1 Raindrop

Gunnar Peterson's loosely coupled thoughts on distributed systems, security, and software that runs on them.


You Say: Cyber. I Say: Unsubscribe

Stop the presses! Sensitive IP has been stolen! Not only that, it's some of the world's most advanced technology - robotic surgery! How will the Pentagon respond? Scrambling jets? Carriers on high alert?!?

Oh, one clarification: the headline "Mako Sues over stolen trade secrets" was not from CNN or NYT, it was from an almost-as-big-name media player -- the South Florida Business Journal. Not to be confused with the North Florida Business Journal, one supposes.

Mako Surgical Corp. filed a lawsuit against rival Blue Belt Technologies and former sales manager Jeffrey Gellman over allegations that he violated his non-compete agreement and gave its competitor client data and trade secrets.
Gellman allegedly used his work email to send confidential information about Mako Surgical’s business to his personal email to help his new employer.
The Davie-based manufacturer of a hip and knee replacement surgical robot (NASDAQ: MAKO) has been under the gun to meet sales expectations, and had to revise its 2012 sales guidance lower last year. Mako Surgical projected sales would be flat or up slightly in 2013, but the emerging Blue Belt is trying to eat into its market share in this emerging field.

Why are we bombarded with IP copying stories as lead stories in all major media when the threat is outside the US, and told this is now our top priority, when another story on the same issue (on very likely way more advanced technology) is relegated to a footnote in a comparatively tiny media outlet?

Certainly just as much "cyber" was involved; after all, the robotic surgery secrets were allegedly sent over email! We're told that "cyber" stealing of IP is the biggest threat of all, so why is this Mako Surgical vs Blue Belt dispute over surgical robots not being handled by the White House or at least the Secretary of Defense?

Well, you say, it's because they are both in the same market. My answer to that is: I can't hear you, my ears are full of bullshit. Unfortunately the current international debate on "cyber" has precisely zero sense as to how markets operate. Ask your CEO where growth is coming from. Where are your products actually made? Mature developed nations or emerging Asia? Don't talk to me about "cyber" if you don't know how markets and supply chains work.

But hey, maybe economics are not your thing; you serve the higher ideals of the American dream, not the crass laws of supply and demand. Well, let's leave aside economics and do a historical tour of a wonderful country that built itself from a frontier economy to a world leader through piracy. That country is America.

It's difficult to describe just how fundamental piracy was to building the US economy. The story is told very well in a must-read book for any infosec pro - Smuggler Nation. Some examples:

