This is a valedictory post from the departing technical director of the National Cyber Security Centre, which leads off with a quantum state superposition joke. That might all suggest something of interest only to rather a niche audience. It is true that some of the points made assume a level of familiarity with cyber jargon which not all of us possess, but that turns out not to matter nearly as much as it first appears. The post is in fact a set of ten lessons learned, all of them relevant much more widely across government (and well beyond) than just the immediate world of cyber security. Taken together, they read as a kind of manifesto for systems thinking.
As just one example, point 7 is that ‘incentives really matter.’ That’s something which governments haven’t tended to be very good at, perhaps in part because they don’t think they need to be – governments can, after all, make things mandatory, which is not an approach available to others. But in the end, actors in a system will behave as they perceive it to be in their interests to behave, and it is foolish to assume otherwise. As between government and technology infrastructure,
we implicitly expect these companies to manage our national security risk by proxy, often without even telling them. Even in the best case, their commercial risk model is not the same as a national security risk model, and their commercial incentives are definitely not aligned with managing long-term national security. In the likely case, it’s worse.
That that is true much more generally is both pretty self-evident and widely overlooked, and some pretty terrible things have happened as a result.