Global — The Association of Data Thieves issued a formal statement this week praising what its leadership described as “a generational leap in operational convenience,” attributing the improvement entirely to the continued global migration of enterprise data into cloud-based storage systems. The statement, released under the association’s official letterhead and transmitted through secure channels the organization declined to specify, identified cloud adoption as “the single most consequential infrastructure development in the history of our field.” It was addressed, in the generic sense, to the technology industry. No specific recipient was named. The association noted that it had not been entirely certain who to send it to, and had ultimately resolved the question by sending it to everyone.
The association, which represents an estimated 847 independent practitioners and forty-three affiliated working groups across six continents, noted that the shift to cloud infrastructure has materially transformed nearly every dimension of its members’ professional lives — operationally, financially, and in terms of what the statement’s authors described, in language that the association’s communications director later clarified was not intended to be provocative, as “the scope of what is now reasonably achievable.” The statement ran to eleven pages, including footnotes, and was accompanied by a two-page executive summary for members who preferred their appreciation condensed.
“We want to formally acknowledge the technology sector’s contribution,” said a spokesperson, reading from prepared remarks at what the association described as a press availability, held in a location it declined to disclose. “This has been a remarkable period. We appreciate what the industry has built.” The spokesperson then answered three questions, declined four others on the grounds that they were “operationally sensitive,” and adjourned the availability approximately fourteen minutes ahead of schedule.
The statement was received without immediate comment by major cloud providers. A spokesperson for one large platform provider said only that the company was “reviewing the correspondence.” A second provider did not respond. A third issued a statement through a public relations intermediary noting that the company “does not comment on third-party assessments of its infrastructure” and that “security remains a top priority,” a formulation that appeared to have been drafted before the specific nature of the correspondence had been fully explained to the people drafting it.
Background: A Brief Institutional History
The association’s origins are, by its own account, modest. It was founded, according to the statement’s historical preamble, during a period when the relevant infrastructure was physically distributed, access required presence, and the overall scale of the enterprise was constrained by logistics in ways that the current membership finds difficult to imagine. “We were a cottage industry,” the preamble reads. “Regionally focused. Relationship-dependent. Capital-intensive in ways that limited who could participate and at what scale.”
The association’s early years coincided with what it describes, in the institutional memory section of its most recent annual report, as “the physical era” — a period defined by the requirement that practitioners be in proximity to the systems, infrastructure, and personnel they were engaging with. This was, the report notes without apparent nostalgia, inefficient. Engagements were time-consuming. Markets were geographically bounded. Scaling required investment in transportation, logistics, and personnel that was difficult to justify against uncertain returns. “We operated,” the report summarizes, “within the constraints of physical reality, because physical reality was at the time non-negotiable.”
That changed. The association’s statement attributes the change not to any internal development within the field but entirely to external infrastructure decisions made by the technology industry for purposes that had nothing to do with the association’s interests — and which, the statement notes with what appears to be genuine admiration, served those interests nonetheless.
The Geographic Problem, Resolved
For most of the association’s institutional history, proximity to data was understood as an operational prerequisite. Physical presence was required — sometimes near a terminal, sometimes near a building, sometimes inside one. Geographic constraints shaped staffing decisions, limited the association’s addressable market, and imposed a ceiling on the scale at which individual practitioners could reasonably operate. Practitioners in one country could not easily engage with targets in another. The logistics were prohibitive. The risk surface was large, in the physical sense of that term — exposure was a function of presence, and presence was expensive to maintain and difficult to conceal.
The spokesperson described this era with what appeared to be genuine affection, the way a veteran might describe conditions that were formative precisely because they were difficult. There was something, the spokesperson suggested, that had been clarifying about the physical constraints — the requirement to be specific, to commit, to bear the cost of proximity. “You knew what you were doing and where,” the spokesperson said. “There was a kind of discipline to it.” A pause. “We don’t miss it.”
“We used to need to be near the data. Now the data comes to us.”
