While written from the point of view of the UK as a state, do you think these principles also apply to technology estates for enterprises and institutions?
I think "Actively engineer diversification, Use standards as a strategic lever, Secure architectural control of critical systems, Sustain sovereign skills and operational know-how, Preserve optionality and strategic agility, and Shape networks of managed interdependence", at least, should all be part of IT strategy for a university.
You are touching an extremely serious issue here. Thanks for providing a very well articulated vision. You wrote this with reference to the UK and your proposed action point are well taken in that context. I am of course thinking of Europe. This is an issue that the EU (or a substantial subset of "willing" countries) should also address, through exactly the same action points. These action points raise an issue of scale. Because of their "weight", it may be impossible for individual countries to reach a form of digital sovereignty. I wish that what you suggest here will become an action program for a coalition of the willing who share the European values of freedom and demopracy.
Thanks Carlo. I have a concern that the EU approach to tech sovereignty will lack the sharp focus that is required. The basis exists, but whether the ability to disentangle the competing policy concerns exists is another question altogether. I have reviewed US, UK and China national security policy with respect to science and technology. I should probably do the same for the EU.
Brilliantly articulated framework here. The architectural control point really cuts through the noise becuase most policy discussions get stuck on the ownership trap. I've seen orgs burn millions tryingto own every component when what they actually needed was interface control and substitutability. This systems-lens approach feels way more actionable than the usual "let's build everything domestically" rhetoric that never pans out anyway.
I agree with what you write. Then again, if Microsoft Outlook calendar goes down for whatever reason then I'd have no idea when/where my next class is... 😖
I wonder how much doing backups can help us (even if everyone did them, which they'll not do), when the resources and systems we need are owned by foreign companies. Imagine they owned the water network and could turn it off at will - would a few of us stockpiling some water bottles help us much?
I was reading about a french judge at the international court of justice (I think) who can no longer bank in France because the US imposed sanctions on him. If you don't control your systems, you're at some other country's will.
Then again, nobody got fired for buying IBM/Microsoft/AWS/Google/Oracle/etc., so I don't expect much to change unless there's a top-down push for this. I heard that the French state asked that people stop using Zoom and start using a local platform. I think that's a good start - hardest thing to replace will probably be Microsoft Office (not because the free alternatives are not good enough for what the majority does, just a question of familiarity with its interface). And of course, try telling IT that it'll no longer be a Windows shop and they'll have to install and manage Linux! 🤣
Great framing. Reliance comes at a cost because CATNAP (Cheapest Available Tech Narrowly Avoiding Prosecution) ensures that HMT and other forces pressure devolved decisions and if everybody goes for cheapest all the school roofs will be in jeopardy when one fails. down.... and the tech equivalent. How much resilace can we afford, then? We reviewed the NRR, which is heavily siloed and ignores cascades, common confounding factors, and applications - hence COBRA is needed to join it all up again after the balloon goes up. Just sayin'.
See Grindrod, P., Bowman, C. E., Smith, G. M., & Stasinakis, A. (2025). The National Risk Register 2023: some reasoned reflections. Sustainable and Resilient Infrastructure, 10(3), 237–251. https://doi.org/10.1080/23789689.2024.2404277
Meanwhile, the UK's Sovereign AI programme is really missing a key ingredient: creating tech in the UK that will be the envy of other nations: inventing and investing in the "generation after next" tech - there is too much catch-up. You cannot win with just a "me-too" strategy (thta all countries have), by providing low friction access to HPC, data centres, and partnerships with global AI tech suppliers.
Somebody, somewhere, in the UK has to take thought leadership and invent part of the next generation and generation are next tech for AI, that is designed for global innovation and leadership. Just sayin'.
tl;dr interdependence, not dependence or independence
these notions were tested nearly to destruction for the UK's food supply during WWII. It is worth going back to what was done then and thinking what is the equivalent for other critical infrastructures (obviously energy is being done already - but more deep analysis of this for other tech) _ by the way, i actually believe we could build a complete local supply chain for digital tech right down to chip fab - but do really we need to? as you very rightly discuss and detail!)....
Anthony (and as far as I know, this observation of mine is original), you have overlooked the issue of polticak and cultural sovereignty, which is at threat from AI. Currently, AI's training sets are created by humans, but, as time goes by, the training sets will become polluted with the outuit from AI. At this pint, the cultural uniqueness of the results of search s will disappear. Plus, the bias will be determined by the inherent biases of the particular AI LLM that exist, and, the biasses from training sets.
A serious question is, to quote Vic Basili on other matters, "Why are we doing this"?
Thanks. Technology embeds values. Thus, for example, urban surveillance tech. AI large language models are a further case. As you say this becomes an issue of understanding the training data. Hence my emphasis on assurance.
While written from the point of view of the UK as a state, do you think these principles also apply to technology estates for enterprises and institutions?
I think "Actively engineer diversification, Use standards as a strategic lever, Secure architectural control of critical systems, Sustain sovereign skills and operational know-how, Preserve optionality and strategic agility, and Shape networks of managed interdependence", at least, should all be part of IT strategy for a university.
