By Richard Thieme

Nothing is more difficult to take in hand,
more perilous to conduct,
or more uncertain in its success,
than to take the lead in the introduction of a new order of things.

-Niccolo Machiavelli, The Prince



A discussion of critical infrastructure protection in the larger context of public/private partnerships would seem to be a simple matter. Yet it is complicated by the realities of today’s world and an intricate array of other issues, including the question of what is "public" and what is "private." This is a false dichotomy precipitating more complex questions about the end of security and intelligence work, namely, who or what is being protected, and from who or what?

So here’s the bad news: unless security professionals are willing to think deeply about their work, they can’t do their jobs.

In a stable world, one in which the boundaries that define us persist over a lifetime, we unthinkingly and uncritically share assumptions. Our common vocabulary reflects that. Everyone says what they mean and means what they say. Alas, we do not inhabit a stable world. The boundaries that define everything from an “individual self” to nation states have morphed dramatically.

One example: I imagine that everyone knows what I mean by “morph.” A dozen years ago when I asked audiences what “morph” meant, perhaps a fifth would raise their hands. These days, we all know because, everything is morphing and the vocabulary of the digital technologies that have energized the transformational processes that are reshaping our world has become now part of everyday language.

Older security pros might notice that they have trouble talking to younger ones who were socialized by digital technologies and can’t remember a world lacking the Internet, video games, instant messaging, and cell phones. But it’s not just vocabulary; it’s how we think about reality.

Physicists say that scientific revolutions are occurring one funeral at a time. Security professionals aren’t dying fast enough for that to happen. That’s why we must become philosophers, reflective thinkers willing to dig deep into the assumptions behind our words. We have to be willing to see what different things we mean by “infrastructure,” “public/private” and even “security” in the first place.

Our definitions of everyday reality have been altered by a contextual shift. It did not happen on 9/11 although that is the public marker we use to denote a great sea change in American life. Long before 9/11 I was speaking about the reshaping of social, political and economic realities in the image of distributed networks that would turn just-in-time inventory control into a steady supply of suicide bombers; I wrote about the emergence of anomalous trans-global structures that would change our assumptions about security compared to when nation states defined the battle space.

The mind of society is the battle space of the early 21st century. That’s why security professionals have to be philosophers regardless of who signs their paychecks.

The difficulty we have defining “enemy combatants” is a symptom of the sea-change. The members of trans-global political structures who use terror and perception-alteration as primary weapons are not citizens of “nation-states.” The boundaries that defined those states are porous, semi-permeable at best, or even non-existent as seen from the viewpoint of the emergent global structures that transcend prior organizational structures via nation state boundaries.

A NSA veteran told me, “People seldom ask the right questions when they come to security. The first question ought to be, how do we live in a world without walls?”

How do we define our various identities and therefore the entities we believe we must protect when the boundaries that defined both individuals and nations have gone liquid? When “private/public” and “foreign/domestic” are distinctions that no longer hold? How can we talk about policies and the behaviors that hold us accountable to those policies without first defining exactly what we mean?

Like the Moliere character who did not know he was speaking prose, security practitioners probably do not realize just how much responsibility they have for defining the field of action in the 21st century. They do it through scientific and technological R&D and the implementation of evolving technologies that in turn determine how people act. Security professionals are implicit thought leaders: the structures they create fuse with the people who use them and soon those people forget that there is any other way to work or think about things.

With that comes responsibility for the changes in society that they cause. A CIA veteran told me recently, “Failures to recognize potential (or obvious) issues - including ethical issues- during development cause big issues later. Once a tool is built and deemed usable - whether for operations or intelligence analysis - users take it and run. If developers fail to see a problem, users will quickly become entwined in it.”

Anticipating future problems implicit in the application of new technologies requires a commitment by leaders and managers at critical moments in the development life cycle. They must discuss and explore the consequences for society before, not after, the technology has been implemented. But social, psychological, and political implications are often not debated at all. Technologies are thought of as “just” technologies, sidestepping the responsibility for unintended consequences in the real world.

It is difficult enough to anticipate the future when we try, but it is impossible if we don’t make the attempt.

Computer scientist Langdon Winner said: “To invent a new technology requires that society also invents the kinds of people who will use it; older practices, relationships, and ways of defining people’s identities fall by the wayside and new practices, relationships, and identities take root. …As new patterns solidify, both useful artifacts and the texture of human relations that surround them are often much different from what existed previously.”

The distinction between private and public has gone liquid. Through the nineties, the end of the Cold War and the evolution of American hegemony changed the focus of security. Economic espionage and competitive intelligence became more important, blurring distinctions between “enemies” and “allies.” In the trenches we work with who and whatever works. One symptom of this shift was the rapid growth of the Society for Competitive Intelligence Professionals and the migration early on of professionals like Jan Herring from CIA to Motorola. Nation-state and corporate intelligence blurred; trans-global enterprises like GE or Microsoft challenged the loyalties of persons who “belonged” to GE or Microsoft while at the same time they were citizens of a nation with goals that were sometimes at odds with those of the corporation. Knowing cart from horse became increasingly difficult.

