<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Geopolitical Cyber]]></title><description><![CDATA[Analysis of cyber risk, geopolitics and strategic competition.]]></description><link>https://geopoliticalcyber.johnellis.com.au</link><image><url>https://substackcdn.com/image/fetch/$s_!s_E2!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc50e8617-53df-49ec-98aa-f042431ea863_1280x1280.png</url><title>Geopolitical Cyber</title><link>https://geopoliticalcyber.johnellis.com.au</link></image><generator>Substack</generator><lastBuildDate>Fri, 17 Jul 2026 19:58:21 GMT</lastBuildDate><atom:link href="https://geopoliticalcyber.johnellis.com.au/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[John Ellis]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[geopoliticalcyber@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[geopoliticalcyber@substack.com]]></itunes:email><itunes:name><![CDATA[John Ellis]]></itunes:name></itunes:owner><itunes:author><![CDATA[John Ellis]]></itunes:author><googleplay:owner><![CDATA[geopoliticalcyber@substack.com]]></googleplay:owner><googleplay:email><![CDATA[geopoliticalcyber@substack.com]]></googleplay:email><googleplay:author><![CDATA[John Ellis]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[When the Threat Is a Condition]]></title><description><![CDATA[The Discovery Tax of Cyber Persistence. A certain, immediate cost against a harm that may never come.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/when-the-threat-is-a-condition</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/when-the-threat-is-a-condition</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Mon, 06 Jul 2026 12:11:00 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/85063faa-e588-4d8f-8a39-1dd5f3e913f6_1484x1060.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use AI tools in research and drafting; the analysis and judgement are mine.</p></blockquote><p><span>In July 2025, Singapore did something it had never done before. Its Coordinating Minister for National Security named a specific threat actor, UNC3886, and said it was going after the country&#8217;s critical infrastructure. By February 2026, Singapore had confirmed that the group had compromised all four of its major telecommunications providers, using at least one zero-day and persistence engineered to survive detection, and that containing it had required Operation Cyber Guardian, the largest coordinated cyber defence operation in the country&#8217;s history.[1] No service was disrupted, and there was no indication that customer data had been taken. In operational terms, nothing had happened. That was the point. The value of the access lay precisely in the fact that it had produced nothing visible.</span></p><p><span>I used that episode in my previous piece, </span><em><a href="https://geopoliticalcyber.johnellis.com.au/p/when-silence-stops-being-cheap"><span>When Silence Stops Being Cheap</span></a></em><span>, to argue that public attribution of state cyber operations is less about deterrence than economics. Expose an operation and you force cost back onto the operator. Infrastructure has to be rebuilt. Access pathways have to be re-established. Tradecraft has to be adjusted. Internal scrutiny rises. None of that is decisive in itself, but over time it creates friction, and friction has value. That was the logic behind what I called the retooling tax.</span></p><p><span>In that same piece I noted, almost in passing, that the defender pays too. Every breach, even one that never becomes operationally disruptive, imposes what I called a response tax: teams stand up, regulators expect notification, and effort shifts from forward work to forensic work while the organisation tries to size a compromise it cannot yet measure. I let that observation go by in a sentence. It deserves more, because it is the other half of the ledger, and it behaves quite differently from the cost most institutions are built to price.</span></p><p><span>This cost appears not when the adversary causes visible damage, but when hidden access is discovered. At that point, even if no data has been stolen, no systems have been encrypted, and no public disruption has occurred, the organisation has already crossed into consequence. The moment of knowing changes the economics: discovery creates obligation, obligation creates expenditure, and the expenditure arrives whether or not the adversary ever goes on to do anything dramatic.</span></p><p><span>It matters because most cyber risk models are still built around events. They are calibrated to ransomware, fraud, data breach, service outage, or business interruption. Something happens, impact is realised, loss becomes visible, and the institution can begin the familiar cycle of response, reporting, remediation, and recovery. As I argued last time, corporate risk frameworks lean this way because criminal threats produce quantifiable losses that fit neatly into a register. The model is not foolish. It fits a certain class of threat well, especially criminal operators whose logic is simple enough. They compromise access in order to monetise it. Their business model depends on shortening the distance between intrusion and return.</span></p><p><span>Persistent state-aligned access follows a different logic. Its value often lies in the fact that nothing visibly happens. The point is not always to act, but to gain position: to establish presence inside systems that matter, map dependencies, understand trust relationships, study operating rhythms, and preserve the option to influence, disrupt, coerce, or simply observe later, if and when the strategic environment makes that useful. Volt Typhoon, which I touched on last time, is the clean illustration at state scale. In February 2024 the United States assessed that the Chinese group had been resident in the networks of communications, energy, transport and water utilities, in some cases for at least five years, not to steal or destroy but to pre-position for disruption in the event of a crisis.[2] That is not an intrusion aimed at a payday. It is a foothold held for years as a latent instrument, waiting on a political trigger rather than a technical one. Persistent access of this kind is not best understood as a precursor to an event. It is better understood as a form of geopolitical positioning conducted through digital infrastructure.</span></p><p><span>Many organisations still struggle to absorb this. We remain more comfortable with the language of incident than the language of occupation. This is the register Jon Lindsay captures in </span><em><span>Age of Deception</span></em><span> when he reads cybersecurity as secret statecraft, the organised use of deception for strategic advantage, rather than as warfare: the object of persistent access is position and knowledge, not destruction. A ransomware attack is easy to recognise. A destructive malware event is easy to explain. Even a serious breach can be narrated through the grammar of event, impact, and recovery. Persistent access is different. It sits in the background, may never trigger obvious harm, and yet changes the strategic landscape all the same. What it offers the operator is not merely information, but optionality. And optionality, in a contested geopolitical environment, is a form of power.</span></p><p><span>This is why the issue is larger than cyber security in the narrow corporate sense. In an era of strategic rivalry, quiet access into cloud environments, identity systems, telecommunications, energy networks, logistics platforms, or major service providers may never be used in a spectacular way. Equally, it may be held in reserve as strategic insurance, a latent instrument of coercion, or a means of shaping choices in a crisis. The point is not always to pull the trigger. Sometimes the point is to ensure that, should the political temperature rise, you are already inside the machinery.</span></p><p><span>Persistence of this kind fits badly inside governance models built to price realised harm. Boards want to know what happened, what it cost, and whether the problem has been contained. Regulators ask similar questions. Executives want clarity that can be translated into action and reassurance. Persistent access offers very little of that neatness. At the point of discovery, the most consequential fact may be not what has already happened, but what has been made possible. That is an uncomfortable proposition, because possibility is harder to price than damage, and ambiguity is harder to govern than loss.</span></p><p><span>Once persistent access becomes visible, the organisation is no longer making a calm strategic choice about whether to act. It is responding to an obligation that has already been triggered. That is true even when the facts remain partial. Indeed, it is the incompleteness that drives the cost. You do not know the full scope or the dwell time. You do not know which trust relationships were traversed, which dependencies were mapped, what was accessed, what was observed, or what might have been staged for later use. You may not know whether anything was taken, but nor can you responsibly assume that nothing was. And you do not know what the adversary intended to do with the access, whether next month, next year, or only if the wider context changed.</span></p><p><span>The telecommunications intrusions attributed to a second Chinese group, Salt Typhoon, show what that uncertainty costs once it is discovered. From late 2024, US officials said the group had penetrated the networks of some nine American carriers, among them Verizon, AT&amp;T and Lumen, and had reached the systems used to service lawful wiretap requests, exposing the call and location metadata of a large number of users.[3] What is instructive is not the espionage itself but the aftermath. Evicting an adversary who has embedded in the identity fabric and core routing of a modern carrier turned out to be extraordinarily hard. More than a year on, officials described the activity as ongoing. Some of the exploited weaknesses sat in hardware that could not be closed with a software patch and required physical replacement. Confident remediation would mean forensic examination of tens of thousands of endpoints across networks that were built for reach and resilience, not for expulsion.[4] The federal programme to strip suspect Chinese-made equipment out of US networks has approved reimbursement claims of very nearly five billion dollars, and even that addresses only part of the problem.[5] The bill did not arrive because something broke. It arrived because someone looked, and found.</span></p><p><span>The uncertainty has immediate and practical consequences. Forensics teams are engaged, logs are revisited and often found wanting, identity systems are revalidated, credentials are rotated, and trust assumptions are tested under pressure. Core infrastructure may need to be rebuilt, not because it has failed in any operational sense, but because confidence in its integrity has been seriously weakened. The sequence is not hypothetical. When the SolarWinds compromise, attributed to Russia&#8217;s foreign intelligence service, was uncovered in December 2020, the US emergency directive did not ask agencies to repair a malfunction. It told them to disconnect the affected software, forensically image their systems, reset every credential the software had touched, and rebuild hosts from trusted sources.[6] The systems were still running. The problem was that they could no longer be believed. Meanwhile legal teams are brought in, disclosure thresholds are debated, regulatory obligations are tested, and executives are briefed. Boards ask for certainty at exactly the point when certainty is least available. The institution begins spending money, attention, and credibility not in response to visible destruction, but in response to discovered uncertainty.</span></p><p><span>In a persistence model, the absence of visible damage does not remove the obligation to respond. The response itself becomes a major category of cost.</span></p><p><span>This is the discovery tax.</span></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!d8KF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!d8KF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!d8KF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!d8KF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!d8KF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!d8KF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1127317,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.johnellis.com.au/i/205489058?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!d8KF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!d8KF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!d8KF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!d8KF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab7faabc-7c85-4ad6-ae1c-502335400605_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><blockquote><p><span>&#8220;Two mirror-image costs, split by the moment of discovery: exposure forces the operator to rebuild, while discovery forces the institution to respond.&#8221;</span></p></blockquote><p><span>The two taxes are mirror images. For the attacker, persistence preserves optionality. They can observe, wait, and decide later whether to exploit, influence, disrupt, or simply retain access as a hedge. For the defender, discovery removes optionality. Once you know, you must move. You may not know enough to describe the situation neatly, but you know enough to know it cannot be ignored. One side benefits from remaining unseen. The other, the moment sight is established, inherits cost, scrutiny, and organisational friction.</span></p><p><span>Seen this way, the problem is not merely incident response. It is a structural mismatch between the threat environment and the models institutions use to understand it. Many governance frameworks still assume that cyber risk becomes serious when impact is realised. But persistence does not wait politely for our reporting categories. Some of the most consequential risks in cyber do not first appear as high-impact events. They first appear as ambiguity, and ambiguity in a large institution is expensive. It consumes decision-making time, management attention, legal energy, regulatory bandwidth, and executive confidence. It exposes how much of an organisation&#8217;s operating model depends not simply on systems functioning, but on those systems being trusted.</span></p><p><span>A wider strategic implication follows. If the contest is increasingly about access, visibility, dependence, and response cost, then cyber security cannot be treated as a technical hygiene function sitting off to the side of geopolitics. It sits inside questions of sovereignty, resilience, and strategic dependence. A firm that relies heavily on interconnected digital platforms, third-party technology, global service providers, and tightly coupled identity or cloud architectures is not merely efficient. It is also exposed to a world in which persistent access can create leverage without a shot being fired and without a headline ever appearing. This is the same dynamic I have elsewhere called digital bifurcation, one of the forces reshaping the cyber order. Every exposure hardens the line between trusted and untrusted infrastructure, and every dependency an institution cannot vouch for is a place where that line runs straight through its own estate. The surface story is technical compromise. The deeper story is contested interdependence.</span></p><p><span>The old comfort phrase, that there are only two types of organisation, those that have been breached and those that do not know it yet, is therefore no longer enough. It captures something true, but not something sufficient. The more useful distinction is between organisations that still think of intrusion as event, and those beginning to understand intrusion as condition. The first group anchors on prevention rhetoric and headline incidents. The second starts with a harder question: what does it mean to operate responsibly in an environment where hidden access may simply be part of the landscape, and where the cost of discovery may be immediate even in the absence of obvious harm?</span></p><p><span>This is not an argument for fatalism, and it is not an argument against prevention. Prevention still matters. Visibility matters. Identity discipline matters. Good architecture matters. Friction matters. But prevention alone is an incomplete frame if the adversary&#8217;s goal is not to break something, but to stay, learn, and preserve options. In that world, resilience is not only about stopping bad things from happening. It is also about reducing the strategic and economic shock that follows when you discover that hidden presence has already been established.</span></p><p><span>A different set of boardroom questions follows, and they can be made concrete. Most boards today ask a version of: are we protected, and has anything happened? The persistence frame asks three sharper ones. </span></p><ol><li><p><span>First, if we discovered tomorrow that a capable adversary had been resident in our core systems for two years, how much of our environment could we actually re-verify, and how long would it take to trust it again? That is a test of recovery of confidence, not recovery of service. </span></p></li><li><p><span>Second, which of our dependencies, from identity providers to cloud platforms to a handful of critical suppliers, are so deeply trusted that we have no practical way to detect or expel an intruder who reached them? That is a map of where the discovery tax would fall hardest. </span></p></li><li><p><span>Third, can we make a defensible disclosure and remediation decision on partial information, at speed, without waiting for a certainty that will never come? A board that can answer those three has moved from pricing damage to pricing possibility, which is the shift the environment now demands.</span></p></li></ol><p><span>There is a tension here with where I left things last time, and it is worth naming rather than smoothing over. I argued that a state with strong institutions can choose managed coexistence over reflexive eviction, holding a known intruder under watch rather than tearing the house down at the first sign of a footprint. That latitude is real, but it is not evenly distributed. It belongs to actors with the legal authority, the telemetry, and the institutional nerve to live alongside an adversary they can see. Most boards and most companies have none of those things. For them, discovery does not open a menu of strategic options. It triggers an obligation. That asymmetry is the discovery tax in its sharpest form: the same fact that a disciplined state can absorb as a managed condition lands on an ordinary institution as a bill it must pay at once.</span></p><p><span>This sits alongside the earlier dynamic. Public attribution imposes a retooling tax on the adversary. Discovery imposes a tax on the defender. Neither ends persistence. Neither resolves the competition. What they do is shape its economics. Over time, cyber conflict looks less like a sequence of decisive events and more like a continuous contest over access, visibility, uncertainty, and response cost. This is the world Cyber Persistence Theory describes, one of agreed competition and cumulative gains in which states stay active below the threshold that would invite an armed response, and in which no single intrusion is decisive on its own. What that account leaves underdeveloped is the defender&#8217;s side of the ledger, the cost the condition imposes at the moment it is discovered, which is what the discovery tax tries to price. That is not a comforting frame, but it is a more realistic one. The problem is not only intrusion. It is the political, institutional, and economic condition created by living in systems where intrusion can sit quietly until the moment of discovery forces everybody to move.</span></p><p><span>The uncomfortable implication is this. If persistent access is, at some level, part of the normal strategic environment rather than an exceptional failure of it, then the question shifts. It is no longer simply how to prevent intrusion. It becomes how to govern, endure, and respond in a world where hidden access is part of the competitive landscape and where the cost of knowing may matter as much as the cost of attack.</span></p><p><span>In that world, the most expensive moment is not always when the adversary acts. It may be the moment you realise they have been there long enough that certainty is gone, but responsibility has arrived. Silence, then, was never truly free. It was simply a liability deferred until discovery made the bill impossible to ignore.</span></p><h2><span>References</span></h2><ol><li><p><span>On Singapore&#8217;s naming of UNC3886 and the compromise of its four major telecoms providers, see K. Shanmugam, &#8220;CSA 10th Anniversary Dinner,&#8221; Ministry of Home Affairs Singapore, 18 July 2025, </span><a href="https://www.mha.gov.sg/mediaroom/speeches/csa-10th-anniversary-dinner-the-next-10-years-securing-our-cyberspace-and-digital-future"><span>https://www.mha.gov.sg/mediaroom/speeches/csa-10th-anniversary-dinner-the-next-10-years-securing-our-cyberspace-and-digital-future</span></a><span>; Cyber Security Agency of Singapore, &#8220;Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore&#8217;s Telecommunications Sector,&#8221; February 2026, </span><a href="https://www.csa.gov.sg/news-events/press-releases/largest-multi-agency-cyber-operation-mounted-to-counter-threat-posed-by-advanced-persistent-threat--apt--actor-unc3886-to-singapore-s-telecommunications-sector/"><span>https://www.csa.gov.sg/news-events/press-releases/largest-multi-agency-cyber-operation-mounted-to-counter-threat-posed-by-advanced-persistent-threat--apt--actor-unc3886-to-singapore-s-telecommunications-sector/</span></a><span>; and &#8220;Chinese cyberspies breach Singapore&#8217;s four largest telcos,&#8221; </span><em><span>BleepingComputer</span></em><span>, February 2026, </span><a href="https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/"><span>https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/</span></a></p></li></ol><ol start="2"><li><p><span>CISA, NSA, FBI and partners, </span><em><span>PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure</span></em><span>, Joint Cybersecurity Advisory AA24-038A, 7 February 2024. </span><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a"><span>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a</span></a></p></li></ol><ol start="3"><li><p><span>For the reported scope of the Salt Typhoon telecom intrusions, including the number of affected carriers and access to lawful-intercept systems, see &#8220;AT&amp;T, Verizon, Lumen confirm Salt Typhoon breach,&#8221; </span><em><span>The Register</span></em><span>, 30 December 2024, </span><a href="https://www.theregister.com/2024/12/30/att_verizon_confirm_salt_typhoon_breach/"><span>https://www.theregister.com/2024/12/30/att_verizon_confirm_salt_typhoon_breach/</span></a></p></li></ol><ol start="4"><li><p><span>On the difficulty of eviction and the scale of forensic remediation, see &#8220;A house full of open windows: Why telecoms may never purge their networks of Salt Typhoon,&#8221; </span><em><span>CyberScoop</span></em><span>, </span><a href="https://cyberscoop.com/salt-typhoon-chinese-hackers-us-telecom-breach/"><span>https://cyberscoop.com/salt-typhoon-chinese-hackers-us-telecom-breach/</span></a></p></li></ol><ol start="5"><li><p><span>On the scale of the federal &#8220;rip and replace&#8221; programme: approved reimbursement applications reached USD 4.98 billion against an initial USD 1.9 billion appropriation, with a further USD 3.08 billion provided through the FY2025 National Defense Authorization Act. See FCC, </span><em><span>Secure and Trusted Communications Networks Reimbursement Program</span></em><span>, </span><a href="https://www.fcc.gov/supplychain/reimbursement"><span>https://www.fcc.gov/supplychain/reimbursement</span></a><span>; and &#8220;Rip and replace funding passes as part of defense bill,&#8221; </span><em><span>RCR Wireless</span></em><span>, 18 December 2024, </span><a href="https://www.rcrwireless.com/20241218/policy/rip-and-replace-funding"><span>https://www.rcrwireless.com/20241218/policy/rip-and-replace-funding</span></a></p></li></ol><ol start="6"><li><p><span>CISA, </span><em><span>Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise</span></em><span>, 13 December 2020. </span><a href="https://www.cisa.gov/news-events/directives/ed-21-01-mitigate-solarwinds-orion-code-compromise-closed"><span>https://www.cisa.gov/news-events/directives/ed-21-01-mitigate-solarwinds-orion-code-compromise-closed</span></a></p></li></ol><h2><span>Further reading</span></h2><p><span>Michael P. Fischerkeller, Emily O. Goldman and Richard J. Harknett, </span><em><span>Cyber Persistence Theory: Redefining National Security in Cyberspace</span></em><span>, Oxford University Press, 2022.</span></p><p><span>Jon R. Lindsay, </span><em><span>Age of Deception: Cybersecurity as Secret Statecraft</span></em><span>, Cornell University Press, 2025.</span></p>]]></content:encoded></item><item><title><![CDATA[When Washington Switches Off the Model]]></title><description><![CDATA[AI Access, Middle-Power Dependency, and the New Geography of Cyber Risk]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/when-washington-switches-off-the</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/when-washington-switches-off-the</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 14 Jun 2026 02:30:35 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!M9fQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</p></blockquote><p>There are technology stories that are really power stories wearing a product badge.</p><p>The abrupt suspension of access to Anthropic&#8217;s Claude Fable 5 and Claude Mythos 5 is one of them. On the surface, this looks like a dispute between an AI company and the US Government over model safety, jailbreaking and national security controls. That is the visible story. The deeper story is more consequential: access to frontier AI is becoming an instrument of state power.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!M9fQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!M9fQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 424w, https://substackcdn.com/image/fetch/$s_!M9fQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 848w, https://substackcdn.com/image/fetch/$s_!M9fQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 1272w, https://substackcdn.com/image/fetch/$s_!M9fQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!M9fQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png" width="1587" height="524" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:524,&quot;width&quot;:1587,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1648904,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.johnellis.com.au/i/201935071?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3779ebce-f1f5-4c65-a890-1c42a492c800_1774x887.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!M9fQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 424w, https://substackcdn.com/image/fetch/$s_!M9fQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 848w, https://substackcdn.com/image/fetch/$s_!M9fQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 1272w, https://substackcdn.com/image/fetch/$s_!M9fQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7843dffe-76f1-427d-ab41-b46ef2b8b6f0_1587x524.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>For businesses outside the United States, and especially for middle powers like Australia, that should land with some force. On 12 June, Anthropic said it received a US Government export-control directive at 5:21pm Eastern Time requiring it to suspend access to Fable 5 and Mythos 5 by foreign nationals, whether inside or outside the United States, including foreign-national employees. Axios reported that the directive came through a Commerce Department letter and would require a licence for export, re-export or domestic transfer of the models. The practical effect, according to Anthropic, was that it had to disable the models for all customers while it worked through compliance.</p><p>The key phrase is foreign nationals. Not simply people located in China. Not simply users outside the United States. Foreign nationals. That detail matters because it tells us the boundary being drawn is not just geographic. It is legal, political and strategic. It is a border written through identity, citizenship, jurisdiction and alliance management. Customers outside the United States lost access to capability because a foreign government made a national security decision under laws they do not write, through institutions they do not govern, for reasons they may only partially understand.</p><p>That does not automatically make the decision wrong. It does make the dependency visible.</p><p>The details will no doubt be argued over by lawyers, policymakers, AI safety researchers, national security officials and the usual online crowd that can turn a cup of tea into a constitutional crisis. Anthropic has said its understanding is that the government&#8217;s concern related to a potential jailbreak that could be used to identify software vulnerabilities. It also says the demonstrated vulnerabilities were minor, previously known and discoverable by other publicly available models without the same bypass. The government may see that differently. That is the nature of national security disputes. The public rarely gets the whole file.</p><p>Semafor&#8217;s reporting adds another layer. According to its account, the White House move was linked in part to concerns that a China-linked group may have accessed Mythos. Anthropic has disputed aspects of that story and said the government did not raise Chinese access in its conversations around the directive. It has framed the issue around a narrow jailbreak concern rather than a confirmed foreign-access incident.</p><p>That tension matters, but not because we can resolve it from the outside. We cannot. The point is that customers, allies, employees and downstream users may not get a clean explanation when national security authorities intervene. They may get partial disclosure, conflicting accounts and immediate operational impact. That is how state power often works. It does not wait for vendor transparency, legal neatness or a tidy root-cause analysis.</p><p>Some of the reporting remains contested. The dependency signal does not.</p><h2>This Is Not Really About Anthropic</h2><p>It is tempting to make this story about Anthropic. That would be too narrow. Anthropic is the case study. The real issue is that access to frontier AI is becoming a geopolitical control surface.</p><p>That phrase sounds abstract until the switch is pulled. A model can be announced, priced, documented, integrated into customer workflows and then effectively withdrawn because a government decides the risk calculus has changed. That is not a normal SaaS outage. It is geopolitical kill-switch risk.</p><p>If that sounds familiar, it should. We have seen this pattern before. Semiconductors became strategic. Cloud became sovereign. Data localisation became a regulatory battleground. Telecommunications vendors, undersea cables, firmware, app stores, identity platforms, security tooling and critical minerals have all been pulled into the same argument. Frontier AI models now sit inside that pattern.</p><p>A model that can write code, analyse intelligence, support cyber operations, accelerate vulnerability discovery, generate scientific hypotheses, automate workflows and sit inside enterprise decision-making is not just another piece of software. It is capability. And capability attracts the state. The state will regulate it, test it, procure it, restrict it, classify it, subsidise it and, when necessary, switch it off.</p><p>The real risk equation is no longer simply whether a model is powerful. It is who controls access to that capability, under what legal regime, subject to what political incentives, and with what ability to withdraw, restrict, monitor or compel its use. That is a very different conversation from vendor due diligence. A model can be technically excellent and still sit inside a jurisdictional structure that creates exposure. A vendor can be aligned today and misaligned tomorrow. The vendor may not fail. The political environment around the vendor may change.</p><p>That is the part many organisations have not yet absorbed.</p><h2>Capability Is Only Half the Story</h2><p>Much of the debate will focus on whether Fable and Mythos were uniquely risky. That matters, but it is only half the issue. If one model has crossed a meaningful threshold in autonomous cyber capability, governments should care. If a model can materially uplift malicious actors, defenders, intelligence agencies and private security teams at the same time, then safety controls are not theatre. They are necessary.</p><p>But focusing only on model capability misses the broader operating environment. A model can be safe enough for one policy environment and unacceptable in another. A deployment can be commercially normal one week and legally restricted the next. A provider can release capability globally and then discover that its home government has a narrower view of who should be allowed to use it. That is not a technical edge case. It is the operating model of strategic technology.</p><p>There is an almost absurd symmetry here. Frontier AI companies are commercial actors, safety institutions, defence suppliers, national champions, policy advocates and geopolitical assets all at once. The incentives do not align neatly. They grind against each other. The same companies warning governments that frontier models could create serious cyber, biological or national security risks are also trying to bring those models to market. That does not make them hypocrites. It makes them institutions living inside conflicting pressures. They want to move fast enough to compete, cautiously enough to avoid catastrophe, openly enough to build markets and selectively enough to satisfy governments.</p><p>No one should be shocked when that tension breaks into the open.</p><p>Governments face their own incentive problem. If they move too slowly and a model is misused, they will be accused of negligence. If they move too aggressively, they risk damaging trusted access, commercial confidence, allied relationships and defensive innovation. In the absence of mature governance, the state will reach for the tools it understands: export controls, citizenship restrictions, national security directives and pressure on vendors. That is not elegant, but statecraft rarely is.</p><p>For boards and executives, the lesson is blunt. Vendor risk is no longer just financial stability, cyber posture, audit reports, service levels and contractual terms. Vendor risk is now alignment risk, jurisdictional risk, access risk, policy risk and strategic dependency risk.</p><p>Cyber security leaders should recognise the pattern. For years, we have been told to think in terms of shared responsibility with cloud providers. That model is already strained. AI stretches it further. With frontier models, the organisation may not control the model, may not understand the training data, may not see the safety mechanisms, may not know the monitoring thresholds and may not receive full visibility into government-directed access changes. Yet the organisation may still become dependent on the output. That is not shared responsibility. It is partial control wrapped in contractual optimism.</p><p>The exposure is not only in the technology, but in the trust relationship around it.</p><h2>The Middle-Power Problem</h2><p>This is where the Australian lens matters. From Washington, the Anthropic case looks like a national security decision. From Silicon Valley, it looks like a fight over regulation, safety, capability release and state authority. From an AI safety perspective, it looks like a model governance problem. From Australia, and from much of the Indo-Pacific, it looks like dependency.