It is systems all the way down!
just reading Apple in China, Innovation in Real Places and the House of Lords report on "Bleeding to Death" and wrote this blog which is kind of a warning about some models of diversification of your supply chain:-) https://paravirtualization.blogspot.com/2026/01/fabless-industries-arent-exactly-new.html
Very interesting to look at these sort of 'case studies'.
You are touching an extremely serious issue here. Thanks for providing a very well articulated vision. You wrote this with reference to the UK and your proposed action point are well taken in that context. I am of course thinking of Europe. This is an issue that the EU (or a substantial subset of "willing" countries) should also address, through exactly the same action points. These action points raise an issue of scale. Because of their "weight", it may be impossible for individual countries to reach a form of digital sovereignty. I wish that what you suggest here will become an action program for a coalition of the willing who share the European values of freedom and demopracy.
Thanks Carlo. I have a concern that the EU approach to tech sovereignty will lack the sharp focus that is required. The basis exists, but whether the ability to disentangle the competing policy concerns exists is another question altogether. I have reviewed US, UK and China national security policy with respect to science and technology. I should probably do the same for the EU.
Brilliantly articulated framework here. The architectural control point really cuts through the noise becuase most policy discussions get stuck on the ownership trap. I've seen orgs burn millions tryingto own every component when what they actually needed was interface control and substitutability. This systems-lens approach feels way more actionable than the usual "let's build everything domestically" rhetoric that never pans out anyway.
Thank you. That is appreciated.
I agree with what you write. Then again, if Microsoft Outlook calendar goes down for whatever reason then I'd have no idea when/where my next class is... 😖
My calendar is probably the only thing I do not have a local backup of. Time to export a .ics Thanks!
I wonder how much doing backups can help us (even if everyone did them, which they'll not do), when the resources and systems we need are owned by foreign companies. Imagine they owned the water network and could turn it off at will - would a few of us stockpiling some water bottles help us much?
I was reading about a french judge at the international court of justice (I think) who can no longer bank in France because the US imposed sanctions on him. If you don't control your systems, you're at some other country's will.
Then again, nobody got fired for buying IBM/Microsoft/AWS/Google/Oracle/etc., so I don't expect much to change unless there's a top-down push for this. I heard that the French state asked that people stop using Zoom and start using a local platform. I think that's a good start - hardest thing to replace will probably be Microsoft Office (not because the free alternatives are not good enough for what the majority does, just a question of familiarity with its interface). And of course, try telling IT that it'll no longer be a Windows shop and they'll have to install and manage Linux! 🤣
.ics is a standard (RFC 5545) so at least gives some optionality! We will clearly need to have a debate on platforms.
Great framing. Reliance comes at a cost because CATNAP (Cheapest Available Tech Narrowly Avoiding Prosecution) ensures that HMT and other forces pressure devolved decisions and if everybody goes for cheapest all the school roofs will be in jeopardy when one fails. down.... and the tech equivalent. How much resilace can we afford, then? We reviewed the NRR, which is heavily siloed and ignores cascades, common confounding factors, and applications - hence COBRA is needed to join it all up again after the balloon goes up. Just sayin'.
See Grindrod, P., Bowman, C. E., Smith, G. M., & Stasinakis, A. (2025). The National Risk Register 2023: some reasoned reflections. Sustainable and Resilient Infrastructure, 10(3), 237–251. https://doi.org/10.1080/23789689.2024.2404277
Meanwhile, the UK's Sovereign AI programme is really missing a key ingredient: creating tech in the UK that will be the envy of other nations: inventing and investing in the "generation after next" tech - there is too much catch-up. You cannot win with just a "me-too" strategy (thta all countries have), by providing low friction access to HPC, data centres, and partnerships with global AI tech suppliers.
Somebody, somewhere, in the UK has to take thought leadership and invent part of the next generation and generation are next tech for AI, that is designed for global innovation and leadership. Just sayin'.
I very much agree on the NRR and have been advocating for a rethink. I will read the paper with interest.
tl;dr interdependence, not dependence or independence
these notions were tested nearly to destruction for the UK's food supply during WWII. It is worth going back to what was done then and thinking what is the equivalent for other critical infrastructures (obviously energy is being done already - but more deep analysis of this for other tech) _ by the way, i actually believe we could build a complete local supply chain for digital tech right down to chip fab - but do really we need to? as you very rightly discuss and detail!)....
Interesting! Is there a good history of UK civil resilience during WW2?
I hope gou are wrong. The EU needs to wake up. No time left.
Anthony, you don't address the treats to political and cultural sovereignty. More soon, have soe thiughts on this.
Anthony (and as far as I know, this observation of mine is original), you have overlooked the issue of polticak and cultural sovereignty, which is at threat from AI. Currently, AI's training sets are created by humans, but, as time goes by, the training sets will become polluted with the outuit from AI. At this pint, the cultural uniqueness of the results of search s will disappear. Plus, the bias will be determined by the inherent biases of the particular AI LLM that exist, and, the biasses from training sets.
A serious question is, to quote Vic Basili on other matters, "Why are we doing this"?
Regards
Karl
Thanks. Technology embeds values. Thus, for example, urban surveillance tech. AI large language models are a further case. As you say this becomes an issue of understanding the training data. Hence my emphasis on assurance.