The in(dividual)

Yesterday I went to a reading group within cyber security, and we talked about an interesting paper that was in Science January this year, called “Unique in the shopping mall: on the reidentifiability of credit card metadata” (paid subscription required). Though we talked about several of the issues with the paper and the reason for its appearance in Science for a start, this got me thinking about the wider concept of the ‘dividual’ that Deleuze details in a short article that was published (see paper here) in the publication October in 1992.

Through a fairly dense, but easy to read paper, Deleuze summarises that we have moved from Foucault’s disciplinary societies to control societies. For those with a background in this, please skip to the next paragraph. So, to potentially to give the work of Foucault great injustice in what I am about to say; Foucault identifies a transformation of society in the transition from the medieval to industrial period. These periods are obviously not solely independent and the mechanisms do not always belong to one and can be applied alongside one another. Hence the growth of institutions such as the school, the hospital, the barracks, the prison and so on all were a transition where bodies en masse were controlled and disciplined to work for the powerful.

To speed on from the simple explanation above, Deleuze (and Foucault himself in governmentality and biopolitics) identify a new movement in the development of their thought. This is one where individualism and the body not solely as an empty ‘space’ becomes a ‘place’ where thoughts and movements should be all-flowing and monitored. Modulation is the word Deleuze uses to express this new formation where we do not simply move between institutions as before but are constantly having to learn, self-police, healthcare services in the home and the burgeoning market in healthcare products. This means that the emphasis is on the individual to succeed (with its associated serpent, neoliberal capitalism).

So, why the societies of control or control societies? Unlike in the past where individuals were constructed in order to be disciplined, neoliberalism requires free movement but states (and other stakeholders seeking to control – think corporations, gated communities) still require extensive monitoring to ensure they maintain their power. This monitoring is aided through the use of technologies that track our movements through passes to enter buildings, touchless payment cards and mobile phone signals. Deleuze coins the word ‘dividual’ to capture the data that are produced by in(dividuals) where segments of the data are used to control; such as the ability to access buildings, access to credit according to financial transaction history, et cetera. The concept of the dividual makes more sense if we have discrete datasets. Yet, we live in the world of supposedly ‘big’ data where there is an increasing ability to cross-reference dividualised data to (re)construct an ‘in(dividual)’.

Returning to the paper that constructed my thoughts above, the authors claimed that they could easily reconstruct roughly 90% of unique credit card identifiers through four informational nodes. These could include the location of the shop, time of purchase, approximate cost and distance from next purchase for example. Though there are other issues of privacy and the unicity (the ability to reidentify unique individuals) of data, there is a philosophical question to grapple with that uses both the societies of control and disciplinary societies. I consider the ‘body’ (in its extension to producing non-human datas, movements across space and like) to be critical to arguing our current epoch is not one of pure dividuals – and displaying the geographies this produces.

I much prefer to use the ‘in(dividual)’ to present the current manifestation of our society. The formation of the internet and ever-increasing sharing of information has enabled disparate information to come together and provide ‘value’ to capitalism. This is epitomised in the valuation of social networks such as Facebook and Twitter, and the giant Google. This value requires these companies to in(dividual)ise. Let me explain what I mean here. So for ‘big’-data analytics to operate effectively it needs to dividualise my body(ie)’s movements through its limited collection points; through my credit card, my phone signal, my Facebook account, the cookies I leave lying around and so on. This enables a population-becoming whereby services can be focused on particular ‘groups'(?) and reflects the growing use of statistics in the development of biopolitics (see Louise Amoore’s article ‘Security and the claim to privacy‘ on ‘data derivatives’). Yet there is a requirement for personalised advertising where I must become in(dividual). I must form a group. I am gay. Therefore I get many ‘gay-themed’ adverts across the internet (some to my utter amusement!). This feedback loop, where I am classed as forming as ‘at risk’ group for example, if I was to apply for credit with a ‘poor’ rating, then the in(dividual) would come to play. My in(dividual) body’s movement influences ‘it’, and ‘it’ influences ‘me’.

Therefore how can one work against this? What playful acts can I working as an in(dividual) do? I could spend rather large amounts at different places (although probably not), use different cards, use other people’s cards? Or I could change my Facebook ‘likes’ or make completely false trails everywhere. This is where the power lays. This is where the kink in current society lies. Although I am partially determined by my allocation, what happens if I do not conform to any group – I do not only do it for myself, the data that feeds the group is also skewed. This is true play. To circumvate the rules, to not conform to one identity, but express the multiple identities the body inherently exudes. This in(dividual)ising both can have detrimental effects on how I operate as an in(dividual) as long as I play by the rules. The best play is one which bends them.