</p><p>Australia is deeply integrated into the American technology stack. Our public sector, banks, insurers, healthcare providers, universities, telcos and critical infrastructure operators rely heavily on US-controlled cloud, software, identity, productivity, security and now AI platforms. These are world-class technologies. That is precisely why they are everywhere.</p><p>But reliance, however efficient, is still reliance. And reliance becomes exposure when access, pricing, availability, functionality or legal treatment can be shaped by a foreign state acting in its own national interest.</p><p>This is not an argument for retreating from American technology. That would be unrealistic and self-defeating. Australia&#8217;s alliance with the United States remains central to our strategic position, and the democratic technology ecosystem is still vastly preferable to the authoritarian alternatives. But alliances do not remove dependency risk. They change its character.</p><p>A friend can still have different priorities. A partner can still move first for domestic reasons. An ally can still impose controls that make sense in Washington and create operational problems in Sydney, Singapore, Tokyo or Seoul. That is the middle-power dilemma. Australia relies on trusted access, commercial relationships, diplomatic alignment and the assumption that its interests will remain close enough to US interests to preserve continuity. That assumption may hold most of the time. But resilience is not built for most of the time. It is built for the moment the assumption fails.</p><p>We want access to the best technology. We want alignment with trusted partners. We want resilience against authoritarian technology ecosystems. We want sovereignty. We want all of it, preferably without trade-offs and with a neat slide for the board pack.</p><p>Good luck with that.</p><p>The uncomfortable truth is that middle powers do not get to control the strategic logic of the great powers whose platforms they use. They can only decide how exposed they are when that logic changes.</p><h2>Sovereign AI Is Not a Slogan</h2><p>This is where &#8220;sovereign AI&#8221; starts to matter, provided we do not reduce it to procurement theatre.</p><p>Sovereign AI does not mean every country needs to build a frontier model from scratch. For Australia, that is probably fantasy dressed up as strategy. We do not have the capital depth, energy base, compute scale, data ecosystem or industrial machinery to replicate the United States or China at the frontier. Pretending otherwise is how countries end up with expensive national capability brochures and very little capability.</p><p>But sovereignty does not have to mean autarky. It can mean knowing which dependencies matter. It can mean maintaining alternatives for critical workloads. It can mean ensuring that regulated entities understand the jurisdictional exposure of the models they use. It can mean requiring transparency around model access, data retention, foreign-national restrictions, operational continuity and provider obligations under home-state law. It can also mean building domestic capability where it matters most: evaluation, assurance, orchestration, model routing, security testing, sensitive data handling, incident response and sector-specific adaptation.</p><p>For Australia, the practical sovereign AI question is not whether we can build our own OpenAI, Anthropic or DeepSeek. The better question is where we need domestic agency, where we can rely on trusted partners, where we need fallback options, and which workloads are too sensitive or too critical to leave entirely exposed to another country&#8217;s policy settings. That is less glamorous than announcing a national frontier model. It is also more useful.</p><p>Sovereignty is not a flag in a data centre. It is the ability to keep operating when someone else&#8217;s politics changes.</p><h2>From Asset Register to Trust Relationship Register</h2><p>For decades, enterprise security has been anchored in the asset register: what do we own, where is it, who can access it and how do we defend it? That still matters. But strategic competition is pushing us toward something else as well: the trust relationship register.</p><p>The asset register tells you what you have. The trust relationship register tells you who you depend on.</p><p>It asks a different set of questions. It maps which critical capabilities depend on providers we do not control, which jurisdictions govern those providers, and what access rights, update mechanisms, model behaviours, identity systems, data flows and legal obligations sit underneath the service. Then it presses the two that matter: which foreign state can alter the operating conditions overnight, and what happens when it does?</p><p>This is not a theoretical exercise. It is the practical expression of geopolitical cyber risk. If an organisation is embedding frontier AI into software engineering, cyber operations, fraud detection, customer service, legal review, risk analysis or executive decision support, then model access is no longer a productivity question. It is part of operational resilience.</p><p>Boards should not ask only whether the organisation is using AI. Everyone is using AI, formally or through the side door. Nor should they ask only whether the vendor is secure. That matters, but it is no longer enough. The better question is this: what critical capabilities are we building on technology we do not control, in jurisdictions we do not govern, under policies we do not set?</p><p>For AI specifically, boards should expect management to know which business processes now depend on frontier models, which providers and cloud platforms sit underneath those models, which jurisdictions control them, what data is exposed, and what happens if access is restricted by nationality, geography, sector, use case or regulatory category. They should also ask whether workloads can shift to another provider, whether the outputs remain reliable and compliant, and whether the fallback is actually tested or merely assumed.</p><p>This belongs in technology risk, third-party risk, operational resilience, cyber scenario modelling and board reporting. If that sounds heavy, it is. But it is still cheaper than discovering during a crisis that a critical workflow depends on a policy decision made in another capital.</p><p>The practical tool is an AI dependency register, but not as another compliance spreadsheet quietly dying in SharePoint. It should identify the model, provider, hosting path, jurisdiction, business process, data exposure, fallback option and operational impact if access is withdrawn. It should separate casual productivity use from critical workflow reliance. It should force a conversation about which dependencies are acceptable, which need mitigation and which are being disguised by convenience. That is where the real risk hides, not in the fact that a business uses AI, but in the fact that it may stop noticing where the dependency begins.</p><h2>Australia&#8217;s Strategic Question</h2><p>Even if this specific restriction is narrowed, reversed or explained away, the precedent matters. Model access can now be altered by sovereign decision, not just vendor availability. For Australian boards, AI is a dependency strategy conducted under foreign jurisdiction, whatever the innovation roadmap says.</p><p>That does not mean retreating from frontier technology. It means being honest about the bargain. We get capability, scale and speed. In return, we inherit exposure to decisions made by governments we do not elect, laws we do not write and policy settings we do not control. That is not a reason to panic. It is a reason to govern the dependency properly.</p><p>The Anthropic episode shows what it looks like when a trust relationship is revalued overnight by someone else&#8217;s state. The vendor remains. The product remains. The capability may even remain technically sound. But the terms of access change because the political context changes.</p><p>That is the lesson.</p><p>For Australia, and for every middle power sitting inside someone else&#8217;s technology stack, the intelligence layer your business depends on may be commercial at the front end, but it is geopolitical underneath.</p><p>When geopolitics reaches into the stack, the outage message will not say &#8220;service unavailable&#8221;.</p><p>It will say, in effect, &#8220;not for you&#8221;.</p><h2>Sources</h2><ul><li><p>Anthropic, statement on the 12 June US Government directive to suspend access to Fable 5 and Mythos 5. https://www.anthropic.com/news/fable-mythos-access</p></li><li><p>Axios, on the Commerce Department export-control letter and the foreign-national restriction. https://www.axios.com/2026/06/12/anthropic-trump-mythos-fable-national-security</p></li><li><p>CNBC, on the directive and Anthropic&#8217;s decision to disable the models for all customers. https://www.cnbc.com/2026/06/12/anthropic-disables-access-to-fable-5-and-mythos-5-to-comply-with-government-directive.html</p></li><li><p>Semafor, on the wider White House context and the contested claim of China-linked access to Mythos. https://www.semafor.com/article/06/13/2026/white-house-move-to-limit-anthropic-linked-to-concerns-about-chinese-access-to-mythos</p></li><li><p>CNN, on the suspension and the broader tension between Anthropic and the administration. https://www.cnn.com/2026/06/13/business/anthropic-mythos-model-national-security</p></li></ul>]]></content:encoded></item><item><title><![CDATA[The Secret and the Wound]]></title><description><![CDATA[Ultra, Crete, and the human cost of knowing]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/the-secret-and-the-wound</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/the-secret-and-the-wound</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Tue, 28 Apr 2026 10:24:13 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!nadO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>London gave me three doors into the same war: Bletchley Park, Churchill&#8217;s War Rooms, and the Imperial War Museum. One showed me the secret. One showed me the decision. One showed me the cost.</p><p>In London on business, I finally made time for three places I had been wishing to see for a long time. I went carrying a story I thought I already understood. My grandfather, Archibald MacLean Hastie, served in the Second World War with the 2nd New Zealand Divisional Cavalry Regiment. His service number was 1139. He fought in Greece and Crete. He was wounded on Crete in 1941. He survived, returned to the war, and eventually came home to New Zealand.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!nadO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!nadO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 424w, https://substackcdn.com/image/fetch/$s_!nadO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 848w, https://substackcdn.com/image/fetch/$s_!nadO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!nadO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!nadO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg" width="450" height="600" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:450,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Archibald 22yrs old&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Archibald 22yrs old" title="Archibald 22yrs old" srcset="https://substackcdn.com/image/fetch/$s_!nadO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 424w, https://substackcdn.com/image/fetch/$s_!nadO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 848w, https://substackcdn.com/image/fetch/$s_!nadO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!nadO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12e1308-2019-4f8a-9821-2e33024a35b0_450x600.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Archibald MacLean Hastie WWII 1139</strong></p><p>That is the outline. Families inherit outlines; the rest comes in fragments. In our family, the story was that he was badly wounded, crawled away somewhere, and was found by a mate who refused to leave him behind. Whether every detail is exact, I do not yet know. Military records have a brutal talent for compression. They turn a man&#8217;s screaming world into a few dry lines of ink: evacuation, hospital, returned to duty.</p><p>But I know enough. He was wounded. He survived. Someone brought him back.</p><p>For most of my life, that was family history, important but held at the distance of childhood, wrapped in family shorthand and the gravity of old photographs. I knew him only as Poppy. I was six when he died in 1980. To me, he was not a soldier in the machinery of empire. He was medals, quiet strength, toy soldiers, and the kind of presence some old men carry without explanation.</p><p>Only later do you begin to understand that silence has weight.</p><p>Last year, I went to Chania, in Crete. I stood at Suda Bay and looked across the water and the graves, trying to imagine a young New Zealander, an armoured reconnaissance soldier fighting largely on foot in terrain he had never known, against an enemy descending from the sky.</p><p>It was not battlefield tourism, it was family archaeology.</p><p>I went with my wife and daughters, and that mattered. Memory becomes sterile when it is held alone. Standing there with the next generation gave the place a different force. My grandfather&#8217;s war was no longer just something behind me. It was something moving through us.</p><p>Around that time, I had three service numbers tattooed on my arm. One for my great-grandfather, who fought in the First World War. One for my grandfather, wounded on Crete, and one for my own service, modest by comparison, but part of the same thread.</p><p>I have spent much of my adult life in the world of intelligence, security and risk, where the temptation is always the same: to believe that more data will give us more control. I got the tattoo as a private roll call, a physical anchor for a career spent in abstractions.</p><p>At Suda Bay, those numbers felt like remembrance, in London, they began to feel like a question.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Ys5v!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Ys5v!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Ys5v!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Ys5v!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Ys5v!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Ys5v!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg" width="1456" height="1934" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1934,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2787336,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/195481042?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Ys5v!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Ys5v!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Ys5v!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Ys5v!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3445fbdf-8c06-4b42-8d20-86c5b2181695_3072x4080.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Cross of Sacrifice at Suda Bay, sword inverted, sea and mountains beyond</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!GDoL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!GDoL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 424w, https://substackcdn.com/image/fetch/$s_!GDoL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 848w, https://substackcdn.com/image/fetch/$s_!GDoL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!GDoL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!GDoL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg" width="1456" height="1096" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1096,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:4606988,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/195481042?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!GDoL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 424w, https://substackcdn.com/image/fetch/$s_!GDoL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 848w, https://substackcdn.com/image/fetch/$s_!GDoL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!GDoL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F933f988c-341b-4857-aca7-d32eb42361e9_4080x3072.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Rows of New Zealand headstones</strong></p><p>Bletchley Park is a quiet place to encounter the scale of war. It does not overwhelm you with grand architecture. It works on you slowly, through huts, desks and the patient weight of disciplined work. By the end of the war, roughly three quarters of Bletchley Park&#8217;s workforce were women. They worked in shifts that ran around the clock, processing, analysing, indexing, translating and helping break German encrypted military communications, most famously Enigma.</p><p>The intelligence product of this work was given the codename Ultra. The name was deliberate: the material was treated as more sensitive even than the existing classification of Most Secret. The popular version of the story is comforting: codebreakers broke the codes, the war was shortened, lives were saved.</p><p>All of it true, none of it the whole story.</p><p>Intelligence is never that clean. If the Germans realised their codes had been broken, the advantage would vanish. The secret had to be protected, even from those whose lives were shaped by it. Knowledge had to be disguised, laundered or delayed. Leaders could know more than they could say. Commanders could be warned without being told the source. Men in the field could be moved, reinforced or left exposed without ever knowing the picture that placed them there.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!I3Qb!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!I3Qb!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 424w, https://substackcdn.com/image/fetch/$s_!I3Qb!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 848w, https://substackcdn.com/image/fetch/$s_!I3Qb!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!I3Qb!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!I3Qb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg" width="6355" height="3349" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3349,&quot;width&quot;:6355,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:4555344,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/195481042?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63cda45b-e1fc-4b2e-909b-26107303ef30_6355x4785.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!I3Qb!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 424w, https://substackcdn.com/image/fetch/$s_!I3Qb!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 848w, https://substackcdn.com/image/fetch/$s_!I3Qb!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!I3Qb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4986e498-fd96-46d6-be76-d97d0d4bd461_6355x3349.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Bletchley Park mansion, spring light, lake in foreground</strong></p><p>The Churchill War Rooms sit underground near Westminster, and there is something unsettling about standing where war was turned into maps, pins and files. Strategy always looks cleaner when the map is flat. I went on Anzac Day, a coincidence of scheduling that stopped feeling like a coincidence the moment I stepped below street level.</p><p>It was there that Crete shifted for me. One exhibit framed the question bluntly: did Churchill know that Hitler planned to capture Crete? The answer was not simple, but it was enough to disturb the neatness of the story I had carried.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fhC5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fhC5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 424w, https://substackcdn.com/image/fetch/$s_!fhC5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 848w, https://substackcdn.com/image/fetch/$s_!fhC5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fhC5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fhC5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg" width="358" height="637" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:637,&quot;width&quot;:358,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:102928,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/195481042?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c1471ee-f0ff-4324-be0e-578bdd479c98_556x739.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fhC5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 424w, https://substackcdn.com/image/fetch/$s_!fhC5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 848w, https://substackcdn.com/image/fetch/$s_!fhC5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fhC5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F724d612d-8cef-44a3-8c0c-41c5431db69a_358x637.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Churchill War Rooms: image of the question on did Churchill know about Hitlers plans to capture Crete?</strong></p><p>British leaders had Ultra-derived warning that Crete was in German sights. Freyberg, commanding Creforce, had intelligence warning of the attack. Yet warning did not become clarity, and clarity did not become safety. The intelligence picture was powerful, but constrained. It could be misread. It could show danger without solving the practical problem of defending an exposed island with tired men, few aircraft and too many assumptions.</p><p>Somewhere at the far end of that system was my grandfather.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CdWB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CdWB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 424w, https://substackcdn.com/image/fetch/$s_!CdWB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 848w, https://substackcdn.com/image/fetch/$s_!CdWB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 1272w, https://substackcdn.com/image/fetch/$s_!CdWB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CdWB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png" width="960" height="731" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:731,&quot;width&quot;:960,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:173761,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/195481042?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CdWB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 424w, https://substackcdn.com/image/fetch/$s_!CdWB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 848w, https://substackcdn.com/image/fetch/$s_!CdWB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 1272w, https://substackcdn.com/image/fetch/$s_!CdWB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3901df3b-07ea-4e8f-9b1c-9d3f543a2d2e_960x731.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>A map of Operation Merkur, the German airborne invasion of Crete in May 1941.</strong></p><p>He did not know about Ultra, but he knew dust, confusion and what it was to fight in a collapsing situation. He knew pain.</p><p>This is the moment the story changed shape. Not into an accusation. That would be too easy. Britain was fighting an existential war, and the people in the War Rooms were trying to keep a country alive. But the fact that a decision is necessary does not make it painless. Intelligence can save lives in aggregate while still failing to save the individual man standing in the wrong place at the wrong time.</p><p>Strategy can be right and still be paid for by people who never knew the calculation.</p><p>The Imperial War Museum brought the story back down from decision to consequence. Honest war museums refuse to let you remain safely at the level of policy. They remind you that every strategic decision eventually arrives somewhere smaller: a hillside, a hospital ship, a telegram, a kitchen table.</p><p>War is remembered in speeches, but it is absorbed by families.</p><p>My great-grandfather carried one war home; my grandfather carried another. Neither man turned his suffering into speeches. Mid-century New Zealand did not offer men much vocabulary for what they had carried back. You did not unpack your inner life; you swallowed it. You carried it in your habits, your silences and your distance.</p><p>That, too, is inheritance.</p><p>And the women carried something else. My grandmother lived with what my grandfather could not say. A service file may one day tell me the nature of the wound he suffered; it cannot tell me the tone of voice she used to navigate the silences he brought home. There is no service number for the woman who held the household steady while he held the rest of it inside. That is its own kind of service. It is the part of the story carried forward in what people do not ask each other across kitchen tables.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!p_Xn!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p_Xn!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 424w, https://substackcdn.com/image/fetch/$s_!p_Xn!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 848w, https://substackcdn.com/image/fetch/$s_!p_Xn!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!p_Xn!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!p_Xn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg" width="6144" height="6144" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:6144,&quot;width&quot;:6144,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:5169313,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/195481042?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb504ec2f-f9e8-4ef3-b9dc-8dc2c0ea82d1_6144x8160.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!p_Xn!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 424w, https://substackcdn.com/image/fetch/$s_!p_Xn!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 848w, https://substackcdn.com/image/fetch/$s_!p_Xn!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!p_Xn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd95ef64a-83db-4bba-890d-236530580923_6144x6144.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Italian minefield warning sign, &#8220;Chi tocca muore&#8221;, whoever touches it dies</strong></p><p>One object at the Imperial War Museum stayed with me: an Italian minefield warning sign reading <em>Chi tocca muore</em>, whoever touches it dies. It was meant for a battlefield, but it felt uncomfortably close to family memory too. Some silences are dangerous because they are still live.</p><p>In my professional life, the assumption is seductive: if we know more, we can control more. We look for more telemetry, more threat intelligence, more visibility. Bletchley and the War Rooms tell a harder story.</p><p>Knowing is not the same as saving.</p><p>Sometimes knowledge only reveals the cruelty of the available choices.</p><p>Every intelligence system has an edge where abstraction ends. On one side are probabilities and risk assessments. On the other are people who experience the outcome without ever seeing the briefing.</p><p>My grandfather lived on that edge. He was not a data point or an entry in a ledger of necessary sacrifice. He was a young man who went to war, was saved by a mate, and came home carrying things he did not explain.</p><p>I do not know what he would have made of any of it. Perhaps he would have shrugged; perhaps he would have been angry; perhaps he would have said nothing at all. The dead rarely give us the courtesy of clean answers.</p><p>So we make do with fragments. A service number, a wound, a cemetery beside a Cretan bay. A secret kept for strategic advantage and a tattoo on a grandson&#8217;s arm.</p><p>The questions have not settled. For me, it means being more careful with the word strategy. It means respecting those who carry burdens they cannot disclose, while never forgetting those who carry consequences they did not choose. History is not only made in rooms where decisions are taken; it is also made in the lives of those who absorb them.</p><p>Bletchley showed me the secret. The War Rooms showed me the decision. The Imperial War Museum showed me the cost. Crete had already shown me the wound.</p><p>And somewhere between them all, my grandfather stopped being only a family story.</p><p>He became a man at the far end of the intelligence picture.</p><p>A reminder, carried now on his grandson&#8217;s arm, that knowing matters, but knowing is never enough.</p>]]></content:encoded></item><item><title><![CDATA[Running to Stand Still: The Illusion of Cyber Risk Reduction]]></title><description><![CDATA[Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/running-to-stand-still-the-illusion</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/running-to-stand-still-the-illusion</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Tue, 31 Mar 2026 09:31:04 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!3e3X!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p style="text-align: justify;"><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3e3X!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3e3X!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3e3X!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!3e3X!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!3e3X!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3e3X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3e3X!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3e3X!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!3e3X!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!3e3X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F658418cc-f6b1-4eb5-adea-0a7b10b94e73_1024x1024.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p style="text-align: justify;">There is a kind of strategic failure that produces no visible signal until it is too late. It looks like progress. It reports well. It generates clean audit findings and improving metrics. And it leaves the organisation materially no safer than when the investment began.</p><p style="text-align: justify;">This is not the failure of neglect. Neglect is obvious and correctable. This is the failure of continuous, well-funded effort directed at only half of the problem. Most security programmes are doing the necessary work. Very few are doing sufficient work. The difference between the two is rarely visible in how investment is presented to boards, and almost never made explicit in how risk position is reported to them. The World Economic Forum, whose 2021 <em>Principles for Board Governance of Cyber Risk</em> has become a benchmark for how organisations think about executive accountability, explicitly frames cyber security as a matter of enterprise risk management rather than technical compliance.<sup>1</sup> That framing is right. The problem is that it has not resolved a deeper confusion about what risk, exactly, is being governed.</p><p style="text-align: justify;">Cyber risk is not a stable variable. It moves continuously, driven by forces that rarely hold steady simultaneously: adversaries who adapt and scale what works; controls that erode as exceptions accumulate and architecture grows more tangled; and businesses whose own risk profiles shift as they restructure, concentrate value, and deepen dependencies. Even a programme performing well against its own measures can be losing ground to this dynamic. A posture appropriate last year is, by default, slightly less adequate this year. The environment moves. Risk drifts upward. Standing still is not available as a strategic option.</p><p style="text-align: justify;">Biologists have a name for this. Leigh Van Valen, writing in 1973, described what became known as the Red Queen hypothesis: the observation that species must keep evolving simply to maintain their relative fitness against co-evolving competitors and parasites.<sup>2</sup> The name comes from Lewis Carroll&#8217;s <em>Through the Looking-Glass</em>, where the Red Queen tells Alice that it takes all the running you can do just to keep in the same place. Van Valen was describing evolutionary arms races, but the logic applies with uncomfortable precision to adversarial environments. Defenders and attackers co-evolve. The effort required to hold a given position grows continuously, because the threat is not static. A security programme that runs at a constant pace in a Red Queen environment fails to hold its position. It is losing ground at the rate the threat is advancing.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ahjw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ahjw!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 424w, https://substackcdn.com/image/fetch/$s_!ahjw!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 848w, https://substackcdn.com/image/fetch/$s_!ahjw!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 1272w, https://substackcdn.com/image/fetch/$s_!ahjw!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ahjw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png" width="1456" height="794" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ahjw!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 424w, https://substackcdn.com/image/fetch/$s_!ahjw!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 848w, https://substackcdn.com/image/fetch/$s_!ahjw!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 1272w, https://substackcdn.com/image/fetch/$s_!ahjw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08cc397e-899b-4897-86ff-b84f003930e0_2048x1117.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p style="text-align: justify;">This is not a metaphor. It&#8217;s a description of observed behaviour. Threat capability has been compressing the average interval between technique development and widespread adversarial adoption for at least a decade. The move from exploit development to commodity tooling, the industrialisation of ransomware as a service, and the acceleration of vulnerability weaponisation, each of these shortens the window in which defenders can respond before a technique becomes standard practice. An organisation investing the same in risk management this year as last is almost certainly losing ground, not holding it. Yet investment proposals rarely account for this. The implicit assumption underpinning most security programme governance, that current effort, properly maintained, will produce stable outcomes over time, is one the evidence does not support.</p><p style="text-align: justify;">The core problem, though, lies beneath the arms race dynamic. Governance frameworks rarely distinguish between two categorically different kinds of work.</p><p style="text-align: justify;">The first is risk management: the continuous activity required to maintain a position against a moving system. Vulnerability remediation, detection tuning, review of findings, and control maintenance. Necessary and non-negotiable, but conservative in its effect. It holds the line. The second is risk reduction: interventions that change the system itself. Removing an attack path rather than managing around it. Redesigning to reduce blast radius. Breaking a critical dependency before it becomes a point of failure. Designing out a class of vulnerability rather than continuously processing its instances. This is structural change. It alters the terms of the adversary&#8217;s problem, not merely the speed of the defender&#8217;s response.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_i5J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_i5J!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 424w, https://substackcdn.com/image/fetch/$s_!_i5J!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 848w, https://substackcdn.com/image/fetch/$s_!_i5J!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 1272w, https://substackcdn.com/image/fetch/$s_!_i5J!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_i5J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png" width="1456" height="794" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_i5J!