Invisibility and the Dragon
What The Invisibility Cloak can teach us about risk: Ransom Where?; Insurance Thinking; Contemporary Monetary Theory; Cyber Equity; Regs With Legs
Tell me, what’s the most valuable thing anybody can ever have? It’s their life, isn’t it? But you can hold onto it as tightly as you can for every waking hour, and you’ll still have to let it go when the time comes, won’t you?
- “The Invisibility Cloak”, Ge Fei
Risk Developments this letter:
Ransom Where?
Insurance Thinking
Contemporary Monetary Theory
Cyber Equity
Regs With Legs
Surviving Modernity
In 1980’s China, author Ge Fei came to fame as the founder of contemporary Chinese fiction. It was the time of market-economy reform, the end of Maoism, a period of opening up to the world and an era of tentative freedom. Despite Ge Fei’s prominence in avant-garde literary circles, he did not frequently participate in public events and took a break from writing novels in 1994. In 2012 he published “The Invisibility Cloak” and in 2016 he burst onto the Western literary scene, when Canaan Morse translated it for English speakers. Still, Ge Fei keeps a low profile preferring to spend his time teaching and heading a Chinese Literature department. In fact, Ge Fei is not even a professor of literature, but a pen name used by Liu Yong a professor at the prestigious Tsinghua University (frequently called the MIT of China, which boasts alumni such as president Xi Jinping). Explaining the enigmatic novella “The Invisibility Cloak” is difficult, but knowing this background and split personality helps just understand what he is trying to say about society, capitalism, technology and risk.
In just eleven chapters, Ge Fei manages to envelop the reader in modern Beijing, with its juxtaposition of gritty noir with shiny materialism. It is a city full of strivers, grasping materialists, tenuous friendships, hollow intellectualism and the odd stubborn resistor, like the main character, Cui (pronounced Tsuay). The novel is fairly light on plot. Cui makes ends meet by sporadically building audio systems for the rich. Facing potential eviction, Cui asks his estranged friend, Jiang Songping, to crash at his garment factory. Jiang, rebuffs the favor and instead offers Cui a shady, but wealthy client, who may be a criminal, named Ding. Cui briefly considers marrying a kind but homely friend of his sister’s before deciding to sell everything he has and do one last job for the gangster. When the gangster vanishes before paying, Cui finds a mysterious woman occupying the mansion where he installed the audio system.
What the novel lacks in plot, it more than makes up for in character development. Cui, divorced and in his forties, spends much of the book reminiscing about the past. He lives with his sister and her loutish husband, but many of the scenes happen in his memory, with his ex-wife, his dead mother or his erstwhile friend. A relic from a different time, Cui never gets up before 10AM, refuses to wear t-shirts and despises modern technology, especially poor quality, mass produced audio equipment made after the 1990’s, a “golden age for audiophiles.”
The sets of characters in the book can be described by two character traits, reliability and dependence, as they relate to Cui. He depends on his family and friends, but they are unreliable. He cannot depend on the Beijing intelligentsia, who make up a shrinking portion of his clients, but they are reliable. His fellow audiophiles, who he buys and sells parts with are reliable, and he depends on them. This leaves the remaining characters, the wealthy and mysterious, as characters he does not depend on and who are unreliable.
The first set of characters, family and friends, represent betrayal. The failing moral system, and confucian backbone of Chinese society, that focused on the family for thousands of years, is being torn apart by modernity. When he seeks out Jiang, now a company CEO, for a bridge loan, Cui is berated, and Jiang bitterly terminates their lifelong friendship. Cui discovers his own sister is lying to him, claiming her husband is beating her because Cui won’t move out. His ex-wife casually suggested a divorce noting that she was already sleeping with someone at work. Finally, even Cui’s own parents were unreliable. His dad lay down and died while working and his mother passed away before warning him that his wife was too pretty to be faithful to him.
The second set of characters, the educated and elite, lawyers, politicians and professors, are reliable, polite and always pay on time, but Cui finds them sanctimonious, ethically vacuous and logically inconsistent. They “are supposed to be the people who take on the world’s problems as their own, who shoulder the world’s burden,” but they are more obsessed with showing off their taste and lecturing about the ills of society. They are predictable, and their tastes follow fashions, which makes them reliable customers, if one can put up with their pontificating.