Cloud computing has, in the association’s framing, deprecated geography as a variable entirely. Data that once lived on physical hardware inside specific buildings in specific cities is now accessible, with appropriate credentials, from anywhere with an internet connection. The association characterized this development as “a structural gift” that required no lobbying, no negotiation, and no expenditure on the organization’s part. The technology industry simply built it. The association simply noted its existence and sent a letter.
The letter took some time to draft, the communications director acknowledged. There was internal debate about tone — whether appreciation risked coming across as presumptuous, whether a formal statement was the right vehicle, whether the association should be issuing public communications at all. These concerns were ultimately resolved in favor of publication on the grounds that the statement contained no proprietary information, posed no operational risk, and expressed only gratitude, which the association’s legal counsel confirmed was not, in itself, actionable.
Operational Improvements: A Partial Inventory
The formal statement includes a supplementary annex detailing specific operational improvements attributable to cloud adoption. The association requested that this document not be reproduced in full; several sections were provided on background, with the understanding that specific methodological details would not be attributed and certain figures would be treated as approximate. What follows represents a partial accounting of the improvements enumerated therein. The association reviewed a draft of this section and requested two factual corrections, both of which have been incorporated.
Reduced travel requirements have been among the most immediately quantifiable gains. Practitioners who previously maintained operational budgets weighted toward transportation — ground transport, air travel, hotel accommodations, per diem costs, cover documentation, and the various carrying costs associated with maintaining physical presence in target markets over extended periods — report that those line items have collapsed to a degree that has required reclassification in some members’ accounting frameworks. Categories that previously represented significant portions of engagement costs are now either eliminated or reduced to what one member described as “noise.” “The per-engagement cost structure has changed fundamentally,” one member told association leadership, according to a summary shared with this publication. “We’ve reallocated that capacity toward throughput.”
Access speed has improved in parallel, and the improvement is not marginal. Where engagements once unfolded over days or weeks — shaped by the physical logistics of presence, by the time required to identify, approach, and develop access to specific systems in specific locations — cloud-based targets can often be assessed, approached, and addressed within hours of initial identification. The latency that was once a fixed feature of the work has been compressed to the point where it is no longer a meaningful variable in planning. The association’s annex describes this compression as “a transformation in the relationship between effort and outcome” — a phrase that the communications director noted had been drafted by the association’s internal research committee and reviewed by three senior members before publication. A more senior member, cited anonymously at their request, offered a shorter characterization: “It’s not just easier. It’s cleaner.”
Geographic scalability represents the third major improvement identified in the annex. The association noted that practitioners are no longer constrained to operating in markets within reasonable travel distance of their home base, which had previously meant that the effective market for any individual practitioner was substantially smaller than the nominal global market — bounded by cost, risk, language, logistics, and the practical limits of how many relationships and access points a practitioner could reasonably maintain across disparate physical locations. Simultaneous multi-regional operations, previously logistically complex and expensive enough to be reserved for large, well-resourced working groups, have become “a standard feature of modern practice” available to practitioners operating at significantly smaller scale. The annex’s summary table shows the association’s total addressable market has expanded by an estimated 2,847 percent since the widespread adoption of major cloud platforms began in the early 2010s. The methodology behind this figure was not disclosed. The association noted that the figure was conservative.
Efficiency at Scale: Automation, Simultaneity, and the End of Physical Infrastructure
Beyond the reduction of travel costs and geographic barriers, the association identified a third category of benefit that its leadership characterized as “perhaps the most durable”: the elimination of dependency on physical infrastructure entirely. This was described in the statement as “the deepest structural change” — one whose implications, the statement suggested, the field was still in the process of fully absorbing.
Historically, the association’s membership maintained and operated infrastructure proportional to its ambitions. Physical storage for extracted materials. Local processing capacity. Transportation and logistics networks. Physical plant of various kinds, held under various arrangements, the details of which the association has consistently declined to discuss. The overhead of personnel whose primary function was managing those systems. All of it represented fixed cost that constrained growth, required ongoing maintenance, and exposed members to a particular category of operational risk that was, in the pre-cloud era, simply a cost of doing business. A practitioner was only as mobile as their infrastructure allowed. Infrastructure was expensive. Mobility was therefore expensive. The field was, in this sense, capital-intensive in a way that most people outside it had never had occasion to consider.