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 424w, https://substackcdn.com/image/fetch/$s_!_i5J!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 848w, https://substackcdn.com/image/fetch/$s_!_i5J!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 1272w, https://substackcdn.com/image/fetch/$s_!_i5J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a4be903-f377-417c-b3cf-d976c005684d_2048x1117.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p style="text-align: justify;">These two kinds of work are not simply different in degree. They are different in kind. The boundary between them is not always crisp, some risk management activity, pursued with sustained intent and the right organisational authority, does produce structural change over time. But the distinction matters because these two categories carry different strategic weight, warrant different investment logic, and tell different stories about actual trajectories. An organisation that separates them has a coherent basis for allocating capital. One that does not is likely funding risk management at scale while understating how little structural ground it is actually gaining.</p><p style="text-align: justify;">It is also worth noting that structural improvement is not a permanent condition. Architectural change accumulates its own exceptions and complexity over time. A consolidation that genuinely reduces attack surface in year one can generate new dependencies and coverage gaps by year three. A simplification that removes one class of failure can create another form of concentration. Risk reduction is better understood as a time-bound intervention than a durable achievement. This is one reason governance frameworks need to track structural posture as a live indicator rather than as a completed item on a programme list. The WEF principles and the subsequent NACD partner report that elaborated them both emphasise the importance of the board understanding the organisation&#8217;s cyber posture in terms of business risk impact.<sup>3</sup> That understanding is not possible without a framework that can distinguish between these two categories of work.</p><p style="text-align: justify;">Why does the confusion persist? The answer is partly a measurement failure and partly an incentive problem, and the two reinforce each other in ways worth examining.</p><p style="text-align: justify;">Activity is visible and auditable; progress is an inference from it. Boards can track programmes, count closures, and review dashboards. The alternative interpretation, that the programme is running to stand still, is uncomfortable and hard to surface through standard governance mechanisms. But the incentive problem runs deeper. The full ecosystem of board, executive, security leadership, and vendor rewards delivery: clear milestones, improving metrics, programmes that are well-governed and on schedule. It does not reward the harder and more disruptive work of removing dependency, simplifying architecture, or absorbing near-term operational pain for long-term structural improvement.</p><p style="text-align: justify;">This is not a failure of competence. It is a rational response to how performance is measured and rewarded. Hans Jonas, whose moral philosophy of technology remains one of the more demanding frameworks for contemplating responsibility under uncertainty, argued that the scale and complexity of modern technological systems creates an obligation to attend to long-range consequences that are inherently difficult to perceive in the immediate term. His concept of the &#8220;imperative of responsibility&#8221; is directed at actors whose decisions shape systems in ways that outlast their tenure. The board member approving a security programme measured entirely by near-term delivery metrics is doing exactly what Jonas warned against: optimising for what is visible and tractable while discounting what is diffuse and structural. This is not malice. It is the predictable result of governance frameworks calibrated to motion rather than to direction.</p><p style="text-align: justify;">Vendors operate within the same logic. Structural change that reduces the need for ongoing intervention is, in purely commercial terms, less attractive than managed, recurring activity. Capital flows toward what can be shown, and what can be shown is motion. The security industry&#8217;s business model has a structural preference for risk management over risk reduction, because the former creates durable revenue streams and the latter threatens them.</p><p style="text-align: justify;">This produces a pattern that is consistently visible in incident post-mortems. Organisations that have lived through a serious breach frequently saw their programme metrics improving beforehand. Backlogs were shrinking. Detection had been uplifted. Governance was functioning. The post-mortem accounts of major incidents, whether the sustained intrusions at organisations with mature security programmes or the ransomware events that have paralysed health systems and infrastructure operators with security investments, reveal the same structural signature: well-managed programmes that nonetheless failed to address the architectural conditions that made catastrophic impact possible.<sup>4</sup> The metrics were not lying, exactly. They were measuring the wrong thing: how well the organisation was managing its position, not how well that position would hold under real adversarial pressure.</p><p style="text-align: justify;">One question makes the situation legible. For any material security investment, does this reduce risk, or does it stop risk from getting worse? Both categories of work are necessary. But they carry different strategic weight, speak differently to a board&#8217;s risk appetite, and require different governance. Blurring them produces a narrative calibrated to motion rather than to direction. It also produces portfolios heavily weighted toward running, and lightly weighted toward changing the terrain.</p><p style="text-align: justify;">The UK government&#8217;s 2025 mapping of its cyber governance code to the WEF principles is instructive here.<sup>5</sup> The mapping is careful and technically competent. But it reproduces the same gap: it tells organisations how to govern what they are already doing rather than how to interrogate whether what they are doing is sufficient against the threat they actually face. Governance sophistication is not the same as strategic clarity about the nature of the problem being governed.</p><p style="text-align: justify;">The required move is not to stop managing risk. That is the floor, not the ambition. The discipline of being explicit in investment decisions and programme reporting changes how organisations understand which kind of work is being funded. How much holds the line? How much actually shifts exposure? Where are structural bets placed consciously, and where is effort being absorbed into programme delivery and labelled as progress?</p><p style="text-align: justify;">A board that cannot answer these questions does not have a clear picture of its risk position. It has a picture of its programme performance, which is different and considerably less useful. A security function that cannot articulate the distinction lacks the ability to make the case for structural investment, because it has no language that separates the work that changes the game from the work that merely keeps it going.</p><p style="text-align: justify;">Running hard is not the same as moving forward. The Red Queen dynamic means that standing still requires effort, but effort does not guarantee standing still. Most organisations are not failing because of neglect. They are working, spending, and delivering against a system that is advancing at roughly the same pace. The question governance rarely forces is whether all that effort is actually changing anything, or merely sustaining a position that everyone has agreed, for understandable reasons, to describe as progress. Boards that cannot distinguish between these two things are not governing cyber risk. They are governing the appearance of it.</p><p><strong>Notes</strong></p><p>1.  World Economic Forum, Principles for Board Governance of Cyber Risk (Geneva: WEF, 2021). See also Chris Krebs et al., &#8220;Principles for Board Governance of Cyber Risk,&#8221; Harvard Law School Forum on Corporate Governance, 9 June 2021</p><p>2.  Leigh Van Valen, &#8220;A New Evolutionary Law,&#8221; Evolutionary Theory 1 (1973): 1-30. For an accessible account of the Red Queen hypothesis and its extension beyond biology, see Wikipedia, &#8220;Red Queen hypothesis,&#8221; accessed 2026.</p><p>3.  National Association of Corporate Directors (NACD), Principles for Board Governance of Cyber Risk (NACD/WEF partner research report, 2023). The report elaborates the WEF principles with particular attention to how boards should receive and interrogate risk reporting from management.</p><p>4.  Hans Jonas, The Imperative of Responsibility: In Search of an Ethics for the Technological Age (Chicago: University of Chicago Press, 1984). Jonas&#8217;s central argument, that technological power creates an obligation to anticipate and prevent harm at scales and timescales previously beyond individual moral consideration, is summarised in the secondary literature; see &#8220;Hans Jonas: Ethics, Technology, and the Responsibility of the Future,&#8221; Philosophy World Democracy (2025), and the Philosophia overview of Jonas&#8217;s framework (2017).</p><p>5.  UK Government, &#8220;Mapping cyber governance code to WEF Principles for Board Governance of Cyber Risk&#8221; (2025). The document is a useful reference for organisations seeking to align their governance frameworks to the WEF principles, but it addresses procedural alignment rather than the substantive question of whether the underlying investment logic is adequate.</p>]]></content:encoded></item><item><title><![CDATA[When Silence Stops Being Cheap]]></title><description><![CDATA[Public attribution isn't moral signaling; it&#8217;s a retooling tax. Explore why Singapore&#8217;s move against UNC3886 signals the end of cheap silence and the rise of industrialised cyber attrition.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/when-silence-stops-being-cheap</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/when-silence-stops-being-cheap</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 15 Feb 2026 11:21:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!50Q4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p>In July 2025, Singapore&#8217;s Coordinating Minister for National Security, K. Shanmugam, stood up at the Cyber Security Agency&#8217;s tenth anniversary dinner and did something Singapore had never done before. He named a threat actor - UNC3886, a China-nexus APT tracked by Mandiant, and said it was going after the country&#8217;s critical infrastructure. He didn&#8217;t say &#8220;China&#8221;. But he didn&#8217;t need to. Anyone literate in threat intelligence knew exactly what he was saying.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!50Q4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!50Q4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 424w, https://substackcdn.com/image/fetch/$s_!50Q4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 848w, https://substackcdn.com/image/fetch/$s_!50Q4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 1272w, https://substackcdn.com/image/fetch/$s_!50Q4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!50Q4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png" width="2304" height="1219" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/83651875-6829-4231-be66-7dcda38403ad_2304x1219.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1219,&quot;width&quot;:2304,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3520647,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/187575898?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1e353ac-1203-45d4-88ae-7b4106287258_2304x1728.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!50Q4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 424w, https://substackcdn.com/image/fetch/$s_!50Q4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 848w, https://substackcdn.com/image/fetch/$s_!50Q4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 1272w, https://substackcdn.com/image/fetch/$s_!50Q4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83651875-6829-4231-be66-7dcda38403ad_2304x1219.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>By February 2026, Singapore confirmed UNC3886 had compromised all four of its major telecommunications providers using zero-day exploits, rootkits, and persistent access mechanisms designed to survive detection. Operation Cyber Guardian was deployed to contain it. No customer data was exfiltrated. No services were disrupted. But the access was real, and it had been there for a long time.</p><p>That disclosure is worth studying, not because of what Singapore said, but because of what it reveals about how cyber statecraft actually works once the rhetoric is stripped away. We talk about &#8220;cyberwar&#8221; as if it&#8217;s a thing you can win, or deter, or end, but it isn&#8217;t.</p><p>Instead, what we are dealing with is something far more mundane and exhausting: industrialised state cyber operations. Persistent access, long dwell times and human operators grinding away quietly in the background. No climactic battles, just attrition.</p><p>That matters, because it changes what strategy even means.</p><p>Here, strategy is not about demonstrating resolve or setting boundaries. It&#8217;s about deciding what you&#8217;re willing to live with, and what you&#8217;re prepared to make expensive for the other side, knowing full well you&#8217;ll pay a price too.</p><p>For years, public attribution was largely a practice-driven by the US and its vendors, and adopted within the Five Eyes. Beyond that perimeter, most states avoided it entirely. A values exercise and something you did if you could afford the politics. Safer to stay quiet. That logic is breaking. Not because anyone suddenly got braver, but because silence stopped being cheap.</p><h2>A quick note on lens</h2><p>I don&#8217;t approach this from the perspective of a single country. I lived in Singapore for fourteen years, I&#8217;m married to a Chinese woman, and I&#8217;ve worked inside American and British companies; now I sit in Australia in a global role. That doesn&#8217;t make me neutral. It makes me allergic to single-lens explanations.</p><p>Cyber posture looks very different depending on where you sit &#8212; politically, economically, and culturally. So this isn&#8217;t a Western argument or an Eastern one. It&#8217;s a practical one.</p><h2>When the grey zone stops being permissive</h2><p>The &#8220;grey zone&#8221; once sounded attractive. Low cost. High deniability. Plenty of room to manoeuvre. That worked when operations were smaller and slower. At scale, silence becomes a subsidy.</p><p>If an actor sits quietly in your network today, they&#8217;re not just stealing information. They&#8217;re banking advantage. Mapping dependencies. Improving tradecraft. Preserving options. All without friction. UNC3886 had been active since at least 2021, quietly exploiting zero-days in firewalls and hypervisors using living&#8209;off&#8209;the&#8209;land techniques designed to blend into normal operations, that is, repurposing legitimate admin tools so malicious activity looks like normal system behaviour. Volt Typhoon followed a similar pattern across US critical infrastructure, energy, water, transport, and telecoms, with dwell times stretching into years.</p><p>These are not smash-and-grab operations. They are slow, deliberate programmes of strategic pre-positioning. That&#8217;s the part people still underplay.</p><p>So when you hear terms like &#8220;active defence&#8221; or &#8220;defend forward&#8221;, don&#8217;t picture cyber punch-ups. What&#8217;s actually happening is terrain shaping, making persistence less comfortable, less clean, and less predictable.</p><p>The goal is still to make intrusion hard, reducing probability matters, not least because every breach, even one that never becomes operationally disruptive, imposes its own response tax. Teams spin up. Regulators expect notification. Resources shift from forward work to forensic work. And upon discovery, you rarely know how big is big, scoping a compromise can take weeks or months, during which the organisation is burning capacity on a question it can&#8217;t yet answer. So prevention earns its keep. But the strategic point is different: for actors operating at this level, some access will be achieved. The goal is to make that access unrewarding, to deny the conditions under which persistence compounds into strategic advantage.</p><p>This is one of the ways digital bifurcation becomes self-reinforcing, what I&#8217;ve previously described as one of the Five Forces reshaping the geopolitical cyber order. Each exposure hardens the boundary between trusted and untrusted infrastructure. Every burned operation widens the gap between allied and adversarial digital ecosystems. The retooling tax doesn&#8217;t just impose cost, it accelerates structural separation in the digital order.</p><h2>The retooling tax (and why it&#8217;s misunderstood)</h2><p>Public exposure is still dismissed as &#8220;naming and shaming&#8221;. That&#8217;s a lazy read. In a persistence model, attribution isn&#8217;t about morality. It&#8217;s about forcing work.</p><p>Once an operation becomes legible, infrastructure gets burned. Tooling is shelved. Access paths collapse. People have to rebuild things they thought were settled. Oversight tightens, tempo drops and mistakes creep in and that&#8217;s the retooling tax.</p><p>The point isn&#8217;t to end persistence. It&#8217;s to break the conditions that let persistence compound unchecked.</p><p>Inside the adversary&#8217;s system, exposure triggers internal review. Resources shift from expansion to damage assessment. The incentives temporarily shift from risk-taking to caution. For programmes built on patience, that friction matters.</p><p>But here&#8217;s the uncomfortable part: capable adversaries plan for this. At scale, they amortise the cost. Modular tooling. Redundant infrastructure. Parallel accesses. Burning one campaign becomes maintenance, not defeat. The i-Soon leaks in February 2024 confirmed what many suspected &#8212; industrial depth matters.</p><p>The retooling tax falls unevenly. It genuinely disrupts mid-tier operators. For top-tier actors, it can prune the field and concentrate persistent access among those best equipped to sustain it, so no, this doesn&#8217;t stop them.</p><p>What it does is change the economics. Persistence still exists, but it becomes slower, noisier, and less reliable. Over time, that compounds.</p><h2>Transparency is not free &#8212; it&#8217;s finite</h2><p>This is where many defenders get sloppy. Disclosure isn&#8217;t binary. It&#8217;s not silence versus exposure and it&#8217;s a finite resource.</p><p>Every time you go public, you teach the other side something: what you can see, what you care about, where your telemetry is strong, and where it isn&#8217;t. A serious opponent studies your disclosures the same way you study their campaigns.</p><p>They don&#8217;t fear noise. They curate it. False flags. Proxies. Cheap tooling is combined with bespoke access. The aim is simple: raise attribution costs and weaken confidence.</p><p>What complicates this further is that states no longer fully control disclosure timing. Vendor reports now drive much of public attribution, sometimes aligned with government objectives, sometimes not. Commercial incentives often lack a clear alignment with operational discipline, potentially leading to premature disclosure of sensitive information.</p><p>Yes, noise can deny permissiveness, but unmanaged noise degrades the signal. Transparency without discipline isn&#8217;t bold. It&#8217;s counter&#8209;productive.</p><h2>The cost you pay at home</h2><p>None of this comes for free. Once something goes public, it stops being a technical problem and becomes a political one. Attention spikes. Media flattens nuance. Ministers want certainty that doesn&#8217;t exist.</p><p>Security teams lose room to manoeuvre. Bureaucracies react to headlines rather than evidence. Over time, the public either panics or tunes out&#8212;and institutions themselves can habituate to noise, dulling response when it actually matters.</p><p>This friction isn&#8217;t a side effect; it&#8217;s the price of admission and only states with strong institutional discipline can absorb that pressure without turning disclosure into theatre. Many can&#8217;t. For them, visibility creates more risk than it removes.</p><h2>Singapore, as an example &#8211; not a template</h2><p>Singapore&#8217;s handling of UNC3886 is instructive precisely because of what it didn&#8217;t do.</p><p>Minister Shanmugam named the threat actor cluster&#8212;a Mandiant designation&#8212;without saying &#8220;China&#8221;. The exposure was technical, bounded, and calm. No chest-thumping. No moralising. There was no attempt to publicly corner anyone.</p><p>Beijing&#8217;s response was equally calibrated. The Chinese Embassy expressed &#8220;strong dissatisfaction&#8221; via local media while avoiding direct escalation. The unspoken rules of exchange were honoured.</p><p>Seen through a Sun Zi lens, the objective was never deterrence of China. It was preservation of operating space under constraint&#8212;denying permissive terrain without forcing escalation.</p><p>It works because Singapore understands its constraints: economic exposure, regional dynamics, and the need for institutional cohesion. It also quietly reassures investors, insurers, and critical service providers that persistent access is being managed competently rather than denied until failure forces the issue.</p><p>When attempted without those conditions, the same approach leads to noise, panic, and poor decisions.</p><h2>Who this actually works for</h2><p>This approach isn&#8217;t universal. It favours states with strong legal authority, high trust in institutions, and the ability to tolerate ambiguity. It disadvantages those with fragile politics, exposed economies, or a taste for moral theatre.</p><p>There&#8217;s a further complication. Most corporate risk frameworks are calibrated for criminal operators&#8212;ransomware, data theft, business interruption&#8212;because those threats produce quantifiable losses that fit neatly into a risk register. The state persistence model described here requires a fundamentally different posture: patience over speed, managed coexistence over rapid eviction, and strategic disclosure over reflexive transparency. Holding both models simultaneously is genuinely difficult, and the insurance and loss-quantification ecosystem keeps pulling boards towards the criminal lens at the expense of the strategic one. That tension doesn&#8217;t resolve. It has to be managed.</p><p>There are also real tail risks. Get attribution wrong and credibility evaporates, not just for the attributing state, but for the coalitions that rely on shared confidence. Push too hard and partners fracture. Make everything public and intrusion becomes background radiation.</p><p>This isn&#8217;t deterrence by punishment. It&#8217;s attrition by design and attrition always cuts both ways.</p><h2>The realist corrective: endurance as strategy</h2><p>We still look for decisive moments. Cyber doesn&#8217;t offer them.</p><p>As Cyber Persistence Theory makes clear, there is no final victory here, only a continuous contest for initiative. By choosing to make the silence noisy, states are acknowledging that the grey zone is no longer a place of comfort but a frontline of industrialised attrition.</p><p>The retooling tax isn&#8217;t a win. It&#8217;s a maintenance fee, the price paid to ensure that while adversaries remain persistent, they never remain comfortable.</p><p>Silence is no longer cheap. The question now is how deliberately we choose to spend it.</p><div><hr></div><h2>References &amp; Further Reading</h2><p><strong>Singapore&#8217;s UNC3886 Attribution</strong></p><ul><li><p>K. Shanmugam, &#8220;CSA 10th Anniversary Dinner &#8212; The Next 10 Years: Securing Our Cyberspace and Digital Future,&#8221; Ministry of Home Affairs Singapore, 18 July 2025. <a href="https://www.mha.gov.sg/media-room/newsroom/csa-10th-anniversary-dinner-the-next-10-years-securing-our-cyberspace-and-digital-future/">https://www.mha.gov.sg/mediaroom/speeches/csa-10th-anniversary-dinner-the-next-10-years-securing-our-cyberspace-and-digital-future</a></p></li><li><p>Cyber Security Agency of Singapore, <em>Singapore Cyber Landscape 2024/2025</em>, September 2025. <a href="https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2024-2025/">https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2024-2025/</a></p></li><li><p>BleepingComputer, &#8220;Chinese Cyberspies Breach Singapore&#8217;s Four Largest Telcos,&#8221; February 2026. <a href="https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/">https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/</a></p></li><li><p>Louise Marie Hurel, &#8220;What Singapore&#8217;s First Public Cyber Attribution Tells Us,&#8221; Royal United Services Institute, 30 July 2025. <a href="https://www.rusi.org/explore-our-research/publications/commentary/what-singapores-first-public-cyber-attribution-tells-us">https://www.rusi.org/explore-our-research/publications/commentary/what-singapores-first-public-cyber-attribution-tells-us</a></p></li></ul><p><strong>Volt Typhoon &amp; PRC Cyber Pre-Positioning</strong></p><ul><li><p>CISA, NSA &amp; FBI, &#8220;PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,&#8221; Joint Cybersecurity Advisory AA24-038A, February 2024. <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a</a></p></li><li><p>Ciaran Martin, &#8220;Typhoons in Cyberspace,&#8221; Royal United Services Institute, 2025. <a href="https://www.rusi.org/explore-our-research/publications/commentary/typhoons-cyberspace">https://www.rusi.org/explore-our-research/publications/commentary/typhoons-cyberspace</a></p></li><li><p>Mandiant, &#8220;Cloaked and Covert: Uncovering UNC3886 Espionage Operations,&#8221; Google Threat Intelligence, 2023. <a href="https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations">https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations</a></p></li></ul><p><strong>i-Soon Leaks</strong></p><ul><li><p>Associated Press, &#8220;Leaked Files from Chinese Firm Show Vast International Hacking Effort,&#8221; February 2024. <a href="https://apnews.com/article/china-cybersecurity-leak-isoon">https://apnews.com/article/china-cybersecurity-leak-isoon</a></p></li></ul><p><strong>Cyber Persistence Theory &amp; Strategic Literature</strong></p><ul><li><p>Michael P. Fischerkeller, Emily O. Goldman &amp; Richard J. Harknett, <em>Cyber Persistence Theory: Redefining National Security in Cyberspace</em>, Oxford University Press, 2022.</p></li><li><p>Jon R. Lindsay, <em>Age of Deception: Intelligence Warfare in the 21st Century</em>, Oxford University Press, 2025.</p></li></ul><p><strong>Attribution as Statecraft</strong></p><ul><li><p>Florian Egloff &amp; Max Smeets, &#8220;Publicly Attributing Cyber Attacks: A Framework,&#8221; <em>Journal of Strategic Studies</em>, 2022.</p></li><li><p>Herb Lin, &#8220;Attribution of Malicious Cyber Incidents: From Soup to Nuts,&#8221; <em>Journal of International Affairs</em>, Columbia University, 2016.</p></li></ul><p><strong>Sun Zi &amp; Calculated Restraint</strong></p><ul><li><p>Sun Tzu, <em>The Art of War</em>, translated by Roger Ames, Ballantine Books, 1993. (Ames translation recommended for its emphasis on strategic context over aphorism.)</p></li></ul><div><hr></div><p><em>For more on the distinction between strategy and activity in cyber, see <a href="https://geopoliticalcyber.substack.com/p/cyber-strategy-is-not-activity">Cyber Strategy Is Not Activity</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Cyber Strategy Is Not Activity]]></title><description><![CDATA[(And Why Confusing the Two Quietly Undermines the Business)]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/cyber-strategy-is-not-activity</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/cyber-strategy-is-not-activity</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 08 Feb 2026 01:33:04 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!hZjZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p>Cybersecurity is routinely performed under the guise of strategy, yet it is almost universally practised as a form of high-stakes reactivity. This is not for a lack of intelligence or intent among leadership; rather, it is the predictable outcome of a discipline that matured in the frantic crucible of technical virtuosity and immediate crisis. In an environment that rewards the visible heroics of incident response and the quantifiable progress of audit evidence, the quiet, analytical demands of strategy can feel dangerously like hesitation.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!hZjZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!hZjZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 424w, https://substackcdn.com/image/fetch/$s_!hZjZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 848w, https://substackcdn.com/image/fetch/$s_!hZjZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 1272w, https://substackcdn.com/image/fetch/$s_!hZjZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!hZjZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png" width="2247" height="1327" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1327,&quot;width&quot;:2247,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:5838364,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/187250448?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe200aac0-ffff-47ec-9ca2-3f310c5a90d2_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!hZjZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 424w, https://substackcdn.com/image/fetch/$s_!hZjZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 848w, https://substackcdn.com/image/fetch/$s_!hZjZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 1272w, https://substackcdn.com/image/fetch/$s_!hZjZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3182ac2d-d505-4bdd-a4c4-1766221dd6b8_2247x1327.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>True strategy, however, demands precisely that: a form of disciplined restraint. It is the uncomfortable realisation that the most effective leaders are defined not by the fires they extinguish, but by the fires they choose to let burn. The classical strategists understood this tension as a fundamental law of conflict. Sun Tzu&#8217;s observation that victory is decided before the first banner is raised was not a mystical claim but a pragmatic one: it is an acknowledgement that conditions, not effort, dictate outcomes. Centuries later, Richard Rumelt would sharpen this into a modern axiom: strategy is a clear diagnosis of the real problem, followed by a coherent set of actions designed to overcome it. In the cyber realm, we have greedily absorbed the language of these thinkers while largely ignoring their required discipline.</p><h3>When Security Becomes the Objective</h3><p>The most consequential mistake currently sitting at the heart of the corporate cyber programme is the belief that &#8220;security&#8221; is the goal. It is not. Security is merely a means to an end&#8212;the end being the organisation&#8217;s continued ability to pursue growth, reliability, and innovation within a digital environment that remains stubbornly hostile. A cyber strategy that cannot articulate what it is protecting, and more importantly <em>why</em>, is not a strategy at all; it is an aspiration dressed up in the expensive livery of technical intent.</p><p>Sun Tzu&#8217;s relevance here is not in the &#8220;art of war&#8221;, but in the &#8220;art of the asymmetric&#8221;. His focus was on shaping conditions so that conflict, should it arrive, was cheap and manageable. When applied to the modern enterprise, this means deciding&#8212;explicitly and unapologetically&#8212;where resilience matters most, where friction is an acceptable cost of doing business, and where loss is simply a tolerable reality of operating in the 21st century. These decisions are inherently uncomfortable because they necessitate trade-offs, and trade-offs require the one thing most cyber functions lack: the organisational permission to say &#8220;no&#8221;.</p><h3>The Three Layers of Perception</h3><p>Cyber conversations often collapse into a circular, exhausted logic because we fail to distinguish between strategy, operations, and tactics. <strong>Strategy</strong> in this context lives at the friction point between business intent and digital risk. It is rarely a technical discussion. Instead, it asks the questions that make people shift in their chairs: Which business processes are existential? Where does the speed of the market outweigh the necessity of control? A serious strategy might conclude that the rapid recovery of a customer-facing platform is more vital than preventing the intrusion itself. These are not &#8220;control&#8221; decisions; they are orientation decisions, and they dictate the entire trajectory of the firm&#8217;s defence.</p><p><strong>Operations</strong> is the layer where this intent either becomes reality or dissolves into noise. It is the discipline of sequencing and endurance. It recognises that Clausewitz&#8217;s &#8220;friction&#8221;&#8212;the inevitable fog and fatigue of execution&#8212;destroys more plans than any adversary ever will. A cyber function that pivots weekly between new initiatives based on the latest headline isn&#8217;t being &#8220;agile&#8221;; it is simply drifting.</p><p><strong>Tactics</strong>, meanwhile, are the most seductive part of the craft. Incident response, red teaming, and vulnerability triage are visible, skill-intensive, and feel decisively productive. They are also entirely local and transient. Tactical excellence can, and often does, coexist with strategic failure. Many organisations respond with surgical precision to incidents while remaining fundamentally exposed to the same underlying forms of loss, year after year. To borrow from the Stoics, it is the difference between being a skilled rower and actually knowing which way the current is moving.</p><h3>A Lived Example: The Courage of Bounded Risk</h3><p>A few years ago (in a prior role), following a high-quality red team exercise, we were presented with findings that were as well-evidenced as they were uncomfortable. The natural institutional instinct was to close every gap and uplift every control immediately. On a dashboard, this would have looked like responsible management. In reality, it would have cannibalised the engineering capacity of a revenue-critical platform that had nothing to do with the exercise but everything to do with a vitally important business unit&#8217;s market strategy.</p><p>The strategic question was not whether the findings were valid&#8212;they were. The question was: <em>What loss actually matters most to the business over the next eighteen months?</em> The answer was not &#8220;improving a maturity score&#8221; but ensuring the continuity of the revenue engine. We made the counterintuitive decision to accept certain risks as &#8220;bounded&#8221; and redirected our limited capital towards recovery capability and identity controls that reduced the blast radius across the entire estate. There was nothing heroic about the decision, and it made for a particularly dull board report, but it aligned our effort with reality. That is what strategy looks like in practice: it is quiet, often misunderstood, and profoundly boring to those who crave tactical drama.