  • "Adam Smith was such an admirer of smugglers - they were at the forefront of breaking down rigid trade barriers. He viewed a smuggler as 'a person who, though no doubt highly blamable for violating the laws of his country, is frequently incapable of violating those of natural justice, and would have been, in every respect, an excellent citizen, had not the laws of his country made that a crime which nature never meant to be so.'"
  • "a mere 384 hogsheads of molasses per year officially arrived in Boston in 1754-55, but 40,000 hogsheads per year were required to run the region's sixty-three distilleries...Colonial merchants predictably balked when Britain suddenly stopped turning a blind eye to such smuggling in the 1760s. In a revealing line, John Adams would later write, 'I know not why we should blush to confess that molasses was an essential ingredient in American independence.'"
  • "Edward Randolph, the appointed head of customs in New England, brought thirty-six seizures to trial -- and all but two were acquitted."
  • "Smuggling was so institutionalized that merchants were able to buy insurance policies to cover them in the event of seizure"
  • Newport, Rhode Island was the epicenter of the Rum trade in colonial America. Today we tend to associate Newport with yacht racing and gilded-age mansions, but the origins of this northern port's fortunes were less glamorous...By the mid-1760s, twenty-two of the thirty Rhode Island distilleries were based in Newport. As one historian has remarked, "If merchants from all the American seaports evaded the navigation laws to some extent, those from Newport stood alone as the greatest offenders." No wonder then that the inhabitants of the town - and the rest of the colony for that matter - were denounced by British Admiral John Montagu as "a set of lawless piratical people...whose sole business is that of smuggling and defrauding the King of his duties."
  • "The port of New York was even more active than Rhode Island in trading with the enemy. Far from being a business of the socially marginal, such commerce involved not only the city's merchant elite but also the political class - including the mayor and Supreme Court justices"
  • Benjamin Franklin described the navy's new anti-smuggling job in especially harsh terms with a heavy dose of sarcasm: "Convert the brave, honest officers of your navy into pimping tide-waters and colony officers of the customs. Let those who in the time of war fought gallantly in defense of their countrymen, in peace be taught to prey upon it. Let them learn to be corrupted by great and real smugglers; but (to show their diligence) scour with armed boats every bay, harbor, river, creek, cove, or nook throughout your colonies; stop and detain every coaster, every wood-boat, every fisherman; tumble their cargoes and even their ballast inside out and upside down; and, if a penn'orth of [dressmakers'] pins is found untethered [on the cargo manifest], let the whole be seized and confiscated. Thus shall the trade of your colonists suffer more from their friends in time of peace, than it did from their enemies in war... O, this will work admirably."
  • "Boston merchants became increasingly outspoken in their defiance. John Hancock, one of Boston's wealthiest shippers, even publicly declared that he would not permit customs officers to inspect his vessels."
  • "Alexander Hamilton's Report on Manufactures, 1791: 'To procure all such machines as are known in any part of Europe can only require a proper provision and due pains. The knowledge of several of the most important of them here is already possessed. The preparation of them here is, in most cases, practicable on nearly equal terms.' Notice that Hamilton was not urging development of indigenous inventions to compete with Europe but rather direct procurement of European technologies through 'proper provision and due pains' - meaning breaking the laws of other countries."
  • "Only after it had become a mature industrial power did the country vigorously campaign for intellectual property protection - conveniently overlooking its own illicit path to industrialization"
  • "Historians credit Slater as being 'the father of the American industrial revolution.' But the Boston businessman Francis Cabot Lowell is credited with truly transforming New England textile manufacturing into a mass-production and internationally competitive factory system. Doing so involved pulling off the most remarkable case of industrial espionage in American history. Lowell travelled to Britain in 1810 for an extended stay allegedly for health reasons. The wealthy Boston merchant was not considered a rival manufacturer and therefore not treated with suspicion in local business circles. Lowell toured the Glasgow factories in the spring of 1811. Soon after he visited other factories to obtain 'all possible information' on cotton manufacturing 'with a view to the introduction of the improved manufacture in the United States' as his business partner later recounted."
  • [back in the US in 1813] "Lowell's was the first mill in the country to combine all aspects of the textile production process...The integrated cotton mill was a transformative development in the history of textile manufacturing."

The echoes of history are so strong here you need a Richter scale to measure them. It's how emerging economies grow and get up to scale. What did England do or not do? What might have worked better? I do not have all the answers here, but I can clearly see that amidst what passes for international dialog on "cyber", both economics and history are decidedly absent, and yet they very likely contain the seeds of the most important lessons and guideposts for forward-looking strategy.

March 14, 2013 in Books, Security

Tom Barnett Interview Part 7

In the last part of my interview with Tom Barnett (part 1, part 2, part 3, part 4, part 5, part 6), Tom explores how changes in the emerging markets may flow into the developed world. Tom Barnett's recent book is Great Powers (and you can read it on your Kindle).

GP: Your depiction of the necessary shifts to realign the globalized Core and the developing Gap includes an interesting distinction on emerging markets governance where they are over-ambitious on the scope or reach of governance but not as committed to ensuring the strength of the institutions themselves. You make the case that we will see globalization driving better institutions (rule of law for example) in emerging markets, I am curious if you expect to see a true dialogue, are there examples where best practices in emerging markets drive new behaviors in globalized Core?

Thomas Barnett: Not so much in corporate governance, because of the high state involvement (either past or present) in most emerging markets.  There are some who expected us to be treated to a long lecture from emerging markets on the dangers of too little state involvement, but that message just hasn’t come through as predicted.  We made the assumption that, because there’s more state involvement in the New Core (rising pillars in East and South), that that component is what accounts for their recent growth.  In truth, and from their perspective, it’s the diminishment of state involvement that’s triggered the growth, not its maintenance.  So the Old Core West, coming off this economic crisis, which culminates a three-decade period of progressive deregulation, anticipated a dialogue that hasn’t really come.

