“People used to talk about the American Dream. Now they talk about the Azure uptime guarantee.” – Daniel Vincent Kramer

This blog post previously appeared in The National as part of Common Weal’s In Common newsletter.
If you’d like to support my work for Common Weal or support me and this blog directly, see my donation policy page here.

(Image Source: Unsplash)

[Note: This article was published a few days before the AWS outage that caused havoc throughout multiple digital services – including banks and security devices – on Monday 20th October. This incident was accidental, but serves to highlight the potential impact of a deliberate shutdown of such services.]

If you asked the previous US Government what “security” meant, they might have said “defence”.

If you ask the current Trump US Government what it means, they’ll tell you that “defence” is a “woke” word and that we should be talking about “war” instead.

If you ask the only marginally less belligerent UK Government that question, they’ll still answer by pointing at the same tools – that “security” means nukes, jets and the diversion of the equivalent of half of the NHS’s budget into building even more nukes, jets and other weapons of war.

Meanwhile, this year, multiple important companies not just in the UK but globally and ranging from manufacturers to retail stores have been knocked almost completely out of production by cyberattacks.

There’s no suggestion that the various attacks are related or are the result of a single, hostile state actor but there’s little reason to imagine that they couldn’t be and largely irrelevant whether they are or not.

Our economy has become vastly more complex and interlinked than it was in the past and has simultaneously become more fragile in the face of unexpected shutdowns.

So in a rare moment of aligning with an organ of the British intelligence sector, I share the concerns of the National Cyber-Security Centre when they say that British businesses have to start doing more to secure their IT systems and to create plans for how to keep running if something happens – potentially with plans to run systems without networked computers or with pen-and-paper backups if required.

This should be standard practice in all businesses and not just those vulnerable to cybersecurity incidents. My colleague Robin was recently caught in one of Scotland’s worst power blackouts in several years when – it seems – workers cut a critical power and telecoms cable resulting in several villages being cut off from the modern world for several days.

This included substantial risk factors like the possibility of someone falling ill and being unable to call for emergency services or even to alert the local health clinic.

I’m also reminded of a story someone told me during the early phases of the pandemic. They worked in a public leisure centre and when things started to kick off they realised that their centre would likely become a hub for emergency measures so asked their manager where the disaster planning folder was. The reply they got was “What folder? We don’t have one.”

That centre ended up being used for vaccine deployment but they were also made aware that there were plans to use them as an emergency school (to help spread pupils out), as an emergency health centre (to reduce pressures on the NHS) and, if things got really bad, as an emergency morgue.

What my contact tried to explain to officials was that they could well do any of those but trying to do all of them – as seemed to be the plan at the time – would mean working out how to keep not-yet-vaccinated people away from people sick with Covid at the same time as not forcing school kids to walk past lines of body bags on their way to class.

All while a barebones staff of mostly furloughed, mostly low wage, and increasingly traumatised staff were trying their best just to get by.

The whole thing was a mess of lack of planning for what should have been a foreseeable disaster. In 2019 we knew that a future pandemic was inevitable at some point but the lessons from previous pandemics and pandemic wargame exercises had not and still have not been fully implemented. We warned about this in our 2020 policy paper Warning Lights.

Since then, the foreseeable disasters like pandemics, climate change or malicious hackers have been joined by another one – a hostile government that actively controls our tech sector. We’ve seen some hints of this in the form of the UK’s response to Chinese technology in things like our digital networks (I know of Scottish Local Authorities who are actively replacing such systems at the moment) but the USA is becoming just as large a threat.

It is no longer an unthinkable hypothesis that an unstable President like Donald Trump could have a bad morning and order US companies to spy on British networks or to just lock companies or governments out of Apple, Google and Microsoft and nor is the prospect of an unaccountable billionaire like Elon Musk amplifying hate across social networks, advocating for the violent overthrow of our democratic institutions and threatening to simply shut down access to his own networking devices if he doesn’t get his way.

We need to follow the EU’s example of drastically reducing our dependence on America for tech like the software we use to operate our Government.

The Scottish Government has to start thinking seriously about what real security means in the 21st century. For me, it means resilience as much as anything else. It means ensuring that Scotland can cover our fundamental economy without relying on a partner who may now be unreliable.

Scotland grows enough food to feed everyone here (We grow enough barley alone to meet the calorie needs of 9 million people – it’s just that most of it becomes whisky and most of the rest goes into animal fodder).

We produce enough energy to cover domestic needs sustainably (though we’re not nearly self-sufficient enough in manufacturing the means to harness that energy and far too much of our production is owned by foreign companies).

There are few countries in the world in a better and more stable geopolitical position (other than the targets strapped to our backs in the form of British nukes hosted here).

The rest becomes an issue of ensuring that things remain secure and that we are resilient when breaches do occur so that things don’t grind to an absolute halt.

If I was designing a Scottish defence sector, one of the major departments would be a team of penetration testers whose job it would be to hack Scottish companies then fix the holes they find.

What is important is that once those basics are covered, we see that the actual threats to us are much diminished compared to what the shrill warmongers of the headlines want us to believe and that those that remain certainly can’t be solved by diverting money from health and welfare budgets to build jets to carry US nukes that we now see would be more part of the problem than part of the solution.

Perhaps instead of bolstering Departments for War, we can start to think about what a world that works for peace could look like. It starts by working out how we’d cope if things go wrong and then working out how to make sure they don’t.