Capability provided
The technology falls into a category the MCLU has been attempting to get legally defined for several years. The parties most interested in a precise definition are, naturally, the parties most interested in not having one, which has made progress brisk in the wrong direction.
Functionally, the tools monitor network traffic volume, timing, and routing; map communication pathways; detect anomalies in system behaviour (which requires first establishing what normal behaviour looks like, and retaining that model indefinitely, which is an entirely standard feature of security tools and completely unrelated to anything else); fingerprint devices and services on the managed network; and correlate activity across multiple clients simultaneously. The last capability serves no defensive purpose at the individual client level. Its value, as the MCLU understands it, lies in the aggregate view.
The Engravers’ Guild knows who ordered what letterhead. The clacks network knows who sent what message. This system knows considerably more than either, and unlike either, does not keep that knowledge for itself.
A security stack asks: is something wrong? A collection apparatus asks: what is happening? The first question needs data about threats. The second needs data about everything.
The technology asks the second question. Clients were informed it was asking the first.
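The distinction between the two questions is concrete enough to show in code. The example below is added here and is not part of the original page or of any product it describes; the flow records, client and host names are constructed. It feeds the same records to two consumers: a detector that keeps only a per-client running baseline (Welford mean and variance of bytes per flow) and throws each record away once scored, and a correlator that must retain every record to say which clients share a destination. The first answers "is something wrong?" while holding three numbers per client; the second needs everything.

```python
"""Baseline-only detection versus full-retention correlation.

Added illustration; the flows below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, fields
import math

# Constructed sample flows: (client, source host, destination host, bytes).
# clientA's final record is a deliberate outlier.
FLOWS = [
    ("clientA", "a-ws1", "mail.example", 1200),
    ("clientA", "a-ws1", "mail.example", 1300),
    ("clientA", "a-ws2", "files.example", 900),
    ("clientA", "a-ws1", "mail.example", 1100),
    ("clientA", "a-ws2", "files.example", 950),
    ("clientA", "a-ws1", "mail.example", 1250),
    ("clientA", "a-ws2", "files.example", 1000),
    ("clientA", "a-ws1", "mail.example", 1150),
    ("clientA", "a-ws2", "files.example", 980),
    ("clientA", "a-ws1", "drop.example", 48000),
    ("clientB", "b-ws1", "mail.example", 1000),
    ("clientB", "b-ws1", "drop.example", 500),
]


@dataclass
class Baseline:
    """Welford running mean/variance. Holds no hosts, peers or timestamps."""
    count: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations from the mean

    def update(self, x: float) -> None:
        self.count += 1
        delta = x - self.mean
        self.mean += delta / self.count
        self.m2 += delta * (x - self.mean)

    def zscore(self, x: float) -> float:
        if self.count < 2:
            return 0.0
        var = self.m2 / (self.count - 1)  # sample variance
        if var == 0.0:
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / math.sqrt(var)


def detect_anomalies(flows, min_samples=5, threshold=3.0):
    """Score each flow against its client's baseline, then discard the flow.

    Returns (alerts, baselines); an alert is (client, src, dst, bytes, z).
    Nothing about the flow survives except its contribution to the stats.
    """
    baselines = defaultdict(Baseline)
    alerts = []
    for client, src, dst, nbytes in flows:
        b = baselines[client]
        if b.count >= min_samples and abs(b.zscore(nbytes)) > threshold:
            alerts.append((client, src, dst, nbytes, round(b.zscore(nbytes), 1)))
            continue  # keep the outlier from pulling the baseline toward itself
        b.update(nbytes)
    return alerts, dict(baselines)


def baseline_fields():
    """Everything the detector retains per client, by field name."""
    return sorted(f.name for f in fields(Baseline))


def correlate_clients(flows):
    """Retain every flow and report destinations shared by several clients.

    This is the aggregate view: it cannot be computed from the baselines,
    only from the records themselves.
    """
    seen = defaultdict(set)
    for client, _src, dst, _nbytes in flows:
        seen[dst].add(client)
    return {dst: sorted(cs) for dst, cs in seen.items() if len(cs) > 1}


if __name__ == "__main__":
    alerts, baselines = detect_anomalies(FLOWS)
    print("alerts:", alerts)
    print("retained per client:", baseline_fields())
    print("shared destinations:", correlate_clients(FLOWS))
```

The detector flags clientA's 48000-byte flow to drop.example with a z-score in the hundreds while retaining only count, mean and m2 per client; the correlator reports that both clients contacted mail.example and drop.example, which it can do only because it kept every record, including the source and destination of each.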