In general, emerging markets remain—to us, at least--surprisingly committed to privatization and embracing globalization, and it’s largely our own anti-market types with whom we must contend.  But even there, the crisis doesn’t seem to have triggered much political change.  Sure, there’s the temporary state involvement in banking, but we haven’t seen any raft of Leftist governments come into power.  They still don’t have a credible alternative to markets as we’ve come to know them in all their flavors (oligarchic, state-directed, big firm, or more entrepreneurial).  As far as I can see, the “end of history” on that debate hasn’t been restarted—as it were, despite plenty of handwringing by pundits.

The debate that has ensued has been appropriately structural in focus: the rebalancing of trade (West must consume less, the East more), the regulation of cross-border banking activities (no great new answer there, just a general retrenchment, which is probably wise given the lack of will to put in place sufficient new rules), and the question of a global reserve currency that replaces the dollar and relieves America of that burden/temptation.

The last one interests me the most.  As I see it, it would be best for an “Asia” basketed currency (based on the Won, Yen and Yuan, to begin with) to emerge as the third leg to the reserve currency “stool” whose other legs would be the dollar and the euro.  As soon as the combined weight of the euro and “asia” matched the dollar, we’d have a natural balancing function, far better than the collusional efforts of the past (Plaza Accord-like agreements to manage the tectonic movements of major currencies).  The idea of creating something new and artificial is—to me, at least—a lot scarier and untested (it would be, by definition, far more subject to political manipulation because it wouldn’t be based on any underlying economic reality).  We simply don’t know how that would work, and, given the lack of global resolve now on regulating cross-border banking activity, I just don’t see the will to make something that complex work any time soon.

I think the reason why China, for example, wants to leapfrog to something like a new global reserve currency is that such an effort would allow it to delay making the necessary moves on the yuan (convertibility, etc.).  By making the case for the new currency, Beijing is basically asking for our help, saying in effect, “don’t mess up the global economy with your lack of fiscal discipline, because it’ll be a long time before we can manage our own part of a global disciplining function.”

Where the dialogue on new rules has been most evident to date is on global warming and new energy technologies.  I expect to see the best outcomes here in the next decade or so.

GP: As a Green Bay fan, are you happy with the Packers' draft results?

Thomas Barnett: I like to point out that Aaron Rodgers had almost exactly the same stats as league MVP Peyton Manning did last year—just not the same number of wins.  So the big question from last year has been adequately answered.  Looking over the rest of the offense, the O line looks solid and the receiver corps is strong.  Tight end is weak and there’s not the depth on running back that I’d like (although I hope to be surprised there).  Add it all up and there wasn’t much reason to concentrate the draft on the offense.

Instead, in my mind, the defense was the clearly inferior half last year, thus the radical shift to the 3-4 (which I don’t think we’ve played in GB since its heyday about 20 years ago, yes?).  Given that demand, the draft focus on the D side made sense, starting with the interior lineman in the first pick.

I like our chances this year.  The Vikes still lack a caliber quarterback and I think the Bears will be tougher but not that much improved with their new guy, so I think we’ll be competitive and definitely over .500 for the year, assuming Rodgers follows through on further development.


This wraps up the interview with Tom Barnett. I'd like to thank Tom for his thoughtful answers and sparking some good debates.

August 05, 2009 in Books, Security

Tom Barnett Interview Part 6

In part 6 of my interview with Tom Barnett (part 1, part 2, part 3, part 4, part 5), Tom discusses how he sees the intelligence services fitting in the highly networked world we call globalization. Tom Barnett's recent book is Great Powers (and you can read it on your Kindle).

GP: Your work encompasses many domains from security to technology to economics. One area you do not dwell much on is intelligence. I am curious if this is deliberate and what role do you see for intel in the 21st century? It seems that the same nations with large middle classes also have large intelligence services. Is intelligence a third rail to the big war vs. small war debate? Or is it something different altogether?

Thomas Barnett: When I've spoken about intelligence in my books, it's always been to argue for more open source and more openness within the Intelligence Community and between the IC and the real world.  I've also advocated more focus on human intelligence versus technical means.  In general, I find the National Intelligence Council stuff to be the most useful, and so I've held them up as the model of what the CIA should have become instead of what it is.