Cloud computing has inverted this relationship entirely, and the inversion has been, according to the annex, “the single largest structural improvement in the field’s economics since the introduction of networked computing.” The infrastructure now belongs to the target sector. The association’s members access it as users — in the functional, if not the contractual, sense of that term. The capital expenditure that practitioners once bore is now borne by the cloud providers and their enterprise clients. The storage, the processing capacity, the redundancy, the global distribution network — all of it maintained, updated, and secured, to the degree it is secured, by entities whose business model depends on keeping it available. “We’ve effectively outsourced our capital expenditure to the cloud providers,” the spokesperson noted at the press availability, before appearing to reconsider the framing and adding: “That’s perhaps not the right way to put it for a public statement.” The communications director did not intervene.
Automation, made practical by cloud-based tooling, application programming interfaces, and the proliferation of infrastructure designed to be accessed programmatically at scale, has enabled simultaneous engagement across multiple targets — a development the association described as “allowing our membership to operate at a scope that would have been inconceivable fifteen years ago and logistically impossible ten years ago.” One practitioner, quoted in the annex under a pseudonym the association selected, described running what they referred to as “concurrent engagements” across four separate organizational targets in three different countries, managed from a single location, over a single weekend. Equipment required: a laptop and a reliable internet connection. Personnel involved: one. The practitioner described the experience as “uneventful, which is exactly how we prefer it.”
The annex includes a section on what it calls “the democratization of practice” — the observation that cloud infrastructure has significantly lowered the barriers to entry for practitioners who would previously have been unable to operate at meaningful scale due to capital constraints. “The field has become more competitive,” the section reads, “because it has become more accessible.” The association notes this development with what appears to be mixed feelings, given that increased competition within the field has put downward pressure on certain engagement economics, but concludes that the net effect has been positive for the field as a whole, if not uniformly positive for every individual member. “A rising tide,” the annex reads, in a sentence that appears to have been included without irony, “lifts all boats.”
The Cybersecurity Community's Position
Reached for comment, several members of the cybersecurity research community declined to express surprise. The observation that cloud computing concentrates valuable data in fewer, more accessible locations — and that this concentration creates a corresponding and structural risk — appears in the professional literature with a frequency that borders on formulaic. It appears in vendor white papers and academic journals, in regulatory guidance and conference presentations, in threat intelligence reports and post-incident analyses. Analysts and practitioners have spent the better part of a decade noting, in various registers of urgency, that the expanded attack surface introduced by cloud adoption is not an incidental or correctable feature of the architecture. It is structural. It is, in some meaningful sense, the point — the same openness that makes cloud systems useful is the openness that makes them accessible to people for whom the system’s designers had not specifically planned.
What the association’s statement adds to this conversation is primarily a shift in perspective, and a formalization of what the security community had long understood abstractly. The cybersecurity community has spent years framing cloud concentration as a risk to be managed, a threat surface to be monitored, a design characteristic to be mitigated through layered controls and careful architecture. The association’s statement frames it as a service that has been rendered — a gift, delivered by the technology industry to its own customers, that happens to have a secondary beneficiary the industry was not aware it was serving.
“We are describing the same system,” the association spokesperson said, when the discrepancy in framing was raised. “We simply have a different relationship to the outcome.”
Cybersecurity professionals interviewed for this article were reluctant to engage substantively with the association’s framing on the record, a reluctance that appeared to stem from professional caution rather than disagreement with the underlying analysis. Several observed, in terms that were uniformly diplomatic, that the argument was “not technically wrong.” One principal researcher at a major security consultancy, who requested anonymity, said the statement represented “a coherent economic description of cloud infrastructure from a particular vantage point” and that the field would benefit from “sitting with the discomfort of that description rather than dismissing it.” A second researcher, with a large financial sector client base, declined to comment substantively but observed: “This is the kind of letter you read and then you call your CISO.” A third said only: “Yes. We know. We have been saying this.” When asked whether the industry had adequately responded to what the security community had been saying, the researcher did not answer immediately. Then: “No.”