</p><p>There is a further, often unspoken force shaping cyber strategy: regulation itself. Regardless of whether a particular standard, circular, or supervisory focus reflects an organisation&#8217;s internal risk assessment, the moment a regulator asks a question, it reshapes the terrain. Attention must be paid. Resources must be allocated. Sequencing must change. This is not necessarily misalignment; it is a fact of operating in a regulated space, where fear, reputation, and institutional self-preservation exert their own quiet gravity. Sun Tzu would recognise this immediately. Terrain does not need to be fair to be decisive. The strategic failure is not acknowledging its impact but allowing externally imposed obligations to crowd out deliberate choice about what actually matters most.</p><p>Thucydides, writing of Athens and Sparta, reminds us that even the most rational actors are ultimately driven by fear, honour, and interest&#8212;a triad that still governs how boards, regulators, and executives respond to cyber risk under pressure.</p><h3>The Board-Level Postscript</h3><p>For those at the executive level, the distinction between these layers is the difference between governance and interference. A mature cyber function should not be judged by the absence of issues but by the presence of clear, calm, and coherent decision-making under constraint.</p><p>When the board asks, &#8220;Are we secure?&#8221;, they are asking a tactical question that invites a defensive answer. The more sophisticated enquiry&#8212;the one that drives real value&#8212;is: &#8220;Are we managing digital risk in a way that supports our risk appetite and business objectives?&#8221; This requires clarity on three things:</p><ol><li><p><strong>Materiality:</strong> Which systems would cause genuine, material harm if lost? If everything is a priority, nothing is.</p></li><li><p><strong>Explicit Trade-offs:</strong> Every control introduces friction. We must be honest about where we are choosing speed over security and why that choice is justified.</p></li><li><p><strong>Trajectory over Activity:</strong> Metrics should indicate whether we are becoming more resilient to the losses that matter, not just how many &#8220;activities&#8221; we performed this quarter.</p></li></ol><p>If cybersecurity is to mature as a business discipline, it must reclaim its classical lineage. We do not need louder dashboards or faster responses; we need clearer thinking about what matters and the discipline to leave the rest behind. This kind of thinking is slower; it does not reward short attention spans, and in an era of digital volatility, that is precisely why it is our only real competitive advantage.</p><h2>Further Reading: Strategic Lineage, Not Cyber Canon</h2><p>The argument in this piece does not originate in cybersecurity. It draws instead from a longer tradition of strategic thought concerned with power, constraint, uncertainty, and human behaviour under pressure. For readers who wish to explore that lineage more deeply, the following works are particularly instructive.</p><p>They are not recommended as military texts but as <strong>guides to judgement</strong> in complex, regulated, and adversarial environments.</p><p><strong>The Art of War (&#23385;&#23376;&#20853;&#27861; / </strong><em><strong>Sun Zi Bing Fa</strong></em><strong>)</strong><br>Sun Zi&#8217;s enduring relevance lies not in tactics, but in orientation. His central insight is that outcomes are shaped less by effort than by conditions: terrain, timing, asymmetry, and perception. In modern organisational terms, this translates to understanding which constraints matter, which risks can be shaped rather than eliminated, and where indirect advantage is preferable to direct confrontation.<br>For accessibility and modern context, Anthony Cummins&#8217; interpretation is particularly readable. For those interested in fidelity and nuance, bilingual editions with side-by-side Chinese and English text offer valuable insight into Sun Zi&#8217;s emphasis on judgement over prescription.</p><p><strong>On War &#8211; Carl von Clausewitz</strong><br>Clausewitz is often misunderstood as a theorist of violence rather than a philosopher of constraint. His concepts of friction, fog, and the subordination of action to political purpose are directly applicable to contemporary organisations operating under regulatory pressure, resource scarcity, and imperfect information. His work explains why well-intentioned plans fail in execution and why coherence matters more than precision. <em>On War</em> rewards slow reading and resists simplification, much like the environments it describes.</p><p><strong>Good Strategy Bad Strategy &#8211; Richard Rumelt</strong><br>Rumelt provides a modern, unsentimental articulation of strategy stripped of mystique. His framing of strategy as diagnosis, guiding policy, and coherent action is especially relevant to cyber and governance contexts, where activity often substitutes for thought. This work is invaluable for distinguishing genuine strategy from ambition, slogans, or accumulated effort. For boards and executives, it offers a practical language for challenging &#8220;busy&#8221; programmes that lack a clear theory of value.</p><p><strong>The Prince &#8211; Niccol&#242; Machiavelli</strong><br>Machiavelli is best read not as a moral provocateur, but as a realist observer of power, legitimacy, and institutional survival. His insights into appearance, authority, and the gap between intent and outcome remain highly relevant to executives navigating stakeholder expectations, regulatory scrutiny, and reputational risk. Where Sun Zi focuses on terrain, Machiavelli reminds us that perception itself is terrain, and that leaders are often judged less by outcomes than by how their decisions are understood.</p><p><strong>History of the Peloponnesian War &#8211; Thucydides</strong><br>Thucydides offers perhaps the clearest account of how rational actors behave under pressure. His framing of decision-making as a tension between fear, honour, and interest explains why organisations frequently act against their own stated preferences during crises. For boards and regulators confronting cyber risk, this work is particularly illuminating. It should be read not as military history, but as a study of governance, escalation, and institutional behaviour in conditions of uncertainty.</p><p>Taken together, these texts converge on a single insight: <strong>strategy is not the accumulation of activity, but the disciplined management of power and constraint</strong>. They remind us that the hardest part of leadership is rarely execution itself, but deciding what is worth executing, in what order, and at what cost.</p><p>That challenge has not changed in two millennia. Only the terrain has.</p>]]></content:encoded></item><item><title><![CDATA[The Great Realignment: America’s Strategic Pivot from Global Guardian to Hemispheric Power]]></title><description><![CDATA[Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/the-great-realignment-americas-strategic</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/the-great-realignment-americas-strategic</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Mon, 08 Dec 2025 11:38:18 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!TdsA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p><strong>Author&#8217;s Note:</strong> Geography dictates perspective. Viewed from Washington, the Indo-Pacific is a priority theatre. Viewed from where I sit in Australia, it is simply the neighbourhood. I am writing this analysis from Melbourne &#8211; the southern anchor of the Indo-Pacific &#8211; looking north. This is not a critique of American strategy but an assessment of what that strategy means for those of us living in its new architecture.</p><p><strong>Executive Summary</strong></p><ul><li><p><strong>The Shift:</strong> The 2025 National Security Strategy (NSS) signals a structural move from global policing to &#8220;Hemispheric Consolidation&#8221;.</p></li><li><p><strong>The Metric:</strong> Industrial capacity and digital sovereignty have replaced soft power as the primary measures of national interest.</p></li><li><p><strong>The Action:</strong> For Australian executives, &#8220;efficiency&#8221; (Just-in-Time) must be replaced by &#8220;survivability&#8221; (resilience) in supply chains and digital architecture.</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TdsA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TdsA!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 424w, https://substackcdn.com/image/fetch/$s_!TdsA!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 848w, https://substackcdn.com/image/fetch/$s_!TdsA!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!TdsA!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TdsA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png" width="1456" height="813" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:813,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:5947883,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/181028527?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TdsA!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 424w, https://substackcdn.com/image/fetch/$s_!TdsA!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 848w, https://substackcdn.com/image/fetch/$s_!TdsA!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!TdsA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5de4ba4-cbcd-4f68-9749-d573748ddde7_2752x1536.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Most commentary on the 2025 U.S. National Security Strategy repeats the same shallow refrains: &#8220;America First&#8221;, &#8220;protectionism&#8221;, and &#8220;isolationism&#8221;.</p><p>That&#8217;s theatre.</p><p>The real shift is structural: the United States has ended its post&#8211;Cold War role as global guardian and is reorganising its power for a world it no longer believes it can manage.</p><p>Washington is not withdrawing. It is reprioritising, and the order of priorities is now explicit:</p><ol><li><p><strong>Hemispheric Pre-eminence</strong></p></li><li><p><strong>Industrial and Digital Sovereignty</strong></p></li><li><p><strong>Selective Indo-Pacific Competition</strong></p></li><li><p><strong>Conditional Support to Europe</strong></p></li></ol><p>Everything else is optional.</p><p>For Australia and the broader Asia-Pacific, this isn&#8217;t a political debate. It&#8217;s the new strategic terrain. </p><p>The US National Security Strategy can be downloaded from the Whitehouse website: https://www.whitehouse.gov/wp-content/uploads/2025/12/2025-National-Security-Strategy.pdf</p><h3>What the NSS Actually Says</h3><p>The document is clearer than most analysts seem comfortable admitting.</p><p><strong>1. The Western Hemisphere becomes non-negotiable</strong></p><blockquote><p>&#8220;After years of neglect, the United States will reassert and enforce the Monroe Doctrine to restore American preeminence in the Western Hemisphere... This &#8216;Trump Corollary&#8217; to the Monroe Doctrine is a common-sense and potent restoration of American power and priorities, consistent with American security interests.&#8221; (p. 15)</p></blockquote><p>Preeminence. The NSS uses this term for no other region. The Western Hemisphere gets &#8220;pre-eminence.&#8221; The Indo-Pacific gets &#8220;compete successfully&#8221;. Europe gets questioned on whether it will remain &#8220;reliable&#8221;.&#8221;</p><p>This is the one region where Washington insists on primacy rather than partnership.</p><p><strong>2. Europe is downgraded from pillar to problem</strong></p><blockquote><p>&#8220;Should present trends continue, the continent will be unrecognizable in 20 years or less. As such, it is far from obvious whether certain European countries will have economies and militaries strong enough to remain reliable allies.&#8221; (p. 25)</p></blockquote><p>The burden-shifting is equally direct:</p><blockquote><p>&#8220;The days of the United States propping up the entire world order like Atlas are over. We count among our many allies and partners dozens of wealthy, sophisticated nations that must assume primary responsibility for their regions.&#8221; (p. 12)</p></blockquote><p>This isn&#8217;t a Trump flourish. It&#8217;s a strategic judgement about declining European capability.</p><p><strong>3. Industrial and digital sovereignty are the new foundations of power</strong></p><blockquote><p>&#8220;We want the world&#8217;s most robust industrial base. American national power depends on a strong industrial sector capable of meeting both peacetime and wartime production demands... Cultivating American industrial strength must become the highest priority of national economic policy.&#8221; (p. 4)</p></blockquote><p>Not <em>a</em> priority. <em>The</em> highest priority.</p><p>Digital infrastructure appears throughout the document not as a tech issue but as a geopolitical instrument:</p><blockquote><p>&#8220;We should... harden existing and future cyber communications networks that take full advantage of American encryption and security potential.&#8221; (p. 18-19)</p><p>&#8220;The U.S. Government&#8217;s critical relationships with the American private sector help maintain surveillance of persistent threats to U.S. networks, including critical infrastructure. This in turn enables the U.S. Government&#8217;s ability to conduct real-time discovery, attribution, and response (i.e., network defense and offensive cyber operations) while protecting the competitiveness of the U.S. economy.&#8221; (p. 21-22)</p></blockquote><p>Notice the framing: network defence enables economic competitiveness, which enables sustained deterrence.</p><p>The Intelligence Community is explicitly tasked to <em>&#8220;monitor key supply chains and technological advances around the world to ensure we understand and mitigate vulnerabilities and threats to American security and prosperity.&#8221;</em> (p. 13)</p><p>This is the core insight: geopolitical autonomy now depends on digital and industrial control.</p><p>You cannot deter if you cannot produce.</p><p>You cannot compete if your networks leak.</p><p>You cannot act if your supply chain is captured.</p><p><strong>4. Cyber is not a domain &#8212; it is the glue</strong></p><p>The NSS treats cyber operations as the connective tissue between economic competitiveness, industrial capacity, and strategic deterrence.</p><p>Conventional cybersecurity discourse treats these as separate concerns&#8212;industrial policy over here, network defence over there, supply chain risk as a third bucket. The NSS reveals they&#8217;re the same constraint operating at different scales.</p><h3>Three Futures the NSS Actually Points To</h3><p>Applying a structural realist lens&#8212;incentives, constraints, capability, bureaucracy, digital infrastructure&#8212;the document logically resolves into three plausible futures.</p><p><strong>I. Fortress Hemisphere, Forward Asia</strong></p><p>This is the NSS executed faithfully.</p><p>U.S. dominance in the Americas is secured through port control, telecom control, energy control, and digital-network hardening. The &#8220;Trump Corollary&#8221; becomes operational: non-hemispheric competitors are systematically denied the ability to <em>&#8220;position forces or other threatening capabilities, or to own or control strategically vital assets, in our Hemisphere.&#8221;</em> (p. 15)</p><p>Reindustrialisation is treated not as policy, but as strategy. In the Indo-Pacific, the American posture shifts from patrol to denial. The NSS frames this as building <em>&#8220;a military capable of denying aggression anywhere in the First Island Chain&#8221;</em> while pressing allies to <em>&#8220;allow the U.S. military greater access to their ports and other facilities, to spend more on their own defense, and most importantly to invest in capabilities aimed at deterring aggression.&#8221;</em> (p. 24)</p><p>The goal is not &#8220;stability&#8221;&#8212;it is to deny adversaries the strategic space to coerce.</p><p>Allies are explicitly told to spend more, carry more, and integrate more. The Hague Commitment&#8212;requiring NATO countries to spend 5% of GDP on defence&#8212;signals the expectation level. This is not abandonment&#8212;it&#8217;s burden reallocation.</p><ul><li><p><strong>Implications for Australia:</strong> Alignment strengthens deterrence but raises cost: critical minerals pressure, cyber and intelligence integration, export-control alignment, increased operational expectations. The risk is volatility, not withdrawal. If U.S. politics fracture, the machinery of this strategy can stall.</p></li></ul><p><strong>II. The Splintered West</strong></p><p>If Europe reads the NSS assessment&#8212;that the continent <em>&#8220;will be unrecognizable in 20 years&#8221;</em>&#8212;as abandonment rather than challenge, it accelerates toward uneven strategic autonomy.</p><p>The NSS acknowledges this possibility by noting that <em>&#8220;many of these nations are currently doubling down on their present path&#8221;</em> of regulatory suffocation and declining competitiveness.</p><p>Beijing fills the economic and infrastructure vacuum. Moscow expands grey-zone operations. Regulatory divergence fractures the coherence of the Western alliance. This isn&#8217;t ideological &#8212; it&#8217;s structural entropy.</p><ul><li><p><strong>Implications for Australia:</strong> This is the most dangerous world for Canberra. U.S. dependence becomes absolute. Regulatory incoherence forces technical and architectural lock-ins. Fragmented threat models mean misaligned cyber thresholds and inconsistent crisis responses. This is how geopolitical constraints become technical constraints&#8212;you can&#8217;t fix cyber risk when the geopolitical layer determines which vendors, standards, and architectures are even available.</p></li></ul><p><strong>III. Transactional Balance</strong></p><p>A tense, workable equilibrium.</p><p>The U.S. holds the hemisphere. China competes without risking war. Europe muddles through a semi-autonomous middle posture. The NSS envisions this when it states: <em>&#8220;If America remains on a growth path... we should be headed from our present $30 trillion economy in 2025 to $40 trillion in the 2030s.&#8221;</em> (p. 20)</p><p>Tech decoupling slows into &#8220;managed divergence.&#8221; Supply chains diversify rather than relocate entirely. The document&#8217;s call to <em>&#8220;re-secure our own independent and reliable access&#8221;</em> becomes operational through friendshoring, not full reshoring.</p><p>Cyber becomes the pressure valve: espionage as constant background radiation, coercive signalling when needed, but no state willing to trigger systemic escalation.</p><ul><li><p><strong>Implications for Australia:</strong> This is the &#8220;permanent turbulence&#8221; scenario. Efficiency gives way to optionality. Boards must design for resilience, not optimisation: multi-cloud, multi-stack architectures; diversified supply chains; sovereign intelligence and cyber capability; and capital flexibility. Shocks aren&#8217;t anomalies in this future&#8212;they&#8217;re the operating climate. Planning assumes volatility, not stability returning.</p></li></ul><h3>The Australian Imperative: Trust Requires Resilience</h3><p>Across all futures, the prescription is identical.</p><h4>1. Capability over symbolism</h4><p>Deterrence is missiles, sensors, cyber persistence, and industrial output. Not procurement theatre promising submarines in 2045. The NSS is explicit: &#8220;A strong, capable military cannot exist without a strong, capable defense industrial base.&#8221; (p. 14)</p><h4>2. Digital and industrial sovereignty are national-security functions</h4><p>You don&#8217;t control risk when adversaries control your infrastructure. You don&#8217;t have autonomy if your supply chain lives offshore.</p><p>When the U.S. demands that allies <em>&#8220;align their export controls with ours,&#8221;</em> it&#8217;s identifying the mechanism of constraint. Digital infrastructure that runs through adversary-controlled nodes isn&#8217;t a risk to be managed&#8212;it&#8217;s a structural dependency that limits sovereign action.</p><h4>3. Hedging is discipline, not indecision</h4><p>Middle powers survive by keeping options open, not by betting the country on a single technology stack or alliance assumption. As the U.S. reprioritises (hemisphere first, selective Indo-Pacific engagement), as China adapts its strategy, and as Europe drifts, locking into a single market, technology stack, or alliance narrative becomes dangerous.</p><h3>The Realist Corrective</h3><p>Whether one approves of Washington is irrelevant.</p><p>The NSS reflects the real American condition: the U.S. will still lead, but only where leading aligns with its hierarchy of interests.</p><p>The document is explicit about this shift, acknowledging that &#8220;American strategies since the end of the Cold War have fallen short&#8221; because elites <em>&#8220;badly miscalculated America&#8217;s willingness to shoulder forever global burdens.&#8221;</em> (p. 1)</p><p>For Australia, the consequence is decisive: we can no longer plan around what America promises&#8212;only around what America prioritises.</p><p>And what America prioritises, per the NSS, is in this order:</p><ol><li><p><strong>&#8220;Preeminence in the Western Hemisphere&#8221;</strong></p></li><li><p><strong>&#8220;Halt and reverse the ongoing damage... to the American economy&#8221;</strong></p></li><li><p><strong>&#8220;Support our allies&#8221;</strong></p></li></ol><p>This matters for security leaders because <strong>you cannot build digital trust on fragile geopolitical foundations.</strong> When the NSS positions the industrial base as <em>&#8220;the highest priority of national economic policy&#8221;</em> and network defence as a prerequisite for <em>&#8220;protecting the competitiveness of the U.S. economy,&#8221;</em> it reveals the causal chain:</p><p><strong>Geopolitics &#8594; Industrial Capacity &#8594; Digital Infrastructure &#8594; Strategic Autonomy</strong></p><p>When any link in this chain breaks&#8212;geopolitical fragmentation, industrial dependencies, compromised digital infrastructure&#8212;strategic autonomy collapses.</p><p>The NSS makes explicit what cyber discourse usually ignores: you cannot secure what you do not control, and you cannot control what you do not build.</p><p>The NSS lays out those priorities with unusual clarity. Ignoring them would be a strategic error we may not get to make twice.</p>]]></content:encoded></item><item><title><![CDATA[Why Western Strategic Models Keep Misreading China]]></title><description><![CDATA[Misreading China in geopolitics leads to misreading China in cyber.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/why-western-strategic-models-keep</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/why-western-strategic-models-keep</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 07 Dec 2025 01:47:11 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!nWW_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p><em><br>I have been travelling to China for more than twenty years and studied its cyber policy during my master&#8217;s degree. I am also married into a Chinese family, which means many of my geopolitical debates take place at the dinner table. None of this makes me an oracle, but it does mean I try to see China as it actually functions rather than as Western narratives prefer to imagine it. Our biggest analytical failure is not that we underestimate China or overestimate it. The real issue is that we rely on the wrong model entirely.</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!nWW_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!nWW_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 424w, https://substackcdn.com/image/fetch/$s_!nWW_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 848w, https://substackcdn.com/image/fetch/$s_!nWW_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 1272w, https://substackcdn.com/image/fetch/$s_!nWW_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!nWW_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png" width="2542" height="1179" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1179,&quot;width&quot;:2542,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:4336306,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/180925109?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5453101e-63cb-40a9-b02a-798d2f089703_2752x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!nWW_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 424w, https://substackcdn.com/image/fetch/$s_!nWW_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 848w, https://substackcdn.com/image/fetch/$s_!nWW_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 1272w, https://substackcdn.com/image/fetch/$s_!nWW_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27817514-46e9-4986-b855-53b5a5eaec21_2542x1179.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><em><strong>&#8220;Same reality. Different measurements. Wrong models.&#8221;</strong></em></p><h3><strong>A Note on Analytical Stance</strong></h3><p>Explaining how China works is not the same as endorsing it. Understanding strategic logic is not agreement with policy outcomes. If the model is wrong, the strategy that flows from it will be wrong as well. What follows is an attempt to replace rhetoric with a clearer view of interests, incentives and capabilities. The West keeps misreading China for one reason: we treat a fragmented, adaptive system as if it were either omnipotent or terminally weak. It is neither.</p><div><hr></div><h2><strong>The Capability and Perception Gap</strong></h2><p>Commentary in the West often swings between two equally misleading caricatures. In one direction China is cast as a master planner with perfect coordination and unlimited ambition. In the other it is described as a brittle autocracy that is one shock away from collapse. Neither view survives even basic scrutiny.</p><p>China&#8217;s system can deliver world-class capability while producing world-class blunders on the same day. Capacity is enormous. Competence is uneven. That distinction is the blind spot in most Western analysis. Anyone who has worked inside a complex institution will recognise the pattern. If we want more effective strategy in Australia, the United States or anywhere else navigating this landscape, we need a model that reflects how the system actually works. At the moment we are measuring the wrong thing.</p><div><hr></div><h2><strong>Why This Matters for Cyber</strong></h2><p>Western threat modelling often exaggerates China&#8217;s internal coordination and underestimates the degree of fragmentation inside the system. This creates two predictable errors. We prepare for centralised campaigns that never appear and we underprepare for persistent and opportunistic activity that does.</p><p>Some intelligence teams have already adjusted to this reality, but it has not yet shaped the wider strategic conversation. If you imagine a perfectly unified adversary, you will misread both strengths and vulnerabilities. In cyberspace those misreads come with real consequences.</p><p>Western cyber frameworks still assume a level of central coordination that rarely exists. Much of China&#8217;s cyber activity looks less like a grand campaign and more like hundreds of operational units pursuing overlapping mandates with uneven skill and intermittent direction. Some act on strategic guidance, others on bureaucratic incentives or local opportunity. If you model this as a single adversary with perfect alignment, you&#8217;ll misread both tempo and intent &#8212; and your defences will be postured for the wrong fight.</p><div><hr></div><h2><strong>1. China&#8217;s Stability and the Performance Mandate</strong></h2><p>China&#8217;s stability is not the product of fear alone. The Party has a performance mandate and for four decades it has delivered enough to maintain broad support. When performance falters the system feels it. The Great Leap Forward, the Cultural Revolution and the sudden reversal of Zero COVID remain reminders of what happens when the mandate breaks. The Party governs with these lessons in view.</p><p>Life expectancy has risen from the low forties in the early years of the People&#8217;s Republic to the high seventies today. Hundreds of millions have been lifted from absolute poverty. Investments in health, education and infrastructure have shaped the lived experience of several generations.</p><p>Survey data is imperfect but consistent. It shows a population that recognises material progress even if it is critical of local officials or specific policies.</p><p>This stability is real, but it is not absolute. Demographic decline, property market stress and debt accumulation have created a more complex outlook. A realistic model acknowledges both stability and strain. Assuming imminent collapse is comforting, but it is not analysis. Systems can be strained and stable at the same time.</p><p>Performance legitimacy also does not operate in isolation. It is reinforced by information controls that narrow the range of public narratives. Ignoring this creates a distorted picture, but so does pretending information control alone explains stability. Both matter.</p><div><hr></div><h2><strong>2. The Myth of Strategic Omniscience</strong></h2><p>Western narratives often portray China as ruthlessly efficient and centrally guided. The evidence paints a more uneven picture.</p><p>The Belt and Road Initiative illustrates this clearly. It is sometimes described as a coherent geopolitical project and sometimes as a costly misadventure. In truth it is a mixture of strategic intent, bureaucratic friction and opportunistic adjustment.</p><p>Beijing wants influence. State owned enterprises often execute poorly. Local actors in partner countries exploit gaps for their own benefit. All of this can occur simultaneously.</p><p>This is not the behaviour of a perfectly coordinated adversary, but neither is it the behaviour of a failing one. It is the natural output of a large and uneven system where ministries, provinces, companies and political factions interact in unpredictable ways.</p><div><hr></div><h2><strong>3. Innovation and the Strategic Trajectory</strong></h2><p>China is often underestimated in the one area that will matter most for long term competition. Innovation.</p><p>China now spends more on research and development than the European Union and is closing in on the United States. Patent filings have surged and while raw volume does not capture quality, the scale shows a system that is learning, building and becoming structurally harder to ignore.</p><p>Made in China Twenty Twenty Five produced mixed results, but the deeper trajectory is clear. China is shifting from efficiency toward autonomy and resilience. This is most visible in semiconductors, artificial intelligence, biotechnology and clean energy.</p><p>China&#8217;s innovation model is also hybrid. It combines legitimate investment and scale advantages with ongoing technology acquisition through non market channels. Focusing only on intellectual property theft misses the real capacity being built. Ignoring the hybrid nature of the system misses how China actually learns.</p><p>The real shift is not that China copies less but that it learns faster. Its innovation model compounds scale, investment and strategic intent. That acceleration matters more than any single policy document Beijing publishes.</p><div><hr></div><h2><strong>4. The Sovereignty Bloc and Its Implications</strong></h2><p>China&#8217;s influence is often most visible not in military deployments but in voting patterns at the United Nations.</p><p>China anchors a broad coalition organised around a simple idea. Non interference. For many states in Africa, Southeast Asia, the Middle East, Central Asia and Latin America, this principle offers political insulation from external conditionality. Alignment inside this group is instrumental rather than ideological, but the incentive structure is durable.</p><p>This bloc is not uniform, but it is a structural feature of contemporary geopolitics and it shapes global governance in ways that Western analysts often underweight. For the West, this means the diplomatic operating environment is structurally less favourable than it was twenty years ago. Influence is no longer granted by default.</p><div><hr></div><h2><strong>5. The Limits of the Democracy and Autocracy Frame</strong></h2><p>Western analysis frequently defaults to a moral binary. Democracies behave one way and autocracies behave another. It is emotionally satisfying but strategically unhelpful.</p><p>If regime type explained behaviour, democratic states would not conduct surveillance on allies and autocratic states would not pursue trade agreements or avoid conflict. States act according to interests, incentives and constraints. Constitutional labels explain far less than people assume.</p><p>This is not an argument against democratic values. It is an argument for analytical precision. The better questions are simple.</p><p><em><strong>What does China want?<br>What can it realistically do?<br>What limits shape its decisions?</strong></em></p><p>Those questions produce strategy. Ideological labels produce noise.</p><div><hr></div><h2><strong>6. The Security Dilemma in Practice</strong></h2><p>From Beijing&#8217;s perspective its maritime posture is defensive. It wants to push United States forces further from its coastline, avoid encirclement and assert long standing claims.</p><p>From the perspective of its neighbours the same actions are coercive and destabilising.</p><p>Both views contain truth. Recognising this is not endorsement. It is analysis. Without that clarity every maritime dispute becomes a morality play instead of a strategic problem.</p><div><hr></div><h2><strong>7. The Real Blind Spot</strong></h2><p>Western models misread China because they begin with assumptions that do not hold.</p><p>They assume coherence where fragmentation is common.<br>They assume fragility where performance and control create resilience.<br>They assume strategic brilliance where improvisation explains more.<br>They assume ideological ambition where sovereignty is the real organising principle.</p><p>When the assumptions are wrong the strategy that follows will be wrong as well.</p><div><hr></div><h2><strong>8. What This Means for Strategy</strong></h2><p>A more realistic model requires several shifts.</p><p>Stop overestimating coherence. Fragmentation matters.<br>Stop underestimating stability. Resilience has deeper roots than many analysts admit.<br>Distinguish capacity from competence. China has enormous capability but uneven execution.<br>Treat sovereignty based alignment as a structural force, not a temporary coalition.<br>Anchor cyber and geopolitical strategy in incentive based analysis rather than ideological preference.</p><p>Threat inflation wastes resources. Threat blindness creates consequences.</p><div><hr></div><h2><strong>Closing Reflection</strong></h2><p>China is not collapsing and it is not on the verge of global dominance. It is behaving like a rising and insecure great power that wants space, insulation and the ability to shape its environment where it can.</p><p>Effective strategy starts with describing reality as it is, not as we wish it to be. Everything else is theatre. Strategic clarity beats strategic theatre. Every time.</p><div><hr></div><h3><strong>Author&#8217;s Note</strong></h3><p>A follow up essay will examine how these same modelling failures distort Western cyber strategy and how to build a more realistic threat framework.</p>]]></content:encoded></item><item><title><![CDATA[The CISO’s Dilemma: Operationalising Sovereign Technology Decisions in Private Sector Risk Frameworks]]></title><description><![CDATA[(Part of the &#8220;Five Forces Breaking the Digital Order&#8221; series)]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/the-cisos-dilemma-operationalising</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/the-cisos-dilemma-operationalising</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Fri, 28 Nov 2025 11:14:06 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!kP-f!