I don't spend a lot of time on the IC because I find them to be one source among many.  I held top clearances for years and was thus able to compare what I could learn from that world and what I could learn from the open world and I simply found that networking among the universe of non-classified sources to be far superior to being captured by the secrecy of the classified one.  I am, quite frankly, glad to be free of such clearances.  I rarely found anything in that world to be useful for my analysis (and almost completely useless for vision work) and even when you came across something, your ability to use it was severely circumscribed.  So once you entered the cloistered world, you rarely escaped, and I just find that sort of narrow specialization quite dangerous to my way of thinking.

In general, I also tend to downplay what some consider to be the supremacy of "good intell" because I don't want to work within a system where the intell guys are the smartest (no worries there), because where I encounter systems where that is true (or was true, like in the USSR), I find a truly bad political and economic situation.  I like my businessmen to be smarter than my politicians (sad world where the brains go into government) and my politicians to be smarter than my military (sad government when the reverse is true) and my generals to be smarter than my intell (or else, how can they contextualize the good stuff they get?).  So when I rack 'em and stack 'em, I just don't view my country's needs as being topped out with "great intell."  I would believe that, if I was living in some dysfunctional, vertically integrated political or economic system, but I live in a truly networked nation in every sense of the word, and so I don't worry about that like other thinkers may.

Do I want better intell?  Always, but--again--I seek it from the widest array of sources as possible.  I just don't believe you can stop scary vertical scenarios (the bolts from the blue) and I think that, in general, Americans tend to be too afraid of them.  Instead, I like to focus on our resiliency in running down the subsequent horizontal scenarios.

But obviously, in a world of frontier integration, like the age we live in now, better local knowledge (call it intell if you must) is crucial, but even there, I tend to caution against "killer insights" based on local cultural knowledge, because, at the end of the day, the goal is connectivity, not preserving the pristine, because if the pristine was working so well, we wouldn't be there with troops.

The notion of integration as the goal perhaps points to an opportunity for intelligence services where they can enable integration. 

August 04, 2009 in Books, Security

Tom Barnett Interview Part 5

Here is part 5 of my interview with Tom Barnett (part 1, part 2, part 3, part 4). I ask Tom about the bureaucratic battle in determining where security is going. Tom Barnett's recent book is Great Powers (and you can read it on your Kindle).

GP: In the chapter on "Security Realignment" you describe a bureaucratic battle between the big war crowd (air-sea forces) and the small war crowd (ground forces), where historically the big war crowd has received the bulk of the focus and budget, even though we are now decades into a small war reality. However, as with any good bureaucratic battle, the decisions on budgeting and such are made at a level or two above these two crowds - how does the battle play out with civilian decision makers, and how do you propose changing the conversation to focus on actual security considerations rather than simply scare tactics?


Thomas Barnett: The battle is playing out quite nicely under Gates, with no outside intervention required by anybody.  He has come down clearly on the side of the small-wars crowd, indicating, as I have long argued, that he simply will not stand for poor support to today's warfighter in the face of inordinate support for tomorrow's over-the-top scenarios (where every service community justifies their big-war numbers on fantastic storylines that see them forced to fight entire wars on their).  Obama has clearly indicated that he does not buy into the "rising China" hype whereby their PLA is somehow our soon-to-be global equal (nor the truly ludicrous notion that Russia is "back" on the basis of that pathetic showing in Georgia), so his political top-cover is tight.  With neither the Iran nor DPRK scenario able to derail Gates' rebalancing, we're getting the entirely sensible argument from SECDEF himself that his budget is--in my vernacular--10 percent pure SysAdmin, 50 percent pure Leviathan, and 40 percent swing or dual-use.


So as far as I'm concerned, this battle is won.  And the longer Gates stays, the better the lock-down, with the next QDR serving as the new gospel.


