What this means in practice¶

The tools run continuously on client infrastructure. Not in response to incidents. Not during maintenance windows. Continuously.

The baseline problem¶

To detect anomalous behaviour, you must first catalogue normal behaviour. Security monitoring and surveillance monitoring are, at the collection layer, the same operation. The difference lies in what is done with the output, and under this arrangement, that is not determined by the client.

The accumulation problem¶

A month of traffic patterns tells you what an organisation is doing now. Three years tells you what it does under pressure, how it responds to financial stress, and what the early indicators of significant internal change look like. The tools have been running for longer than most clients realise. The MCLU does not have precise figures. Our estimates are consistent with a period substantially longer than clients would assume if prompted to think about it, which most have not been.

The correlation problem¶

The cloud provider serves multiple clients. The output flows to one recipient. A party with visibility across an entire sector can observe when clients’ patterns change in correlated ways, identify undisclosed relationships, and watch competitive dynamics unfold in real time with access to everyone’s internal data simultaneously. This is not a theoretical capability. It is what the arrangement, as structured, produces.

The Royal Bank does not publish its daily clearing volumes. They are, however, observable. Guild membership activity is subject to formal confidentiality obligations. The members were not consulted about this arrangement. They are, nonetheless, in the data.

The MCLU has asked what is done with all of it. We have received, in response, a silence that is itself informative, though not in a way we can yet put to practical use.