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p>The message arrived from a good friend and colleague in Asia &#8212; a CISO at one of the region&#8217;s major banks.</p><p><em>&#8220;A lot of talk around sovereign tech, tech bifurcation etc but no real concrete so what for private organisations&#8230; I&#8217;m secretly hoping your next Substack will focus on this because there&#8217;s too much motherhood crap coming from media.&#8221;</em></p><p>He&#8217;s right. Governments across the Asia-Pacific are wrestling with sovereignty and vendor trust. Australia&#8217;s ASPI talks about &#8220;trusted tech ecosystems&#8221;. The United States actively weaponises export controls. The European Union builds sovereignty through regulation. Meanwhile, CISOs at banks, insurers, and telcos face vendor committees next Tuesday, making decisions that will lock in operational risk for the next decade.</p><p>The gap between policy discourse and operational necessity has never been wider, and this essay aims to bridge that divide.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kP-f!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kP-f!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 424w, https://substackcdn.com/image/fetch/$s_!kP-f!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 848w, https://substackcdn.com/image/fetch/$s_!kP-f!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 1272w, https://substackcdn.com/image/fetch/$s_!kP-f!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kP-f!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png" width="1024" height="552" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:552,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1277356,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/180165660?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F045b648b-0e1a-45d5-a6d4-04728cf4212a_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kP-f!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 424w, https://substackcdn.com/image/fetch/$s_!kP-f!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 848w, https://substackcdn.com/image/fetch/$s_!kP-f!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 1272w, https://substackcdn.com/image/fetch/$s_!kP-f!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc36a437a-88d2-41e6-9a1a-5ca07b75d799_1024x552.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>The Problem: Geopolitical Risk Without a Language</h2><p>Technology bifurcation, one of the <a href="https://geopoliticalcyber.substack.com/p/cybersecurity-at-the-digital-crossroads">Five Forces</a> I&#8217;ve argued is reshaping the digital order, is now a defining feature of the technology landscape. But recognising the trend doesn&#8217;t help a CISO explain to a CFO why vendor nationality matters or how to quantify the difference in exposure between cloud providers under different legal regimes.</p><p>Traditional enterprise frameworks measure financial stability, cyber maturity, and compliance. None translate jurisdictional exposure into risk appetite. When a board asks, &#8220;Why does it matter if our cloud is American, Chinese, or European?&#8221; most frameworks offer hand-waving.</p><p>The issue moved from theoretical to immediate in 2023 when Chinese state actors exploited a flaw in Microsoft&#8217;s cloud identity infrastructure, enabling access to senior US officials&#8217; emails. The subsequent review by the US Government&#8217;s Cyber Safety Review Board described &#8220;a cascade of avoidable security failures&#8221; at Microsoft. But the deeper lesson for CISOs was not simply technical; it was that large global vendors are subject to geopolitical incentives and legal systems that shape their threat profile. In other words, some vendors attract sovereign-level attention regardless of how strong their engineering is.</p><p>For Asia-Pacific firms operating under conflicting regulators &#8212; BNM, RBI, MAS, APRA, HKMA, BSP &#8212; this becomes existential. Technology choices made today embed structural dependencies that will persist long after the procurement team has moved on. Cloud computing, identity, and communications platforms define operational sovereignty in ways that few organisations fully confront.</p><h2>Beyond Binary Thinking: A Framework for Vendor Geopolitical Risk</h2><p>The real question isn&#8217;t &#8220;Which country&#8217;s technology should we trust?&#8221;<br>It&#8217;s: </p><p><strong>What risks arise from this vendor&#8217;s legal obligations, given the sensitivity of the system and the geopolitical exposure of the organisation&#8212;and how can these risks be mitigated?</strong></p><p>A pragmatic framework rests on four dimensions:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!FNUV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!FNUV!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 424w, https://substackcdn.com/image/fetch/$s_!FNUV!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 848w, https://substackcdn.com/image/fetch/$s_!FNUV!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 1272w, https://substackcdn.com/image/fetch/$s_!FNUV!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!FNUV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png" width="1764" height="565" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:565,&quot;width&quot;:1764,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:156509,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/180165660?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9579bab4-8d83-4b7f-93f7-38d86f5fe182_1764x722.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!FNUV!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 424w, https://substackcdn.com/image/fetch/$s_!FNUV!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 848w, https://substackcdn.com/image/fetch/$s_!FNUV!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 1272w, https://substackcdn.com/image/fetch/$s_!FNUV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4ab251e-9633-4b51-b36a-fc441f9bba95_1764x565.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3>Worked Example: Singapore-Based Bank, 2025</h3><p><strong>Scenario:</strong> Migration of a core payments platform &#8212; AWS Singapore vs Huawei Cloud Hong Kong.<br><strong>Criticality/Sensitivity:</strong> High-High (real-time payments, regulated data).</p><p><strong>Vendor Jurisdictions:</strong></p><ul><li><p>AWS &#8594; subject to U.S. CLOUD Act.</p></li><li><p>Huawei &#8594; subject to PRC National Intelligence Law &amp; Data Security Law.</p></li></ul><p><strong>Organisational Exposure:</strong> Operates in Singapore and Australia; no mainland China footprint; under MAS and APRA supervision.</p><p><strong>Mitigations:</strong></p><ul><li><p>External key management</p></li><li><p>MAS-aligned data localisation</p></li><li><p>Tested regional failover</p></li></ul><p><strong>Assessment:</strong><br>AWS introduces U.S. legal reach; Huawei introduces PRC data-access exposure. Under MAS/APRA mapping, U.S. exposure is manageable with external KMS. PRC exposure is not acceptable for a High-High financial system.</p><p><strong>Decision:</strong><br>Proceed with AWS plus mitigations.</p><ul><li><p><strong>Cost:</strong> +22% vs single vendor</p></li><li><p><strong>Resilience:</strong> ~3&#215; RTO improvement (24h &#8594; 8h)</p></li></ul><p>This is what geopolitical risk looks like when translated into an operational decision.</p><h2>Translating Framework to Risk Appetite</h2><p>Boards don&#8217;t need another sentence about having a &#8220;low appetite&#8221; for foreign influence. They need <strong>decision gates</strong>.</p><h3><strong>High-High Systems</strong></h3><ul><li><p>Vendor jurisdiction must align with at least two primary regulatory regimes</p></li><li><p>Encryption keys must be externalised</p></li><li><p>Annual failover and portability testing</p></li><li><p>Transparent reporting of government data requests</p></li></ul><h3><strong>High-Low Systems</strong></h3><ul><li><p>Multi-cloud or regional redundancy preferred</p></li><li><p>Portability and continuity clauses required</p></li></ul><h3><strong>Low-Criticality Systems</strong></h3><ul><li><p>Traditional commercial and technical assessment</p></li><li><p>Jurisdiction as a secondary consideration</p></li></ul><p>This turns geopolitical noise into something a board can govern.</p><h2>The Financial Services Layer: Supervisory Fractures</h2><p>Regulators across the region are diverging, not converging:</p><ul><li><p><strong>MAS (Singapore):</strong> Cloud-pragmatic, resilience-focused, strong on exit planning.</p></li><li><p><strong>APRA (Australia):</strong> CPS 230 heightens scrutiny on offshore dependencies and material service providers.</p></li><li><p><strong>HKMA (Hong Kong):</strong> Sensitive to data flows that may be accessible from mainland China.</p></li></ul><p>A regional bank must therefore design for <strong>regulatory interoperability</strong>, not regulatory uniformity.</p><ul><li><p><strong>Regulatory mapping:</strong> Understand divergence in localisation, sovereignty, and resilience.</p></li><li><p><strong>Architecture by jurisdiction:</strong> e.g., regional cloud for MAS markets; hybrid with externalised KMS for APRA markets.</p></li><li><p><strong>Supervisor engagement:</strong> Seek alignment before deploying critical workloads.</p></li><li><p><strong>Audit trail:</strong> Document how geopolitical risks were assessed, mitigated, and accepted.</p></li></ul><h2>Expanding the Options: Beyond the US&#8211;China Binary</h2><p>The US&#8211;China vendor dichotomy obscures more strategic choices than it reveals. It&#8217;s a framing that dominates the headlines but rarely helps boards or CISOs make operational decisions.</p><p>In my analysis of the uBios development and other arguments, I have shown that <strong>origin is a blunt and misleading proxy for risk</strong>. A Chinese vendor operating in Singapore, a US vendor operating in Frankfurt, and an EU vendor operating in Australia all carry <strong>extraterritorial legal exposure</strong>. The risks differ &#8212; but not in the simplistic &#8220;country-of-origin = trustworthiness&#8221; way the public debate assumes. Jurisdiction, legal obligations, and system criticality matter far more than flags or sentiment. This is why a framework-based approach beats ideology every time.</p><p>With that in mind, the real choice set is broader:</p><p><strong>Sovereign cloud alternatives</strong><br><strong>Australia: </strong>AUCloud (Sovereign Cloud Australia) and Canberra Data Centres offer Australian ownership and in-country operations, reducing foreign legal exposure. Trade-offs: limited scale and service breadth versus hyperscalers, especially for advanced analytics and AI.</p><p><strong>Singapore: </strong>Government Commercial Cloud (GCC/GCC+) provides government-orchestrated environments on commercial clouds with Singapore-only regions and sector-specific compliance for public sector workloads.</p><p>Both models reduce but don&#8217;t eliminate cross-border legal risk while constraining capability compared to global platforms.</p><p><strong>Alliance-based trust frameworks</strong><br>AUKUS, EU&#8211;US adequacy arrangements, and Five Eyes-aligned assurance models</p><ul><li><p>Lower friction for specific data classes</p></li><li><p>Highly sector-dependent (especially defence, national security)</p></li></ul><p><strong>Open-source and self-managed models</strong><br>Kubernetes/OpenStack on sovereign compute</p><ul><li><p>Maximum jurisdictional independence</p></li><li><p>High operational complexity and cost</p></li></ul><p>Each option still requires evaluation across the same four dimensions: system criticality, vendor jurisdiction, organisational exposure, and mitigation.</p><h2>From Framework to Tools</h2><h3><strong>1. Vendor Geopolitical Risk Scorecard</strong></h3><p>Ten practical lenses:<br>legal compulsion &#183; transparency &#183; regulator alignment &#183; portability &#183; resilience &#183; sector targeting &#183; supply-chain opacity &#183; financial durability &#183; incident behaviour &#183; exit cost/time</p><h3><strong>2. Technology Estate Classification Matrix</strong></h3><p>Classify all systems by <strong>criticality &#215; sensitivity</strong> to trigger differentiated vendor requirements.</p><h3><strong>3. Strategy Comparison: Cost&#8211;Resilience Trade-Offs</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!UgI9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!UgI9!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 424w, https://substackcdn.com/image/fetch/$s_!UgI9!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 848w, https://substackcdn.com/image/fetch/$s_!UgI9!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 1272w, https://substackcdn.com/image/fetch/$s_!UgI9!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!UgI9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png" width="1668" height="418" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:418,&quot;width&quot;:1668,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:95341,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/180165660?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbccd55da-4030-41c2-8e96-a1f05f632cbc_1668x594.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!UgI9!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 424w, https://substackcdn.com/image/fetch/$s_!UgI9!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 848w, https://substackcdn.com/image/fetch/$s_!UgI9!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 1272w, https://substackcdn.com/image/fetch/$s_!UgI9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c5a744b-901a-403b-b773-7b5861a9b4d1_1668x418.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>4. Scenario Planning</strong></h3><p>Stress-test vendor choices against plausible shocks:</p><ul><li><p>CLOUD Act subpoena</p></li><li><p>PRC DSL/NIL enforcement abroad</p></li><li><p>CPS 230 interpretations</p></li><li><p>Taiwan/Philippines escalation</p></li><li><p>Supply-chain ransomware attack on a major cloud provider</p></li></ul><h2>Indicators to Watch (2026&#8211;27)</h2><ol><li><p>CLOUD Act case law on overseas data production</p></li><li><p>First PRC Data Security Law enforcement involving non-Chinese entities</p></li><li><p>APRA&#8217;s CPS 230 guidance on offshore dependency</p></li><li><p>Legal durability of the EU&#8211;US Data Privacy Framework</p></li><li><p>AUKUS implementation for data handling and tech-sharing</p></li><li><p>RCEP digital harmonisation trends across ASEAN</p></li></ol><p>As these factors change, your vendor risk posture will change accordingly.</p><h2>The CISO as Geopolitical Risk Manager</h2><p>Technology bifurcation has quietly turned CISOs into interpreters of geopolitics. We still manage cyber resilience, but now we also arbitrate between legal systems, evaluate jurisdictional incentives, and design around geopolitical exposure.</p><p>It&#8217;s shared work:</p><ul><li><p>Boards must understand why jurisdiction matters</p></li><li><p>Executives must accept cost&#8211;complexity trade-offs</p></li><li><p>Risk teams must integrate geopolitical exposure into frameworks</p></li></ul><p>Different organisations, such as a bank in Melbourne, a fintech in Jakarta, or an insurer in Hong Kong, will establish different boundaries, but they all stand to gain from transforming rhetoric into measurable, defensible criteria.</p><p>My next piece in this series will transform this framework into a concrete scorecard and a board-ready appetite dashboard&#8212;practical tools designed to make sovereign technology decisions both repeatable and defensible.</p><h2>Closing Thought</h2><p>The vendor committee meets next Tuesday. The cloud business case goes to the board next month. Geopolitical risk isn&#8217;t a policy debate; it&#8217;s part of the operating environment.</p><p>Operational sovereignty isn&#8217;t declared; it&#8217;s engineered, and increasingly, that work starts with the CISO.</p><h2>References</h2><p>[1] Department of Homeland Security Cyber Safety Review Board, &#8220;Review of the Summer 2023 Microsoft Exchange Online Intrusion,&#8221; March 2024 </p><p>[2] Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 18 U.S.C. &#167; 2713, 2018 </p><p>[3] People&#8217;s Republic of China, National Intelligence Law (2017) and Data Security Law (2021) </p><p>[4] European Union, General Data Protection Regulation (GDPR) 2016/679 and Network and Information Security Directive (NIS2) 2022/2555 </p><p>[5] Monetary Authority of Singapore, &#8220;Technology Risk Management Guidelines,&#8221; January 2021 (updated June 2023) </p><p>[6] Australian Prudential Regulation Authority, &#8220;Prudential Standard CPS 230: Operational Risk Management,&#8221; effective July 2025 </p><p>[7] Australia-United Kingdom-United States Security Partnership (AUKUS), technology-sharing provisions announced September 2021, implementation ongoing</p>]]></content:encoded></item><item><title><![CDATA[Europe’s Spreadsheet Sovereignty: Can Procurement Policy Compete with China’s Firmware Control?]]></title><description><![CDATA[Writing on cyber operations, stragegy, statecraft, and geopolitics in a personal capacity.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/europes-spreadsheet-sovereignty-can</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/europes-spreadsheet-sovereignty-can</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Tue, 04 Nov 2025 12:00:26 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/52e135b3-a4f3-448c-8b22-ad5f87756a58_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p>In September, at the Gartner Global CISO Summit in New Orleans, I outlined five forces breaking the digital order. The fourth&#8212;<strong>technology bifurcation</strong>&#8212;described how sovereignty is no longer confined to borders or trade law but is now being written directly into silicon and standards. A few weeks later, China proved the point with the release of <strong>UBIOS</strong>, an indigenous firmware stack designed to eliminate foreign code from the most trusted layer of computing.</p><p>Now, Brussels has offered its response, not in firmware, but in spreadsheets.</p><p>The <strong>EU Cloud Sovereignty Framework (v1.2.1, October 2025)</strong> doesn&#8217;t control what code runs at boot time; it controls who gets paid. If a cloud provider fails the minimum SEAL level on even one of eight sovereignty objectives, it is disqualified from the &#8364;180-million initial procurement, no exceptions, no appeals, and no diplomatic courtesy. Where China hard-codes sovereignty into firmware, Europe encodes it into procurement rules. The intention is the same: define the boundary, make it measurable, and use it to reclaim strategic independence from external control.</p><p>The question is whether spreadsheet sovereignty can deliver what UBIOS hard-codes&#8212;strategic independence from foreign leverage, or whether it will accelerate the very fracture it hopes to prevent.</p><div><hr></div><h2><strong>The Framework Decoded</strong></h2><p>The Cloud Sovereignty Framework introduces <strong>Sovereignty Effectiveness Assurance Levels (SEAL-0 &#8594; SEAL-4)</strong>.</p><ul><li><p><strong>SEAL-0 &#8211; No Sovereignty:</strong> Services under exclusive non-EU control.</p></li><li><p><strong>SEAL-1 &#8211; Jurisdictional Sovereignty:</strong> EU law applies but enforcement is limited.</p></li><li><p><strong>SEAL-2 &#8211; Data Sovereignty:</strong> Material non-EU dependencies remain.</p></li><li><p><strong>SEAL-3 &#8211; Digital Resilience:</strong> Minimal external control.</p></li><li><p><strong>SEAL-4 &#8211; Full Digital Sovereignty:</strong> Complete EU control, no critical foreign dependencies.</p></li></ul><p>Each tenderer receives a <strong>Sovereignty Score</strong> weighted across eight objectives, and failing a minimum SEAL threshold on any single objective means automatic disqualification. Among those who qualify, the overall score influences award rankings.</p><p>On firmware, the framework examines the <em>&#8220;jurisdiction and provenance of embedded code controlling hardware&#8221;,</em> scrutinising CPUs, GPUs, storage, and network components for European origin or verifiable transparency. It&#8217;s <strong>UBIOS logic repurposed for procurement</strong>, where Beijing mandates indigenous firmware, and Brussels demands auditable provenance.</p><p>Encryption policy requires that <em>&#8220;only the customer, not the provider, has effective control over cryptographic keys.&#8221;</em> If U.S. law can compel a provider to surrender access, the service fails&#8212;no matter how strong its technical isolation.</p><p>Jurisdictional exposure is explicitly scored: the framework lists the <strong>U.S. CLOUD Act</strong> and <strong>Chinese Cybersecurity Law</strong> as examples of extraterritorial reach incompatible with higher SEAL levels. It names what diplomacy usually avoids: sovereignty cannot coexist with compulsory foreign legal access.</p><p>The framework came into effect through an initial six-year procurement for EU institutions, with up to four providers expected to win contracts between December 2025 and February 2026. It remains guidance rather than regulation, but it sets a precedent that could soon shape eligibility for all public-sector cloud tenders in Europe.</p><div><hr></div><h2><strong>The Lattice Test</strong></h2><p>The framework&#8217;s strategic test is straightforward: can Europe preserve interoperability while building resilience, or will its internal contradictions collapse the middle ground?</p><p>Brussels is trying to construct what might be called <strong>lattice logic</strong>&#8212;graduated thresholds that preserve cross-border operations while reducing critical dependencies. The SEAL system allows shades of sovereignty rather than a binary pass or fail. Weightings of 20 percent for supply chain, 15 percent each for operational, strategic, and technological sovereignty, and 10 percent for legal, data, and compliance objectives reveal a policy trying to balance ambition with realism. It is Europe&#8217;s attempt to build what I call the <strong>Strategic Lattice</strong>: a world in which geopolitical tension is managed through <em>minimum viable interoperability</em> instead of outright fragmentation.</p><p>Yet lattice stability depends on credible enforcement, and enforcement demands institutional backbone. The framework lacks the machinery that gives other EU regimes their power: no penalties, no designated authority, and no sustained technical-audit capacity. By comparison, <strong>GDPR</strong>, <strong>NIS2</strong>, and <strong>DORA</strong> all carry both enforcement and consequence; GDPR alone has produced over <strong>&#8364;5.6 billion</strong> in fines since 2018 [1]. Without similar mechanisms, the Cloud Sovereignty Framework risks becoming what critics already call <em>regulatory theatre</em>: architecturally sophisticated, operationally hollow.</p><p>Meanwhile, U.S. hyperscalers continue to localise at scale. <strong>AWS</strong> has committed &#8364;7.8 billion to its Brandenburg region [2]; <strong>Microsoft</strong>, over &#8364;20 billion in European infrastructure within sixteen months [3]; and <strong>Google</strong> has expanded sovereign partnerships with Thales and T-Systems [4]. These projects deliver local staffing, customer-held keys, and EU-incorporated entities, yet they remain legally American, still bound by the CLOUD Act. As one French MP observed during Senate testimony, <em>&#8220;A cloud can be in France and still answer to Washington.&#8221;</em> [5a]</p><p>Operational sovereignty can be engineered; jurisdictional sovereignty requires geopolitical leverage that Europe still lacks.</p><div><hr></div><h2><strong>The Delaware Problem</strong></h2><p>Consider an EU pharmaceutical company running high-value research workloads on Microsoft Azure Germany. Its data sits in Frankfurt, encryption keys are customer-controlled, and operations are handled by EU citizens employed by Microsoft Deutschland GmbH. On paper, it qualifies for SEAL-3.</p><p>Now imagine the U.S. Drug Enforcement Administration issues a CLOUD Act order to Microsoft Corporation in Delaware, demanding tenant-level access. Microsoft Deutschland asserts that German law prevents compliance, yet the parent company faces contempt charges if it refuses.</p><p>The framework anticipates such conflicts; it scores them at SEAL-1 or SEAL-2 depending on the degree of exposure but provides no circuit breaker, no adjudicator, and no tested fallback plan. The customer must either comply through its provider or migrate mid-crisis to a European vendor it has never validated.</p><p>This is operational sovereignty colliding with jurisdictional sovereignty. The framework can measure the gap, but it cannot close it. That limitation, more than any technical weakness, will determine whether Europe&#8217;s lattice holds or slides into a Red Zone of regulatory incompatibility.</p><div><hr></div><h2><strong>Enforcement, Markets, and the Math of Dependence</strong></h2><p>There is no enforcement body, no penalty structure, and no budget for technical verification; compliance simply determines who gets invited to bid.</p><p>The contrast with GDPR and NIS2 is stark&#8212;and so is the market reality. U.S. hyperscalers control roughly 70 percent of Europe&#8217;s &#8364;61 billion cloud market, while European providers hover around 15 percent [5]. Even perfect compliance cannot rebalance that scale. The graduated scoring is therefore a political compromise&#8212;an attempt to signal ambition without upending dependence.</p><p>The economics are no kinder. Achieving full digital sovereignty would cost around <strong>&#8364;3.6 trillion</strong> over a decade&#8212;twelve times more than a partnership model [6]&#8212;and likely leave Europe three technology generations behind its competitors. Spreadsheet sovereignty is cheaper than rebuilding the stack but still costly enough to test Europe&#8217;s fiscal patience.</p><div><hr></div><h2><strong>What Boards Should Do</strong></h2><p>Boards cannot legislate sovereignty, but they can design for it.</p><p><strong>Interrogate vendor SEAL claims.</strong> When a provider claims SEAL-3 compliance, ask which legal mechanism prevents CLOUD Act enforcement and how quickly it can respond to a non-EU order.</p><p><strong>Map workloads by sovereignty need.</strong> Identify which systems truly require SEAL-3 assurance and which can safely operate under SEAL-1 contracts.</p><p><strong>Engineer for migration speed.</strong> A multicloud strategy that cannot move a critical workload within 90 days is theatre, not resilience.</p><p><strong>Track policy as intelligence.</strong> Regulatory divergence is now as important an indicator as a state-sponsored intrusion.</p><p><strong>Push decision-making closer to the risk.</strong> Fragmented governance is slow governance; authority must sit where information concentrates.</p><p>The central question for executives is no longer <em>&#8220;Are we compliant?&#8221;</em> but <em>&#8220;Which dependencies can be weaponised against us, and how fast can we replace them?&#8221;</em></p><div><hr></div><h2><strong>The Bootloader of Procurement</strong></h2><p>Europe&#8217;s framework captures a broader truth: when a region cannot compete on innovation speed, it competes on governance reach. Whether that becomes strategic patience or strategic paralysis will depend on how quickly the framework grows teeth.</p><p><strong>UBIOS</strong> shows sovereignty imposed with binary clarity at the firmware layer; the EU&#8217;s framework shows sovereignty negotiated through twenty-seven democracies and filtered by trillion-dollar lobbyists&#8212;optional, gradual, and slow. Yet both rest on the same logic: <strong>when dependencies become weapons, control becomes currency.</strong> China chose architectural independence; Europe chose procurement governance. Neither guarantees resilience, but both recognise that sovereignty can no longer be deferred.</p><p>The crucial difference is enforceability. <strong>UBIOS</strong> is mandatory within Chinese jurisdiction, while the Cloud Sovereignty Framework remains voluntary guidance. One operates at the millisecond before an operating system loads; the other, at the months-long cadence of contract awards. The open question is whether procurement policy can ever deliver strategic effect when the infrastructure itself remains under foreign jurisdiction.</p><p>Australia faces a similar dilemma. The government&#8217;s <strong>Whole-of-Government Hosting Strategy</strong> and its <strong>AUD $2 billion Top Secret Cloud partnership with AWS</strong> [7] mirror Europe&#8217;s procurement-based approach: operational control is local, but jurisdictional control remains offshore. Canberra, like Brussels, is learning that sovereignty measured through procurement checklists is not the same as sovereignty enforced through law. Jurisdiction travels with the parent company, not the rack. The real test is whether Australia can build credible enforcement and domestic capability before legal dependence hardens into strategic vulnerability.</p><p>Europe&#8217;s wager is that measurement can substitute for power&#8212;an attempt to reverse-engineer leverage through rules and thresholds, much as <strong>Basel III</strong> once did for banking. Whether that preserves the Strategic Lattice or accelerates Red Zone drift will hinge on three indicators:</p><ol><li><p>Whether France, Germany, and the Netherlands make SEAL thresholds mandatory for national procurement by mid-2027.</p></li><li><p>Whether the Commission proposes an enforcement mechanism within eighteen months.</p></li><li><p>Whether any U.S. hyperscaler attains SEAL-4 by 2027&#8212;a near-impossibility that will reveal how much of this sovereignty is real and how much is theatre.</p></li></ol><p>In systems architecture, as in geopolitics, the winner is not the actor with the most elegant framework but the one still able to operate when frameworks collide.</p><div><hr></div><p><em><strong>John Ellis</strong> writes about the geopolitics of technology and cyber security at <strong>GeopoliticalCyber</strong>. The views expressed are his own.</em></p><div><hr></div><h2><strong>Sources</strong></h2><p>[1] DLA Piper, <em>GDPR Fines and Data Breach Survey</em>, Jan 2025; CMS Law, <em>GDPR Enforcement Tracker Report</em>, Mar 2025.<br>[2] AWS, <em>AWS plans to invest &#8364;7.8 billion into the AWS European Sovereign Cloud</em>, May 2024.<br>[3] Microsoft, <em>Landmark EU Data Boundary announcement</em>, Feb 2025.<br>[4] Google Cloud, <em>Advancing digital sovereignty on Europe&#8217;s terms</em>, Oct 2022; <em>Advances in sovereignty and security</em>, May 2025.<br>[5] Synergy Research Group data, 2025; Heise Online, July 2025.<br>[5a] French Senate hearing on Cloud Act implications, Paris, July 2024 (reported in <em>Le Monde</em> and <em>DCD</em>).<br>[6] CEPA, <em>Digital Sovereignty: Can Europe Afford It?</em>, Nov 2025.<br>[7] Australian Department of Defence, <em>AWS Top Secret Cloud Partnership</em>, July 2024; Office of National Intelligence, <em>TS Cloud Announcement</em>, July 2024.</p>]]></content:encoded></item><item><title><![CDATA[The Governance Paradox: Why Organisations Measure What’s Manageable, Not What Matters]]></title><description><![CDATA[Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/the-governance-paradox-why-organisations</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/the-governance-paradox-why-organisations</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 02 Nov 2025 11:44:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!rCF-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p>Years ago, I watched a board receive news that a key business system had been compromised only hours before their scheduled meeting. The CISO presented slides showing the breach resulted from an unpatched vulnerability, one that had appeared on the risk register as &#8220;medium&#8221; for six months. A non-executive director asked whether the breach represented a failure of basic hygiene. The CISO confirmed it did. The board chair reminded everyone that the organisation had no appetite for losses exceeding [a material threshold], a statement that had appeared verbatim in the minutes for the past eighteen months.</p><p>The discussion felt decisive. Nothing changed.</p><p>I&#8217;ve seen variations of this scene across financial services, healthcare, and critical infrastructure throughout my career. The language differs, but the pattern holds: boards accept measurements based on what can be easily reported rather than what fundamentally affects organisational resilience. Formal discussions appear robust, while the underlying measurement remains superficial. This is the essence of the governance paradox: the tendency to govern what is manageable rather than what is meaningful.</p><p>Boards are under growing pressure to demonstrate cyber resilience, yet most continue to rely on management reports built around heatmaps and binary appetite statements that create an illusion of control over what is inherently probabilistic. A more mature approach begins when boards require risk appetite to be expressed in probabilistic terms, materiality to be calibrated as conditions evolve, and assurance to validate the reasoning behind the numbers rather than just the presence of documentation.</p><p>When a board adopts a probabilistic mindset, it begins to govern uncertainty with the same discipline that insurers apply to capital adequacy and solvency management. This represents the next stage in the maturity of cyber governance [1][2][3].</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rCF-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rCF-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!rCF-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!rCF-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!rCF-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!rCF-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1734573,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/176618619?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rCF-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!rCF-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!rCF-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!rCF-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff5b98b8c-b14d-4513-bfca-59ac7e2dfa72_1536x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>The Governance Paradox</h2><p>Cyber risk is inherently probabilistic, yet it is commonly managed through deterministic tools. Heatmaps, control ratings, and binary appetite statements reduce complex risk distributions into simplified traffic-light representations. The result is a paradox in which the most material risks often receive the least quantified scrutiny [8].</p><p>Consider a loss exceedance curve compared to a standard heatmap. The heatmap may show a risk marked green, suggesting it is well managed. The exceedance curve, however, reveals a nine per cent probability of losses exceeding fifty million dollars. These aren&#8217;t two interpretations of the same information; they represent fundamentally different understandings of exposure. One provides comfort; the other provides insight. Boards that require appetite to be expressed in probabilistic terms gain a more accurate understanding of what they&#8217;re actually facing.</p><h2>Board and Management: Distinct but Interdependent Roles</h2><p>A frequent source of confusion in cyber governance is the boundary between oversight and execution. Some boards, influenced by industry commentary or internal reporting structures, assume responsibilities that properly belong to management.</p><p>Management is responsible for implementation. It measures and reports on controls, allocates resources, and converts risk appetite into operational action. The board governs by defining appetite, setting strategic direction, challenging management&#8217;s reasoning, and ensuring that reporting faithfully represents exposure. It carries ultimate accountability for oversight [1][2][3].