In 1876, the Japanese government brought a vine to the Philadelphia Centennial Exposition. It had broad leaves, purple flowers, and a growth rate that seemed miraculous. Americans planted it everywhere. The Civilian Conservation Corps seeded it across the South to control erosion. The government paid farmers eight dollars an acre to grow it.
In other places, it wasn’t a single-use crop. It was used. For food. For fiber. People had a reason to tend it, to cut it back, to keep it in check.
Here it was only planted for one thing. When farms failed, the land was abandoned. It kept growing.
By the time anyone understood what they had invited, it was too late. Kudzu grew a foot a day in summer. It climbed telephone poles, swallowed barns, choked out forests. It didn’t just grow on things; it grew over them, around them, through them, until the thing underneath was invisible. The original structure was still there. You just couldn’t see it. And if you couldn’t see it, you couldn’t maintain it. And if you couldn’t maintain it, it rotted.
This is a story about kudzu. Not the plant. The other kind.
The technology industry has a kudzu problem. It didn’t start that way.
Cloud computing didn’t get complicated by accident. It got complicated because simplicity doesn’t bill. Every new service is a new billing surface. Not maliciously, mechanically. The system rewards expansion, so it expands. Hundreds of services. Each one slightly different. Just incompatible enough to require its own understanding. Identity that doesn’t match across boundaries. Logs that don’t quite line up. Failure modes that don’t repeat.
By themselves, none of this matters. Together, it’s inevitable. All those services braided together until you can’t see what’s underneath.
The network is still there. It has to be. Every connection still resolves to a path. Every action still reduces to data moving from one place to another. That never changed. What changed is that you don’t see it anymore.
It’s still there. Rotting.
There’s a kind of work that exists only because we agree to pretend it matters. The way David Graeber talks about it has a particular feel. A cool Georgia morning. Mist clinging. Damp. Thick air; you can feel the humidity to come. And the smell. Rot. Graeber calls it bullshit.
There is an enormous amount of it in the cybersecurity industry.
Four decades of specialization have produced a language so dense and self-referential that it no longer describes what it was supposed to describe. Peel it back and underneath is something simple. Laws. In the same sense that gravity is a law. They describe what is, not what should be. There are nine.
Every crime that has ever been committed, in the physical world or the digital one, breaks one or more of them. Every security control exists to prevent or detect those violations. Every product in the cybersecurity market is, at bottom, a way of enforcing them.
There are only nine: murder, rape, assault, kidnapping, extortion, trespass, theft, fraud, and dereliction.
That’s it. Nine laws. Everything else is a derivative, a combination, an equivocation by the powerful, or a marketing abstraction.
Cybercrime lives in a surprisingly narrow band of these nine laws. Not all of them translate into the digital domain in equal measure. Murder, rape, assault, and kidnapping are physical acts that require bodies in proximity. The digital world can facilitate them, but the crime itself occurs in physical space.
Cybercrime proper, committing crimes through digital means against digital targets, rests on two laws: trespass and fraud.
Trespass is intruding into a space that you aren’t permitted to be in against the will of the owner. Fraud is lying to create deception, misperception, loss, or harm.
Every cyberattack requires trespass. You must get where you do not belong. A network you are not authorized to access. A system you are not permitted to control. A database you are not allowed to read. Without trespass, there is no attack. The attacker who cannot get in cannot do anything. An attacker who cannot get out is limited.
Every cyberattack requires fraud. You must deceive something or someone. A phishing email that impersonates a colleague. A forged credential that masquerades as a user. A payload that hides as a legitimate process. Malware embedded in trusted software. Without fraud, trespass is inert; you are standing in a room you shouldn’t be in, but you can’t do anything.
Fail at either one, and you fail at cybercrime. There are no exceptions. Ransomware, espionage, sabotage, data exfiltration; all of them follow the same pattern. Trespass to get in. Fraud to make it work. The objective changes. The combination does not.
Extortion is often the goal. The attacker commits trespass and fraud to extort, but extortion is not the method. The method is always trespass and fraud. Theft occurs when data or funds are taken, but it is accomplished the same way. The nine laws do not compete with each other. They stack.
Both trespass and fraud operate over the network.
This is not a metaphor. It is a physical fact. Every act of digital trespass traverses a network path. A packet moves from the attacker’s machine to the target’s across routers, switches, firewalls, load balancers, and cloud control planes. Every act of digital fraud manipulates a network-connected system. A forged credential is presented over a network connection, a phishing payload is delivered over a network protocol, a command-and-control channel operates over a network socket.
