🛰 #BigHack and GEs Downturn – VUCA Observatory #26

Hoo boy. The denials to Bloomberg’s Big Hack story have come in, and the sound of “No” is deafening, with Amazon, Apple, the DHS, and the GCHQ all in unison proclaiming: the Bloomberg story’s bogus. So what’s going on?

To recap: Bloomberg published a story detailing upstream supply chain compromise of critical infrastructure in the US. The gist of the story is: the Chinese suppliers of motherboards for US firm Supermicro got infiltrated by Chinese security services and coerced into adding a chip onto these boards (selectively, not wholesale, as apparently there was enough visibility into which boards would end up where), which could alter the boards firmware and allow remote access onto the hardware, hence escaping any intrusion controls built into software running on the boards. The Bloomberg story portrays both Apple and Amazon as potential victims, along with several three-letter US agencies.

And while the denials are atypically strong, the accusations made in the report reverberate across the industry. Of course, Apple and Amazon would deny this, the thinking goes, otherwise nobody would trust their cloud services anymore. And it is striking that Google announced a custom security chip last year, codenamed Project Titan, which seems tailor-made to counter exactly this threat vector. Project Titan and similar approaches speak to the need to embed security even in the hardware. If you’re compromised in hardware, there’s not much you can do in software.

And yet we’re overindexing on one highly-specific scenario which seems targeted enough to not even tough the broad majority of users, while the steps taken to further secure everyday users draw ire due to the trade-offs involved. Case in point: Apple restricting the functionality of its Operating Systems if the hardware has been tampered with.

Apple instituted this policy when it first launched its TouchID authentication system which relies on a custom cryptographic chip called SecureEnclave. To make interception of fingerprint data between the TouchID reader and the secure enclave impossible, these components get coupled at manufacturing time. This means that later repair of replacement of the TouchID sensor results in TouchID not working, as the SecureEnclave doesn’t find its coupled sensor attached to itself. With the SecureEnclave spreading to more Apple platforms, these security precautions do, too.

Security is hard, and usually exploits are found in the software supply chain (back in March ‘17 we talked about outdated JS libraries which present security issues), or poorly secured IoT devices lateraling into infrastructure, so the intentionality of the #BigHack story almost is refreshing.

GE fired its shortest-serving CEO last week. John Flannery, who took over the reins from Jeff Immelt amidst activist shareholder pressure and declining market capitalization held onto his post for just 14 months. Jeff Immelt, on the other hand, served far longer, overseeing a bumpy 17 years at General Electric’s helm.

It was Immelt who, not long ago, featured prominently in Michael E Porters attempt to translate his Five Forces into the digital age. It was Immelt who said that every industrial company needs to become a software company, and arguably attempted as much with GE’s Predix platform. And yet, GE is failing.

Partly to blame are misguided bets in the energy sector. The long shadow of decarbonization is slowly beginning to hit, and the Alstom acquisition took valuable attention and money away from the fast-growing wind business and diverted it into technology for gas, coal, and nuclear powered plants. In a way, it’s the fast moving structural change that so often is discounted early on that broke the back of the GE-Alstom deal.

I’ve long argued that we’re underestimating the speed of change in the energy industry, and that GE’s power business is the anchor that threatens to sink the ship seems to validate this notion.

On the other hand, at the core of GE are management techniques that are the pinnacle of the Industrial Age. BCG developed its 2x2 Matrix (can you spell “Rising Star”?) to clean up GE’s portfolio and help it prioritize. But the GE model of its centralized planning is ill-fit for a dramatically changing world, and not made for fast feedback loops enabled by digital technologies. That’s why Predix always felt ill at ease at the blue giant.

But in a way, what GE’s doing is a bellwether for many more industries and companies that will follow similar fates. Just as the conglomerate approach was made popular by GE and emulated far and wide, so will the the pendulum swing back in face of structural challenges brought about by digital and energy.

That’s it for this week.

As always, I’d love to hear what you think.

Also, could you do me a favor? Could you forward this newsletter to two people whom you think would enjoy it? This newsletter grows by word-of-mouth, so your recommendations are invaluable.

Thank you, and until next week!

Martin

———-

The VUCA Observatory is published by Martin Spindler (@mjays). Martin is a Senior Strategist at hy - the Axel Springer Ecosystem firm.