Why is the body critical to this? Critically the body is one which has truely emancipatory affect (though we must realise we live in a period where ‘able’ bodies tend to ‘succeed’ in comparison to less-able bodies). There are only a limited amount of collection points (though these are ever-increasing in size with sensors in the Internet of Things (IoT)) that mean that their comprehension of the world is always limited and non-pervasive. Therefore feeding certain nodes bits of information that our bodies produce incorrectly (such as hacking a wearable technology to send ‘healthy’ signals to an insurance company) enable small acts of powerful play that not only distort the in(dividual) but the dividualised groupings. We can use the ingenuity of the body (and here I refuse to use the mind-body dualism – useful to point out here) to claim the in(dividual) for ourselves, in whatever form ourself may take.

#FutureFest #DiploHack

Over the past couple of weeks I have been fairly busy completing the end of my taught courses at the Cyber Security CDT and moving onto more substantive research (look for updates here as I post about it!). So a couple of events that have happened…

#FutureFest

This was organised by Nesta (an innovation charity) on 14th/15th March. Luckily I received a free guest ticket from Professor Ian Brown – so thanks for that! This was an exceptional event – where I asked a couple of questions on the future of UK party politics – and had a direct chat with Natalie Bennett (Leader of the England & Wales Green Party). I also had some great 3D printed chocolate and some ‘future’ alcohol shots that varied from delicious to repulsive. It was a great day and would encourage anyone to attend a similar thing!

I even got a clip on blockchain referring to Bitcoin (I’m not sure I completely agree with what I agree with what I said but hey ho)

There were also loads of other great stuff – including seeing my face on a robot…

#DiploHack

So, this was an international competition to generate policy solutions against a cyberattack against a poor state in South-East Asia. It involved 3 U.S. universities (Georgetown, George Washington and Maryland) and 3 European (Oxford (the UK), Leiden Delft (the Netherlands) and Chair Castex (France)). It was organised by CSIS – more information here.

I was a member of the Oxford team that represented between us 6 countries and 4 continents (there were only 8 of us!). It was an absolutely great day that included a fire alarm 5 mins in….

That led to the ‘Zambonian Opportunity’ in the final presentation after a long two-days to deliver the product. I was so happy with everyone on the team. An absolutely amazing job! Here’s me via VTC in Washington DC (just).

Anyway that’s been my past couple of weeks – quite a lot of fun!

Uncertainty: A Critique

Luciano Floridi has recently written on uncertainty in a short editorial on conditions of ‘uncertainty’ within information theory in Philosophy & Technology (the article is currently available free here) with which I have a problem with.

Although I agree with the principles outlined in his piece, I believe there is an assumption explicit within its execution. This is the belief that somehow ‘information’ and its knowledge is able to predict the future. As I mentioned in my previous post, Louise Amoore’s work on probability (and indeed uncertainty) argues that the future is impossible to correctly predict. Thus, information due to its abstracted quality, the impossibility of recording everything and their associated variables ensure that we are always in a ‘block’ or “add some friction to the flow of information”. I am not here to critique the great explanation of uncertainty that Floridi provides, but to make a more nuanced point.

This point refers to the fact that Floridi alludes (whether intentionally or not) to a world where human agency alone provides uncertainty because we cannot somehow ask the right questions and gain their answers. In our world(s) it is not possible to ask all the right questions due to the interplay of the non-human with the human. This ensures that ‘questions’ are out of the bounds of ‘our’ language and we will never be able to generate these questions in their human form. Look to the work of Derrida on the deconstruction of language or différance as examples of how language cannot specify the true meaning of the world. Therefore I believe that information (as an abstracted form of the world which is given intrinsic human value) always provides blockages. Look at the below quote;

“In philosophy, it is time we learn the value of a low and stable degree of uncertainty. It is unhealthy to eradicate it completely, for a small dose of unanswered questions in the social system leads to increased degrees of liberalism, toleration and fairness, as well as more efficient flows of information. It seems that the value of information also lies in what it can teach us about its own equilibria.” (p.3)

This creates an impression that there is an ability to ‘eradicate’ uncertainty and claims we somehow the power to deny this. Plus, I question what Floridi means by “its own equilibria”. Can information ever have an equilibrium? If information is abstracted then it has human value in its process of becoming known. Hence this statement appears to give a somewhat ‘natural’ quality to information based on older western philosophical norms. There is fundamentally nothing ‘natural’ about information – it is a socially-constructed phenomenon. It is therefore interesting that this term is used. Uncertainty, then, is a condition of human existence – we can never comprehend the world in its entirety – yet Floridi’s call for it to be further recognised can be applauded even if its execution is somewhat questionable.