</p><p>The Australian Institute of Company Directors puts it clearly: <em><strong>&#8220;While it is not the role of the board to directly manage cyber risk, the board does have ultimate accountability for how risks are governed and addressed.&#8221;</strong></em> [1]</p><p>Effective governance depends upon a disciplined separation of these functions. The quality of oversight improves when boards challenge management&#8217;s reasoning rather than its activity.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!MwpN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!MwpN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 424w, https://substackcdn.com/image/fetch/$s_!MwpN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 848w, https://substackcdn.com/image/fetch/$s_!MwpN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 1272w, https://substackcdn.com/image/fetch/$s_!MwpN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!MwpN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png" width="1240" height="371" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:371,&quot;width&quot;:1240,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:59444,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/176618619?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F640453e5-2a60-4566-8cb7-2d1a7f9ebfed_1240x482.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!MwpN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 424w, https://substackcdn.com/image/fetch/$s_!MwpN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 848w, https://substackcdn.com/image/fetch/$s_!MwpN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 1272w, https://substackcdn.com/image/fetch/$s_!MwpN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ebc6381-34ff-42bd-a279-c0194c2b69fc_1240x371.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>The Illusion of Appetite</h2><p>Risk appetite statements often provide reassurance without measurement. Phrases such as &#8220;no appetite for losses exceeding twenty million dollars&#8221; express intent but fail to convey probability.</p><p>Douglas Hubbard&#8217;s <em>How to Measure Anything in Cybersecurity Risk</em> demonstrates why this matters [8]. The same statement can be reframed as: &#8220;The organisation aims to maintain less than a five percent probability of losses exceeding twenty million dollars per year.&#8221;</p><p>This statement isn&#8217;t semantic wordplay. The first version is aspiration; the second is governance. It converts intent into quantifiable commitment and provides a foundation for investment, oversight, and assurance decisions. Declaring risk appetite is not governance; quantifying it is.</p><h2>Connectedness and the Learning Loop</h2><p>Early in my career I viewed cyber risk as a function of control status: green was acceptable, and red was not. Dashboards reinforced this illusion by presenting progress as the number of issues closed. The work of Jack Jones and the FAIR model fundamentally altered that understanding [10][11].</p><p>Risk is not a set of discrete control failures but an interconnected network of conditions that collectively shape the probability of loss. Individual control weaknesses rarely operate in isolation. Each alters the likelihood of success for subsequent stages in an attack chain.</p><p>Here&#8217;s a concrete example: during a red team exercise at a previous organisation, the team compromised an employee&#8217;s credentials through a phishing simulation. That initial success wasn&#8217;t just one control failure. It significantly increased the likelihood of lateral movement, privilege escalation, and data exfiltration. When we updated our loss estimates, we didn&#8217;t just mark &#8220;phishing awareness&#8221; as red. We recalibrated our probability estimates for every scenario where initial access was a precondition for more damaging outcomes.</p><p>This reflects a Bayesian approach to governance where prior assumptions are updated as new evidence emerges. A failed red-team test or a recurring audit finding isn&#8217;t another point of failure on a scorecard; it&#8217;s evidence that should revise the organisation&#8217;s estimate of loss probability. Weak multi-factor authentication increases both the probability of compromise and the frequency of attempts as adversaries identify opportunity. Frequency and susceptibility are linked.</p><p>The objective, described by Richard Seiersen as &#8220;risk removal&#8221;, is to eliminate entire pathways to loss rather than marginally improve control scores [8][12]. Boards don&#8217;t need to view equations to appreciate this principle, but they should be confident that the organisation learns from evidence and recalibrates its understanding of exposure as conditions change. This principle is the distinction between static compliance reporting and adaptive, evidence-based governance.</p><h2>Worked Example: Translating Appetite into Measurement</h2><p>When appetite is expressed probabilistically, it becomes possible to evaluate trade-offs with clarity. Suppose a board&#8217;s tolerance is defined as a five per cent probability of losses exceeding fifty million dollars. If current modelling shows the probability at ten percent, management can propose options that the board can compare based on evidence:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!geux!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!geux!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 424w, https://substackcdn.com/image/fetch/$s_!geux!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 848w, https://substackcdn.com/image/fetch/$s_!geux!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 1272w, https://substackcdn.com/image/fetch/$s_!geux!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!geux!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png" width="1456" height="525" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:525,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:74413,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/176618619?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26d205e3-49b8-4769-b5b2-ea6528f4a339_1456x614.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!geux!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 424w, https://substackcdn.com/image/fetch/$s_!geux!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 848w, https://substackcdn.com/image/fetch/$s_!geux!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 1272w, https://substackcdn.com/image/fetch/$s_!geux!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bcd9875-23a2-46f2-b258-cc585a5bfeb6_1456x525.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Although Option A requires greater expenditure, it achieves a larger reduction in loss probability at a lower cost per risk-reduction point. If the board&#8217;s target appetite is five percent, then option A brings the organisation within one point of that target, while option B leaves a residual gap of 3.5 points.</p><p>Quantification transforms risk management from a compliance exercise into an investment decision, enabling evidence-based capital allocation rather than intuition-driven spending.</p><h2>From Concept to Practice: Lessons from the Field</h2><p>During my time at Akamai in the mid-2010s, quantifying the return on investment in security products was a persistent challenge for clients. Everyone accepted that the controls had value, yet few could express that value with the financial confidence needed to justify cloud adoption for DDoS protection and web security, especially in Asia, where I was based at the time.</p><p>The FAIR model provided a structured way to make such calculations feasible and, more importantly, to shift the conversation. It introduced just enough rigour, enough <em>maths</em> and <em>science</em>, to translate security discussions into the language of business value at risk: what needed to be protected, the cost to protect it, and the effect of investment on reducing that value at risk. It was a more mature, more relatable conversation for executives.</p><p>Controls were then mapped to their loss-reduction value and linked to tangible business outcomes. In sectors such as aviation and financial services, where digital sales, booking platforms, and deferred revenue could be measured, the financial impact of cyber events became quantifiable. Once we established those linkages, we could express reductions in potential harm as measurable benefits instead of abstract improvements in maturity.</p><p>Sean Coady, a colleague at the time, recognised that the task was not a technical exercise but a financial one: a method for connecting investment value to business value. Many of the more forward-leaning organisations were already moving in this direction&#8212;a practice now formally recognised as Cyber Risk Quantification (CRQ).</p><p>For many organisations, data quality, analytical capabilities, and cultural readiness remain obstacles. The correct response is to begin small and focus on the scenarios that intelligence identifies as most probable or consequential. Quantification should be treated as a programme of work rather than a project.</p><p>Establish periodic release cycles (for example, every six months) to review assumptions, inputs, and reporting. Structured iteration communicates that this is a continuous process rather than a discrete task. Similar to all areas of business management, understanding and governing cyber risk is an ongoing process without a definitive endpoint.</p><p>Several approaches are available. In previous organisations, we developed internal capabilities using the OpenFAIR toolkit, supported by threat modelling and open-source intelligence feeds. Commercial offerings such as RiskLens and KPMG&#8217;s Cyber Risk Insights (CRI) provide mature frameworks, and independent analyst coverage such as <em>The Forrester Wave: Cyber Risk Quantification, Q2 2025</em> offers market context [13].</p><p>Quantification is best viewed not as a technology but as a mindset: begin with intelligence-led scenarios and evolve quantification as a disciplined and iterative practice linking cyber resilience to business value.</p><h2>The Future of Cyber Governance</h2><p>Advances in artificial intelligence now permit real-time updates to loss-exceedance models. Regulators, including APRA, MAS, the SEC, and the PRA, increasingly expect quantitative and decision-useful reporting [2][4][5][6][7]. Cyber insurers are also determining coverage prices based on validated risk exposure instead of relying on qualitative indicators.</p><p>The convergence of analytics, regulation, and insurance economics will reshape how boards understand and govern cyber risk. The integration of quantification into assurance and capital disciplines will redefine effective governance.</p><h2>Boardroom Questions</h2><p>Directors can use these questions to assess whether their organisation is measuring what matters:</p><ul><li><p>What is the organisation&#8217;s current probability of a material loss?</p></li><li><p>How has that probability evolved, and what factors have driven the change?</p></li><li><p>Which assumptions or control dependencies have the greatest influence on this estimate?</p></li><li><p>Which investments would most efficiently alter that probability?</p></li><li><p>What assurance is there regarding the data and methodologies used?</p></li><li><p>How frequently is materiality recalibrated?</p></li><li><p>Is the organisation learning from evidence, or is it merely reporting on compliance?</p></li></ul><h2>Closing Reflection</h2><p>Boards cannot remove uncertainty, but they can govern it with intelligence and discipline. Risk appetite should be expressed as probability rather than aspiration, and materiality should be revisited as conditions evolve. Assurance must evaluate reasoning and evidence rather than the presence of documentation.</p><p>All models are approximations. A measure of governance quality lies in how consistently an organisation learns from evidence and improves its understanding of risk over time. At stake is the transition from governance theatre to governance substance, where the objective is not certainty but confidence derived from disciplined measurement.</p><div><hr></div><h2>References</h2><ol><li><p>Australian Institute of Company Directors. <em>Cyber Security Governance Principles</em>. 2025.</p></li><li><p>Australian Prudential Regulation Authority. <em>CPS 234 Information Security</em>. July 2019.</p></li><li><p>National Institute of Standards and Technology. <em>The NIST Cybersecurity Framework (CSF) 2.0</em>. February 2024.</p></li><li><p>U.S. Securities and Exchange Commission. <em>Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure</em>. Release Nos. 33-11216; 34-97989. July 26, 2023.</p></li><li><p>Monetary Authority of Singapore. <em>Notice 655 &#8211; Cyber Hygiene</em>. Consolidated version.</p></li><li><p>Bank of England Prudential Regulation Authority. <em>SS2/21 &#8211; Outsourcing and third-party risk management</em>. Effective 2022.</p></li><li><p>Bank of England Prudential Regulation Authority. <em>SS1/21 &#8211; Operational resilience: Impact tolerances for important business services</em>. March 2021.</p></li><li><p>Hubbard, D. and Seiersen, R. <em>How to Measure Anything in Cybersecurity Risk</em>. Wiley. 2016 (2nd ed. 2023).</p></li><li><p>Howard, R. <em>Cybersecurity First Principles</em> (series). The CyberWire. 2022.</p></li><li><p>FAIR Institute. <em>FAIR Model Overview</em> (Technical Brief).</p></li><li><p>RiskLens. <em>An Introduction to FAIR</em> (Whitepaper).</p></li><li><p>Seiersen, R. &#8220;Risk Removal.&#8221; Conference presentation and related materials, 2020.</p></li><li><p>Forrester. <em>The Forrester Wave: Cyber Risk Quantification, Q2 2025</em>.</p></li></ol>]]></content:encoded></item><item><title><![CDATA[The Bootloader of Power: China’s UBIOS and the Politics of Digital Sovereignty]]></title><description><![CDATA[Technology Bifurcation at the Firmware Layer]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/the-bootloader-of-power-chinas-ubios</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/the-bootloader-of-power-chinas-ubios</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 26 Oct 2025 09:08:04 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!E7kZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p>When I spoke in New Orleans at the Gartner Global CISO Community event, I outlined five forces breaking the digital order. The fourth was <strong>technology bifurcation</strong>, the emergence of rival stacks operating under different governance, using different standards, and ultimately answering to different authorities. I focused on 5G, sovereign cloud, and competing AI frameworks.</p><p>I should have been talking about firmware.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!E7kZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!E7kZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 424w, https://substackcdn.com/image/fetch/$s_!E7kZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 848w, https://substackcdn.com/image/fetch/$s_!E7kZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 1272w, https://substackcdn.com/image/fetch/$s_!E7kZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!E7kZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png" width="989" height="540" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:540,&quot;width&quot;:989,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1294170,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/177157332?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3c5cc05-2dfc-4b3b-bd71-d38284706bbb_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!E7kZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 424w, https://substackcdn.com/image/fetch/$s_!E7kZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 848w, https://substackcdn.com/image/fetch/$s_!E7kZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 1272w, https://substackcdn.com/image/fetch/$s_!E7kZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852663cc-b1ce-4997-83c6-ab8219e46bdf_989x540.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>China&#8217;s recently announced <strong>Unified Basic Input/Output System (UBIOS)</strong> represents bifurcation at its most fundamental level. This is not about applications or cloud providers. It is about <strong>divergent roots of trust at the bootloader</strong>, the first code a machine executes. If you control what a system trusts before the operating system loads, you control the foundation on which everything else depends.</p><h3>A sovereign bootloader</h3><p>Thirteen Chinese institutions, including Huawei, Inspur, and the China Electronics Standardisation Institute, have co-developed UBIOS as a domestic replacement for the <strong>Unified Extensible Firmware Interface (UEFI)</strong>, the dominant firmware standard of the past two decades.</p><p>The significance is straightforward. Firmware sits below everything else. It determines what a machine trusts when it initialises. For years, that handshake has relied on American code signed and certified by Intel, AMD, or Microsoft. The global computing base has, in effect, been <strong>booting on American cryptographic authority</strong>.</p><p>UBIOS replaces that lineage. It brings Chinese governance frameworks, cryptographic standards, and certificate authorities into the trust chain. The geopolitical intent is unmistakable. Beijing wants the first line of code executed inside China <strong>not to require permission from Washington, Santa Clara, or Redmond</strong>. This is digital sovereignty implemented at the hardware&#8211;firmware boundary.</p><h3>From dependency to detachment</h3><p>UBIOS aligns with <strong>Document 79</strong>, the 2022 directive mandating the removal of foreign technology from state systems by 2027. The document was reportedly handled under strict controls, with no photocopying and review in secure settings, which signals how seriously Beijing treats technological independence.</p><p>UBIOS is part of a broader structural pattern. China has pursued <strong>RISC-V</strong> to bypass x86 dependencies, developed <strong>Loongson</strong> for domestic production, and built <strong>HarmonyOS</strong> to reduce reliance on Android. Each layer insulates core systems from external pressure and creates optionality under sanctions or export controls.</p><p>The logic is <strong>precedent</strong>, not paranoia. For two decades, the United States held leverage through control of firmware trust chains and root certificates. That visibility enabled dominance over standards and, importantly, over how the global computing base initialises and validates itself. If chips, operating systems, and cloud services can be weaponised, <strong>firmware is the logical next frontier</strong>.</p><p><strong>UBIOS severs that dependency chain.</strong> The 2022 to 2024 export control cycle targeting advanced chips and high-bandwidth memory showed that access can be restricted overnight. Rebuilding the stack, from silicon to firmware to operating systems, becomes a matter of national resilience.</p><h3>The firmware frontline</h3><p>Firmware is invisible to most users but strategically foundational. It anchors boot integrity, enables remote attestation, and establishes platform trust. Whoever governs firmware defines what &#8220;assurance&#8221; means in a computing environment.</p><p>Replacing UEFI with UBIOS localises not only production but <strong>authority</strong>. Once standardised across Chinese data centres and exported via Digital Silk Road projects, Western transparency at the hardware level will erode. That matters because security validation frameworks such as <strong>Common Criteria</strong> and <strong>FIPS 140-3</strong> are built around Western cryptographic primitives, including <strong>RSA</strong> for public key operations, <strong>ECDSA</strong> for digital signatures, and <strong>SHA-256</strong> for hashing.</p><p>China mandates its own <strong>ShangMi (SM)</strong> cryptographic standards, governed by the Commercial Cryptography Administration. <strong>SM2</strong> provides elliptic curve signatures and key exchange. <strong>SM3</strong> offers hashing. <strong>SM4</strong> handles symmetric encryption. These are not mere re-skins of Western algorithms. They are distinct standards maintained under Chinese regulatory authority.</p><p>The result is an <strong>asymmetry of visibility</strong>. Western assessors cannot easily inspect or attest to initialisation sequences in UBIOS systems using SM-series cryptography. Tooling does not translate cleanly. Certificate chains terminate in Beijing rather than in Verisign or DigiCert. Governance operates under Chinese law rather than under regimes Western regulators can audit or compel.</p><p>A practical scenario makes the point. An Australian critical infrastructure provider procures Chinese-manufactured servers. Under UEFI, assurance is well-established. Verify firmware signatures against known Intel or AMD roots, check published vulnerabilities, and validate the boot chain against independently audited hashes.<br>With UBIOS, the process shifts. The certificate authority is Chinese. The cryptographic algorithms are SM-series, which many Western tools do not natively validate. The firmware source is governed by Chinese intellectual property frameworks and may not be available for independent audit. The <strong>trust anchors</strong>, the root certificates underpinning the chain, are managed by state-aligned institutions rather than global certification bodies.</p><p>Western assurance frameworks must either <strong>develop new validation methodologies</strong> that accommodate Chinese cryptography and governance or accept a degree of operational blindness. Neither path is attractive, and both have implications for supply chain security and regulatory compliance.</p><h3>Strategic symmetry, not rebellion</h3><p>This is best read as <strong>strategic symmetry</strong>, not defiance. Washington has long leveraged hardware and firmware standards as instruments of influence, just as export controls shape semiconductor supply. Beijing&#8217;s response is architectural independence, a <strong>parallel stack immune to Western veto</strong>.</p><p><strong>Competing stacks</strong></p><ul><li><p><strong>Western:</strong> UEFI/Secure Boot; NIST-approved cryptography (RSA, ECDSA, SHA-256); global certification bodies operating primarily under U.S. and European regulatory frameworks.</p></li><li><p><strong>Chinese:</strong> UBIOS/National Trust Chain; SM-series cryptography (SM2, SM3, SM4); state-aligned certification authorities under Chinese regulatory oversight.</p></li></ul><p>This split occurs at the lowest software layer, before operating systems or hypervisors, where the definition of <em>trusted</em> is set. Interoperability becomes a <strong>political choice</strong>, not a technical default.</p><p>In New Orleans, I argued that technology bifurcation was fracturing the digital order. UBIOS shows the fracture runs deeper than many assumed. It reaches all the way to the firmware that decides, in milliseconds, which code a machine will believe.</p><h3>What changes for institutions</h3><p>For national security planners, firmware sovereignty shifts risk from the technical to the <strong>policy</strong> domain. The question is no longer only &#8220;Is this secure?&#8221; but &#8220;<strong>Under whose authority is trust established, and what are the geopolitical implications of that dependency?</strong>&#8221;</p><p>For enterprises operating across jurisdictions, UBIOS reshapes third-party due diligence. Supply chain security, regulatory assurance, and audit practices have assumed that organisations can validate hardware and firmware using globally recognised tools. That assumption is weakening. Systems procured from Chinese manufacturers, or deployed in Chinese data centres, may initialise under cryptographic authority that Western teams cannot readily inspect.</p><p>Critical infrastructure operators face the most acute challenge. Logistics, manufacturing, telecommunications, and energy networks may depend on devices initialised under <strong>foreign cryptographic governance</strong>. The resulting <strong>assurance gap</strong>, the difference between what must be validated and what can be validated, becomes as consequential as any zero-day. You cannot defend against what you cannot see, and you cannot validate trust chains you cannot inspect.</p><p>The operational answer is <strong>dual-stack validation</strong>, frameworks capable of attesting firmware integrity across both UEFI and UBIOS architectures. That requires technical diversity, fluency in both Western and Chinese cryptographic ecosystems, and geopolitical awareness of which jurisdictions govern which trust anchors under what legal norms. This is the next evolution of cyber resilience. Success will favour organisations that operate confidently across both ecosystems without assuming either is inherently superior or inherently compromised.</p><h3>The bootloader as battlefield</h3><p>When a server powers on, it decides whom to trust. That decision, unseen yet absolute, now sits at the centre of global competition.</p><p><strong>UBIOS is Beijing&#8217;s declaration that Chinese systems will not boot on foreign permission.</strong> It is the digital analogue of launching a sovereign satellite constellation, largely invisible to citizens yet strategic in every sense. Just as GPS underwrote American advantage and BeiDou underwrites Chinese independence, UBIOS underwrites independence at the firmware layer.</p><p>The decisive contests ahead will not begin with software exploits. They will begin in the milliseconds before the operating system loads, when a machine decides whose cryptographic authority defines truth. This is where sovereignty is encoded into silicon, where alignment is embedded into boot sequences, and where the future of technology governance is being written.</p><p>In New Orleans, I described a possible future I called <strong>the Red Zone</strong>, a world of high threat pressure, collapsing alignment, diverging regulations, proliferating stacks, and segregated supply chains. <strong>UBIOS is what the Red Zone looks like when it&#8217;s coded into firmware.</strong> The alternative, what I called the <strong>Strategic Lattice</strong>, remains possible: a world where high pressure is managed through minimum viable interoperability. But it will not emerge by accident.</p><p>In geopolitics, as in Bayesian reasoning, priors update when evidence arrives. <strong>UBIOS is new evidence.</strong> The question is whether institutions will update their strategies or continue operating on assumptions that no longer fit a world of bifurcated trust architectures.</p><p><strong>Author bio:</strong><br><em>John Ellis is the author of GeopoliticalCyber, a blog exploring the intersection of cyber resilience, strategy, and geopolitics.</em></p>]]></content:encoded></item><item><title><![CDATA[Cybersecurity at the Digital Crossroads]]></title><description><![CDATA[Leading through Global Fragmentation]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/cybersecurity-at-the-digital-crossroads</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/cybersecurity-at-the-digital-crossroads</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Mon, 22 Sep 2025 11:17:17 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/b75682fd-9128-457e-b77f-5182b45c244d_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><p><em>This article builds on my presentation at Gartner&#8217;s Global CISO Executive Summit in New Orleans, where I introduced the framework &#8220;Five Forces Breaking the Digital Board.&#8221; What follows expands on that analysis, integrating fresh research on digital fragmentation, supply chain weaponisation, and my scenario planning methodology. The argument is simple: it&#8217;s not prediction that matters, but positioning. Positioning is resilience, and resilience decides who wins tomorrow.</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kANU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kANU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 424w, https://substackcdn.com/image/fetch/$s_!kANU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 848w, https://substackcdn.com/image/fetch/$s_!kANU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 1272w, https://substackcdn.com/image/fetch/$s_!kANU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kANU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png" width="1456" height="821" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:821,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2013312,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/174233298?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kANU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 424w, https://substackcdn.com/image/fetch/$s_!kANU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 848w, https://substackcdn.com/image/fetch/$s_!kANU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 1272w, https://substackcdn.com/image/fetch/$s_!kANU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52a661b6-8c24-4fe4-9c2e-bb4b7fbed304_1824x1028.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>From Plumbing to Battlefield</h2><p>When Salt Typhoon briefings reached Capitol Hill in December 2024, the response was visceral. Senators walked out of classified sessions visibly rattled. Mark Warner called it &#8220;the worst telecom hack in our nation&#8217;s history.&#8221; Christopher Wray described it as &#8220;the most significant cyberespionage in history.&#8221; Marco Rubio dispensed with understatement, labelling it &#8220;the most disturbing and widespread incursion into our telecommunications systems in the history of the world.&#8221;</p><p>This episode was not theatre. It was the realisation, at the highest levels of government, that the plumbing metaphor for cyber has expired. For years, boards and their management, treated cyber like piping in a building: invisible until it burst, patchable when it did, and insurable against financial leakage. That era is gone. Cyber today is not hidden infrastructure behind the walls. It is contested terrain outside the front door. The water company may still deliver supply, but in this world it could also be an adversary with a hand on the valve.</p><h2>The Persistence Condition</h2><p>Too many organisations continue to approach cyber threats in an episodic manner, responding to an attack, mounting a response, ensuring recovery, and then issuing a report. That model is obsolete.</p><p>Volt Typhoon maintained access to U.S. critical infrastructure for at least five years. Salt Typhoon burrowed into telecommunications networks from 2022 through late 2024 and was still present during congressional briefings. These were not mere raids. They were patient positioning campaigns, a reminder that persistence is not an exception in cyber but the norm.</p><p>Cyber persistence theory explains why. Michael Fischerkeller and colleagues argue that unlike conventional warfare (which seeks victory through conflict) or nuclear strategy (which seeks to prevent conflict), cyber operates in &#8220;the alternative to war&#8221;&#8212;a space of continuous competitive campaigning below the threshold of armed conflict. The very interconnectedness of cyberspace creates the conditions that make persistence inevitable.</p><p>The translation is straightforward: persistence is the condition. Stop planning for &#8220;return to normal&#8221;. There is no normal. There is only continuous pressure, with adversaries maintaining footholds while business continues.</p><h2>The Five Forces Breaking the Digital Board</h2><p>In my presentation in New Orleans I argued that five forces are fracturing the digital order. They are not speculative; they are already reshaping contracts, compliance requirements, and boardroom assumptions.</p><p><strong>The first force is technology as seen through a national security lens. </strong>Semiconductors, artificial intelligence, cloud services, and telecommunications are no longer primarily commercial domains. They are instruments of statecraft. U.S. export controls in 2022, 2023, and 2024 progressively tightened choke points. The December 2024 measures went further than ever by explicitly restricting high-bandwidth memory, a critical enabler of advanced AI systems. Beijing retaliated with export bans on gallium, germanium, and antimony. By October, antimony shipments to Europe had fallen to zero; by December, exports to the United States were prohibited entirely. These were not marginal supply chain disruptions. These served as examples of how economic warfare can leverage critical materials. For organisations, the implication is stark: every technology decision is now a geopolitical decision. Vendor risk is alignment risk.</p><p><strong>The second force influencing geopolitics is regulation. </strong>By early 2023, one hundred separate data localisation measures were in effect across forty countries. More than two-thirds of the measures combined storage requirements with outbound flow restrictions, which are the most restrictive form possible. GDPR fines reached &#8364;1.2 billion in 2024 alone, with cumulative penalties since 2018 amounting to &#8364;5.88 billion. Survey data consistently shows regulatory fragmentation as a growing concern. PwC's 2024 Global Digital Trust Insights found that 73% of executives cite regulatory complexity as hindering cyber resilience efforts, while Gartner's 2024 CISO survey indicated that 68% of security leaders expect compliance requirements to create operational friction within two years. These frameworks are not converging. They are colliding. Compliance has become less about legal diligence and more about strategic positioning to maintain market access.</p><p><strong>The third force is supply chain weaponisation. </strong>The 2021 compromise of Microsoft Exchange servers, attributed to Hafnium (linked to China&#8217;s Ministry of State Security), rippled through hundreds of thousands of organisations globally. By 2024, 81 percent of companies reported direct negative impacts from third-party breaches. The lesson is that one vendor compromise can cascade across entire sectors and geographies. Optimising for cost or speed alone is dead. Supply chains must now be mapped by jurisdiction as well as by function, with credible alternatives in place. Otherwise, one supplier sneezes in Shenzhen and the boardroom catches pneumonia in Sydney.</p><p><strong>The fourth force is technology bifurcation. </strong>From 5G standards to encryption algorithms, rival stacks are emerging. Sovereign cloud infrastructure, designed to meet national data requirements, was a $96.8 billion market in 2024. By 2033 it is projected to reach nearly $649 billion. The result is not market hype. This approach incorporates coding sovereignty directly into the architectural design. For global firms, the outcome is maintaining parallel infrastructures. Efficiency will not save you from sovereignty. Organisations must design for modularity, knowing they will pay to run the same functions twice.</p><p><strong>The fifth force involves fragmentation in both financial systems and standards. </strong>When Russia was excluded from SWIFT in March 2022, seven banks, including VTB, were cut off, representing up to 1.5 percent of daily transactions. It was a watershed moment, signalling that financial infrastructure itself is now an instrument of statecraft. The rise of central bank digital currencies and alternative settlement rails reinforces the trend. The result is parallel monetary systems that may not interoperate. For companies, resilience is no longer disaster recovery. It is the capacity to settle, pay, and be paid across shifting regimes.