What Cults In Our Midst can teach us about risk: Cyber Industrial; Hack Back; Chips and China; Big Budgets
The Communist process of ridding people of their old belief system was called colloquially ‘hse nao,’ which literally means ‘wash brain’
- Margaret Singer
Risk Developments this letter:
Chips and China
Cults, Coins and Companies
Is Bitcoin a cult or a religion? Is it a belief system or a technology? Is it a bubble or the birth of a new asset? The answer depends on who you ask, but while I’m picking on Bitcoin here, these questions can be asked of any fast-growing and novel cultural phenomenon, and ex ante the answer isn’t always as clear as we might think. This is the primary lesson of “Cults In Our Midst.”
Originally published in 1996, “Cults…” mostly details the cult phenomenon of 1960s and 70s America, although it also includes a section on cults in the workplace, a nod to the Clinton-era business positivity and dot-com culture of the 1990s. Besides the obvious necessity of only being able to study the past, the emphasis on the 60s and 70s is because those decades were the heyday of cults. The breakdown of social norms and a general mistrust of traditional institutions, hierarchies and values created a vacuum that many people were attempting to fill. Unscrupulous, charismatic and psychologically savvy cult leaders began creating new patterns of living based on a mix of eastern philosophy, interrogation techniques and psychological findings. It was the combination of a vulnerable population and the spreading of improved mind control techniques that led to this cult boom. The framing of the book suggests that cults are ever present, but their earliest incarnations are well known and avoidable.
I’m not so sure. For one thing, it’s getting harder and harder to differentiate a cult from a social movement. “Cults…” defines a cult as having three factors: an origin story and leader, a power structure and a coordinated program of persuasion (thought reform or brainwashing). This sounds an awful lot like a startup or a political movement to me. To further separate the pejorative cult from other movements, Singer focuses mostly on the abuse of power and willful manipulation through persuasion techniques. Using Robert Lifton’s eight criteria of totalism we learn to watch for totalizing techniques such as:
Demand for purity
Doctrine over person
Dispensing of existence
While some of these, “mystical manipulation” for example, may be harder to identify outside of traditional religious cults, Lifton defines it as being persuaded that one is chosen or special. This kind of manipulation is hardly uncommon in startups, investment schemes or other movements. In marketing class we once watched a 60 Minutes segment on Mary Kay. Is it a cult? Hard to say.
What does this have to do with risk? Well, despite the obvious cryptocurrency news that we’ll get to later, it is related to the theme from last week: risk does not equal volatility. Risk is a permanent loss; it is the inability to recover. The mass manipulation found in early cults, and perfected today on a wider scale, has the potential to lead to unrecoverable damage.
Startups are notoriously cult-like, but while the company may never recover, individuals can move on to new phases of their careers. Investments in novel means of organizing capital, such as cryptocurrencies (or joint stock companies for that matter) may go to zero, but a portfolio of uncorrelated assets can continue to produce returns under various states of the world.
The challenge then is one of monoculture. When everybody does the same thing and not only are ideological deviations rare, but actively discouraged, organizations, economies and institutions fall victim to their own blind spots. As cryptocurrencies become the norm people will come to recognize them not as odd outsider behavior, but as fully blown belief systems:
Here I’d like to turn to a subject not covered in the book, cargo cults. Here we have cultish behavior without the psychopathy Singer commonly ascribes to cults. Mimicry is a key form of social pressure cult leaders use to cultivate a following, but it is also a spontaneously occurring phenomenon. So what to make of these leaderless cults, or, if you’ll excuse my coining a phrase, autonomous cults?
A power structure with a built in system of persuasion is just a hierarchy looking for a leader. Religions, companies, nations and movements often transition leadership, and one way to understand whether something is a cult is the degree to which one person can gain control over it. Nations can develop cults of personality, company mythologies can idealize and idolize a leader and belief systems can be abused for personal gain. To the extent that something is not a cult, it is because no one person can gain control of the system.
Last week’s Colonial Pipeline news continues to unfold as the biggest event for the cybersecurity world since SolarWinds, just a few months ago. The difference between reactions to the former, which had effects felt by many outside of cybersecurity, and the latter, which was arguably a bigger deal for those in the industry, is stark. The effects may have been more psychological than logistical, though, given the panic buying and a reasonably quick recovery. Still, the idea that cyber can do things in the real world has breached public consciousness, and that’s perhaps the biggest news.