Blackhat, Cybersecurity and 9/11: Connecting the Dots

This weekend I ended up on an impromptu trip to Birmingham and decided to go to see the film Blackhat (Click here to see the official website). Admittedly, it was something rather of an atypical Hollywood blockbuster film – yet it had great insights into the changing perspectives of cybersecurity and its connections to wider security discourses. Most strikingly it had a classic lead in Chris Hemsworth as a convicted hacker who was released to help in a cross-border investigation into a severe hack against a Chinese nuclear power plant and a later one on financial corn exchanges. This pitted cooperation between the US and China on a single hacker – which I thought was a rather bold move. There is a scene in which the FBI discusses the difficult relationship on cybersecurity and the mistrust this exposes, which is returned to at several points during the film. I wish not to spoil the film any further so I will leave those of you who may wish to watch it can do so without me ruining it for you.

The film’s understanding of cybersecurity and general security discourses was particularly encouraging to see. There were definite attempts to engage with current perspectives on cybersecurity beyond a purely technical problem to one of tracing fragments of data and political decision-making. I would claim this demarcates a coming-of-age for cybersecurity in film that is welcome. It clearly had clear parallels with the Stuxnet malware that is thought to have targeted Iranian nuclear power plants in order to commit sabotage, which was comprehensively detailed in 2010. Although the execution of the attacks were somewhat unrealistic, I appreciate that creative license is required to entertain, so was a rather good attempt. The wider questions around attribution were a core theme of the film, in order to find the hacker which included tracing the clues that were left ‘behind’ through not only files, but also money transfers – demonstrating the complex interactions in ‘cyber-crime/terrorism’. This complexity of ‘older’ crimes such as fraud and its combination with cyber attacks demonstrate the physicality of ‘cyber’ and that these crimes may be committed solely through the means of data communications but have material impacts.

The use of 9/11 and wider terrorism discourses in ‘connecting the dots’ which the Department of Justice says was one of the core of elements of the US Patriot Act 2001, is of crucial importance to how cybersecurity is conceived in the public imagination. As Louise Amoore from Durham University states in her latest book, there is a crucial imaginary built upon code and how modelling into the future can ‘pre-empt’ events before they take place. Although this work primarily focuses on the movement of bodies and things, one can argue that cybersecurity discourses are far more (dis)connected. By this, I mean there are difficulties in humans perceiving the tangible effects of much action in cyberspace and yet we are constantly told that we are being increasingly interconnected. This binary is contradicted in Blackhat where the lead female US FBI agent as a ‘human’ body of affects and emotions combines her husband’s death in the 9/11 attacks to preventing further attacks by the hacker. The hacks of the exchange, not only purely lead to monetary values being manipulated, but expose the highly-connected nature where variables in one place can change an entire market and the lives that depend on this. The interesting connotation that the connection of dots, or fragments of the hacker (as a dividualised expression of pseudonym), will prevent further attacks is therefore an interesting imaginary that is formed. I believe this grows out of what was dreamt in the Patriot Act and subsequent actions by the US Government to be able to foresee through data the low probability, high risk event. Therefore the (dis)connection of cybersecurity is intermingling with former security discourses, determining that precision calculation can prevent attacks but admitting that there are tangible effects of a hack. Hence a prevention of attacks in ‘cyberspace’ mean we are directly affected as Blackhat shows, eroding dualisms of physical/cyber. This is something new in this film that I have not seen and lets the inherent complexities of cybersecurity to emerge; folding cyber, physical spaces, humans, politics, materials, code and so on into it.

So, how does the infusion of security discourse of 9/11 and cybersecurity fit together? Here are three examples:

  • First, there is a simple problem of attribution (look to Thomas Rid for some of his work on this at King’s College London). This ‘problem’ correlates concerns of terrorism entering through the US border – with increases in airport security and the use of Passenger Name Records (PNRs) as examples of the increased use of data in order for dots to be connected. Therefore, among all the possible options to identify who is suspicious at the ‘border’ compares well here to detecting the malicious hacker.
  • Second, the international nature of hacking and their sometimes confused objectives. The Blackhat hacker’s motives are constantly questioned within the film and with the networked nature of movements across state spaces, places it in ‘conventional’ terrorist networks within this post-9/11 imaginary. If we think back to Al-Qaeda and other Islamist extremists, then this confused nature of an unknown assailant is clear.
  • Third, the insider. Since the Summer 2005 London bombings, and the recent concern with those returning from Syria who have gone to assist the Islamic State (IS) in Europe, the insider is a dominant schizophrenic problem in security discourses post-9/11. Edward Snowden is the example du jour for cybersecurity – who to trust. Blackhat‘s main character is one whose trust is questioned by the FBI and details how there is now greater scrutiny of those ‘within’ security discourses. The distinctions of ‘inside/outside’ for states have now become problematic and now a core theme in broader security discourses.