I wanted to ask Tom this question because I think anyone in infosec can relate to the notion of needing a security realignment, and having to battle bureaucracies and competing priorities to accomplish said realignment. The bottom up decision making criteria that Tom alludes to is one I have a lot of sympathy for. Just because one set of priorities is entrenched in the organization doesn't mean they should guide future decisions. Decide in Latin means "to cut from", so to prioritize one thing you are choosing not to do another. We can't take on new security challenges without reprioritizing our efforts in other areas.

August 03, 2009 in Books, Security

Tom Barnett Interview Part 4

Today, we have part 4 of my interview with Tom Barnett (part 1, part 2, part 3). Tom looks at the notion of Service-Oriented Alliances, and why businesses should think of risk management as a differentiator. Tom Barnett's recent book is Great Powers (and you can read it on your Kindle).

GP: Your notion of Service-Oriented Alliances is that technology is driving business and business is driving globalization - "if I can do damn near anything over the Internet, my company can assume almost any shape I want", this implies connectivity, dynamism, and a degree of uncertainty. How do firms leverage SOA to find advantages in these alliances? Given the connectivity, a level of uncertainty and multiple policy domains - how should they think about risk management?


Thomas Barnett: It’s our argument at Enterra that companies need to view the emerging SOA environment as the IT equivalent of globalization in all its complexity—both good and bad.  It’s an opportunity to render autonomic—through rule set automation—as much of their performance metrics, security (physical, cyber, application), and regulatory compliance practices as possible. That means using genetic algorithms to bake rules into your operating systems and allowing these next-generation management capabilities, in aggregate, to elevate your management’s interventions—as in, keep them above the fray of day-to-day minutia and focused on the serious decisions.  But the key thing is to make these rules instantly updatable and re-renderable based on changes in your operating environment.  Too much of what constitutes management today are execs chasing down all the gaps and internal conflicts among the various rule-set domains to which their company is exposed.  It’s gotten to the point where investors feel that, based on all these recent scandals, major corporations have almost gotten too big to effectively manage.  In the end, all this connectivity and systems integration comes at a price:  you’re increasingly exposed to all manner of networks in this world and with that connectivity comes increasingly higher expectations from clients, suppliers, and governments.

As such, risk management shouldn’t be thought of as a burden but as a differentiator—another chance to prove your company’s worth relative to the competition.

Inside what I call globalization’s Functioning Core (old West, new East, rising pillars of the South), we’ve moved from classic defense to comprehensive security.  Inside my Non-Integrated Gap, defense still trumps security.  So we’re talking two rule-set domains—high and stable versus low and unstable.  But the third domain is crucial.  In political-military terms it’s the question, Under what conditions can/should Core great powers intervene inside the Gap?
The same is essentially true for companies:  mature firms in the high-trust Old Core (i.e., North America, Europe, Industrialized Asia) have undergone deep integration with a lower-trust New Core (BRIC-plus), which in turn, because of its skyrocketing resource requirements, is undergoing greatly heightened integration with the low-to-no-trust Gap regions, like China and India going into Africa big time.  The New Core’s extension of nets into Gap regions means that our connecting networks with rising powers like China and India makes us—by extension—far more vulnerable to bad things coming out of the Gap (i.e., anything capable of creating business discontinuity).  So there’s no question that risk management has gotten a lot more complex—as in, beyond creating redundancy and calling it a day.

Companies need to know their critical assets throughout their systems of supply and production and sales, and be able to re-render those relationships at a moment’s notice, because your client loss this morning is somebody else’s market opportunity that afternoon.  You see that on obvious ones like tainted products:  all of a sudden South Korea is shut down with regard to U.S. beef and maybe you never reclaim that market space as a result.


Interesting to compare with infosec: Old Core equals back-office enterprise, mainframe and such; Gap equals the Internet wild, wild west; and New Core equals large businesses who primarily do business on the web. Different security and integration rules apply for each environment and when these environments intersect.

July 31, 2009 in Books, Security

Tom Barnett Interview Part 3

Today, we have part 3 of my interview with Tom Barnett (part 1, part 2). Today Tom drills down on a topic familiar to infosec, which is the intersection of connectivity and security. Tom Barnett's recent book is Great Powers (and you can read it on your Kindle).