Inevitably the mission of intelligence and security altered. The intelligence community is sanctioned by law to do on foreign soil what is prohibited in the United States. But simple distinctions between “foreign” and “domestic” no longer hold in any meaningful sense. The convergence of enabling technologies of intrusion, interception, and panoptic reach, combined with a sense of urgency about the counter-terror imperative and a mandate from our leaders to do everything possible to defeat an amorphous non-state entity defined by terroristic behaviors rather than boundaries, borders, or even a clear ideological allegiance, has created conditions that frequently undermine traditional notions of law, ethics, and sanctioned behaviors. Distinctions that made sense in the past no longer do. After 9/11 the intelligence community was severely criticized for an inability to share information because of “silos,” i.e. rigid hierarchical structures that prevented a horizontal flow of information. “Breaking down silos” and blurring distinctions between police and intelligence work are often difficult to distinguish post-Patriot Act. Because the context that gave prior distinctions meaning has shifted, what was once “common sense” now seems crazy and vice versa.

Wisdom and insanity are contextual.

Security professionals have multiple loyalties. They carry a burden to produce on behalf of corporations, localities, and nations but increasingly feel uncomfortable, because they are unsure of who or what they’re defending. The changing focus in information security from network perimeters (which symbolize the boundaries of economic or political entities) to applications to granular data (which symbolizes individuals and their rights) illustrates the difficulty in defining an infrastructure because there is a prior difficulty in defining structures in and of themselves.

Operating in that zone of ambiguity can lead to confusion about mission, expectations and execution. That is why, during times of rapid change, leaders can not over-communicate. It’s only human nature that uncertainty and anxiety often interfere with hearing clearly. Clarifying assumptions is not a “touch-feely” exercise of the kind that many disdain. It’s a necessity that prevents shaming and blaming the morning after the unintended consequences of ambiguity and complexity have manifested themselves.

Private/public partnerships that wrestle with these perplexities rather than sweeping them under the carpet have a better opportunity of succeeding.

No wonder philosophy, security, and theories of management are often indistinguishable from one another. Identity is function of boundaries. What we call “an individual” was defined by an arbitrary boundary that we take for granted, but which emerged only a few hundred years ago from a cultural shift during the Renaissance. An “individual” is a social construction of reality, not a physical reality. Before modern times, there were individuals with rights, but they were defined very differently from a post-Renaissance, now common-sense, understanding of rights, and the sense of a proprietary self that we take for granted has changed dramatically. As societies grew larger and more complex, boundaries that defined them grew larger too. The organizational level of complexity of any structure is a function of the flow and speed of flow of information in that structure - both within and in-and-out. “Nation states” emerged in the past few centuries as organizational structures appropriate to the levels of political, social and economic complexity made possible by and a function of the speed of the flow of information. An awareness of belonging to a nation was one consequence of larger boundaries, the boundaries themselves a consequence of the hierarchical restructuring of society enabled by communication and information technologies.

Security, perimeter defense, police action, and intelligence gathering are all related to individual and national identities and who we think we are. Who we think we are defines what is permissible.

Security may now seem to be obviously a function of boundaries—but around what? Boundaries define the “other” that threatens “us.” “Us” is a felt experience of clan, tribal, and societal kinship, a genetic inheritance from Neolithic times. Prior to the emergence of writing several thousand years ago, the “enemy” was the “other” who was not a member of our tribe. But after the emergence of writing, the enemy morphed. In the major religions of the world, the enemy became that which in ourselves must be fought, resisted, or transcended.

This distinction is critical because the practice of security at all levels is carried out in the tension created by those conflicting definitions. Is the enemy within? Or outside? Frequent discussion of the “insider threat” is a symptom of this problem because an “insider” is determined by where one draws the line and computer security testifies to how much that can change in a short time.

Yet we continue to speak of individuals as primary actors and nation states as primary determinants of collective identity, speaking of security as if “we” who live inside one boundary are intercepting or penetrating others “inside” another boundary. But current technologies make the notion of “interception” obsolete. Technologies primarily developed in America constitute the physical framework and software/informational context of a global society. Boundaries between elements of the network -between the networks that make up the network- are arbitrary. We live in a world without walls, and every attribute of a process or structure that broadcasts information about itself by any means can be detected. Information is often not intercepted but is engineered to come to us from the source. “Here” and “there” also are false distinctions.

One example of our dilemma is suggested by the existence of “hackers,” an emergent reality of the past couple of decades. Intelligence professionals were sanctioned to break foreign laws by nations, but suddenly these miscreants, i.e. criminal hackers, had permission to do the same by virtue of the technologies themselves. The threat to social order was defined not by one’s behavior, but by perceived allegiance.

Security professionals have positions of leadership in this brave new world because they participate in creating the structures in which we live. The larger task is a calling not merely to defend and protect a perimeter but to stabilize a world and manage rapid flows of energy and information to ensure a modicum of social control.

But on whose behalf are we acting? Who do we serve? To what end? What are we defending and protecting?



How do we live in a world without walls?



No one said it would be easy, did they?



Writer and speaker Richard Thieme once was called an “information technology philosopher.” He thrives on pushing others to think outside their comfort zones and look at their worlds from a different perspective, which is what he agreed to do for the first issue of “The Gardian.”