This time it’s war

Keynote address to KnowID, Las Vegas, 25h March 2019.

I’ve said many times that we need an identity infrastructure that deals with the realities of this modern world, the world of the Nth industrial revolution (where N is 4, or 5, or something similar). As things go from bad to worse, we need this infrastructure be a government priority and we need the private and public sectors to come together to deliver it. And if they don’t want to, if you don’t want to, then you should be made to. I’m not standing here flattered to be asked to deliver this keynote because digital identity is about making life easier when you log in to your bank or to do your taxes. I’m here because it is far more important than that. Digital identity is vital national infrastructure

We don’t have long to get our act together and we are starting from scratch. In the UK we have no tradition of identity cards or national identification systems, or anything like it. To the British, national identification is “papers, please”: something associated with authoritarian tyrannies, France and wartime. And even in wartime, the idea of requiring people to hold some form of identification was regarded as so fundamentally incompatible with the customs and practices of Her Majesty’s subjects that the last British identity cards (from the first and second world wars, essentially) drew on what Jon Agar memorably labelled “parasitic vitality” from other systems such as conscription and food rationing. Identity infrastructure was created as a form of mobilisation against the enemies of the Realm and the chosen implementation, the identity card, was not an end in itself, but a means to support those other activities in to aid the war effort.

This dislike of identification as a State function is hardly unique to the United Kingdom. In America there are similarly strong opinions on the topic and the failure of the Australia Card back in 2007 stems, I think, from the same common law roots. These views of course stand in stark contrast to the views of almost all other nations of the world. The majority of people on Earth have some form of state identification and would find it impossible to navigate daily life without it. That doesn’t make the need to be identified by the state at all times either right or proper, by the way, but that’s a different discussion for another day.

If the development of national identity infrastructure is, however, only possible as part of a war effort… well, I have to tell you that we are at war. It’s just that this time we’re in a cyberwar and our identity infrastructure needs to support mobilisation across virtual and mundane realms. World War 3.0 has already started but a lot of people haven’t noticed because it’s in the matrix. There was no specific date when this war broke out and there is no conceivable Armistice Day on which it will end. Rather, as Bruce Schneier put it in his excellent book Click Here to Kill Everybody last year, cyberwar is the new normal.

(This will, unfortunately, make the war movies of the future rather dull. No more Dunkirk or Saving Private Ryan, no more The Dambusters or Enemy at Gate. Instead movies will be about solitary individuals sitting in dimly-lit bedsits typing lines of Perl or Solidity while eating tuna out of a can.)

The advent of cyberspace conflict is not because computers and communications technologies have only just reached the Armed Forces. Far from it: the very first computers were developed to compute ballistic trajectories and part of my young life was spent trying to work out how to use radio and satellite technologies to keep NATO systems connected after a first strike against command and control infrastructure, which is why talk of white noise jamming and direct-sequence spread spectrum transmission still gives me a shiver. But in those far-off days, the reason for knocking out the NATO’s IT infrastructure was so that you could then send tank columns through the Fulda Gap or drop the Spetsnatz into Downing Street. There were cyber aspects to war, but it wasn’t a cyberwar. Now it’s all out cyberwar and as historian Niall Ferguson said in his book The Square and The Tower, it’s war between networks.

(The early British response to this new state of affairs was comfortingly backward-looking. Back in 2013 there was a plan for the creation of a digital Home Guard made up from well-meaning volunteers to stand on the cyber-landing grounds to repel invasion.)

Now, I’m sure that behind the scenes the Department of Defense have been working around the clock to defend our payment systems and water supplies against foreign hackers but I do wonder if the insidious threat from the intersection of post-modernism and social media had as a high a priority? It should have done, because as it turned out the enemy stormed Facebook, not the Fulda Gap. We need a wall right enough, but we need it to around our data.

Marshall McLuhan saw this coming, just as he saw everything else coming. Way back in 1970, when the same Cold War that I played my part in was well under way, he wrote in Culture is our Business that “World War III is a guerrilla information war with no division between military and civilian participation”. Indeed. And as we are now beginning to understand, it is a war where quiet subversion of the enemy’s mental assets is as important as the destruction of their physical assets. Social media are creating entirely new opportunities for what The Economist referred to as “influence operations” (IO) and the manipulation of public opinion. We all understand why! In the future, “fake news” put together with the aid of artificial intelligence will be so realistic that even the best-resourced and most professional news organisation will be hard pressed to tell the difference between the real and the made-up sort.

Smart cyber-rebels will want to take over social media, just as rebel forces set off to capture the radio and TV stations first: not to shut them down, but to control them. The lack of identity infrastructure makes it easy for them: at least you could see when your favourite news reader had been replaced by a colonel in a flak jacket, but you’ve no idea who is feeding the “news” to your social media timeline. It’s probably not even people anymore. While writing these words I read of (yet another) complaint about social media companies doing nothing to control co-ordinated bot attacks. But how are they supposed to know who is a bot and who isn’t? Whether a troll army is controlled by enemies of the state or commercial interests? If an account is really that of a first-hand witness to some event or a spy manufacturing an event that never happened?

The need to tell “us” from “them”, real from fake, insiders from outsiders, attackers from defenders is critical and the lack of an identity infrastructure (as much as the creation of identity infrastructures that are too easy to subvert) leaves us open to manipulation. We need to create an effective infrastructure as a matter of urgency but it should not be framed in the context of a 20th-century bureaucracy responding to the urban anonymity of the industrial revolution by conceiving of people as index cards, but in a 21st-century context based on McLuhan’s notions of identity forged in relationships. We need to create an environment of ambient safety, where both security and privacy are strengthened, twin foundations for the structures we need to build to prevent chaos.

(America may or may not need a Space Force, but it most certainly needs a Cyberspace Force.)

So this is my challenge to KnowID. This is a conference I take very seriously and an audience that I respect. I am looking to you to man the barricades. I want you to begin the process of assembling the infrastructure that we so desperately need, so that I can tell my e-mail package to ignore messages that say they came from bank but didn’t, my web browser to put a red border around “news” that does not come from a reputable, cross-checked source and set my phone to ignore tweets that come from bots rather than people.

If this all sounds over-dramatic: it isn’t. I think it is perfectly reasonable to interpret the current state of cyberspace in these terms because the foreseeable future is one of continuous cyberattack from both state and non-state actors and digital identity is a necessary building block of our key defences. I sincerely hope that over the next couple of days you will find new ideas, new ways of co-operating and perhaps even a new mission to protect and survive in this new era of amazing opportunities, astonishing threats and terrifying risks.

Thank you.