GP: Many security writers and thinkers are obsessed with threats, they throw a dart at connected systems, extrapolate the worst-case scenario and everything goes "boom!"; your work is different, it accounts for system perturbation from threats but has more focus on the system resiliency to deal with events over the long haul. I find this system thinking lacking in many of your peers, and have never understood how worst-case threat extrapolation can automatically lead to a parasite that takes over its host. Can you explain why it's different to think of security in terms of resiliency rather than simply threats? What insights fall out of this distinction?


Thomas Barnett: Worst-case thinking obviously has its uses in the national security realm.  I just think we got into very odd, extreme tendencies during the Cold War, when the threat of nuclear conflict distorted our thinking unduly.  We’re just beginning to see thinkers and analysts and strategists emerge from a post-Cold War educational environment, like my nephew Brendan who’s studying Russian and International Relations (as I once did) at my alma mater, Wisconsin.  The problem is, the field of international relations, as Brendan will attest, is still obsessed with game theory and all sorts of artificial schools and still tends to be way too insular (economics still needs to be embraced far more, not in some antiseptic academic sense but more in a keen understanding of how international business works).  But the key thing is, Brendan and others of his generation won’t be held to the extreme fears that my generation was, despite the constant hyping of the threat of nuclear proliferation, so they’re forced to cast their nets wider and that’s a good thing.

The key thing, in my mind, is acknowledging--in a Robert Wright/non-zero-sum sense—that humanity continues to progress.  The worst-casers tend to view all this rising connectivity as teetering (always!) on the edge of complete collapse, seeing only vulnerabilities and few workarounds.  But to me, the key thing is that more connectivity yields more rules and more rules yield more peace.  Most IR thinkers tend to fret unduly over the fact that politics trails economics and security trails networks.  But these are normal dynamics for a frontier-integrating age.  

Then there's the generational experience explanation:  For many of the teachers I had, they grew up in the shadow of World-War-II-bleeding-into-the-Cold-War, so they were natural—even aggressive—worst casers. But for somebody like me, who comes of age in the early 1970s, it’s hard not to be optimistic, because the global security environment has gotten so much better and the global economy has advanced to a degree that—at least when I was an undergrad in the early 1980s—was inconceivable to the IR field I was trained within.

So I see my role as trying to temper what I consider to be the pointlessly hyperbolic analyses of too many of my elders and simply hold down the fort until my relief arrives in the form of Generation Y thinkers who came of age in an already connected world and thus are able to judge its possibilities and dangers with more equanimity.


It's an interesting image: the younger Generation Y being the more rational, reality-based one, looking to how things actually work rather than theories.

July 29, 2009 in Books, Security

Tom Barnett Interview Part 2

Yesterday, I posted part 1 of my interview with Tom Barnett. Today, Tom explores a theme from his recent book Great Powers (and you can read it on your Kindle).

GP: Drilling down on China and India, your books and blog capture many of the differences of the progression of these two countries. In your book you compare China's trajectory to the Alexander Hamilton path, and India's to Thomas Jefferson's ideal. Can you summarize this argument for readers who may not have read your book? In addition, assuming you're correct on China, we have a  reasonably good idea where this well worn path leads, but where might India's Jeffersonian path lead? This is more unproven as it scales out, correct?

Thomas Barnett: China chooses to industrialize and move up the production chain in a lock-step fashion, in the manner of Hamilton’s preference that America replicate Britain’s rapid industrialization path—Deng channeling Hamilton.  India, with its Gandhian reification of village life, simply hasn’t pushed the same urbanization effort that China has, thus it hasn’t been forced to industrialize to the same degree in order to provide urban-based manufacturing jobs to displaced rural workers.  As a result, India has only a small fraction (single millions) of its working population laboring in the formal manufacturing sector, compared to China’s well over 100 million.  In contrast to the normal development path, India has sought to leapfrog into the services sector, succeeding magnificently on a global scale but employing only a tiny fraction of its educated population.

Both countries naturally face competitive pressures over time from smaller countries that seek to out-India India on services and out-China China on manufacturing, on the assumption that those two countries’ labor costs will inevitably rise, which they are.