</p><h2><strong>Positioning, Not Prediction</strong></h2><p>Boards crave certainty: forecasts, percentages, straight lines. But in the cyber-geopolitical environment, certainty is an illusion. The risk is being lulled into <em>the tyranny of the present</em> &#8211; assuming tomorrow will be a linear extension of today.</p><p>Scenario planning is the antidote. It accepts that there is no single &#8220;most likely&#8221; future. Instead, it maps multiple plausible outcomes shaped by forces outside management&#8217;s control. The value is not in accuracy but in agility&#8212;expanding mental models so leaders are not blindsided when discontinuities hit.</p><p>My framework builds from this principle:</p><ul><li><p><strong>Plausible futures</strong> are mapped against two critical axes: <strong>Threat Pressure (low to high)</strong> and <strong>Alignment (harmonised to fragmented)</strong>. This generates distinct operating environments rather than one &#8220;expected case&#8221;.</p></li><li><p><strong>Preferences and constraints</strong> define what each actor wants and what structural limits allow. These shape the range of possible moves.</p></li><li><p><strong>Watchpoints and thresholds</strong> identify the signals that shift scenario weightings&#8212;tightened export controls, diverging AI governance blocs, or exposure to long-term persistence campaigns.</p></li><li><p><strong>Dynamic updating</strong> means probabilities are never fixed; they flex as signals emerge. Think less like a forecast and more like a GPS recalculating when a roadblock appears.</p></li></ul><h3><strong>Futures of Fragmentation (Scenario Planning Quadrant)</strong></h3><p><strong>Axes:</strong></p><ul><li><p><strong>X-axis:</strong> Threat Pressure &#8594; <em>Low to High</em></p></li><li><p><strong>Y-axis:</strong> Alignment &#8594; <em>Harmonised to Fragmented</em></p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_mU0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_mU0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 424w, https://substackcdn.com/image/fetch/$s_!_mU0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 848w, https://substackcdn.com/image/fetch/$s_!_mU0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 1272w, https://substackcdn.com/image/fetch/$s_!_mU0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_mU0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png" width="1450" height="706" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:706,&quot;width&quot;:1450,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:136144,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/174233298?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_mU0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 424w, https://substackcdn.com/image/fetch/$s_!_mU0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 848w, https://substackcdn.com/image/fetch/$s_!_mU0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 1272w, https://substackcdn.com/image/fetch/$s_!_mU0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a75d86b-6238-47b4-800e-0a83940110f3_1450x706.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><em>Figure 1. Futures of Fragmentation (Scenario Planning). Framework developed by the author. Probabilities shift dynamically as signals (watchpoints) accumulate.</em></p><p>This approach translates directly to the boardroom. When I assigned a probability of 35&#8211;55% for a Red Zone trajectory within three years, it wasn't a random guess. This estimate was based on a specific point in time. However, when subsequent signals, such as mineral export bans, new choke points, and Salt Typhoon&#8217;s scope, all fired, the analysis pushed that probability north of 70%, and and the framework flexed, not because I &#8220;revised a forecast&#8221;, but because the evidence updated the map.</p><p>The point is simple: success doesn&#8217;t come from predicting which scenario will play out. It comes from positioning the organisation so it can survive and compete across whichever future emerges.</p><h2><strong>Red Zone vs Strategic Lattice</strong></h2><p>From this framework, two dominant high-threat futures matter most for organisations.</p><p><strong>The Red Zone</strong><br>This is what happens when <strong>threat pressure is high and alignment collapses</strong>. Regulatory regimes diverge until they are mutually incompatible. Rival technology stacks proliferate with little interoperability. Supply chains segregate along bloc lines. Financial and communications infrastructures evolve in parallel, cutting across assumptions of global integration. Intelligence sharing shifts from cooperative to competitive. If leaders fail to take action, the Red Zone will emerge as the default trajectory within 18 to 36 months.</p><p><strong>The Strategic Lattice</strong><br>The counter-scenario arises when <strong>threat pressure is high but alignment holds, at least partially</strong>. Here, blocs remain in competition but maintain a minimum viable architecture of interoperability. Some cross-border data flows are preserved, regulatory frameworks are selectively recognised, and crisis communication channels remain intact. Think of it as a cyber-era Bretton Woods: rivalry without collapse. Unlike the Red Zone, the Lattice will not emerge naturally. It requires deliberate leadership within the next 12 to 18 months.</p><h3><strong>Red Zone vs Strategic Lattice (Comparison Table)</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ldex!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ldex!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 424w, https://substackcdn.com/image/fetch/$s_!ldex!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 848w, https://substackcdn.com/image/fetch/$s_!ldex!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 1272w, https://substackcdn.com/image/fetch/$s_!ldex!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ldex!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png" width="1368" height="906" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:906,&quot;width&quot;:1368,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:163438,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/174233298?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ldex!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 424w, https://substackcdn.com/image/fetch/$s_!ldex!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 848w, https://substackcdn.com/image/fetch/$s_!ldex!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 1272w, https://substackcdn.com/image/fetch/$s_!ldex!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F535d16ce-a34f-4b69-a369-8e5c0f5f451c_1368x906.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><em>Figure 2. Comparative scenarios. The Red Zone emerges by default; the Strategic Lattice requires active leadership to preserve interoperability under pressure.</em></p><h2><strong>Governance Implications</strong></h2><p>The governance challenge is no longer <em>&#8220;What is the probability?&#8221;</em> But <em>&#8220;How do we know when probabilities change?&#8221;</em> Scenario positioning beats point forecasting precisely because it avoids false precision while keeping strategic relevance.</p><ul><li><p><strong>Board Chairs</strong> must anchor oversight in watchpoints: which signals&#8212;new sanctions, regulatory divergence, long-term campaigns&#8212;would force a shift in strategy?</p></li><li><p><strong>CEOs</strong> must guard against stranded growth. Models built for seamless efficiency can become liabilities in a Red Zone. Governance is now about optionality.</p></li><li><p><strong>CISOs</strong> must shift from episodic response to continuous operation under compromise. Volt Typhoon&#8217;s five-year dwell time is not an exception&#8212;it is the new benchmark. Detection, containment, and restoration metrics must be board-level indicators.</p></li><li><p><strong>Risk officers and insurers</strong> must acknowledge that persistence and supply chain aggregation create systemic exposures beyond actuarial modelling. Cyber is no longer an episodic, insurable peril&#8212;it is a continuous operational condition requiring new transfer models.</p></li></ul><h2>Operational Priorities for Boards</h2><p>Compliance architecture must assume divergence. A data flow lawful in Frankfurt may be criminalised in Shanghai and blocked in Washington. Boards should require data flows to be tagged with lawful bases and kill switches built in, with rerouting capabilities tested regularly.</p><p>Supply chain sovereignty must be stress-tested. A backup supplier on paper is not resilience unless it has been exercised under production-like conditions. The December 2024 export controls showed how quickly critical components can disappear.</p><p>Technology stacks should be designed for hot-swappability. Crypto-agility is not jargon; it is survival when a regulator declares yesterday&#8217;s algorithm non-compliant. Identity providers, storage back-ends, and algorithm sets should be engineered for rapid replacement.</p><p>Geopolitical intelligence must sit alongside cyber threat intelligence. Organisations should not only track indicators of compromise but also indicators of regulation, sanctions, and persistent campaign intent. Trigger lists &#8212; what law or sanction would force a workload migration or supplier switch &#8212; should already exist.</p><p>Finally, decision velocity must be addressed. Fragmentation multiplies cognitive load. Authority must sit where information concentrates. Strategy can remain central, but execution must be distributed. Decision-making speed should be tested in scenario exercises, not assumed.</p><h2>What Success Looks Like</h2><p>Successful organisations will look different in the fractured digital order. They will hold portfolios resilient enough that no single vendor, standard, or jurisdiction represents critical dependency. They will have compliance capability that functions as a competitive differentiator. Their systems will be engineered for operational sovereignty, with components swappable at speed. They will continue operating under compromise, treating persistent adversary access as a baseline rather than an exception. And they will operate within trusted networks of alliances that span jurisdictions and sectors, recognising that ecosystem resilience matters more than platform dominance.</p><h2>The Choice Ahead</h2><p>We have crossed into a world where cybersecurity is inseparable from geopolitical positioning. The Red Zone is not inevitable, but signals keep firing. Only if leaders make it happen will the Strategic Lattice remain viable.</p><p>Boards face a strategic paradox: they must prepare for the Red Zone while working to preserve the Strategic Lattice. Success requires not predicting which scenario will emerge but building adaptive capacity for either outcome.</p><p>In geopolitics as in chess, the winner is not the grandmaster with elegant theory. It is the player who still has pieces on the board when the clock runs down.</p><p>The winners will be those who recognise cybersecurity, not as IT plumbing but as geopolitics.</p><p><em>John Ellis is Global Head of Security Trust &amp; Influence at QBE Insurance and writes at GeopoliticalCyber. The views expressed are the author&#8217;s own and do not represent the positions or policies of any employer or affiliated organisation.</em></p>]]></content:encoded></item><item><title><![CDATA[Stuck in the Stack]]></title><description><![CDATA[Australia's Digital Dilemma in an Isolationist America]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/stuck-in-the-stack</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/stuck-in-the-stack</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Thu, 03 Apr 2025 10:37:45 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!o34Z!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!o34Z!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!o34Z!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!o34Z!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!o34Z!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!o34Z!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!o34Z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3252231,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://geopoliticalcyber.substack.com/i/160479598?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!o34Z!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!o34Z!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!o34Z!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!o34Z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb809c9b-da28-4a5c-b80e-8b795592649b_1536x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Trump&#8217;s back. Tariffs are flying. And &#8220;Liberation Day&#8221; is grabbing headlines across the globe. But behind the slogans lies something more consequential: a shift in U.S. economic posture that&#8217;s sending ripples well beyond America&#8217;s borders. For allies like Australia, it signals a broader inflection point&#8212;one that tests our economic resilience and raises deeper questions about where we&#8217;re exposed.</p><p>Australia isn&#8217;t the main target of America&#8217;s latest protectionist push, but we&#8217;re certainly not immune. A 10% tariff now applies to $23.9 billion worth of Australian exports&#8212;beef, pharmaceuticals, aluminium among them. The message, while not overt, is hard to miss: alignment matters.</p><p>And while tariffs dominate the headlines, they&#8217;re only part of the story. Beneath the trade tension lies a more enduring strategic concern&#8212;one that&#8217;s embedded in how we operate day to day: our deep reliance on U.S.-controlled digital infrastructure.</p><h3><strong>Visible Dependence &#8211; Trade Tensions in Sharp Relief</strong></h3><p>Let&#8217;s start with what we can quantify:</p><ul><li><p><strong>Beef exports</strong>, a key component of our trade relationship with the U.S., now face a 10% cost hike. Demand may remain high, but margins just got tighter.</p></li><li><p><strong>Pharmaceuticals</strong> have been exempted&#8212;for now. That likely has more to do with global health supply chains than any special diplomatic carveout.</p></li><li><p><strong>Mining</strong>, while not directly targeted, remains exposed to second-order effects if demand slows in China, South Korea, or Japan.</p></li></ul><p>KPMG has projected that the tariff package could reduce Australia&#8217;s GDP by <strong>A$27 billion</strong>. That&#8217;s not theoretical&#8212;it&#8217;s fiscal pressure with real-world consequences. This isn't just about trade. It&#8217;s about how the world is reorganising itself.</p><p>At home, policymakers are weighing two competing instincts: align more closely to avoid collateral damage&#8212;or maintain strategic space. It&#8217;s not a left-right issue. It&#8217;s a resilience calculus.</p><h3><strong>The Hidden Dependency &#8211; Deeply Embedded Digital Reliance</strong></h3><p>But beyond the tariff sheets and customs codes lies another form of dependency&#8212;one that doesn&#8217;t show up on a shipping manifest.</p><p>Australia&#8217;s public and private sectors run on U.S.-controlled platforms:</p><ul><li><p><strong>AWS</strong> supports infrastructure for over 140 government agencies.</p></li><li><p><strong>Microsoft 365</strong> is now the de facto productivity suite across the federal landscape.</p></li><li><p><strong>Azure and Google Cloud</strong> underpin critical services in finance, healthcare, and telecoms.</p></li><li><p><strong>Apple and Android</strong> dominate mobile platforms. <strong>Google Search</strong> is near-universal.</p></li></ul><p>These are exceptional technologies. But reliance, no matter how efficient, comes with risk. Not because the platforms are flawed, but because they exist within a different legislative and geopolitical context.</p><p>What happens if access is limited&#8212;not out of hostility, but through regulatory change? What happens if geopolitical tension triggers restrictions? We&#8217;ve seen both play out globally.</p><p>The question isn&#8217;t whether these platforms are trustworthy. It&#8217;s whether we have <strong>a contingency if conditions shift</strong>.</p><h3><strong>Rethinking Sovereignty &#8211; From Borders to Backends</strong></h3><p>Sovereignty once meant border control, defence capability, and national infrastructure. Today, it must also account for platform control, data jurisdiction, and the resilience of digital systems.</p><p>The U.S. has demonstrated it will use digital platforms as tools of statecraft&#8212;sometimes directly, sometimes through broader legal mechanisms like the CLOUD Act or export controls. This isn&#8217;t a criticism. It&#8217;s a recognition of how power is exercised in the 21st century.</p><p>Even allies must understand: access to core systems can become conditional. Not out of malice, but as a function of shifting strategic priorities. Resilience now requires more than strong firewalls. It requires <strong>structural optionality</strong>.</p><h3><strong>Building Digital Resilience: What It Actually Takes</strong></h3><p>So what does that look like in practice? Not panic. Not wholesale decoupling. But deliberate, strategic rebalancing:</p><ol><li><p><strong>Multi-cloud architectures</strong> &#8211; Prioritise design flexibility to avoid single points of failure.</p></li><li><p><strong>Local capability uplift</strong> &#8211; Invest in domestic platforms for critical and high-sensitivity functions.</p></li><li><p><strong>Trusted regional alliances</strong> &#8211; Collaborate with partners like Japan, South Korea, and EU nations on shared digital frameworks.</p></li><li><p><strong>Critical infrastructure standards</strong> &#8211; Treat cloud and data platforms with the same scrutiny we apply to ports, grids, and pipelines.</p></li><li><p><strong>Tech diversification as trade strategy</strong> &#8211; Just as we&#8217;ve expanded export markets, we must expand our tech stack.</p></li><li><p><strong>A national digital sovereignty plan</strong> &#8211; A roadmap that aligns economic, cyber, and supply chain resilience into a single strategic narrative.</p></li></ol><p>This isn&#8217;t about building digital fortresses. It&#8217;s about building <strong>optionality at scale</strong>.</p><h3><strong>Final Thought: Optionality is Strategic Strength</strong></h3><p>U.S. platforms will remain core partners. Their innovation and scale are unparalleled. But resilience demands more than efficiency. It demands the ability to pivot when circumstances change.</p><blockquote><p>Sovereignty used to mean borders. Today, it means controlling your platforms, your data flows, and your digital identity.</p><p>In an era of multipolar technology and global interdependence, resilience isn&#8217;t just protection&#8212;it&#8217;s the ability to adapt.</p></blockquote><p>If we want to navigate the future on our own terms, we need more than access. We need agency.</p><p><em>All views are my own. You can disagree. But the infrastructure still runs in Virginia.</em></p>]]></content:encoded></item><item><title><![CDATA[The Bonfire of Truth ]]></title><description><![CDATA[Shadows, Power, and the Illusion of Reality &#8211; A Poetic and Philosophical Reflection]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/the-bonfire-of-truth</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/the-bonfire-of-truth</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Tue, 18 Feb 2025 00:43:31 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Bj4t!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Bj4t!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Bj4t!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!Bj4t!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!Bj4t!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!Bj4t!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Bj4t!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A surreal digital painting blending the themes of Plato's Allegory of the Cave and the Bonfire of Truth. The image depicts a dark cave where shadowy figures are chained, watching flickering shadows on the wall. In the center, a large bonfire burns brightly, casting shifting illusions on the cave walls. Silhouettes of powerful figures stand behind the fire, manipulating its flames, while outside the cave, a distant opening reveals a bright, untouched reality. The scene conveys a sense of deception, control, and the struggle for enlightenment.&quot;,&quot;title&quot;:&quot;A surreal digital painting blending the themes of Plato's Allegory of the Cave and the Bonfire of Truth. The image depicts a dark cave where shadowy figures are chained, watching flickering shadows on the wall. In the center, a large bonfire burns brightly, casting shifting illusions on the cave walls. Silhouettes of powerful figures stand behind the fire, manipulating its flames, while outside the cave, a distant opening reveals a bright, untouched reality. The scene conveys a sense of deception, control, and the struggle for enlightenment.&quot;,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A surreal digital painting blending the themes of Plato's Allegory of the Cave and the Bonfire of Truth. The image depicts a dark cave where shadowy figures are chained, watching flickering shadows on the wall. In the center, a large bonfire burns brightly, casting shifting illusions on the cave walls. Silhouettes of powerful figures stand behind the fire, manipulating its flames, while outside the cave, a distant opening reveals a bright, untouched reality. The scene conveys a sense of deception, control, and the struggle for enlightenment." title="A surreal digital painting blending the themes of Plato's Allegory of the Cave and the Bonfire of Truth. The image depicts a dark cave where shadowy figures are chained, watching flickering shadows on the wall. In the center, a large bonfire burns brightly, casting shifting illusions on the cave walls. Silhouettes of powerful figures stand behind the fire, manipulating its flames, while outside the cave, a distant opening reveals a bright, untouched reality. The scene conveys a sense of deception, control, and the struggle for enlightenment." srcset="https://substackcdn.com/image/fetch/$s_!Bj4t!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!Bj4t!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!Bj4t!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!Bj4t!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F673f40b6-7a68-45df-8b9a-b137381de3b3_1024x1024.webp 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h6><strong>"The Fire of Illusions" - pictured generated by DALL&#183;E, AI image-generation tool</strong></h6><p>In shadowed caves where echoes reign,<br>Men watch the walls and call it plain.<br>Bound by chains of whispered lore,<br>Truth is but the tale they swore.</p><p>The priests once spoke from altars high,<br>Marking stars upon the sky.<br>"This is light, this is dark,<br>Bow your head, ignite the spark."</p><p>But kings soon learned, with gilded pen,<br>That gods could rule through mortal men.<br>The papal seal, the emperor&#8217;s writ,<br>Turned holy tongues to politics.</p><p>Then came the press, the printed page,<br>A new machine, the war of age.<br>Monarchs fell, the truth stood free,<br>Yet money bought its sovereignty.</p><p>The radio hummed, the screens soon shone,<br>And every voice became a throne.<br>Wars were waged on what was real,<br>Truth was shaped by those who deal.</p><p>And now the net, the tangled sprawl,<br>A hundred flames, none true at all.<br>A million prophets, each their creed,<br>All selling doubt as holy seed.</p><p>The East weaves whispers in the mist,<br>The West cries out, yet both insist:<br>&#8220;We speak the light, they speak the lies.&#8221;<br>Yet truth, like smoke, still twists and flies.</p><p>And so we stand, axe in hand,<br>Chopping wood upon the land.<br>Before enlightenment, the fire burned,<br>After? Only lessons learned.</p><p>For truth&#8217;s no beacon, standing bright,<br>But a bonfire lit in the dead of night.<br>Fed by power, fanned by schemes,<br>A flickering wisp of shattered dreams.</p><p>So ask not what is truth, my friend,<br>But who has shaped it in the end.</p><div><hr></div><h3><strong>The Bonfire of Truth &#8211; Reflections and Annotations</strong></h3><h4><strong>What is truth?</strong></h4><p>A simple question with an answer that has been shaped, twisted, and weaponized throughout history. From the shadows of <strong>Plato&#8217;s cave</strong> to the <strong>altars of religion</strong>, from <strong>monarchs' decrees</strong> to the <strong>algorithms that now dictate what we see</strong>, truth has always been less about <strong>objective reality</strong> and more about <strong>who holds the power to define it</strong>.</p><p>This poem started as a passing comment in a chat group, turned into a journal entry, then escalated into a late-night debate with my wife (which, for the record&#8212;and for my continued domestic peace&#8212;I definitely lost). The spark? A discussion about narratives in global geopolitics, particularly Peter Zeihan&#8217;s views on the Ukraine-Russia war, Western commentary, US politics, and China&#8217;s approach to information warfare.</p><p>But beyond the politics, this piece is something more personal. I&#8217;ve always been fascinated by the tug-of-war between perception and reality&#8212;how civilizations have built entire frameworks around belief, how power has always found a way to shape &#8220;truth,&#8221; and how, despite all our technological advancements, we are still just as susceptible to illusions as the prisoners in Plato&#8217;s cave. Maybe even more so.</p><p>This poem is my meditation on truth, power, and perception throughout history. It weaves together my understanding of philosophy, historical shifts in information control, and the cynical realities of modern narratives. Below, I&#8217;ve included a breakdown of the themes and references embedded in the lines&#8212;so you can see the thought process behind what I wrote and why.</p><p>In the end, I kept circling back to a line from <strong>Epictetus</strong>:</p><blockquote><p><em>&#8220;It is impossible for a man to learn what he thinks he already knows.&#8221;</em></p></blockquote><p>So here&#8217;s my take&#8212;a poem on the <strong>malleability of truth</strong>, shaped by my interest in <strong>history, philosophy, Stoicism, cyber security, and geopolitics</strong>. Hope it sparks some thoughts of your own.</p><div><hr></div><h4><strong>1. Plato&#8217;s Cave and the Perception of Truth</strong></h4><blockquote><p><em>In shadowed caves where echoes reign,<br>Men watch the walls and call it plain.</em></p></blockquote><p>This is a direct nod to <strong>Plato&#8217;s Allegory of the Cave</strong> from <em>The Republic</em>. In his metaphor, prisoners are chained in a cave, only able to see shadows projected onto a wall. They mistake these shadows for reality because it is all they have ever known. The line highlights the idea that our perception of truth is often nothing more than reflections of deeper realities controlled by unseen forces.</p><div><hr></div><h4><strong>2. Religion as the Original Shaper of Perception</strong></h4><blockquote><p><em>The priests once spoke from altars high,<br>Marking stars upon the sky.<br>"This is light, this is dark,<br>Bow your head, ignite the spark."</em></p></blockquote><p>Here, the poem references the role of <strong>organised religion in shaping societal beliefs</strong>. Throughout history, religious institutions have dictated moral and cosmological truths&#8212;claiming divine authority to define what is right, wrong, sacred, or heretical. This duality of <em>light vs. dark</em> reflects how structured narratives shape human behavior, often invoking divine legitimacy to command obedience.</p><div><hr></div><h4><strong>3. The Transition to Political Power and Ideological Control</strong></h4><blockquote><p><em>But kings soon learned, with gilded pen,<br>That gods could rule through mortal men.<br>The papal seal, the emperor&#8217;s writ,<br>Turned holy tongues to politics.</em></p></blockquote><p>As empires rose, kings and rulers realised that controlling religious doctrine meant controlling the people. The <strong>Divine Right of Kings</strong>, the <strong>Holy Roman Empire</strong>, and <strong>imperial mandates</strong> all showcase this fusion of religious and political power. When the papal seal or an emperor&#8217;s decree determined &#8216;truth,&#8217; it blurred the line between faith and governance.</p><div><hr></div><h4><strong>4. The Printing Press and the Battle for Information</strong></h4><blockquote><p><em>Then came the press, the printed page,<br>A new machine, the war of age.<br>Monarchs fell, the truth stood free,<br>Yet money bought its sovereignty.</em></p></blockquote><p>This section touches on <strong>the Gutenberg press and the democratisation of knowledge</strong>. The printing press enabled the Reformation, the fall of absolute monarchies, and the spread of new ideologies. However, while information became more widely available, it also became commodified&#8212;truth no longer belonged to the clergy but to whoever controlled the press, the publishers, and later, the media.</p><div><hr></div><h4><strong>5. Mass Media, Propaganda, and the 20th Century</strong></h4><blockquote><p><em>The radio hummed, the screens soon shone,<br>And every voice became a throne.<br>Wars were waged on what was real,<br>Truth was shaped by those who deal.</em></p></blockquote><p>This reflects the <strong>rise of mass media, propaganda, and information warfare</strong>. From <strong>World War II propaganda</strong> to the Cold War&#8217;s <strong>ideological battles</strong>, truth became a tool wielded by governments and corporations. The advent of television and radio ensured that controlling the narrative meant controlling entire populations. The phrase <em>&#8220;those who deal&#8221;</em> alludes to media moguls, intelligence agencies, and corporate interests shaping public perception for profit and power.</p><div><hr></div><h4><strong>6. The Digital Age and the Chaos of Competing Truths</strong></h4><blockquote><p><em>And now the net, the tangled sprawl,<br>A hundred flames, none true at all.<br>A million prophets, each their creed,<br>All selling doubt as holy seed.</em></p></blockquote><p>This section encapsulates <strong>the internet&#8217;s role in fragmenting truth</strong>. Unlike past centuries where centralised authorities controlled narratives, today&#8217;s digital landscape has created an explosion of competing voices. From <strong>conspiracy theorists to state-sponsored misinformation campaigns</strong>, everyone claims to hold the &#8216;real&#8217; truth. The phrase <em>&#8220;selling doubt as holy seed&#8221;</em> is a nod to how skepticism&#8212;once a tool for enlightenment&#8212;has been weaponised to erode trust in institutions, leaving people susceptible to manipulation.</p><div><hr></div><h4><strong>7. Geopolitical Propaganda and the New Battlefields</strong></h4><blockquote><p><em>The East weaves whispers in the mist,<br>The West cries out, yet both insist:<br>&#8220;We speak the light, they speak the lies.&#8221;<br>Yet truth, like smoke, still twists and flies.</em></p></blockquote><p>This section moves into the realm of <strong>geopolitical information warfare</strong>, particularly between <strong>China, Russia, and Western powers</strong>. Every major global player claims to represent the light while casting their adversaries in shadow. <strong>China&#8217;s state-controlled media, Russian disinformation strategies, and Western corporate news spin</strong> all operate under the same fundamental principle: control the narrative, control the populace.</p><p>Yet, as the last line suggests, truth remains elusive&#8212;drifting like smoke, impossible to grasp fully.</p><div><hr></div><h4><strong>8. Zen Philosophy and the Return to Simplicity</strong></h4><blockquote><p><em>And so we stand, axe in hand,<br>Chopping wood upon the land.<br>Before enlightenment, the fire burned,<br>After? Only lessons learned.</em></p></blockquote><p>This is inspired by the <strong>Zen proverb: "Before enlightenment, chop wood, carry water. After enlightenment, chop wood, carry water."</strong> It suggests that even after great revelations or awakenings, the fundamental nature of existence remains unchanged.</p><p>In the context of the poem, this passage questions whether uncovering &#8216;truth&#8217; changes anything at all. Despite humanity&#8217;s endless search for certainty&#8212;through philosophy, religion, media, and war&#8212;the struggle remains the same.</p><div><hr></div><h4><strong>9. The Final Cynical Reflection: Who Holds the Match?</strong></h4><blockquote><p><em>For truth&#8217;s no beacon, standing bright,<br>But a bonfire lit in the dead of night.<br>Fed by power, fanned by schemes,<br>A flickering wisp of shattered dreams.</em></p></blockquote><p>Here, truth is likened not to a <strong>guiding light</strong> but to <strong>a bonfire&#8212;manipulated, fed, and controlled</strong>. The image of a bonfire in the night suggests that truth, far from being an objective force, is something that those in power construct and manipulate to serve their needs.</p><blockquote><p><em>So ask not what is truth, my friend,<br>But who has shaped it in the end.</em></p></blockquote><p>The final lines drive home <strong>the ultimate cynicism of the poem</strong>: truth is rarely a pure, objective reality. More often than not, it is a construct&#8212;crafted, shaped, and reshaped by those with the means to do so.</p><p>In the world of geopolitics, information warfare, and ideological battles, the question is not simply <em>what is true?</em> but <em>who benefits from this version of truth?</em></p><div><hr></div><h3><strong>Closing Thoughts</strong></h3><p>This poem and its accompanying reflections paint a picture of truth as <strong>a contested space, a tool of power, and a shifting illusion shaped by those in control</strong>. From ancient philosophy to modern geopolitics, the nature of truth has remained as much a battlefield as it has a mystery.</p><p>In a world where competing narratives drown each other out, perhaps the only certainty is that someone, somewhere, is holding the match.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://geopoliticalcyber.johnellis.com.au/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading John&#8217;s Substack! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[DeepSeek, Apple, and the Real AI Battle: Stop Playing Checkers, Start Playing Go]]></title><description><![CDATA[A Follow-Up to &#8220;DeepSeek, Chinese Tech, and the Selective Security Debate&#8221;]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/deepseek-apple-and-the-real-ai-battle</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/deepseek-apple-and-the-real-ai-battle</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 09 Feb 2025 13:11:32 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!DNWi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DNWi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DNWi!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!DNWi!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!DNWi!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!DNWi!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DNWi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp" width="1456" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:490538,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/webp&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DNWi!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!DNWi!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!DNWi!