was setting up my Google Calendar on the smartyphone that I noticed that I had tickets for the Roger Clyne and the Peacemakers show in San Juan Capistrano on Friday. I bought them one night in February when I was drunk (as opposed, I suppose, to the night in February when I wasn't). I had completely forgotten about it. But here it was, a couple days away. And me without an income. Ah well, it's better to spend a few hundred bucks than throw away fifty, right? So I got up Friday morning at 4am and headed off to the South coast. It's 430 miles, so it's an eight hour run. I got in on Friday afternoon and went for a nice walk on the beach (I have a bunch more pictures, but you can see a few on here.) The show was fantastic, but then, if you've seen Roger and the Boys play then you knew that, and if you haven't, well, I've never understood that kind of asceticism. He is one of those very special entertainers that forms a powerful and emotional bond with the audience, and the band is so tight and polished that it looks entirely effortless, even as the love flows both directions, from the crowd to the stage, but also back from the band.
The response from those companies has been positive in general, but once again it's the same startup ethos and chaotic atmosphere as the previous, so I don't read too much into any of this so far. But it's positive in its own right, and that sense of something positive sustains me into the second week.
And it still makes me smile when it occurs to me that I don't have to go to that weird and oppressive place tomorrow morning...
...
Sunday, April 17, 2011
A Few Observations
...
So I’ve recently spent a few months working in a very young software startup. It’s utterly fair to say that I was not successful, although there are a variety of reasons for that, it doesn’t help, and for the purposes of post mortem examination, I won’t examine those that are external. In the final analysis I had a pretty profoundly exciting opportunity and was unable to make the management team see me as a valuable contributor to the effort.
A great deal of that is nothing more than my unfamiliarity with the whole startup ethos, and that’s the focus of this particular examination. Because it’s not at all what I thought it was, but rather something a good bit seedier, less honorable and quite a bit less admirable than what I previously believed.
First, the concept that this is some kind of small, narrowly focused team is not only false, but actually flies in the face of the psychological makeup of the participants. It’s chaos. Not a team so much as a loose affiliation of desperately greedy and hopeful players, most of whom have ridden this treadmill multiple times and have lost sight of any normal approach to business in favor of chasing that magic billion once again. They operate independently, and while they speak highly of one another, there is an endless process of preening and positioning as they try to be one of the people with a seat at the table when the music finally stops. And that can require a particular kind of almost psychotic ruthlessness.
Second, there is a disproportionate focus on the development team. Sure, without them you won’t have a product, but all the product in the world won’t do you a bit of good if you can’t monetize it or sell it. The assumption that “our developers are good so therefore our product is good and therefore we have something the market will pay for” contains more than one critical fallacy. I watched as our vaunted developers released a major upgrade to our core product that was just catastrophically buggy. And all the brilliant code in the world won’t make a successful company if you give it away. The challenge of monetizing open source software is a brutal one, where no matter how much expertise you hold within the commercial sponsoring organization, if the product is successful the market will produce experts outside of that organization, and then, unable to monetize the product OR the expertise, the organization founders. Red Hat is both the prototypical example and the exception, and it cannot be argued that a free operating system is in any way like a free database or a free application.
Third, there is the problem of funding. I come from a long historical understanding that in order to grow you had to increase revenues and, drawing from that organic source of funding, invest in capital equipment, personnel and marketing. That’s long been the model for American business, and that is as it should be because it makes sense and is sustainable. Which brings us to the inside view of a venture funded company. A venture-funded startup feels a bit like a heroin addict, except the substance is capital, not drugs. I was frankly gobsmacked to find that revenues weren’t considered important, and there was absolutely NO discussion of profitability. Rather, everything hung on convincing the Venture Capitalists to invest more money in the organization. Revenues didn’t matter, something opaque and ill-defined we called “bookings” mattered. And more than half of those bookings were bullshit. But that didn’t matter, you see, because it wasn’t about generating revenue, it was about convincing the venture funders to invest more money. And I’m sure they aren’t stupid, and they understand the game that’s being played. Which means that the goal isn’t to EVER be a profitable business, but rather to be bought out by a larger company. And that would generate individual wealth, justifying the chaos and positioning and bullshit. Or something. Now, this might be a viable business strategy (although I can think of some reasons to question that premise), but from the standpoint of recruiting, training and motivating a sales staff, it’s toxic. I mean, what do you do? Do you tell them you don’t give a shit about revenues, or do you try to pretend you do, and if that’s your strategy (it’s the one I observed) are you capable of actually sustaining that falsehood, participating in the negotiations and helping your sales team close actual deals? It turns out, at least in this case, that no, that isn’t something that is important enough to deal with.
Even if it means closing an 80 thousand dollar deal. That’s just weird.