At initial glance, China’s route has higher risks concerning its political system (all those unruly and increasingly assertive urban laborers can go all Marxist on Beijing’s allegedly “communist” ruling party), but India has higher risks concerning its economic trajectory (your point about scaling out badly). It’s just easier to imagine—for me at least—China having to change politically than India somehow avoiding industrialization and the social tumult/reformatting it will cause the country’s rural life. China’s got a lot of that already under its belt (although its rural impoverished population remains vast, there are plenty of opportunities for village employment or migration to the cities), and its government seems willing to do whatever it takes to encourage and accommodate the migration from rural areas to cities. But India is moving far more tepidly in this direction, the result being that what rural-to-urban migration does occur often results in rather scary urbanization scenarios (more slumdog than millionaire).

In the end, it’s really amazing that we have these two experiments running side-by-side at the same time:  the democracy that doesn’t push its people too hard but then puts its economic development more at risk; and the authoritarian system that does push its people plenty and then puts its political development at risk.  For a political scientist like myself, this is the most interesting political experiment I’ve ever come across—far more interesting than the Cold War.


Indeed, it's two experiments running side by side with well over 2 billion people in the sample set.

July 27, 2009 in Books, Security | Permalink | Comments (0)

Tom Barnett Interview

For my money, Tom Barnett is the most interesting thinker on security because he approaches security in a multi-track, synthetic way that combines technology, globalization, and economics. Too often people get locked into binary "secure vs insecure" thinking, when in reality technology, globalization, and economics all factor into security in the real world. Note that Ross Anderson, in the second edition of Security Engineering, picked up on the theme of incentives in addition to our standard policy, mechanism, and assurance. Incentives are obviously taken from economics.


Barnett's work avoids the binary "secure vs insecure" trap and combines the above factors with a perspective on where this is all leading. His first book, Pentagon's New Map, was breakthrough material that showed, among other things, how security models differ in the "core and the gap"; you can watch video briefs here. Barnett's latest book, which I highly recommend you read, is Great Powers (and you can read it on your Kindle).

I had a number of questions for Tom on his work which he answered via email, and I will spool these out over the next couple of days as his answers come in.


GP: One of the themes I found compelling about "Great Powers" was the historical parallels you draw between early America and developing countries like Brazil, Russia, India and China - you wrote:

"In this world we find no strangers, just younger versions of ourselves, who are prone to all the same sins and manias we once suffered even as they teach us magnificent new ways to improve our lives and secure our tightly shared future. We must neither fear nor dismiss them, but encourage their pursuit of happiness, and in doing so, we'll find their main goal is one very familiar to us - the attainment of a middle class existence."

It seems that the emerging middle class is the main factor that separates the developing countries' past and future. They always had some very rich people and many very poor people, but now, depending on how you measure it, India's middle class is 200 million people. What trends should we watch as the global middle class emerges? What milestones will mark key events along the progression?




Thomas Barnett: The one of greatest interest is when per capita income gets in the range of $5,000 per year. Somewhere between $5,000 and $10,000 is where you see previously authoritarian, single-party-dominated states move into the process of increasing pluralism, typically started when a reformist faction breaks off from, and begins to challenge, the dominant party. Obviously, India is already blessed in that regard, so China is the one to watch there. Until China reaches such a level of development, all talk about authoritarian capitalism being superior to democratic capitalism is historically premature. Authoritarian regimes do well with extensive growth (simply adding in more resources) but then tap out when it comes to shifting into innovation-based, intensive growth.

More generally, the rise of a global middle class raises the big question of the "direction" of rule: as in, is it from the Left (radical rule from below designed to prevent the rise of the bourgeoisie--akin to Bolshevism) or from the Right (authoritarian rule from above designed to protect the bourgeoisie from the radical Left--akin to fascism) or from the middle (American-style republicanism or representative rule)? When industrialization brought about a middle class in the West across the latter decades of the 19th century, Europe came up with two extreme answers and America, thanks to its Progressive Era, came up with a moderating one. But remember, our Progressive Era was preceded by an angry and unstable Populist Era (1870s and 1880s) which featured many of the same dynamics inside America that we now see inside the BRIC--both good and bad. So it will not be a dull journey for them.

The key for the United States is to remember that it is natural for these rising powers to develop strategic visions for how they should interact with the world as great powers, along with the capabilities and willingness to use those capabilities, meaning we should not be surprised--indeed we should welcome--their natural desires to rebrand their militaries as forces for "international stability" in a manner that protects and advances their economic interests.