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!DNWi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8729cd6-3d66-4c87-8f07-58f5d5dbd1bf_1792x1024.webp 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Introduction: From Idealism to Realpolitik</h2><p>For most of my career, I believed technology could bridge divides and tackle humanity&#8217;s most urgent challenges&#8212;that AI, cyber, and digital infrastructure were enablers of global progress, not weapons in an escalating power struggle. I&#8217;ll admit, part of that optimism stemmed from a genuine desire to see innovation used for social good rather than geopolitical rivalry.</p><p>But my perspective shifted when I saw how quickly technology moved from enabler to potential weapon. The U.S. response to China&#8217;s 5G dominance, AI breakthroughs, and semiconductor push wasn&#8217;t merely fair competition&#8212;it was about containing a strategic rival. Almost overnight, innovation felt like a battlefield.</p><p>China, meanwhile, didn&#8217;t just respond&#8212;it intensified its efforts. The Chinese administration viewed cyberspace and outer space as strategic realms of global power, concluding it had to compete there. That realisation resonated deeply&#8212;especially after years spent studying China&#8217;s culture, language, and history with both admiration and curiosity.</p><p><em>(Acknowledging Bias: My background ties me to both Western markets and Sino perspectives, so I must ensure I don&#8217;t oversimplify either as monolithic. The West, too, can be fragmented, and China&#8217;s strategies, though often portrayed as unified, hold internal complexities.</em></p><p>That vantage point prompted me to re-examine my assumptions about how states leverage technology, especially once I encountered <strong>Cyber Persistence Theory</strong>, which posits that modern conflict isn&#8217;t limited to conventional or nuclear means&#8212;cyberspace is now a key domain of strategic competition. It crystallised what I had already sensed:</p><ul><li><p>Unlike conventional warfare, cyberspace is a realm of persistent exploitation, where nations don&#8217;t seek final victory but ongoing advantage&#8212;cyber operations, AI supremacy, digital dominance.</p></li><li><p>China isn&#8217;t just competing; it&#8217;s playing a long game, integrating cyber and AI into supply chains, finance, and regulatory frameworks.</p></li><li><p>The West isn&#8217;t simply defending; it&#8217;s aggressively shaping the battlefield via economic restrictions, cybersecurity mandates, and digital governance to contain China&#8217;s rise.</p></li></ul><p>For me, it was a sober reminder that the cyber domain, AI, and the broader tech ecosystem aren&#8217;t just industries; they&#8217;re central arenas of modern geopolitics. As Kai-Fu Lee notes in AI Superpowers, the AI race extends beyond mere innovation&#8212;it&#8217;s about defining the future.</p><p>But this isn&#8217;t just about banning an AI model or protecting digital privacy&#8212;it&#8217;s about who writes the rules of the digital age.</p><p>If we still see this as purely about blocking one AI model, we&#8217;re playing checkers.</p><p>Whereas the real game is Go&#8212;strategic positioning ensures dominance long before anyone realises they&#8217;ve lost. Naturally, the map isn&#8217;t the territory; real geopolitics is more intricate than any board game. Still, checkers vs. Go highlights how short-term battles differ from long-term strategic power.</p><p><em>(Misconception to Note: &#8220;Checkers vs. Go&#8221; is just a metaphor&#8212;some take it literally, but it&#8217;s meant to illustrate how short-term or reactive bans contrast with sustained positioning.)</em></p><p>Navigating this landscape triggers a personal dilemma: I straddle Western markets (in cyber and insurance) yet have deep ties to China (studying its culture and language). I&#8217;m constantly seeking strategies that protect security without discarding the ideals of global collaboration I hold dear.</p><div><hr></div><h2>The Digital Battlefield: Banning AI is Just the Start</h2><p>When I first wrote about the Chinese AI startup DeepSeek, I framed the push for its restrictions as a selective security measure, arguing that the real issue wasn&#8217;t just cyber security but the geopolitics of who controls the future of AI, cyber, and technology.</p><p>Since then, a clear pattern has emerged:</p><ul><li><p>Australia, South Korea, Taiwan, and Italy have all moved to restrict DeepSeek&#8212;whether by banning it from government systems or implementing broader limitations.</p></li><li><p>In the broader struggle over security and corporate independence, the UK has ordered Apple to create an encryption backdoor (<em>Washington Post, 2025</em>), undermining its own privacy stance while banning foreign AI on &#8220;security concerns.&#8221; Apple&#8217;s predicament exposes a deeper tension between corporate autonomy and state control, raising the fundamental question: who sets the rules?</p></li><li><p>China is actively embedding its digital governance frameworks across the Global South, shaping the technological landscape on its own terms. Meanwhile, the West remains on the defensive&#8212;reacting with bans rather than defining a proactive strategy.</p></li></ul><p>But this isn&#8217;t just about technology bans and backdoors&#8212;it&#8217;s about fragmentation, eroding trust, and a global power struggle over digital control. The digital world is splintering into competing blocs, each imposing its own rules, standards, and strategic interests.</p><p>We&#8217;re past a simple U.S.-China standoff. The contest has expanded&#8212;spanning multiple nations, technologies, and governance models as countries navigate the increasingly complex struggle for digital dominance.</p><div><hr></div><h2>Beyond the U.S.-China Binary: A Multipolar Digital Order</h2><p>An old colleague and dear friend from Singapore once said:</p><p><em><strong>"John, many Westerners see this as a two-player game, China vs. US, but there are many playing their own game entirely."</strong></em></p><p>He was right:</p><ul><li><p>India is developing AI and semiconductor industries to remain independent of both the U.S. and China. Its indigenous chip production is a power move, securing critical infrastructure in global supply chains.</p></li><li><p>Singapore, Japan, and South Korea shape hybrid digital governance models aligned to their economic and security needs&#8212;not merely echoing the U.S. or China.</p></li><li><p>The UAE is emerging as a global AI hub, positioning itself as a neutral bridge among various ecosystems.</p></li><li><p>African nations adopt localised fintech, telecom, and AI solutions, reducing reliance on Western or Chinese platforms.</p></li></ul><p>As <strong>Ian Bremmer</strong> discusses in <strong>Us vs. Them </strong>(Bremmer, 2018), local or nationalistic strategies are remaking global dynamics. Indeed, banning Chinese AI (like DeepSeek) showcases a broader shift: multiple competing digital ecosystems are arising under their own frameworks.</p><p><em>(Possible Bias: We might overemphasise state-level moves&#8212;governments are key, but major private players, civil society, and open-source efforts also shape these ecosystems.)</em></p><p>Yet as these new digital orders form, one question lingers: How does the West respond to restricting China&#8217;s tech? That leads us to the strategic paradox of bans.</p><div><hr></div><h2>The Strategic Paradox: The More We Block, The More China Builds</h2><p>Western policy frequently centres on restricting China&#8217;s access to AI, semiconductors, and cybersecurity tools&#8212;assuming it&#8217;ll slow China&#8217;s ascendancy.</p><p>But it&#8217;s quickening their independence:</p><ul><li><p>Huawei, meant to be hamstrung by sanctions, is now producing 7nm chips (Reuters, 2024).</p></li><li><p>China is &#8220;decoupling&#8221; from Western tech, building its own AI ecosystems, supply chains, and platforms.</p></li><li><p>Through Belt &amp; Road, China extends its digital governance norms across the Global South (Hillman, 2021).</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OmW4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OmW4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 424w, https://substackcdn.com/image/fetch/$s_!OmW4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 848w, https://substackcdn.com/image/fetch/$s_!OmW4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 1272w, https://substackcdn.com/image/fetch/$s_!OmW4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OmW4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png" width="1456" height="855" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:855,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OmW4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 424w, https://substackcdn.com/image/fetch/$s_!OmW4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 848w, https://substackcdn.com/image/fetch/$s_!OmW4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 1272w, https://substackcdn.com/image/fetch/$s_!OmW4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F367a4385-146f-4c4f-96fc-99981249741f_3576x2100.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div></li></ul><p>And it&#8217;s not just China adapting&#8212;everyone is:</p><ul><li><p>Brazil is draughting AI and encryption laws, asserting digital sovereignty.</p></li><li><p>The EU&#8217;s Digital Markets Act is reshaping how global tech giants operate, defining distinct regulatory standards.</p></li><li><p>India, Israel, and South Korea craft AI and cybersecurity policies suited to their national goals.</p></li></ul><div><hr></div><h2><strong>The Five Dimensions of Digital Power (5D2P): A Framework for Strategic Influence</strong></h2><p>Rather than simply reacting to China&#8217;s AI advances, the West must proactively shape the global digital order. This requires a fundamental shift&#8212;from defensive containment to assertive leadership in defining the future of technology. Securing long-term strategic positioning demands investment, innovation, and regulatory influence, not just countermeasures.</p><p>The <strong>Five Dimensions of Digital Power (5D2P)</strong> offer a strategic lens for understanding how nations compete in the modern tech landscape. By examining these dimensions, we move beyond isolated challenges to a comprehensive strategy&#8212;one that strengthens national security, economic influence, and global leadership in an era of digital competition.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Qts3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Qts3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 424w, https://substackcdn.com/image/fetch/$s_!Qts3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 848w, https://substackcdn.com/image/fetch/$s_!Qts3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 1272w, https://substackcdn.com/image/fetch/$s_!Qts3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Qts3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png" width="1456" height="1102" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1102,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Qts3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 424w, https://substackcdn.com/image/fetch/$s_!Qts3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 848w, https://substackcdn.com/image/fetch/$s_!Qts3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 1272w, https://substackcdn.com/image/fetch/$s_!Qts3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f00ba3f-51ba-4036-9fe9-fca856f5299c_5916x4477.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>1. Technology Sovereignty &#8211; Who Controls the Foundations of Digital Power?</strong></h3><p>The first dimension&#8212;technology sovereignty&#8212;centres on control over critical technologies such as artificial intelligence, semiconductors, encryption, and cloud computing. A nation&#8217;s ability to secure and advance these foundational capabilities determines its resilience and strategic autonomy in an interconnected world. Without self-sufficiency in these areas, dependence on external suppliers creates structural vulnerabilities, exposing economies and national security to geopolitical coercion.</p><p>To achieve true technology sovereignty, the West must aggressively invest in next-generation chip design, AI leadership, and cyber security innovation. This will likely require direct government intervention, including strategic subsidies for private firms to ensure technological leadership remains aligned with national interests. The U.S. National Security Commission on AI (NSCAI) Final Report underscores the urgency of these investments, warning that falling behind in AI and semiconductor development could undermine national security (U.S. NSCAI, 2021).</p><p>Meanwhile, China&#8217;s Made in China 2025 initiative showcases how state-backed investment is actively reducing dependency on Western technology. The recent 7nm chip breakthrough by Huawei&#8212;achieved despite U.S. sanctions&#8212;demonstrates how strategic investments can accelerate domestic capabilities (Reuters, 2024). The race for technology sovereignty is not just about innovation; it&#8217;s about control over the digital and economic future.</p><h3><strong>2. Market Influence &#8211; Who Shapes the Digital Economy?</strong></h3><p>The second dimension&#8212;market influence&#8212;determines which nations shape the global AI, cyber, and digital services landscape. Economic power in these sectors isn&#8217;t just about financial gains&#8212;it translates directly into geopolitical leverage.</p><p>A common misconception is that technological dominance is driven solely by state actors. In reality, corporate giants&#8212;from Google and Microsoft to Huawei and Alibaba&#8212;dictate much of the market direction. At the same time, the European Union wields regulatory influence through the Brussels Effect, exporting its data privacy and technology standards worldwide (Bradford, <em>The Brussels Effect</em>, 2020).</p><p>China&#8217;s Belt and Road Initiative (BRI) extends its digital footprint through massive infrastructure investments, embedding Chinese digital norms and platforms across Africa, Latin America, and Southeast Asia (Hillman, 2021). This means digital market leadership isn&#8217;t just about selling AI models&#8212;it&#8217;s about controlling the frameworks that govern AI deployment and global digital infrastructure.</p><h3><strong>3. Governance &amp; Norms &#8211; Who Writes the Rules of the Digital Age?</strong></h3><p>The third dimension&#8212;governance and norms&#8212;determines who sets the rules for AI security, cyber operations, and digital policy. Nations that lead in shaping digital governance don&#8217;t just influence technology; they define how AI is deployed, how cybersecurity threats are mitigated, and what ethical boundaries exist in AI-driven decision-making.</p><p>This competition goes beyond national laws&#8212;it&#8217;s about who establishes global standards. The EU&#8217;s General Data Protection Regulation (GDPR) reshaped how companies worldwide handle data, while China&#8217;s Cybersecurity Law and Data Security Law force foreign companies to comply with Chinese security requirements, embedding Beijing&#8217;s influence into the global digital framework.</p><p>As Ian Bremmer notes in <em>Us vs. Them</em>, the fragmentation of governance models reflects a broader geopolitical realignment, where nations shape digital governance to serve their political and economic interests (Bremmer, 2018).</p><p>While Western democracies prioritise privacy, decentralisation, and open internet principles, China advocates a state-controlled model, exporting digital authoritarianism through its state-backed tech giants (Kai-Fu Lee, <em>AI Superpowers</em>, 2018). The battle is no longer just about which AI systems dominate&#8212;it&#8217;s about which governance frameworks will define the future digital order.</p><h3><strong>4. Supply Chain Control &#8211; Who Owns the Infrastructure of the Digital Age?</strong></h3><p>The fourth dimension of technological competition&#8212;supply chain control&#8212;underscores the critical need for ownership over hardware, software, and essential raw materials, including rare earth elements and high-performance magnets. As Ed Conway notes in <em>Material World</em>, securing these resources is as vital as mastering semiconductor design (Conway, 2023). Without them, even the most advanced chip architectures remain theoretical exercises.</p><p>China currently dominates the global supply chain for rare earth elements, which are indispensable for producing semiconductors, batteries, and AI hardware. This dominance creates a structural dependency that leaves Western technology firms vulnerable to bottlenecks, stalling innovation, and weakening resilience in strategic industries.</p><p>While the CHIPS Act aims to restore domestic semiconductor manufacturing in the U.S., it does little to address the upstream dependency on critical raw materials&#8212;leaving fundamental supply chain vulnerabilities unaddressed. Compounding this risk is the continued reliance on TSMC in Taiwan and Samsung in South Korea for cutting-edge chip fabrication. These dependencies represent a geopolitical chokepoint&#8212;one that could disrupt entire industries if tensions in the Taiwan Strait or Korean Peninsula escalate (Miller, <em>Chip War</em>, 2022). As Chris Miller highlights, whoever controls semiconductor design holds the keys to AI leadership.</p><p>Supply chain control is not just about securing raw materials&#8212;it extends to infrastructure resilience. Dependence on foreign-owned cloud providers, semiconductor foundries, and networking equipment introduces security risks that cannot be ignored. As global supply chains fragment, so too does the digital ecosystem. The once-monolithic internet is splintering along geopolitical lines, reinforcing the urgency of technological self-sufficiency.</p><p>Securing the future isn&#8217;t merely about controlling resources&#8212;it&#8217;s about fortifying infrastructure, diversifying supply chains, and reducing strategic exposure to foreign influence. Without a concerted effort to shore up these vulnerabilities, Western economies risk ceding not just production capacity but also technological leadership itself.</p><h3><strong>5. Persistent Digital Competition &#8211; How Do Nations Secure an Ongoing Advantage?</strong></h3><p>The final dimension&#8212;persistent digital competition&#8212;reflects the reality that cyber conflict and AI-driven rivalry are ongoing, not isolated battles with clear winners and losers. Unlike traditional warfare, cyber operations and AI-enabled strategies unfold in real time, continuously reshaping the balance of power across finance, intelligence, and defence.</p><p>Nations that effectively integrate cyber security, AI-driven intelligence, and strategic disinformation gain a sustained advantage. The U.S., China, and Russia all engage in cyber espionage, influence operations, and AI-enhanced intelligence gathering&#8212;not to achieve immediate victories, but to gradually erode adversaries&#8217; strengths and shape the future digital landscape to their benefit.</p><p>This competition extends beyond national security&#8212;it&#8217;s a struggle for economic and ideological dominance. AI-generated disinformation, financial cyberattacks, and algorithmic decision-making in warfare are no longer hypothetical threats; they are emerging tools of statecraft, forcing governments and industries into a state of continuous adaptation.</p><p>As Jonathan Hillman argues in <em>The Digital Silk Road</em>, China&#8217;s push for digital infrastructure dominance isn&#8217;t just about economic expansion&#8212;it&#8217;s about securing long-term strategic leverage through cyber and AI-enabled influence (Hillman, 2021). In this environment, digital resilience is no longer optional&#8212;it&#8217;s the foundation of geopolitical power.</p><div><hr></div><h3><strong>Shaping the Future, Not Just Defending It</strong></h3><p>It is a misconception to think the semiconductor race alone will determine the outcome of this strategic contest. While chip design and fabrication are crucial, raw materials, open-source innovation, and private-sector influence play equally important roles. There is no single solution that guarantees dominance in this evolving digital landscape.</p><p>If the West hopes to lead, it must move beyond reactive policies like banning Chinese AI models or restricting access to key technologies. Instead, it must proactively define the digital ecosystem, ensuring that democratic values, technological sovereignty, and economic security remain at the forefront.</p><p>Whether through policy, investment, or market strategy, nations must play a long game&#8212;not checkers, but Go&#8212;positioning themselves to set the rules of the next digital age rather than reacting to the moves of others.</p><p>Apple&#8217;s encryption standoff in the UK exemplifies how governments can compel Big Tech to align with national priorities&#8212;touching privacy, autonomy, and global rule-setting. This microcosm captures the larger puzzle: Who truly governs our digital future?</p><p>Beyond AI and cyber, the horizon promises quantum computing, biotech, and outer space technology&#8212;all potential new battlegrounds. If we remain bogged down in reactive bans, we risk repeating these missteps in the next domain.</p><p><em>(Another Bias: We may lean on a zero-sum mindset&#8212;one side&#8217;s gain is the other&#8217;s loss. Yet areas like AI ethics or climate tech could benefit from partial cooperation.</em></p><div><hr></div><h2>Final Thoughts</h2><p>This digital battlefield isn&#8217;t simply about AI&#8212;it&#8217;s about who writes the rules of the 21st century. The checkers-vs.-Go analogy may not perfectly reflect real geopolitics, but it does reveal how short-term tactics differ from sustained strategic power.</p><p>Ultimately, the West must pick: either shape the digital ecosystem with foresight and collaboration or cling to reactive bans that let others dictate the future. As someone bridging Western markets and Chinese perspectives, I believe realpolitik can still incorporate cooperation and innovative ideals&#8212;it simply demands intentional effort to script the next digital chapter instead of reading lines someone else has already written.</p><p>Personally, reconciling my commitment to global collaboration with a security-first lens means recognising that national advantage and collective progress aren&#8217;t always mutually exclusive. We must choose carefully which battles need strict regulation and which areas&#8212;like AI for healthcare or climate research&#8212;benefit from cross-border partnership. Doing so might prevent Apple-like showdowns in the future and allow us to harness technology for a more balanced, cooperative world.</p><p>(Epilogue: Yes, the map isn&#8217;t the territory; real geopolitics is messy and diverse. But if we chase illusions of simple, quick wins, we&#8217;ll overlook deeper supply chain complexities, raw material dependencies, private sector power, and the truth that neither China nor the West is monolithic. Recognising these nuances is the first step in forging a more balanced digital future.</p><div><hr></div><h2>References</h2><ol><li><p><strong>Kai-Fu Lee</strong>, <strong>AI Superpowers: China, Silicon Valley, and the New World Order</strong>. Houghton Mifflin Harcourt, 2018.</p></li><li><p>[<strong>Washington Post article</strong> on Apple&#8217;s encryption backdoor (2025)]</p></li><li><p><strong>Ian Bremmer</strong>, <strong>Us vs. Them: The Failure of Globalism</strong>. Portfolio, 2018.</p></li><li><p>[<strong>Reuters article</strong> on Huawei producing 7nm chips]</p></li><li><p><strong>Jonathan E. Hillman</strong>, <strong>The Digital Silk Road: China&#8217;s Quest to Wire the World and Win the Future</strong>. Centre for Strategic and International Studies, 2021.</p></li><li><p><strong>Chris Miller</strong>, <strong>Chip War: The Fight for the World&#8217;s Most Critical Technology</strong>. Simon &amp; Schuster, 2022.</p></li><li><p><strong>U.S. National Security Commission on AI (NSCAI) Final Report</strong>. March 2021.</p></li><li><p><strong>Ed Conway</strong>, <strong>Material World: The Myth of Progress and the Reality of the Resource Crunch</strong>. [Knopf Doubleday Publishing Group, 2023]</p></li></ol>]]></content:encoded></item><item><title><![CDATA[DeepSeek, Chinese Tech, and the Selective Security Debate: Competing in a Multipolar World]]></title><description><![CDATA[Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity.]]></description><link>https://geopoliticalcyber.johnellis.com.au/p/deepseek-chinese-tech-and-the-selective</link><guid isPermaLink="false">https://geopoliticalcyber.johnellis.com.au/p/deepseek-chinese-tech-and-the-selective</guid><dc:creator><![CDATA[John Ellis]]></dc:creator><pubDate>Sun, 09 Feb 2025 10:03:08 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!U7Em!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote><p><em>Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.</em></p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!U7Em!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!U7Em!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!U7Em!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!U7Em!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 1272w, https://substackcdn.com/image/fetch/$s_!U7Em!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!U7Em!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png" width="1280" height="720" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1568268,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!U7Em!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!U7Em!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!U7Em!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 1272w, https://substackcdn.com/image/fetch/$s_!U7Em!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff900e767-b305-48d4-bb44-0ba4079ca038_1280x720.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h5>Illustration: Ben Jones <a href="https://www.economist.com/leaders/2024/10/10/the-front-line-of-the-tech-war-is-in-asia">The Economist: The front line of the tech war is in Asia</a></h5><div><hr></div><h3>A Lifelong Fascination with the Great Game</h3><p>As a kid, I spent hours poring over world maps, flipping through my Collins Encyclopedia (<em>best present ever</em>), and watching Sean Connery&#8217;s Bond navigate Cold War intrigue (Daniel Craig is my favourite Bond - just). That childhood curiosity evolved into a lifelong study of geopolitics, history, technology, and the great game&#8212;one that has taken me across China for over two decades, studying its language, culture, and philosophy firsthand.</p><p>Some will label me "pro-China" or even "pro-CCP." But I don&#8217;t see this as taking sides&#8212;I see it as understanding the full picture. Actually, in a playful homage to Russell Crowe&#8217;s Oscar acceptance speech: <em>"Cheers to America! May China prosper! Kia Kaha, New Zealand! And thank the Southern Cross for Australia!"</em></p><p>Because let&#8217;s be clear&#8212;this debate isn&#8217;t just about DeepSeek, Huawei, or EVs. It&#8217;s about who controls the future. It&#8217;s about who sets the rules, who shapes the digital order, and who dominates the next era of global power.</p><div><hr></div><h3>Technology as a Contested Domain in the Great Power Competition</h3><p>Technology is no longer just about <strong>innovation</strong>&#8212;it&#8217;s about <strong>leverage, influence, and control.</strong></p><ul><li><p><strong>AI, semiconductors, quantum computing, and data governance</strong> have become the frontlines of great power competition.</p></li><li><p><strong>China&#8217;s rapid advancements</strong> directly challenge U.S. dominance, accelerating the transition toward a multipolar world.</p></li></ul><p>This shift forces us to ask:</p><ul><li><p>Are we adapting to this new multipolar reality&#8212;or just reacting to it?</p></li><li><p>Are we critically assessing AI security risks&#8212;or defaulting to technological decoupling as a tool of strategic competition?</p></li></ul><div><hr></div><h3>The Battle for the Digital Order: Competing Visions</h3><p>This isn&#8217;t just about AI or cyber security. It&#8217;s about who writes the rules of the digital age.</p><p>For decades, the U.S.-led liberal order set the global norms&#8212;open markets, democratic values, and Western-dominated institutions shaping trade, finance, and technology. The West built the system, policed the system, and benefited from the system.</p><p>Now, China is creating an alternative.</p><ul><li><p>Belt and Road Initiative (BRI): Infrastructure projects that bind countries into China&#8217;s economic orbit.</p></li><li><p>AIIB &amp; Digital Silk Road: Parallel financial institutions and tech ecosystems that bypass Western gatekeepers.</p></li><li><p>Technology Standards: China is actively shaping global AI, 5G, and quantum computing norms, often in ways that reflect state control over information and infrastructure.</p></li></ul><p>So when we talk about AI bans, tech decoupling, and cyber security fears, we&#8217;re really talking about who sets the rules for the next era of technology.</p><blockquote><p><strong>Are we prepared to compete on that level&#8212;or are we just trying to stall the inevitable?</strong></p></blockquote><div><hr></div><h3>The Selective Security Debate: Why Only Chinese Tech?</h3><p>We&#8217;ve seen this playbook before:</p><ul><li><p>Huawei &amp; ZTE &#8211; Huawei spent years under UK National Cyber Security Centre (NCSC) scrutiny, yet was banned&#8212;not due to technical flaws, but geopolitical distrust. ZTE faced similar scrutiny, based more on state ties than clear evidence of wrongdoing.</p></li><li><p>Chinese Electric Vehicles (EVs) &#8211; Now facing scrutiny over connected systems that supposedly pose security risks.</p></li></ul><p>Yet we blindly trust connected vehicles from Tesla, Hyundai, Toyota, and BMW&#8212;all of which regularly send data offshore and have already been compromised by cybercriminals.</p><p>I drive a Subaru, and I'm not exactly thrilled about the latest security incident: <a href="https://www.wired.com/story/subaru-location-tracking-vulnerabilities/">Wired: Subaru Location Tracking Vulnerabilities</a></p><p><strong>Why are Chinese EVs framed as an existential security risk, while others aren&#8217;t?</strong></p><blockquote><p><strong>Is this about cyber security&#8212;or about geopolitical trust?</strong></p></blockquote><div><hr></div><h3>Cyber Operations: A Contested Domain That Won&#8217;t Disappear</h3><p>One of the most na&#239;ve assumptions in this debate is that cutting off Chinese AI or banning its technology will make us "more secure."</p><p>The reality? Cyberspace is a battlefield&#8212;always has been, always will be.</p><ul><li><p><strong>Cyber Persistence Theory</strong> (<em>Lindsay, Fischerkeller, &amp; Harknett</em>) argues that cyber competition is <strong>constant, not episodic</strong>&#8212;states don&#8217;t wait for war to conduct cyber operations. They engage in persistent campaigns of intrusion, influence, and exploitation. <a href="https://academic.oup.com/book/41918">https://academic.oup.com/book/41918</a></p></li><li><p><strong>The International Institute for Strategic Studies (IISS)</strong> confirms that every <strong>major nation-state</strong> engages in <strong>cyber operations</strong>&#8212;not just China, but also the U.S., UK, Australia, Russia, Iran, and others. <a href="https://www.iiss.org/research-paper/2022/02/great-power-offensive-cyber-campaigns/">https://www.iiss.org/research-paper/2022/02/great-power-offensive-cyber-campaigns/</a></p></li></ul><p>This means that while concerns over Chinese cyber activities are valid, pretending that blocking Chinese AI or EVs eliminates cyber risk is delusional.</p><p>Because let&#8217;s be real:</p><ul><li><p><strong>China engages in cyber espionage?</strong> Yes.</p></li><li><p><strong>The U.S. engages in cyber espionage?</strong> Also yes.</p></li><li><p><strong>The U.S. and its allies conduct persistent cyber operations against adversaries?</strong> Absolutely.</p></li></ul><p>If we&#8217;re serious about national security, we need proactive cyber resilience strategies, not knee-jerk bans that give a false sense of security.</p><div><hr></div><h3>Who Profits From the Fear Narrative?</h3><p>A more uncomfortable truth is that some actors profit from portraying cyber security as an absolute, existential crisis. This isn&#8217;t to downplay real threats&#8212;but who benefits from certain narratives?</p><ul><li><p><strong>The cyber security industry thrives on fear</strong>&#8212;the more catastrophic and unsolvable the threats appear, the easier it is to sell security solutions, services, and consultancy.</p></li><li><p><strong>The intelligence and defense sectors benefit from heightened tensions</strong>, which drive investment into offensive and defensive cyber capabilities.</p></li><li><p><strong>Policymakers use cyber security fears to justify restrictive policies</strong>, sometimes for economic protectionism rather than genuine security concerns.</p></li></ul><p>China&#8217;s rise in AI, EVs, and quantum computing is a challenge, but is it an existential threat that justifies shutting down engagement? That&#8217;s a stretch.</p><blockquote><p><strong>Fear sells. But is it strategically wise?</strong></p></blockquote><div><hr></div><h3>The Path Forward: Compete, Don&#8217;t Avoid</h3><p>China is shaping the future of AI, connected vehicles, and the global tech order&#8212;whether the West likes it or not.</p><p>The challenge isn&#8217;t avoiding AI like DeepSeek or banning Chinese EVs&#8212;it&#8217;s learning how to engage with China&#8217;s rise strategically, without escalating into all-out technological confrontation.</p><p>Instead of retreating into binary narratives, we should be asking:</p><ul><li><p>How do we create rigorous AI evaluation frameworks that apply to all technologies&#8212;regardless of origin?</p></li><li><p>How do we maintain leadership in AI without knee-jerk protectionism?</p></li><li><p>How do we compete intelligently instead of reacting out of fear?</p></li></ul><p>This is where <strong>Graham Allison&#8217;s Thucydides Trap</strong> becomes relevant&#8212;history shows that when a <strong>rising power (China) challenges an established hegemon (U.S.), tensions escalate</strong>&#8212;often to <strong>the point of conflict.</strong> <a href="https://www.hks.harvard.edu/publications/destined-war-can-america-and-china-escape-thucydidess-trap">https://www.hks.harvard.edu/publications/destined-war-can-america-and-china-escape-thucydidess-trap</a></p><p>However, <strong>Kevin Rudd&#8217;s The Avoidable War</strong> offers an alternative view&#8212;that this competition can be strategically managed through engagement, diplomacy, and clearly defined red lines. <a href="https://www.hachette.com.au/kevin-rudd/the-avoidable-war-the-dangers-of-a-catastrophic-conflict-between-the-us-and-xi-jinpings-china">https://www.hachette.com.au/kevin-rudd/the-avoidable-war-the-dangers-of-a-catastrophic-conflict-between-the-us-and-xi-jinpings-china</a></p><div><hr></div><h3>Conclusion: Compete or Concede?</h3><p>The rise of Chinese tech isn&#8217;t a threat to be avoided&#8212;it&#8217;s a challenge that demands intelligence, innovation, and strategic competition.</p><p>If the West chooses fear over engagement, it won&#8217;t just be losing the AI and tech race&#8212;it will be conceding its leadership in the future of global technology.</p><p>Because if "block China" is the best strategy we can come up with, then we&#8217;re not leading. We&#8217;re reacting. And if we&#8217;re only reacting, we&#8217;ve already lost the initiative.</p><p>The question isn&#8217;t whether we trust Chinese tech&#8212;it&#8217;s whether we trust ourselves to lead the future of global innovation.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://geopoliticalcyber.johnellis.com.au/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading John&#8217;s Substack! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item></channel></rss>