One related industry that has seen a lot of herd-like buying behavior is construction and lumber. It’s a lot harder to imagine how construction and manufacturing get shut down by a cyber attack, but this article about poor security in construction is trying. The key thing to remember about the Colonial Pipeline shutdown is that the flow of oil was turned off by the company because billing was shut down due to the breach of IT systems, not because of an Operational Technology failure. In the part of industrial and manufacturing that typically does spend a lot of time and money on cybersecurity (defense), the billing is discontinuous, opsec is taken semi-seriously and products undergo rigorous testing. It’s much easier for attackers, whether they be criminal or nation-state actors, to go after the weakest point in the system (for more on this see Byrne Hobart’s excellent Diff writeup on cyber liability).
Preying on the weak, as cults do, is a positive selection game. It’s hard to disrupt systems where the good risks willingly walk in the door. One solution that is often bandied about is to go after the bad actor directly on behalf of the victims. The perpetrators of the Colonial Pipeline attack, DarkSide, suddenly disappeared after the attack. Their servers shut down, their franchise program closed and they left debts to their affiliates unpaid. It’s unclear whether this was the action of the U.S. government (official spokespeople do not comment and former advisors deny it as a possibility), a private entity, another government, or self-imposed. If it is either the U.S. or Russian government, that greatly changes what we know about nation-state capabilities and partners. If it’s a private entity, that is interesting, and if it’s self-imposed, as threat researchers hypothesize in the article, get ready for things to continue to get worse.
One often overlooked aspect of the hack back argument is that attackers can hack back too. Deterrence in cyber is already hard enough with attribution issues, but escalatory actions would only make things harder. Some Asian divisions of the French insurance conglomerate AXA suffered a ransomware attack after declaring that they would not pay out insurance claims for ransomware targeting French companies.
I’m not claiming that AXA made the wrong move here, but only that attacker motivations matter. In some ways it’s evidence that insurance companies should take a hard line regarding ransomware; after all, it did seem to bother the ransomware gangs. One option we’ve discussed before is self-insuring by holding bitcoin on the balance sheet. Another is for governments to step in and provide subsidies, as they do for terrorism or flood insurance, but because governments can’t print bitcoin, that would just cause the price of bitcoin to climb.
The best move is to improve national cybersecurity defense, but that is a big challenge in many different ways. From chips to trade laws, company incentives and information asymmetries, there are a lot of problems to solve.
Chips and China
U.S. Senate Democrats are proposing a $52 billion semiconductor production bill aimed at bringing chip manufacturing back to the U.S. Supply chain risks to both logistics and cybersecurity have come front and center over the past year, kicking off an arms race in chip design and production between the U.S. and China.
The rest of the bill includes $100 billion for basic science research in fields like AI, quantum computing, 5G and other buzzy topics. The trade-focused amendment has been watered down as Biden resists Republican attempts to remove Trump-era tariffs and meddle in executive branch decisions about the U.S. Trade Representative post. While the political process is painful to watch, in the U.S. it’s at least still one where nobody is in control.
We’ve spoken a lot about cybersecurity recently, in part because that’s where the money is. Gartner’s newly released cybersecurity spending forecast puts the 2021 prediction at $150 billion, up some $26 billion from last year’s estimate, which predicted a slight deceleration due to covid. Clearly that prediction, made about this time last year, did not turn out to be correct. Does this mean we’re more cyber secure than we expected to be last year? The value of the marginal cyber dollar is still the most under-discussed question in the industry.
Another budget explosion is coming from the insurance challengers, known as insurtech, funded by some $2.2B of venture capital. A similar question arises here. What is the marginal value of the VC insurtech dollar? If the pitch decks are to be believed, better underwriting through AI and big data is going to provide a competitive advantage versus incumbents, but if it’s all spent on marketing, we may just end up with the same results for more money. Sound familiar?
Big thanks to Byrne Hobart, Geoff Lewis, Jeremiah Grossman and others for sharing your ideas!