The third set of characters are Cui’s fellow audio system makers. He has never been swindled in a deal with buyers and sellers of high-end audio equipment, despite sending money over the internet to many different countries. Cui breaks the fourth wall to explain,
In an age where scams and cons are so common… you have to admit… such a standard of trust is a miracle…. No doubt our community is still a haven. I personally attribute this to the higher than average ethical conscience among members of the community, shaped by the influence of classical music on human character (“The Invisibility Cloak”, 80).
These people trade technology from the 90’s and live by a code of honor, but being dependable is quickly going out of style.
The final set of characters, the kingpins, are lacking in taste, but commission audio systems from Cui without pompous lectures and don’t pretend to know hi-fi systems better than him. These are the big fish that can support Cui for months at a time. Ding, the biggest of these big fish, lives in Sleeping Dragon Valley, as if to say that only he can pacify the Dragon. While extraordinary and dangerous, Ding is not dependable. Unlike the intellectuals, the bosses cannot be trusted to pay. This description may seem unflattering, but it is their lack of pretense that is admirable and while reliability is often seen as a benefit, it is also a constraint. The business owners’ unreliability also offers uncapped upside. In financial terms it’s a call option, a payoff with asymmetric upside.
In the modern atomized China, family and friends cannot be depended upon, the elites are mediocre, and the number of makers is shrinking. The only way out is to refuse to play by the rules. This echos “The Forest Passage” by Ernst Jünger, which I wrote about last week. Jünger’s Forest Rebel does not outwardly protest, but turns inward to find the weakness in the Leviathan's armor and strikes at that joint. Liu Yong uses invisibility cloaks to avoid the Dragon. As Byrne Hobart pointed out last week, anonymity is a free call option. If you are pushing the envelope of criticizing the government, it’s always good to do it anonymously, but if it becomes wildly popular, you can exercise your option, revealing your identity, safe in the knowledge that you’re too big to jail. When Ge Fei originally became popular, reforms were watering down the cultural revolution and hopes were high for market and civil liberties reforms. Since the implementation of the cultural revival, that hope for free expression has abated.
Ge Fei is writing again and now from his position of authority, he has a platform, if not the same liberties, which explains his nostalgia for an earlier era and his distrust of technology. While the Forest Rebel and the Invisibility Cloak share much in common, including deep introspection, there is at least one key difference between the two. The Forest Rebel turns inward for spiritual sustenance to take down the Leviathan, but the Invisibility Cloak turns inward to escape the Dragon. It is explained to Cui how he can go on living in such a confusing world:
You should understand that nothing in this world is ever truly clear. If life is crazy, let it be crazy! If you tried to live every single detail of your life with perfect clarity, you surely wouldn’t even make it through the first day, Try to be perfect, and where’s the fun?
Risk Developments
Ransom Where?
The FBI’s annual Internet Crime Report is out, and complaints are way up (69% YoY) as are losses (20%). Business email compromise is still the leading type of incident, but ransomware is growing fast. The FBI also notes that it vastly underestimates the damage from ransomware because it does not count any business interruption loss or remediation costs and victims are often reluctant to report paying ransom to the FBI, which discourages the practice.
Another report by the Cisco Talos Incident Response team noted the dramatic rise in ransomware is supported by commodity trojans, open source software and victims’ own infrastructure. Byrne Hobart wrote about the Sierra Wireless ransomeware incident, noting that now tangible losses are being felt, leading to a continued rise in cybersecurity spend.
One more bit of ransomware news is that electronics manufacturing behemoth Acer was hit with a $50M ransomware attack perpetrated by a REvil group; the largest known ransom to date. At a time when NFTs (Non Fungible Tokens) and crypto art sets all time price highs, the original cyber art is keeping up. The industrialization of cyber crime has been a long time coming, and as compliments continue to be commoditized, the trend will continue.
At one point in “The Invisibility Cloak” Cui asks the mysterious woman inhabiting Ding’s mansion how she ended up there and she offhandedly remarks that she was taken hostage, just like him. Cui protests, unconvincingly, that he did what he needed to do; he is a free man. In some sense, when you’re down to your last option, you are a hostage, but as victims who pay up and don’t get restitution know, it is only when you exhaust even your last option that you can truly be free.
The view from the attacker side is fascinating in this interview with the REvil group’s “Unknown.” The political economy of cyber crime is an underrated topic, and is critical to understanding the future of risk. The topics “Unknown” covers include why REvil attacks targets outside the Commonwealth of Independent States, how the affiliate business model works, ransomware as a cyber weapon (and why it doesn’t get much use) and cyber insurance. Here’s an excerpt:
DS: Do your operators target organizations that have cyber insurance?