Now I suppose my experience wasn’t representative of all tech startups, and I’d certainly join another one, this time better prepared to operate within the realities of that environment, rather than drawing from an entirely different experience that seems not to apply. But I think one thing to watch out for might be an organization comprised of serial startup workers - and that was what I found myself a part of. At some point, after going through the process a number of times, creating the image and getting the funding and building the narrative and getting acquired by a bigger company - something most of my colleagues had experienced multiple times - an understanding of building a business, selling and delivering a product or service, building long-term relationships and making good decisions about supply chains, vendors, partners, customers and pricing models just fades away in the chase to generate wealth from nothing more than a well-told story. I don’t know. It may very well be that I’m not suited for this. I have spent decades in a work environment where you could look at my monthly and quarterly billings and tell whether I was successful or not. I generated plenty of revenue at this gig, and that wasn’t enough. Indeed, it may not even have been what was expected...
...
Sunday, April 10, 2011
Cry Havoc! And Let Slip the Bytes of War
...
For all the violent conflict in the world today, 2 things we genuinely thought were no longer realistic possibilities were global war and endless war. With the advance of technology the world has become highly asymmetric militarily - a few rich nations with advanced aircraft and ships and satellites and limitless resources have the power to utterly overwhelm and dominate any of the other nations in a matter of days. And enough nations now have nuclear weapons that a global conflict cannot happen without escalating into a nuclear exchange, which means that global war cannot be won, and is therefore unthinkable to every side.
Which brings us to what we like to euphemistically call "cyber war". War waged digitally, across networks at the speed of light. Where weapons are bits and packets, malicious programs and malformed headers, escape sequences and JScript. For at least a decade we have been warned repeatedly that there are nations waging cyber warfare against us, and that we must defend ourselves even as we hone our own offensive capabilities. But make no mistake - what we have seen up to this point is not cyber war. It is more along the lines of cyber-intelligence operations, probing, snooping, hacking, learning where the networks and data centers were, learning how they were hardened and defended, finding ways to penetrate them undetected and learn the secrets contained inside. For all the talk of destroying dams and bringing down power grids, or even crashing entire economies, there really hasn't been much, if anything, in the way of offensive operations. Nobody really knew how another nation might react, or what the unintended consequences might be. If things got out of hand and people died in significant numbers, would it lead to an even worse cyber-counterattack, or even a conventional military response?
As a result, most nations were careful to disguise not just their operations, but their very identity. Working through small groups of proxies and hackers, routing attacks through networks around the globe, they always maintained a layer of plausible deniability, and because the goal was information, rather than destruction, it was never possible to link a particular attack to a particular adversary. Oh, we "knew" that China was active in these kinds of actions, as were Russia and others (certainly the US has done its share of penetrations) but other than expressing outrage, the diplomatic equivalent of a Cease and Desist order, there has been no real reason to escalate the response. Just business as usual in the 21st century.
Then, last July, while we were all busy with our lives and preoccupations, the world changed, radically, dramatically and forever. With the release of the Stuxnet worm, the gloves have come off, and the rules of the game have changed for good. Stuxnet is a complex, finely tuned assembly of exploits and malicious software narrowly designed to do one very specific thing. It targets industrial controllers manufactured by Siemens through their own Step 7 SCADA software, and once it is installed in those controllers it sends a very specific set of commands and instructions to the devices under control. At first, nobody knew what it was. It was hard to understand - it didn't seem to want to turn a PC into a zombie for sending spam, it didn't seem to have any bad economic intent, indeed, as it was reverse engineered it became increasingly clear that it was highly sophisticated and very carefully targeted. And then, as the weeks went by and researchers were able to watch its actions and evolution in the wild, along with its propagation pattern, it became clear that it was designed to infect the computers controlling the Iranian uranium enrichment facility at Natanz. And it wasn't there to gather information, or to observe their progress. It was there to break things, to destroy the actual centrifuge hardware and force the Iranians to shut down the plant while they tried to clean their systems and make sure they would function properly when restarted.
This kind of attack clearly didn't originate with a band of Ukrainian criminal hackers, or from a loose international affiliation of disaffected anarchists. This was designed and built by a nation, with the industrial, intelligence and financial resources to develop and produce this very complex and specific weapon. And when one nation develops a weapon and uses it to attack another nation, that is an act of war.
So now they've done it. They've taken down whatever barriers previously prevented truly destructive acts of cyber warfare, and announced to the world that this is a legitimate and acceptable part of the way adversarial nations interact with each other. They've said "if global norms prevent me from dropping bombs on your nuclear research facility, it is nonetheless OK for me to seek to destroy that facility by infecting the computer networks that control it". But here's the thing. In this form of modern warfare, there is no asymmetric advantage. EVERY nation can put together a team of a hundred (or less) smart programmers and beat you at your own game. You've given up the advantages of of wealth and power, grounded your stealth jets and mothballed your aircraft carriers. This is the twenty first century equivalent of tribal conflict with clubs and stones, where at any given moment anyone can deliver the decisive blow. Indeed, it is countries like the US, Israel and those in Europe that are most dependent upon technology, and therefore most vulnerable to the widest variety of attacks.