The network is the only universal chokepoint. It is the one place where every attack must pass, regardless of target, sophistication, or payload. An attacker can vary their tooling, their technique, their objective. They cannot vary the fact that their trespass and fraud must traverse a network.
For 30 years we have ignored what that means. Networking and cybersecurity are not two disciplines. They are one. We split them by convention and vendor economics. A historical accident put the people who built and operated networks in different rooms from the people who defended them. We chose not to repair the damage.
The separation made sense in the beginning. In the 1980s and 1990s, networks were small, physical, and visible. You could walk the cable. You could count the ports. The attack surface was constrained by geography. Security was a padlock on the server room and a password on the login screen. The problem was simple enough to divide. So we did.
The Internet changed the scale. Suddenly the network extended past the building, beyond the campus, around the world. The space to trespass exploded. But the organizational model didn’t change. The networking team still managed connectivity. The security team still managed defense. They bought tools from different vendors, attended different conferences, and reported to different executives. The divide deepened even as the problem became one.
Cloud changed the topology. The network was no longer something you owned and operated. It was something you rented, in pieces, from multiple providers, each with their own abstraction layers. The physical infrastructure that networking teams once managed was replaced by virtual constructs. VPCs, subnets, security groups, and service endpoints exist only as configuration inside someone else’s data center. The networking team’s domain shrank. The security team’s domain expanded. Neither team had full visibility into what was happening, because the kudzu of cloud abstraction grew over the network and hid it.
The kudzu did not grow by accident. It grew because the business model fed it.
Every cloud service is a billing surface. The provider’s revenue scales with the number of services consumed, the volume of data processed, the complexity of the architecture deployed. Simplicity is not rewarded. A customer who uses three services generates less revenue than a customer who uses thirty. A customer who can see their own network traffic clearly needs fewer managed security tools than a customer who is lost in abstraction. The incentive structure produces complexity as a natural byproduct, the complexity produces obscurity, and the obscurity produces dependence.
This is not a conspiracy. It is a coincidence of incentives. The cloud providers did not set out to make their customers less secure. They set out to make their customers more productive, and they succeeded. But the architecture they built to deliver productivity also delivered opacity. The customer traded operational clarity for operational convenience and didn’t notice what they lost until they needed it.
What they lost was the chokepoint.
Conflicts are decided by terrain and logistics. This is not a principle that belongs to cybersecurity. It belongs to warfare, and it is old enough that every civilization has learned it independently, usually in blood.
Sun Tzu wrote about terrain as the decisive factor. Not that good generals fight well, but that they choose where to fight, and that choice determines the outcome before the first blow is struck. “Know the terrain, know the weather, and your victory will be complete.” The terrain is not an advantage you bring to the fight. The terrain is the fight.
Thermopylae, 480 BC. Three hundred Spartans held a narrow coastal pass against a Persian force that outnumbered them by orders of magnitude. They did not hold because they were superhuman. They held because the pass was narrow enough that the Persian numerical advantage was neutralized. The chokepoint didn’t help the defense. The chokepoint was the defense. When Ephialtes revealed the mountain path that bypassed the pass, the chokepoint was lost, and the battle was over. The Spartans didn’t get weaker. The terrain changed.
Kasserine Pass, February 1943. The U.S. II Corps held a natural chokepoint in the Western Dorsal mountains of Tunisia. They had the terrain. What they didn’t have was competence. Green troops, fragmented command, poor coordination, and a failure to understand the ground. Rommel punched through not because the pass was indefensible, but because the defenders didn’t know how to use it. They had the chokepoint and lost it through dereliction.
The Khyber Pass, for two thousand years and counting. A narrow cut through the Spin Ghar mountains connecting Central Asia to the Indian subcontinent. Alexander marched through it. The Mughals followed. The British tried three times and were destroyed twice. The Soviets bled out trying to control the terrain around it. The Americans spent twenty years dependent on it for supply into Afghanistan but never controlled it because Pakistan held the heights. The U.S. needed the gate for its campaign, so it paid and accommodated, because when someone else holds the terrain your logistics depend on, your options are limited to what the gatekeeper permits. The lines on the map said “NATO operational theater.” The terrain said “Pakistan controls your supply line, and you will operate on the terms that reality dictates, not the terms your policy document prefers.”
The Strait of Hormuz, always. Twenty-one miles wide, but the navigable shipping channel is barely two. A third of the world’s seaborne oil passes through it every day. The lines on the map say it is international waters. The terrain says otherwise. Iran’s mountains rise from the northern shore and look down on every tanker that transits the channel. It is the gate to the Persian Gulf, the same way Gibraltar is the gate to the Mediterranean. In both cases, it is the heights that control the gate. Hormuz does not have to be contested to matter. It just has to exist. Whoever holds the heights holds the gate, and whoever holds the gate can close it at will.
