VIEW 31
Top-down vs bottom-up
If you walk south over London Bridge to Borough Market, you will find a building called the Hop Exchange. This Grade II listed building by R.H. Moore opened in 1867, and this part of London, known as Southwark, has been famous for its coaching inns and breweries since Chaucer’s time, when there was only one bridge over the Thames. It was also the center of the hop trade.
Hops, grown in Kent, came up the Old Kent Road to be used in the breweries and were traded by the many hop factors in the area. If you step inside the building, you will see three tiers of balconies over a vast open atrium as shown in the photograph. This “open outcry” design, where merchants on the balconies could shout their orders to the traders on the floor, is similar in concept to the Lloyd’s insurance building.
Victorian developers built this beautiful building in a burst of progressive optimism, hoping to capture and consolidate the hop trade inside its walls. But the hop factors and merchants already had their own various premises and saw no reason why they should move. They were perfectly happy trading hops in their dingy warehouses, as you can see in the second photo. So, the Hop Exchange was a failure, no hops were ever traded there and it is now a general-purpose office building.
Top-down failure This is a good example of a top-down failure; an attempt to impose some organizational structure from above on an activity that is inherently bottom-up. The nature of trade is bottom-up, with entrepreneurs seeking opportunities to enrich themselves.
But the best example of a bottom-up system is the natural world itself, since that is the foundational principle of Darwinian evolution. Darwin’s theory has so far successfully refuted all proposals of an intelligent design principle or some top-down organizational input to explain how we all came to be.
This brings us to the central conundrum at the heart of cyber security. At first glance, computer systems would appear to be quintessentially top-down; planned, specified, and engineered by IT experts to do the tasks required both repeatedly and endlessly. But the ecology of the cyber landscape is bottom-up. The last 60 years of entrepreneurial development by tech companies has created a patchwork quilt of systems, software kernels, apps, emulators, protocols, and device drivers.
Sometimes a critical code module buried deep, say, in a Python library, was created by a single individual and is only being maintained at their whim. The Log4j incident is a good example. This open-source Java-based logging utility was written by Ceki Gulcu in 2001 and—being free—became widely used in millions of computer systems worldwide. A zero-day vulnerability discovered in December 2021 in Log4j sent organizations and governments scrambling to comb through their systems to see if it was a module that they used in their servers. This highlighted the complacency of top-down thinking in an environment that is fundamentally bottom-up.