No matter what temporary advantage was gained by the release of Stuxnet, it's true result was to open a new front in what will be a global, eternal war, fought among multiple adversaries within shifting alliances for murky motives. There is very little doubt that even now, at this moment, new cyber weapons are being developed, new targets researched, new, ever more diabolically brilliant tactics designed. And we should be concerned. Perhaps even afraid. Because we are vulnerable, and because we invited it...
...
For all the violent conflict in the world today, 2 things we genuinely thought were no longer realistic possibilities were global war and endless war. With the advance of technology the world has become highly asymmetric militarily - a few rich nations with advanced aircraft and ships and satellites and limitless resources have the power to utterly overwhelm and dominate any of the other nations in a matter of days. And enough nations now have nuclear weapons that a global conflict cannot happen without escalating into a nuclear exchange, which means that global war cannot be won, and is therefore unthinkable to every side.
Which brings us to what we like to euphemistically call "cyber war". War waged digitally, across networks at the speed of light. Where weapons are bits and packets, malicious programs and malformed headers, escape sequences and Jscript. For at least a decade we have been warned repeatedly that there are nations waging cyber warfare against us, and that we must defend ourselves even as we hone our own offensive capabilities. But make no mistake - what we have seen up to this point is not cyber war. It is more along the lines of cyber-intelligence operations, probing, snooping, hacking, learning where the networks and data centers were, learning how they were hardened and defended, finding ways to penetrate them undetected and learn the secrets contained inside. For all the talk of destroying dams and bringing down power grids, or even crashing entire economies, there really hasn't been much, if anything, in the way of offensive operations. Nobody really knew how another nation might react, or what the unintended consequences might be. If things got out of hand and people died in significant numbers, would it lead to an even worse cyber-counterattack, or even a conventional military response?
As a result, most nations were careful to disguise not just their operations, but their very identity. Working through small groups of proxies and hackers, routing attacks through networks around the globe, they always maintained a layer of plausible deniability, and because the goal was information, rather than destruction, it was never possible to link a particular attack to a particular adversary. Oh, we "knew" that China was active in these kinds of actions, as was Russia and others (certainly the US has done its share of penetrations) but other than expressing outrage, the diplomatic equivalent of a Cease and Desist order, there has been no real reason to escalate the response. Just business as usual in the 21st century.
Then, last July, while we were all busy with our lives and preoccupations, the world changed, radically, dramatically and forever. With the release of the Stuxnet worm, the gloves have come off, and the rules of the game have changed for good. Stuxnet is a complex, finely tuned assembly of exploits and malicious software narrowly designed to do one very specific thing. It targets industrial controllers manufactured by Siemens through their own Step 7 SCADA software, and once it is installed in those controllers it sends a very specific set of commands and instructions to the devices under control. At first, nobody knew what it was. It was hard to understand - it didn't seem to want to turn a PC into a zombie for sending spam, it didn't seem to have any bad economic intent. Indeed, as it was reverse engineered it became increasingly clear that it was highly sophisticated and very carefully targeted. And then, as the weeks went by and researchers were able to watch its actions and evolution in the wild, along with its propagation pattern, it became clear that it was designed to infect the computers controlling the Iranian uranium enrichment facility at Natanz. And it wasn't there to gather information, or to observe their progress. It was there to break things, to destroy the actual centrifuge hardware and force the Iranians to shut down the plant while they tried to clean their systems and make sure they would function properly when restarted.
This kind of attack clearly didn't originate with a band of Ukrainian criminal hackers, or from a loose international affiliation of disaffected anarchists. This was designed and built by a nation, with the industrial, intelligence and financial resources to develop and produce this very complex and specific weapon. And when one nation develops a weapon and uses it to attack another nation, that is an act of war.
So now they've done it. They've taken down whatever barriers previously prevented truly destructive acts of cyber warfare, and announced to the world that this is a legitimate and acceptable part of the way adversarial nations interact with each other. They've said "if global norms prevent me from dropping bombs on your nuclear research facility, it is nonetheless OK for me to seek to destroy that facility by infecting the computer networks that control it". But here's the thing. In this form of modern warfare, there is no asymmetric advantage. EVERY nation can put together a team of a hundred (or fewer) smart programmers and beat you at your own game. You've given up the advantages of wealth and power, grounded your stealth jets and mothballed your aircraft carriers. This is the twenty-first-century equivalent of tribal conflict with clubs and stones, where at any given moment anyone can deliver the decisive blow. Indeed, it is countries like the US, Israel and those in Europe that are most dependent upon technology, and therefore most vulnerable to the widest variety of attacks.
No matter what temporary advantage was gained by the release of Stuxnet, its true result was to open a new front in what will be a global, eternal war, fought among multiple adversaries within shifting alliances for murky motives. There is very little doubt that even now, at this moment, new cyber weapons are being developed, new targets researched, new, ever more diabolically brilliant tactics designed. And we should be concerned. Perhaps even afraid. Because we are vulnerable, and because we invited it...