The network is all four. Thermopylae, the narrow pass where a defender’s limited resources can match an attacker’s scale. Kasserine, a chokepoint that can be squandered through dereliction and incompetence. The Khyber Pass, the gate your logistics depend on but do not control. Hormuz, the gate that all traffic must pass through, controlled by whoever holds the heights.
If the network is the only place where every attack must pass, then command of the network is the foundation of all defense. Cloud abstraction degrades that command. Every managed service that hides network behavior behind an API removes a section of the chokepoint. Every proprietary control plane that routes traffic through opaque infrastructure creates a path that trespass can traverse without being observed. Every identity federation that spans multiple providers is a fraud surface that no single team can fully audit.
The kudzu grew over the chokepoint. The terrain didn’t change. Our relationship to it did.
The cybersecurity industry does not talk about one law enough: dereliction. Dereliction is willfully failing or abandoning one’s duty. It is not an attack. It is the absence of defense. It enables every other violation.
When an organization cuts its networking budget because “everything is moving to the cloud,” that is dereliction. Not out of malice, but because the duty to maintain the only universal chokepoint is traded for premature cost savings. The old infrastructure is defunded before the new is mature enough to replace it. The gap between them is where attackers live.
When a vendor sells a security product that can detect threats but cannot see the paths they traverse, that is dereliction. The problem is split and only the profitable slices are solved.
When a buyer deploys to a cloud without demanding visibility into the underlying network, that is dereliction. They choose the blind spot because it’s convenient.
Dereliction is not dramatic. It doesn’t make headlines until the breach. But it is the law that makes every other violation possible. Trespass succeeds because someone failed to watch the door. Fraud succeeds because someone failed to verify identity. The attacker provides the trespass and the fraud. The defender provides the dereliction. It takes both sides to produce a breach.
Dereliction accumulates. It creates blind spots, weak controls, and unobserved paths. Those conditions do not stay empty. That is how you get insider attacks.
There are two kinds of insiders. The distinction matters.
The first is the malicious insider. Someone who entered the organization with criminal intent from day one. They applied for the job, passed the interview, cleared the background check, and showed up on Monday morning to commit trespass and fraud from the inside. Their trespass is pre-solved. They don’t need to break in. They were invited. Their challenge is fraud: maintaining a cover identity, concealing their true purpose, and extracting value without triggering suspicion. The longer they operate, the more fraud they must sustain, and the more surface they expose to detection.
The second is the compromised insider. This is someone who started out genuinely aligned with the organization and was turned. Their trespass is also pre-solved. They already have access. The difference is that their fraud does not begin at entry. It develops over time. There are two sub-types, and they behave differently.
The coerced agent is turned by external pressure: blackmail, financial distress, threats against family. They act under duress. This was not their choice. Because they are acting outside their norm, they tend to be clumsy. Their fraud skills are undeveloped. They make mistakes. They access things they don’t normally access, at unusual hours, from unfamiliar locations. They are detectable, if anyone is looking
The disenchanted insider is turned by internal grievance. They were loyal once. Something changed. They no longer feel allegiance to the organization, and they have decided, consciously or not, that the organization deserves what is about to happen.
The disenchanted insider is the most dangerous insider because they have three things: patience, moral justification, and a legitimate baseline. They are not in a hurry. They are not acting under duress. They believe they are right. They have years of behavior that any monitoring system has already learned is normal. When they begin to deviate, they do it slowly. A slightly unusual query here. An extra file download there. A gradual expansion of access that looks unremarkable on any given day. The drift disappears into the noise of daily operations.
In a stable, well-mapped network, this drift might eventually be caught. In a chaotic hybrid environment, mid-transition between on-premise and cloud, where nobody can confidently define normal and the ambient noise of change is constant, it goes unnoticed. The drift is indistinguishable from the background. The kudzu provides perfect cover.
Kudzu doesn’t need fertilizer. We add it anyway.
The budget crunch is the fertilizer. Organizations are under relentless pressure to move capital away from what investors perceive as commodity infrastructure. Networking, more than any other IT function, has been branded as plumbing. Essential, invisible, unglamorous. When budgets tighten, plumbing gets cut. Hardware refresh cycles stretch from three years to five to seven. Staff positions go unfilled. Maintenance windows get skipped. The assumption is that cloud and automation will eventually make traditional networking spend unnecessary. So investment is deferred. Or abandoned.