To end this post – I believe the critical point to take away is the enveloping of cybersecurity into wider security discourses as it enters the popular imagination. Therefore we can no longer see cybersecurity as solely a technical ‘problem’ but one interconnected in wider security discourses and is being used so, such as with the recent Sony hack where its interests became one of US national security. It is about connecting the dots.

Cybersec Medical Landscapes: Ontological Challenges

I recently read a fascinating article by Rachel Colls and Bethan Evans in Progress in Human Geography called ‘Making space for fat bodies?: A critical account of ‘the obesogenic environment’’that is available if you click on its title (paid subscription required). This piece argues with much previous work in areas such as ‘Fat Geographies’ that there needs to be a much wider appreciation of the environments where obesity is created not just by humans, but by non-humans and social practices. Although this may appear far from my doctoral studies in Cyber Security, I believe there is some connection with implantable electronic medical devices and their security. I believe my affinity to this work further extends from being privileged to have been taught on a very small scale by Rachel on feminisms. I appreciate some will disagree with ‘transplanting’ such different issues across in this way however this is not the attempt at some form of porting. I am interested in how the body is conceptualised, especially in medical discourses. It is already well-discussed among those in geography and other social sciences (and indeed some in ‘science’) that the body is already more than itself. In that life and bodily action cannot be simply summarised as a sum of its parts. This follows much thought and development in philosophy since the 1960s and which became far more critical during the 1990s, with the emergent Actor Network Theorists such as Bruno Latour. Thus far I have yet to find a real critical engagement with how ‘cyberspace’ (I believe this term needs far more interrogation but will be something I use as an interim) and security as a form of environment in ‘cyber-physical’ systems intertwines. There is much work in cyber security studies on this area from a business-critical approach yet I believe this works extremely well with some forms of ‘cyber’ insurance as a protection of society and individual from risk, if we can think of the world consisting of something ‘virtual’ and ‘real’. So, returning to the article at hand, there has been a move and appreciation that ‘obese’ bodies are not only emergent to some form of ‘individual’ becoming-fat. Yet this sits and plays with the environment where leisure spaces, fresh food, urban space, cooking habits and so on all contribute to obesogenic landscapes. If one is to turn to medical devices such as those of pacemakers, insulin pumps (and I believe in the future those that monitor and rectify our health before a ‘problem’ even occurs) then I believe a security environment that involves bodies and perceptions, social inequalities, ‘healthy’ bodies including many more will be (and is emergently) prevalent. Therefore what will be the risks and inequalities that arise in the ‘securitisation’ of the implantable device that is part of the becoming-human? It is simply not reasonable to even have a dominant narrative of anthropocentricism, as the technical/mechanical becomes the body as its environment between human/para-human/non-human become mixed in ways not experienced before. As these devices are infused with increased machine-learning techniques, what does security in ‘cyber’ become if it ‘learns’ to die? Obviously designers of machine-learning will attempt to make sure that this is hard-coded out. Yet, as we know, ‘things’ have a tendency to exert agency beyond that of human will and is a fairly common problem in cyber security: for example the multiple uses of a piece of code that would always pass functional testing (we do have some counter-weight in penetration-(or pen)testing). Therefore can we talk of cybersec medical landscapes or environments, where security will come to an understanding from this distributed, tangled world in which we live? The challenges present in the cybersec medical landscape will lead to a fundamental and ontological questioning of ourselves, humans, among a much greater network than ever before. This leads me to further question during my studies the need to develop a fully non-anthropological philosophy. This is something that I have been thinking of over the past couple of months and is starting to take more and more of my spare moments, especially when I drift off when I go walking anywhere. I think the key that links across all ‘objects’, ‘things’, ‘atmospheres’ or whichever term you may wish to use, is the term ‘agency’. If I take the ontological distinction here that everything that exists expresses some form of agency, and because humans are so exceptional in the breadth of their agency, it enables something that expresses everything in its uniqueness of coming together. I believe that we can see how through a combination of different forms of agency, new forms of agency and life emerge. Therefore intelligence can also be expressed in a similar function that the potentiality of the body through its combined agencies through forms of evolutions, learnings, societal performances and so on help define this. As I look to have diverged somewhat from the article that I feel expresses some of these themes, I will return to it to attempt to conclude a lot of thinking here which is expressed in such a short blog post. I believe the challenge that has been applied by Colls and Evans need to be applied in cyber security far more coherently and strongly. These include the acceptance of a larger environment and about researching in new novel ways and philosophies. They do currently exist but there is a lack of critical thought present, especially on my area of interest on implantable medical devices. In cyber security studies, we are very good at appreciating and adapting the technical applications of devices. Yet as society becomes aware it is technical and that this is becoming more so, we have to also tackle all of society and humans as well. This may potentially lead to the extinction of ‘cyber’ itself, yet who knows what the future may hold?