UNK: Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.
Insurance Thinking
Speaking of targeting cyber insurance holders and then carriers, themselves, CNA, one of the biggest underwriters of cyber insurance, was hit with an attack that forced them to disconnect their systems. Not much more news about this today, but their stock is trading flat as of mid-day today. Another insurance giant, Willis Towers Watson (WTW) is offering a new cyber product to the energy industry. As the second biggest broker in the world, they have a good perspective across industries and know that securing legacy grids and devices in the energy industry is a much different problem, with a different distribution of losses, than securing networks and applications in the financial services industry.
Two other large insurance companies with prominent cyber lines, Chubb and The Hartford made insurance news with an acquisition offer that was quickly rebuffed. Both companies have been pioneers in applying deep technical expertise to insurance problems. The Hartford was a major innovator in developing and popularizing controls for steam boilers, which I’ve written about here. Chubb created a set of for-profit technical schools in the 1970’s that ultimately failed but intended to train people to work in the IT field.
In terms of anticipated risks, CNA certainly should have been more aware of their own risks, and brokers like WTW have had visibility to see that that cyber risk should be underwritten separately from general business risks. Chubb also experienced a breach last year. So what gives? One explanation is that the front office and the back office don’t share information. Another is that insurers, who are short cyber risk, don’t believe cyber risks are that bad (otherwise, they would be long), or at least that the risk can be diversified away.
Risk expert and SIRAcon board member, Tony Martin-Vegue, has a great new post up on part one for future proofing risk models, that may provide another explanation; the “the vulnerability du jour.” His three rules are no specifics, quantify uncertainty and embrace the possible. Everybody is subject to “it won’t happen to me” bias and this is only compounded by the false relationship between impact and probability. Humans are not naturally statistical thinkers and we struggle with the difference between a 0.0001% chance of a catastrophic event and a 0.001%, even though the latter is ten times as likely.
As society continually reduces mundane risks, we come to rely less on our personal relationships and rely more on the institutions that hold up our complex emergent systems. Over-reliance on scholars, lawyers and politicians leads to shocks when exotic and speculative risks emerge. These cracks in the system are inevitable as seeds of the next crisis are often sewn by the solution to the last one. The key, as Cui learns, is to flow with the crises, not against them.
Contemporary Monetary Theory
We’ve talked some about the history of money, decentralized banking and The Fed. What we haven’t addressed directly is Post-Keynsianism and Modern Monetary Theory. As a coherent school of economics, it’s hard to tie together. As an observation about how the Federal Reserve is a defacto branch of government that will always fund the Treasury Department, it has become a matter of fact.
Cyber Equity
Cyber equity financing news came fast and furious this week. Risk analysis and cybersecurity firm QOMPLX is going public via a SPAC. The oldest bank in America, BNY, invested in Fireblocks, a crypto custodian, and will be rolling out services using their product. Private equity firm, KKR is taking cybersecurity training company KnowBe4 public in an IPO and Fortinet acquired cloud security startup ShieldX.
Equity financing is not a source of capital one can depend on, but it is reliable. When it’s hot, it’s sweltering and when it’s cold it’s freezing. This goes for times as well as sectors. The key is always to time that last job and the key to timing is having the option to walk away. That’s real freedom.
Regs With Legs
Unlike equity capital markets, one thing you can’t (usually) walk away from are regulators. The EU put out a new Cybersecurity Strategy which says all the right things about providing a public good like national security, but top down approaches are difficult to pull off, and coordinating EU member states on norms, laws and information sharing will not be easy and may prove impossible.
Meanwhile, The New York Department of Financial Services (NYDFS) settled with Residential Management Services Inc. in the second ever cyber enforcement action. The settlement is for a paltry $1.5, compared to the $5B in loans they process annually (my back of the envelop estimate is $100M in revenue on processing fees alone). Another term of the settlement is submission of an incident response plan, which seems like the least they could ask for. Maybe some systems remediation and preventative controls would be more helpful? Still, any progress is good progress. Small concrete steps in the right direction, however feeble they may be, are better than pontification by those who “are supposed to be the people who take on the world’s problems”
Gratitude
Big thanks to Byrne Hobart, Canaan Morse and Tony Martin-Vegue for sharing your writing and providing inspiration throughout this piece.