The assumption is wrong. It is also powerful. It creates a transition gap. That is when the organization is most vulnerable. During the transition, the organization runs a hybrid environment. Some traffic flows through on-premise infrastructure that is aging and understaffed. Some traffic flows through cloud abstractions that are new and poorly understood. Some traffic flows through paths nobody has mapped, because the mapping tools were built for one world or the other, not both. The old model is being defunded. The new model is not yet mature. The system is at its most complex. The defense is at its least coherent.
This isn’t an accident. The system rewards expansion, so we expand. For most companies, expansion equals growth. The same pressure that defunds the old demands that the new be built faster and cheaper. Building under pressure does not reduce complexity. It compounds it. The system fragments. The gaps widen. People feel it. The real work becomes harder. The bullshit work multiplies. They stop being able to focus on the work in front of them. Control slips away, slow at first, but faster every day. That is where grievance takes root.
The budget crunch does not produce readiness. It produces a gap. The system becomes more complex. The team becomes less capable of understanding it. The work does not slow down. The demands increase. Networking and security collapse into one problem, but the people responsible for it do not suddenly gain the skills to solve it.
So they reach for leverage.
They reach for systems that can see what they cannot see, map what they cannot map, and correlate what they cannot hold. They reach for digital agents. The pressure that created the gap does not disappear. It accelerates. The same investors who wrongly assumed the cloud would simplify the system now assume that AI will make its complexity irrelevant. That it can be abstracted away. Automated out of existence.
It won’t be.
Digital agency is not a feature. It is not a product category. It is not a bullet point on a slide deck. What we call AI is the variable that determines whether this transition succeeds or fails. Whether the skills gap closes before the budget gap is exploited.
The discipline that networking and cybersecurity are becoming demands a breadth of knowledge that no single human being carries. Routing and switching. Firewall policies. Application delivery. Identity systems. Threat detection and response. Cloud architecture across multiple providers. Behavioral analytics. Compliance. The person who understands all of these things at a deep level does not exist. A few thousand people in the world come close. None of them are available to hire. Most of them are attackers.
This has always been the barrier to convergence. You can merge the teams on paper, but if the people don’t have the expertise to operate across both domains, nothing has converged. You have a single team that is bad at two things instead of two teams that are each good at one. Expertise is neither fungible nor contagious. This has always been true.
It is why people get excited about the claims of what AI is going to do for them.
But the answer is not AI as the next marketing cycle trying to replace cloud on the cover of Wired. It is digital agents; small programs that can infer mostly right answers from incomplete information and act on them.
Agents change the constraint.
Agency isn’t making people more capable; it changes where they put their attention. Agents can observe network behavior continuously and detect anomalies without fatigue. They transfer business process into network policy without getting bored, distracted, or making typographical errors. They absorb bullshit work.
That gives people the time to do the work that actually matters.
It also compresses the kind of expertise required for many tasks.
A mid-level network engineer augmented by agents can perform security analysis that previously required a senior threat analyst. A mid-level security analyst augmented by agents can troubleshoot network path issues that previously required a senior network architect. Threat investigation that required manual log correlation across dozens of systems, in multiple formats, over multiple days, can be compressed into minutes. Network configuration changes that required careful planning and peer review can be validated against security policy instantaneously.
The disenchanted insider, whose drift is too slow and too subtle for any human analyst to notice becomes detectable when an agent holds a baseline across millions of observations and flags deviations that disappear into the noise of daily operations. The drift doesn’t have to be dramatic. It just has to be consistent. That subtle pattern is invisible to humans. It isn’t to machines.
This is what agency does: it compresses time. Tasks that took weeks take hours. Skills that took a decade can be approximated in months. The person who operates across both domains becomes possible, not because the humans became smarter, but because the machine handles the breadth while the human provides the judgment.
Without agents, kudzu is the end of the story. We’ve already created more complexity than we can manage, and we aren’t going to stop. Merging networking and cybersecurity together remains aspirational. The combined discipline is too broad for any team to staff.
With them, convergence becomes operational. A lean team, augmented by machines that retain context and identify correlations at scale, can operate across the full spectrum of network security in a way that two separate teams never could.
The constraint changes. The incentives do not.
If agents are built and deployed under the same pressures that shaped the cloud, they will follow the same trajectory. Features will expand. Abstractions will multiply. Visibility will degrade. The market will optimize for revenue before it optimizes for clarity. The kudzu will grow.
As long as the kudzu is growing, the terrain is invisible.
As long as the terrain is invisible, the industry defends against the weather.
You cannot seize the initiative from the weather.
Without the initiative, you do not set the terms of victory.
Leave a Reply
You must be logged in to post a comment.