The Lock & Key Lounge — RIFF Edition 3, LIVE in Saudi Arabia

Join Navroop and his guest Emma Wright, Crowell & Moring's Global Co-Chair of Privacy and Cyber,
live in Riyadh, Saudi Arabia, as they continue their discussion over dinner and mocktails
right on the heels of their speaking session at Black Hat MEA 2025. This RIFF session is an
unscripted discussion further unpacking how cybersecurity and resilience planning may be
affected by shifting geopolitics, threats of nation-state sabotage, and sanctions. Navroop
and Emma unpack these ideas across the people, technical, and legal dimensions so that
cybersecurity SaaS providers, and their multinational customers, can design for both
infrastructure sovereignty and data sovereignty without losing market access or operational
continuity.

  1. Sovereignty has two distinct layers: Infrastructure sovereignty (can the service operate when cut off?) vs. data sovereignty (who lawfully accesses what data, under which jurisdiction?). Designing for both determines whether you can keep operating under stress.
  2. Europe is pushing “build-local,” but resilience—not just privacy—is the new center of gravity. GDPR set the privacy baseline; NIS2 and DORA move the focus toward operational continuity when systems are attacked or unavailable. The EU is also exploring simplifications to GDPR while doubling down on resilience.
  3. Nordics and parts of mainland Europe are increasingly wary of exclusive reliance on U.S. SaaS; the UK remains more aligned with U.S. partners. This split shapes procurement, hosting expectations, and pressure for sovereign deployments.
  4. Market reality check: You can’t “home-grow” every capability. A pragmatic path is localized operation of global services—so you retain breadth of capability while meeting local resilience/sovereignty expectations.
  5. Resilience ≠ policies on paper. Many organizations still default to consumer apps (e.g., Signal/WhatsApp) during incidents, which lack enterprise controls for access, lifecycle, audit, and privilege. Counsel-directed, governed OOB communications should be pre-planned.
  6. Design for two very different disruption modes: Blackout/cut-off (dark fiber/cables, routing isolation); Sanctions/compelled action (you’re told to suspend service). The legal, technical, and operational playbooks—and the timelines—diverge sharply.
  7. DNS & client re-pointing are table stakes. Architect clients to accept alternate resolvers/entries so they can pivot to a local endpoint if global DNS or upstreams fail. Pre-test that the switchover actually works.
  8. Keep a narrow, assured admin path for patching and support. Maintain a low-bandwidth, out-of-band administration channel (e.g., satcom) so security patches/config updates can still flow to sovereign instances when primary networks are impaired.
  9. Escrow beyond source code—think domains and control points. Define what sits in escrow (e.g., domain/URL, keys), trigger events for release, and two-way return conditions when normal service resumes. Align these with SLAs and payment obligations.
  10. Assume “canaries” may be illegal or impractical. Where signaling compelled action is prohibited, pre-agree two-key (dual-control) operations for defined actions so neither party can unilaterally flip a switch—and document how that works under stress.
  11. Force majeure isn’t a get-out-of-jail-free card. Clarify which obligations fall away during cut-offs and which must persist (e.g., local support, limited continuity services, payment mechanics). Revisit these clauses as geopolitics and regulation evolve.
  12. Tabletops should measure time-to-pivot, not just box-checking. Include injects that test: onboarding externals, unknown third-party joins, DNS/client re-point, OOB comms activation, and privilege notices—then capture hard metrics for readiness.
  13. Skills and partner capacity are constraints. Your sovereign design must match on-the-ground operator capability; otherwise, even the best legal/technical architecture won’t hold in practice.
  14. This is an evolving playbook. SLAs, legal constructs, and technical patterns are iterating in real time as markets, laws, and threat models shift—plan for update cycles, not one-and-done designs.
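Takeaway 10 above describes two-key (dual-control) operations for a pre-agreed switch. The block below is an added example, not code from the podcast, from Crowell & Moring, or from any vendor's product: a verifier that lets a defined action (constructed name "suspend-sovereign-instance") take effect only when both pre-agreed parties have approved the same action instance inside a bounded window, with stale, forged, mismatched and duplicate approvals refused. Party names, keys and the action name are constructed placeholders, and HMAC with per-party shared secrets stands in for per-party signatures so it runs on the standard library alone.

```python
"""Dual-control ("two-key") authorization for a pre-agreed switch.

Added example illustrating takeaway 10; not the podcast's or any
product's code. HMAC stands in for per-party signatures here so the
block needs only the standard library. In a real deployment each party
would sign with its own private key, so that neither the verifier nor
the other party could forge an approval.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# The two parties whose independent approval is required (constructed).
REQUIRED_PARTIES = frozenset({"provider", "local_operator"})

# Approvals older than this are ignored, so a stale approval cannot be
# replayed later to flip the switch a second time.
APPROVAL_TTL_SECONDS = 3600

# Constructed demo secrets. Each party would hold only its own key.
PARTY_KEYS = {
    "provider": b"constructed-provider-key",
    "local_operator": b"constructed-operator-key",
}


@dataclass(frozen=True)
class Approval:
    party: str
    action: str      # which switch, e.g. "suspend-sovereign-instance"
    action_id: str   # which specific instance of that switch
    issued_at: int   # unix seconds
    mac: str         # hex HMAC-SHA256 over the four fields above


def _canonical(party: str, action: str, action_id: str, issued_at: int) -> bytes:
    """Stable byte encoding of the approved fields so both sides MAC the same bytes."""
    payload = {"party": party, "action": action, "id": action_id, "t": issued_at}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_approval(party: str, action: str, action_id: str,
                  issued_at: Optional[int] = None) -> Approval:
    """Produce one party's approval of one specific action instance."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(PARTY_KEYS[party],
                   _canonical(party, action, action_id, issued_at),
                   hashlib.sha256).hexdigest()
    return Approval(party, action, action_id, issued_at, mac)


def approval_is_valid(a: Approval, action: str, action_id: str, now: int) -> bool:
    """Known party, right action and instance, inside the window, genuine MAC."""
    if a.party not in PARTY_KEYS:
        return False
    if a.action != action or a.action_id != action_id:
        return False
    if not (a.issued_at <= now <= a.issued_at + APPROVAL_TTL_SECONDS):
        return False
    expected = hmac.new(PARTY_KEYS[a.party],
                        _canonical(a.party, a.action, a.action_id, a.issued_at),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, a.mac)


def authorize(action: str, action_id: str, approvals: list,
              now: Optional[int] = None) -> tuple:
    """Allow the action only when every required party holds a valid approval.

    Approvals are collected into a set of parties, so two approvals from the
    same party count once and one party can never satisfy dual control alone.
    """
    now = int(time.time()) if now is None else now
    approving = {a.party for a in approvals
                 if approval_is_valid(a, action, action_id, now)}
    missing = REQUIRED_PARTIES - approving
    if missing:
        return False, "missing approval from: " + ", ".join(sorted(missing))
    return True, "dual control satisfied"


if __name__ == "__main__":
    action, instance, t0 = "suspend-sovereign-instance", "req-0001", 1_700_000_000
    both = [sign_approval("provider", action, instance, t0),
            sign_approval("local_operator", action, instance, t0)]
    print(authorize(action, instance, both, now=t0 + 60))      # (True, 'dual control satisfied')
    print(authorize(action, instance, both[:1], now=t0 + 60))  # one party only: refused
    print(authorize(action, instance, both, now=t0 + 7200))    # window expired: refused
```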

Navroop Mitter:

[00.00.03.15–00.00.29.18]

Hello, and welcome back to The Lock & Key Lounge. My name is Navroop Mitter. I’ll be your host for this evening. Tonight I’m joined by Emma Wright. Emma and I were just on the stage at Black Hat Middle East. We were discussing the distinctions between sovereignty in infrastructure and data sovereignty, as well as some of the people, technical, and legal considerations you would want to take into account if you’re thinking about making your services available around the globe but leveraging localized infrastructure. 

[00.00.30.00–00.00.57.17]

Rather than recap the discussion we had at the conference itself, I actually want to take us back, Emma, to start with a question that was actually posed to me, or somebody brought up to me sometime back when I was at a conference in Iceland. So last May, I was there during Startup Week in Iceland, and we had a delegation there from Norway, from Denmark, and from Sweden.

[00.00.57.19–00.01.31.06]

And they brought up this interesting thing. They were becoming rather concerned about using SaaS services that were domiciled in the U.S., because they saw the U.S. potentially becoming a less reliable partner, and, as a result, they were seeing that many of their peers in their ecosystems were advocating for either a) homegrowing new cybersecurity and defense technologies, or b) only leveraging technologies that were developed elsewhere in Europe, but that too ideally only from close, trusted partners—ideally the Nordics themselves.

[00.01.31.08–00.01.41.07]

So it’s been some time since that discussion, but I’m wondering, what’s the temperature in Europe like? I know you’re based out of the U.K. What’s the temperature like in Europe?

Emma Wright:

[00.01.41.09–00.01.44.17]

So, I think, and—first of all, thanks for having me on.

Navroop:

[00.01.44.18–00.01.46.21]

Oh absolutely. We forgot the introduction part, right.

Emma:

[00.01.46.21–00.01.47.18]

Yeah.

Navroop:

[00.01.47.19–00.01.50.11]

We’re actually eating, and this is the first time we’re actually doing one of these episodes.

Emma:

[00.01.50.11–00.01.51.11]

And you’re double parked with non-alcoholic beers.

Navroop:

[00.01.51.13–00.01.57.18]

I am double-parked with non-alcoholic beers. Right. So this is the first time we’re actually recording an episode with food and drink at the table.

Emma:

[00.01.57.20–00.02.03.01]

So. But I think if we put it back so…

[00.02.03.03–00.02.40.18]

Typically, the early noughties, Europe had Ericsson, it had Nokia, it had its tech champions. They were telcos, but it had these champions. And we, as Europeans, have found ourselves in the place where we are looking across the Atlantic for most of our tech, most of our underlying operating systems, and our social media. And I think where the commission—and obviously I can’t speak for the commission—but there has been a sense it’s been bubbling through that. 

[00.02.40.18–00.03.18.16]

In fact, that these firms were maybe doing things with data or not offering services in a way that the European Commission, that is part of the European lawmaking bodies, that they weren’t—that they didn’t have the services they wanted. They kept having to turn to the—across the pond, and they didn’t have competitors within Europe. That means that actually, when it came to things like GDPR, we didn’t—there were some services that were withdrawn.

[00.03.18.16–00.03.43.01]

The Americans—the U.S. companies—didn’t want to comply with GDPR. But it also meant it was bad for the economy, and the tech ecosystem, and the growth. And we’re all—Europe is still about growth agenda as well. And if you think about, so GDPR was a game changer that it set the standard for data protection. 

[00.03.43.03–00.04.15.23]

It’s a kind of globally known acronym. However, with recent cyberattacks, finally, there’s been greater focus on resilience—operational resilience. That doesn’t have to involve personal data if you’re critical mass—if you can’t access your electricity because your smart meter has been hacked, or you can’t get a flight out of the airport because the airport is, in some way, a system has been hacked—or doesn’t have to involve personal data.

[00.04.16.01–00.04.52.18]

But the functions of everyday life have been seriously impeded and can cause real issues at a local level. So I think that’s definitely the commission has come out openly and said, we want to build European tech champions. Yeah, you got Mittal in fans from the AIPs. I think—do you think the AI growth has really focused the mind in on this, and maybe some of the more difficult behaviors of social media platforms and the connections around votes, etc., and kind of disinformation. 

[00.04.52.20–00.05.15.04]

But yes, that reflects not so much the U.K. The U.K. still very much considers the U.S. a key partner, and you’ll see the investments going back and forth there, or coming in to the U.K., from there. But with Europe, there is definitely a focus on building local competition.

Navroop:

[00.05.15.06–00.05.28.21]

So it’s interesting. So you’re saying in the U.K., less an emphasis on this, they’re more than comfortable to continue to use American grown technologies, or making developed technologies, both for cybersecurity and defense. But mainland Europe is where we’re seeing that shift there.

Emma:

[00.05.28.23–00.06.01.15]

So we have, I mean, it’s a different topic, right? We obviously have the Online Safety Act, which regulates the social media platforms. But if you—and for those that want to follow me on LinkedIn—I did not ’til a couple of months ago on the U.S.-UK Technology Partnership. This is something where actually U.K. realizes, in many ways, it just cannot compete at the scale, at how far ahead you are in the U.S. market, the capital, etc.

[00.06.01.16–00.06.31.19]

And so it’s how we find a way of influencing without competing. So if you see the amount of information sharing that goes on with AI safety, cybersecurity, defense, that is that. And that’s something that’s been going on for many, many years. And so you won’t find in the U.K. an open rhetoric around competing with the U.S. Mainly, I think, is most people that laugh.

[00.06.32.00–00.06.33.03]

Right? It’s not.

Emma:

[00.06.33.05–00.06.49.23]

But yeah, that’s why we now—we absolutely want to build out techy ecosystems. And there’s been a focus on AI sovereignty, but that’s about making sure that we can build our own AI ecosystem.

Navroop:

[00.06.50.01–00.07.12.11]

So it’s interesting. That’s not so different from a point I actually made to this delegation for the Nordics. It was that the reality is you don’t have large enough markets in which you’re going to develop all the different types of solutions that you likely rely on today, because that combination of things needed to be developed in a large enough market, where they had all these different use cases, and they had enough potential companies to start to develop technologies for them.

[00.07.12.11–00.07.57.17]

Right. If there’s a thousand things to go develop for—if you want to bring them all onshore, you’ve got the capacity to maybe run 50 of those companies. The other 950 still have to come from somewhere, right? And so you’re not going to be able to completely end your reliance on American technologies or American cybersecurity or defense technologies, but there might be a better way of continuing to adopt them, or adopting them as a sort of localized fashion, right, so that you could get more comfortable around the fact that they’ll still be operational if and when suddenly something becomes less reliable about either connectivity or some sort of compelled action in the U.S. that cuts you off of the service temporarily, that you can still completely operate them. It doesn’t become an impediment to your ongoing operations and resilience.

Emma:

[00.07.57.19–00.08.12.11]

Yeah. And I think, dare I say, some of that might be to do with the Nordics in their proximity to Russia. I mean, the EU market is larger, I believe, than the U.S. market by numbers. 

[00.08.12.13–00.08.29.08]

But we have the different languages as well. So it’s sort of a sub‑market around there. But it’s interesting that they—that that’s the kind of sense—they don’t feel that they can compete on the kind of at that level, because the market is one of the biggest.

Navroop:

[00.08.29.10–00.08.47.03]

I agree. The EU is a very large market. I have to go back and look at the exact numbers. But I think when we’re looking at certain categories of cyber spend, the spend in the U.S. still dwarfed all of Europe. I think when you’re in collaboration tech, it was the same kind of thing, right? Collaboration tech, which is very foundational to how every business operates today. 

[00.08.47.03–00.08.56.21]

Right. And I don’t just mean messaging. I mean the file sharing, all the different collaboration tech. The spend on that in the U.S. was higher than all of Europe combined, if I’m not mistaken.

Emma:

[00.08.56.21–00.09.00.02]

Yeah, I know Europe is digitalized far more since then. But yeah.

Navroop:

[00.09.00.02–00.09.18.09]

Right. Yeah. And this was probably a few years ago, but still, it was just an interesting discussion we were having back and forth, and I said, well, how could you potentially operate that locally for us so we could get comfortable around those companies? And a lot of that was what we were discussing today at Black Hat or in our session itself.

Emma:

[00.09.18.11–00.09.56.11]

Yeah. I—sorry just to jump in there. I think that’s—that actually the geopolitics, like we said, has put the world order kind of on it—on its side. And trusted partners may be able to be a little bit less trusted. And so people are really looking at the operational resilience, the network and information systems regulation, and DORA, the digital operational resilient—resilience piece really drives that. 

[00.09.56.16–00.10.20.17]

It’s the resilience for now, more so than the personal data. And actually, if you look at the digital omnibus that was released last week, the EU have set out as an ambition that they want to simplify the GDPR in some ways, so it’ll be interesting to see where we are with—when we’re out of kilter with everyone else who’s copied the GDPR. 

[00.10.20.19–00.10.23.15]

So we all followed it very closely.

Navroop:

[00.10.23.17–00.10.31.16]

As I say, there are a number of countries that suddenly were like, really, we just got this, and now you want to change it all over? And now I’m going to be forced to copy you yet again.

Emma:

[00.10.31.18–00.10.32.06]

Yeah.

Navroop:

[00.10.32.08–00.10.33.00]

I can never—

Emma:

[00.10.33.02–00.10.50.20]

I was sort of holding off on the UAE act as well. So there are some interesting things coming out, but it’s all very much geared towards making sure that, as a European Union, there is resilience.

Navroop:

[00.10.50.22–00.11.20.07]

It has been interesting to see, though, how slow the adoption or writing into member state law. There—things have been around. NIS2 is an example, right? Because NIS2 is allowed to be written into each member state’s own laws and origins. There’s been significant delays on that front. So while there’s this emphasis on resilience, when I talk to a number of places, they just—at least the companies would just say—yeah, it’s just another piece of paper.

[00.11.20.09–00.11.24.01]

I already got 40 like this on my desk. What makes this one any more important than the others?

Emma:

[00.11.24.03–00.11.54.17]

And that’s where we risk getting to with GDPR. I mean, I don’t want this to be a conversation about GDPR, but are people checking their privacy policies before they take them—the very carefully crafted privacy policies—probably not. They want the service. What they are proposing is to have one centralized point of breach under the reformed GDPR. Query, all I have are those details on this. 

[00.11.54.17–00.12.04.14]

So someone please message me if I didn’t see that for NIS2 or DORA. But whether that’s where it’ll end up heading.

Navroop:

[00.12.04.16–00.12.06.21]

Interesting. Yeah, I wouldn’t have any insights on that.

Emma:

[00.12.06.21–00.12.14.05]

We’re a ways away from lawmaking or law-amending in Europe.

Navroop:

[00.12.14.07–00.12.36.07]

Coming back for a second. You said that there were functions that were being provided by American companies who decided they just don’t want to comply with GDPR. And as a result, did they end up losing those customers entirely, or did the customers end up saying, eh, we’re going to turn a blind eye to your noncompliance, and then continue to some services that we desperately need? Or did that create a vacuum that someone else filled?

Emma:

[00.12.36.07–00.12.42.07]

It was more content providers, and people just—they just switched off the EU being able to access it.

Navroop:

[00.12.42.09–00.12.47.15]

Got it. Okay. So we’re thinking more like the online publications—the New York Times, folks like that.

Emma:

[00.12.47.17–00.12.56.15]

Yeah. But if you think about what happened with ChatGPT and Italy trying to ban it and stop people accessing it, and then people just accessed it by a VPN.

Navroop:

[00.12.56.17–00.13.04.07]

Yeah, I imagine the same thing is going to happen with the online publications as well.

Emma:

[00.13.04.09–00.13.44.13]

I think so, but I don’t know for sure. And but I think there was that sense around compliance. What does compliance mean? I mean, I always find it amazing that how far in we are with GDPR, and the supply chain still gets overlooked, and the number of breaches we’ve had come through that ability—and actually that’s often the least considered part of GDPR. What happens when everything goes to the wall and there’s a breach or an incident?

[00.13.44.15–00.13.52.00]

Everyone’s got a beautiful privacy policy to tell you, but what actually—what’s our plan in those situations?

Navroop:

[00.13.52.02–00.13.53.04]

Yeah, I mean that goes to—

Emma:

[00.13.53.04–00.13.54.03]

I bet sovereignty comes into it, right?

Navroop:

[00.13.54.03–00.14.15.05]

Sovereignty comes in. But it’s also where post‑breach resilience and post‑breach readiness comes in. A lot of what we’ve done is invest in what happens before an incident or a breach. Very little about the resilience and what comes afterwards. I mean, we often talk about—right—everyone’s got a policy that talks about, or sorry, implementations of all sorts of tools to help prevent an issue from occurring. 

[00.14.15.07–00.14.24.23]

But if and when it does, and the probability of that happening is basically one at this point. And you know it’s a certainty it’s going to happen. They don’t know how they’re going to actually operate when under duress.

Emma:

[00.14.24.23–00.14.29.19]

No. And they should all have beautifully drafted breach response policies.

Navroop:

[00.14.29.21–00.14.46.20]

I’m sure they do. But when you run tabletop exercises around them, one of the questions we’ve been asking law firms is, start asking their clients—and they actually dig a little deeper on—is how will you communicate? And oftentimes the response that they give back is some check‑the‑box thing. Well, we have X. We’ll just use Y, right? 

[00.14.46.20–00.14.49.10]

Or instead of X, and we’ll be good to go. Right.

Emma:

[00.14.49.15–00.14.52.08]

And it gets overlooked time and time again.

Navroop:

[00.14.52.10–00.15.19.12]

One of the things that we’ve started asking law firms to start asking companies is, okay, so you’re going to choose to move to like a Signal or WhatsApp. How are you going to maintain control around who’s actually able to be a part of those communications? How are you going to maintain control around whether or not the policies you’ve got for things like information life cycles, or password policies, or anything else are being enforced on these platforms that are really not designed for any of that enforcement in the first place?

Emma:

[00.15.19.12–00.15.45.15]

Yeah. I mean, that’s for sure. And in my experience, nine times out of ten, we move to WhatsApp, and we have the issues around documenting the comms, accessing the comms. For those that want to get really legal, how you put privilege. Is the comm—are the comms privileged? People un—do all the teams understand what that means?

Navroop:

[00.15.45.17–00.15.59.13]

Can you put up an appropriate notice that tells people this conversation is about X, and as a result, it should be limited to Y to help cert privilege more easily in the future? Yeah. All the kinds of things you’d expect an enterprise tool to be able to do, that your consumer tools just weren’t built for.

Emma:

[00.15.59.15–00.16.08.01]

Correct. And then—and that’s before they even start figuring out how they make payroll depending on the circumstance.

Navroop:

[00.16.08.03–00.16.13.14]

100%. Yeah. Oftentimes, you actually have to start to converse in order to figure out how you’re going to do those things.

Emma:

[00.16.13.16–00.16.29.18]

Yeah. So, and I think that was what was really valuable about the discussion today, considering where we are in the world, or the Kingdom of Saudi Arabia. In many ways, they have considered this, and that I think needs some more depth.

Emma:

[00.16.31.11–00.16.46.05]

They’ve recognized some of the storing data locally is something they want to do. And so it’s like the second wave; we have the first wave of GDPR. 

Emma:

[00.16.46.16–00.17.19.18]

Those countries who thought, we have a transfer place, we have an arrangement for transfers in place, is fine. And they have that over here as well. I’m not a Saudi lawyer, but is in the second wave around, okay, but what does this actually mean? How we—instead of us just looking at what the words are like on a paper, on a piece of paper—how do we get all key services up and running in the event we get attacked, or a cyber incident, or, like you said, the lights go out, we get cut, our cables we no longer have.

Navroop:

[00.17.19.19–00.17.36.04]

Yeah, you’re no longer allowed on the global internet for whatever reason, whether it’s intentional or unintentional, as the case may be. There are certain core technologies you’re going to have to build to operate in order to keep your own internal economy working, at least for some greater time. And comms has always been central to that, in my opinion.

Emma:

[00.17.36.06–00.17.48.07]

Yeah, yeah. But in the same way that many years ago, comms and radio and TV were considered to control the hearts and minds of the people, right? There has to be a way of communicating.

Navroop:

[00.17.48.08–00.18.19.12]

Well, since you’ve already segued into what we were talking about on stage now, let’s just jump right into that. Right, part of what we were doing was laying out a framework of kinds of questions that companies who are looking at potentially localizing their services and offering a parallel SaaS service to what they normally operate out of the U.S. or some other jurisdiction might want to offer in other countries around the world, who have these concerns about whether or not the U.S. is a reliable partner or whether or not they are okay using a service that’s based out of France and using the French servers when they really want their data and the infrastructure to be in, say, Saudi or in Oman or Qatar, wherever the case may be.

[00.18.19.12–00.18.43.01]

What kinds of considerations bubbled up to as top of mind—or, sorry, bubbled up as the most important ones you’d want to summarize here. So what we can’t do is the whole 40‑minute talk or what we’re discussing today, that commission consider people, technical, legal, any of the above, like what—

Emma:

[00.18.43.03–00.18.45.14]

Am I buyer or supplier?

Navroop:

[00.18.45.16–00.18.56.07]

You are supplier in this case. So this is—I want to help the companies out who actually want to go maintain access to market, or make sure they don’t lose ground in their ability to sell to a global market.

Emma:

[00.18.56.09–00.19.16.22]

Sure. So, and I think we’ve said this before, actually the first step is not a legal point. Lawyers tend to get drafted in after sales have done their team—have done their work and sold, and then the lawyers come in and try and paper the deal. And the amount of times we’ve been told, yeah, that’s not what sales said. 

[00.19.17.00–00.19.44.10]

So the key is, what are you selling? Are you selling a SaaS service, a SaaS comms service, or are you selling a resilient, an entirely resilient, self‑standing solution? Because there are different bits of functionality around that. And the reason I say this is because when the lights go out, for whatever reason, are you still providing a service?

[00.19.44.12–00.20.06.18]

Now the answer is no. How does that then affect payment? How does that affect your obligations if the customer is really focused on around the service? They can expect service levels that fly. We had a discussion today around whether such occasions would be force majeure. 

[00.20.06.20–00.20.31.07]

And force majeure is the legal term. And during Covid, everyone thought force majeure was—Covid fell within that. And then people, it suddenly became something that people reasonably anticipated. So, but this is a legal podcast, so we can think about that. But actually, what are the obligations as a supplier? You want to fall away, or what are the obligations you want to maintain?

[00.20.31.09–00.20.55.15]

So for instance, if your—the cord has been cut, you’re not going to have to support and maintain it. You’re going to need someone locally to do it. I’m assuming you’re not nodding at me. No. Two, you’re going to want to get paid in some way. Now, we discussed whether you put the URL in escrow to be able to use the local version at the start. 

[00.20.55.15–00.21.20.14]

So escrow is this kind of middle party that exists and holds something for both parties. And there are trigger events that, when X happens, the thing held in escrow is released. So you’re going to have to carefully think about your trigger events. I know you said on the—in the talk, well, I doubt we have to pull it back into the box. 

[00.21.20.16–00.21.26.16]

Does that—is that really possible on a replicated system, all of those points?

Navroop:

[00.21.26.18–00.21.45.02]

I would certainly hope, as a company, if and when whatever the issue was that caused the country to go dark, be cut off, or resolved, that I would be able to take possession of what should have been a domain that we owned and operated back, and then we’d be able to reestablish our ability to maintain the service so that we are continuing to fulfill our obligation otherwise. 

[00.21.45.02–00.21.53.18]

But yeah, it would be an interesting thing to see. How does that work in two directions? What are the triggers that set up that go both ways?

Emma:

[00.21.53.20–00.22.07.04]

And then you, so what you’re saying is put it back into escrow, I think? I mean, the other thing is, how do you keep it secure? How do you patch it for sub security vulnerabilities?

Navroop:

[00.22.07.06–00.22.31.07]

Yeah. That’s where we’re talking about some of the technical controls. Right, one of the things we’ve worked out with the places where we’re already deploying the Sovereign Edition is to ensure that, at the very least, we have enough bandwidth for SAT data that allows us to connect to those systems, to start to provide patches, or to upload things that the local operator can then apply for us, or different capabilities that we can use around administration and maintenance. 

[00.22.31.09–00.22.35.06]

For that reason, even if that isn’t enough to run the entire service off of.

Emma:

[00.22.35.08–00.22.44.08]

Assuming that the local version, or the version in escrow, is being maintained, or else you’re gonna have to do a big upgrade.

Navroop:

[00.22.44.10–00.23.17.09]

Yes, there’s a lot of interesting things that have to happen along the way, and a lot of due diligence to make sure that you are staying on top of maintaining the versions that you’ve uploaded over there. As you’re deploying, you also have to deploy it over an escrow. But in this case, we’re talking less about the code escrow per se, more so the domain from the infrastructure, and the servers, and everything else, and everything else we’ve deployed in theory, because we’re actually patching those along the way as we’re doing things for the—for our US systems. 

[00.23.17.11–00.23.38.00]

We’re going to be doing that for those in parallel. They should be at least as up to date as we are. Now, you’re about to start hearing some background noise. Music potentially here, because we’re then joined by a lovely—is that a cello? It is a cellist, right? Yeah. Okay. We’ve got an amazing cellist over here at the restaurant, and so you might hear a little background music.

[00.23.38.02–00.24.02.16]

But yeah, we would be maintaining this along the way. So it’s unlikely that they will be so far out that it would be a major lift in order to go maintain that, unless we’re doing some sort of massive release of a whole new capabilities. Around the time that someone has gone dark, in which case we might just be doing is providing ongoing patches for the existing capabilities, rather than giving the new, upgraded functionality that we’re rolling out to the rest of the world at a time.

Emma:

[00.24.02.18–00.24.16.13]

It’s interesting, is we have the two scenarios, right? We had the dark cloud, dark fiber, now that you said. And then the other scenario, which is essentially a scenario where the enterprise or the country gets sanctioned, or you were told you cannot provide services. 

[00.24.16.15–00.24.46.21]

I think that’s a more complex situation in many ways, because instead of the parties working together to restore a service that’s neither of your fault, and I’m not—the other one is going to be a far longer‑term split, likely without any side for either party to exit. 

[00.24.46.23–00.25.17.15]

So, but it’s far more difficult because you may even be restricted about providing services in any way. And that, I think, that’s a far trickier one to do it. And you see it a lot in financial services, contract payments, contracts where the provider says, in the event of authorization, get to revoke for whatever reason, or a government tells us to suspend, we will do that.

[00.25.17.17–00.25.59.21]

And often they say those clauses are non‑negotiable, and customers were sort of getting themselves comfortable with it. Not all customers, but yeah, okay, fine. Yeah. Of course, if you were told, providing you have a policy issue, then it is what it is. We might want some termination payment or whatever. But whereas now, in this new geopolitical environment where things seem a little less predictable, people are suddenly thinking about the what‑ifs, and that thing that was highly unlikely is maybe moved to just unlikely. 

[00.25.59.23–00.26.04.02]

Rather than highly unlikely, this is never gonna happen, and is merely going to happen.

Navroop:

[00.26.04.04–00.26.28.22]

And that’s why we submitted the talk to talk here at Black Hat Middle East, right? It is, we think of this as an ongoing dialog as we start to think through some what‑ifs, new what‑ifs crop up. Customers in different parts of the world, who have different geopolitical concerns or threat models, are asking us very different questions around how are we going to maintain operational resilience for the systems that we’re deploying for them, based on what their current model is.

[00.26.28.22–00.26.46.09]

And the answers aren’t always exactly the same. Sometimes they’re very different. Sometimes we were hamstrung, even just by the availability of local partners who can actually help us scale. The skill sets are a big deal depending on where in the world you are. But yeah, I think that’s what made the discussion rather interesting. Right, is this is an ongoing dialog.

[00.26.46.11–00.27.07.22]

I think while we were here, we ended up practically changing our understanding of how some of the future SLAs will get written for some of these sovereign deployments, which is a different answer than when we came up with your firm almost 18 months ago, when we first started this dialog. And so there’s some interesting evolution in real time, in plain sight, happening in front of other people.

[00.27.07.23–00.27.14.18]

And that’s what I liked about today’s dialog, is we didn’t go in there and say, we have the answers for you. They’re just questions to think about.

Emma:

[00.27.14.20–00.27.18.17]

Markets of old as well, right? The backdrop and the market, the backdrop to the market, and the market of old.

Navroop:

[00.27.18.18–00.27.44.23]

100%. I think if I were to look at some of the topics we touched on, right, with the going dark, it was, what are you going to do about DNS, or what are you going to do about being able to repoint the clients? Right? Is your solution even architected such that they could be pointed at a new entry if need be, just so they could continue to connect to the service that’s local because of DNS fallen out? Do you have some mechanism by which to say, hey, just point to A, B, and C, and said in your email to get back up and running?

[00.27.45.01–00.28.02.20]

We also talked about some of the legal considerations, as you mentioned, around us taking control of things back. But if it is that sanctions or compelled action‑based case, something else we talked about, which I think everyone is still trying to get there, wrap their minds around, is, are you allowed to have a canary in the coal mine?

[00.28.02.20–00.28.21.03]

And even if you are, and you communicate upfront what that might be for that—for those users—sorry, not the users, the local operator, so they can actually determine what action to take because they’ve just seen you do something that tips off to them that you might be trying to jettison the service in their geographies.

Emma:

[00.28.21.04–00.28.31.07]

And I can definitely envisage scenarios, at least in some jurisdictions, where you are not able to be a canary in the coal mine.

Navroop:

[00.28.31.09–00.28.52.06]

Right? So then the question is potentially the fallback for both parties to agree in advance that certain actions require a—almost two‑hands‑on‑keys type solution, whereby if we are trying to take action X, it actually requires them to be a participant and turn the key simultaneously in order for it to go through. And so they start to see us trying to do something. 

[00.28.52.08–00.29.07.05]

They automatically interpret that either as potential breach, because it was unexpected and we did coordinate with them, or they interpret that as us being compelled to potentially do something, and they still turn out turning their second key.

Emma:

[00.29.07.07–00.29.17.18]

And then I—in a situation where, for instance, you are all with that country—I’m not sure how that will play out.

Navroop:

[00.29.17.20–00.29.20.21]

Absolutely. Agreed. And that’s one of the ones we did not actively consider. 

Emma:

[00.29.20.21–00.29.27.20]

Yeah, I can definitely see scenarios where that is not going to work out for the canary in the coal mine. 

Navroop:

[00.29.27.22–00.29.30.19]

Right. Yeah, 100%.

Emma:

[00.29.30.21–00.29.31.19]

Yeah. 

Navroop:

[00.29.31.21–00.29.44.05]

Yeah. You wouldn’t be allowed to actively use a canary at that point. They would almost have to be trying to read the tea leaves to figure out what are you trying to do, and then make a decision independently on their own. Because you couldn’t have any of those preset canary.

[00.29.44.07–00.29.47.03]

Yeah. Us going to war with one of the countries where we avoid—

Emma:

[00.29.47.05–00.29.48.02]

Just—right—not in the—

Navroop:

[00.29.48.07–00.29.51.20]

I know that wasn’t one of the ones we contemplated. At least not publicly on stage.

Emma:

[00.29.51.23–00.29.52.15]

Nor shall we either. 

Navroop:

[00.29.52.15–00.30.10.05]

Right. Not one we want to contemplate at the moment either. Interesting one to add to the hypothetical list. So next time we’re giving, we will play that one out too. But this, what I like about this dialog with Crowell & Moring, right, we’ve been able to evolve these kinds of discussions over time. Each of the new scenarios, new ideas.

[00.30.10.07–00.30.26.06]

And that’s what I love about this partnership. For those of you who have been longtime listeners of the podcast and/or followers of ArmorText in general, Crowell & Moring is actually the law firm with whom we published those open‑source tabletop exercises that we’ve made available to the entire world as part of a Creative Commons license.

[00.30.26.06–00.30.42.23]

So you were able to adapt them to your own needs without having to owe us anything. And this is one of your predecessors that we worked with on this. Good old Matt Welling. He was amazing. We had to get him—he still is. Yes, that’s true. Matt is still a friend. He’s still amazing, despite him now being at a different firm.

[00.30.43.01–00.31.00.15]

We had to arm wrestle him a few times to finally get him and everyone else to agree to a Creative Commons license to give this IP, because they looked at it as something rather internal and important to them. I think we were being told that we should stop our recording, given that the cellist is trying to entertain everyone else.

[00.31.00.15–00.31.04.06]

So with that said, Emma, I’ve really enjoyed this conversation.

Emma:

[00.31.04.06–00.31.16.08]

Likewise. Thank you for having me on this podcast. Thank you for finally eating and drinking for the podcast. And thank you for giving me the reason to pronounce Saudi Arabia.

Navroop:

[00.31.16.12–00.31.30.16]

Well, I was just about to thank you for joining us in Saudi Arabia. Right. Because we called Emma at the last second when Matt was unable to make it and said, Emma, we really need you to jump in over here in Riyadh. And she said, absolutely, I’m on the next flight, and lo and behold, she was actually there.

[00.31.30.18–00.31.34.16]

And she stole the show. So, Emma, thank you very much.

Emma:

[00.31.34.18–00.31.47.17]

You are most welcome, and really enjoyed the conversation. And let’s carry on talking about the different scenarios and how you can mitigate risk and supply contracts.

Navroop:

[00.31.47.19–00.32.05.07]

Absolutely. And with that said, we’re going to close this episode out. This is an episode of The Lock & Key Lounge. Thank you for bearing with us as we were both chewing through our food and drinking our non‑alcoholic beers. This is a—me signing off from Black Hat Middle East. We will see you on the next episode. Cheers.