A view to the future: US Cyber Strategy

It has been a while since I last posted on my old blog which has now been closed. So here is the start of the new blogs here. Apologies for the delay in getting to this point – I have been active on my mini-projects and during the Easter break I took some well-earned rest over in Madrid. However over the past couple of weeks we have got a somewhat more detailed view of cyber security from the United States and when there would be a case under their doctrine for a response. This is just a brief look at the speech by the Secretary of Defense, Ashton Carter, on the new Department of Defense’s Cyber Strategy, that capture some of the thinking behind their thinking. Though there is some hyperbole behind the media response to this new strategy (Daily Mail (UK)) regarding ‘cyber war’, there are some good articles such as those by the Washington Post. This article shows how much more pragmatic the US is becoming (moving away from Leon Panetta’s ‘cyber Pearl Harbor‘ remarks). I think this is a particularly wise move – as drumming up some form of comparison with Pearl Harbor does no good to anyone.

In the speech by Carter, there is an interesting connection between academia, government, and the Pentagon in WWII and the Cold War. This is detailed below:

“Looking out over the last 75 years, we’ve had a long history of partnership. Sometimes the bonds between the academy, industry, and defense were particularly close…like during World War II, when the Manhattan Project and the MIT Radiation Laboratory and others brought together the brightest minds, and the best of industry cranked out the ships, planes, and tanks – at what are now astonishing to us numbers. And another was during the Cold War, when a cross­section of military, academic, and private­ sector experts paved the way to a future of precision­guided munitions, battle networks, and stealth. At times, we also eyed each other warily – like when Bobby Inman faced off against Martin Hellman and Whit Diffie over public­key encryption and commercialization; or during the controversy over the Clipper ship – chip – Clipper chip, excuse me, in the 1990s; and, more recently, after the actions of Edward Snowden.”
What is interesting in the above quote is the doctrine of the past 15 or so years since 9/11 and the ‘War on Terror’ is mysteriously missing. There have been significant collaborations between industry and government in particular in this period. So it would seem odd for this to be somehow not mentioned? It is well known large segments of academia have been very unhappy with some of the policies of the ‘War on Terror’ and the George Bush State of Union Address 2002 describing the ‘axis of evil’. Therefore there is a deliberate construction, I believe, of a third new major collaboration and challenge for the USA in ‘cyber’ security. This is a repositioning of foreign and domestic policy to one based on broad-based consensus rather than the more divisive politics of Bush.
Carter announces three core elements of the new problem facing the USA in ‘cyber’:

“This is one of the world’s most complex challenges today, which is why the Department of Defense has three missions in the cyber domain. The first is defending our own networks and weapons, because they’re critical to what we do every day…and they’re no good if they’ve been hacked. Second, we help defend the nation against cyberattacks from abroad– especially if they would cause loss of life, property destruction, or significant foreign policy and economic consequences. And our third mission is to provide offensive cyber options that, if directed by the President, can augment our other military systems.”

The first two have been commonplace and widely accepted in US approaches to cyber security. It is the third, to provide offensive cyber options, which is the clearest statement yet that the US is willing to participate in forms of cyber attack (or war, though I still don’t fully see this as a possibility in the current theorisations we have). For those who surround themselves in cyber security – this is not something we did not know before. For example look at the Stuxnet case on the Nantanz enrichment facility in Iran and have a look on Google on the cyber security courses that are accredited by the NSA in US universities that are clearly focused towards the ability to train young people for offensive operations.

By publicly disclosing this policy there is both a foreign and domestic aim. Abroad it is a confirmation of what every state already knew about US cyber operations – and therefore be able to use it as a proxy for potential intervention. Domestically, it is to garner support for the intelligence agencies after Snowden and establish a broad-based consensus around cyber operations from a ‘third’ threat. This requires a redrawing and collecting forgetting of the ‘war on terror’ as somehow not one of the major threats to the US (regardless whether one agrees with this or not).