Why should we welcome these developments? We are experiencing an age of frontier integration all over the world in terms of globalization's rapid advance. Integrating frontiers is manpower-intensive, as America has discovered in this persistent struggle against violent extremism. All of our traditional allies are demographically moribund and are shrinking their militaries. In general (and Russia is a big exception here), rising great powers tend to feature strong demographics and rising defense budgets. So if America wants to see--to the logical conclusion--its grand strategy of extending an international liberal trade order (now known as globalization), it will need to shift its alliance dependencies away from the West and toward the rising East and South.


Average annual income is an interesting indicator: China is at around $6,000/year, Turkey is about $12,000, and Indonesia $3,900. Cambodia (where the annual income is about $2,000/year) is set to get its first stock exchange before the end of this year.

Part 2 of the interview will be tomorrow. 

July 26, 2009 in Books, Security | Permalink | Comments (10)

Threats in the Age of Obama

The book "Threats in the Age of Obama" is now out and available online. It's all about 21st century security, and has a number of chapters on cyber security, including one I wrote.


Our intrepid editor Michael Tanji puts it this way:

This is not a diatribe about real or perceived shortcomings of any individual or school of thought, but simply an attempt to plant the seed of an idea that we as a nation have little to lose by actually changing the way that we look at the problems we face.


Thanks to @Tim O'Reilly for letting me use his Web 2.0 meme map. More details on the book are available here.

January 27, 2009 in Books, Security | Permalink | Comments (0)

Information Security Reading List

Like information security in the real world, most (all?) information security books are about tactics, but what we also need is to understand where we are and where we are going. To do that, it's important to read other fields and understand their ideas. Here is a brief reading list to explore some concepts that are useful, but relatively unexplored in information security.

1. Dhandho Investor by Mohnish Pabrai. I posted on how much I enjoyed this book in the past, and James McGovern did as well. The key thing here for us infosec types is to decouple risk and uncertainty and focus more on the former. I have often said that I have learned more about security from reading Buffett and Munger than from anything in the information security literature. Pabrai is a fellow traveler on the Buffett Munger trail.

2. World is Flat - ubiquitous, but the best quote on why this work matters comes from Chris Ceppi: he said to me that he thinks this book does a better job of explaining federated identity than any technical work. I agree.

3. Pentagon's New Map and Blueprint for Action by Thomas Barnett - these two books are absolutely critical to understanding 21st century security - how to think horizontally about security, deliver decentralized security services, and enable resiliency for the system as a whole. Barnett gives us a 21st century security builder model. The best work I have seen on the overlap of economic models and security models.

4. Brave New War by John Robb - as I mentioned in my review, Robb is the Black hat to Barnett's White hat. But when he does get prescriptive about dealing with the asymmetric threat problem that globalization has unleashed on us, the action items are all around survivability and resilience.

5. Starfish and the Spider by Ori Brafman and Rod Beckstrom - again a focus on decentralization, mapping services and skills; identifying and enabling catalysts, through trusted networks. Spiders die, starfish regenerate - think about that next time you are designing access control. Interestingly enough, Rod Beckstrom is now the cyber security czar, and I am very hopeful to see some good things come out of this appointment. It's very interesting to think about OWASP as a starfish organization. Totally decentralized, I believe one employee, a major global impact - the single best source for software security (not just web app security) - OWASP is a living testament to the positive power and impact that starfish organizations can have.

One thing these all have in common is decoupling and decentralization. In the field, people often automatically associate security with centralization, but this is often the wrong approach. Many times, the most cost-effective, proportional approach is to take a decentralized path; these books give some ideas on how to do that.

Update: Chapter 5 of The New School of Information Security by Adam Shostack and Andrew Stewart is about this same issue of learning from other fields. I will have a review of this book soon, they go into quite a lot of detail about what Information Security can glean from economics, psychology and other disciplines, and I particularly like their last sentence in that chapter:

Lessons from other sciences allow us to observe the world, ask why, and receive an answer.

May 16, 2008 in Books, Security | Permalink | Comments (0)