The question of why cloud infrastructure, despite a well-documented and extensively publicized attack surface, continues to expand at the pace it does is one the security community has addressed in several registers without arriving at a consensus answer. The most common answer is economic: the efficiency gains and cost reductions of cloud adoption are real, immediate, and distributed across the organizations adopting it, while the costs of the associated security risks are probabilistic, deferred, and often externalized — borne by customers whose data is compromised rather than by the enterprises whose infrastructure made the compromise possible. The association’s statement does not engage with this literature directly, but its structure implicitly confirms the analysis: the association benefits from an arrangement it did not create and did not pay for, and it is aware that this is the case.
A Note on the Association's Membership and Structure
The association has declined to release a membership directory, which it describes as “a standard professional accommodation” for a field in which public identification of practitioners poses obvious difficulties. What is known about its membership comes primarily from the statement itself and from the supplementary materials made available on background.
The 847 independent practitioners figure represents, the association notes, only those who have paid current dues and are in good standing with the organization’s membership committee. The actual population of practitioners operating in the field is, the statement notes in a footnote, “substantially larger” — the association makes no claim to comprehensive representation and notes that many practitioners prefer to operate without formal affiliation. “We are a professional organization,” the communications director said. “We provide research, advocacy, and a degree of collective voice. Membership is voluntary. We do not require it, and we do not track non-members.”
The forty-three affiliated working groups represent what the association describes as “specialized practice areas” — subfields within the broader field that have developed their own methodologies, tooling, and professional norms. Several of these working groups have issued their own statements on cloud adoption, some of which were incorporated into the association’s master document. The working group on automated access tooling, the statement notes, was “particularly vocal” in contributing to the sections on efficiency and scale. The working group on organizational target assessment contributed language to the sections on market expansion. The association’s research committee, comprising eleven members, provided the statistical analysis. The legal committee reviewed the final draft and recommended three deletions, all of which were accepted without argument.
Dr. Gutenberg Weighs In
Dr. Henry Gutenberg, Director of Applied Incentives at the Port-au-Prince Institute for Market Dysfunction, argued in a telephone interview that the association’s statement represents a natural and, in his view, entirely predictable consequence of a technology sector that optimized aggressively for one dimension of the user experience — accessibility, convenience, scale — without adequately pricing the externalities that optimization introduced. Gutenberg has spent most of the past decade studying what he calls “the secondary market problem” in digital infrastructure: the tendency of systems designed for one set of users to generate, as a structural byproduct, significant value for a second set of users whose existence the designers had either not considered or had considered and preferred not to discuss.
“Cloud providers built global, centralized, internet-accessible repositories of sensitive organizational data,” Gutenberg said. “They built it for the legitimate users. They priced it for the legitimate users. They marketed it to the legitimate users, using language — scale, accessibility, frictionless integration — that described exactly the features that make it useful to the association’s membership as well. The association’s membership are also users. They are using the system in the way the system makes available to be used. This is not a paradox. This is a product that works as designed, serving a constituency the designers preferred not to think about.”
Gutenberg noted that the association’s appreciation for cloud infrastructure is, from a strictly economic standpoint, rational in a way that most industries would recognize immediately if they encountered it in a different context. A road built for commerce is also available to people whose commerce is conducted without licenses. A port built for shipping is available to ships carrying goods their owners would prefer not to declare. An encryption standard developed to protect sensitive communications is available to anyone who wishes to communicate sensitively. The list, Gutenberg noted, is long. The pattern is consistent. The industry’s response, historically, has been some combination of access controls, monitoring, and what Gutenberg describes as “performative concern” — statements about security that satisfy the requirement to have said something without materially altering the economics that created the problem.
“When you build a bridge,” Gutenberg said, “you assume people on both sides want to cross it. Cloud architecture assumed only one kind of person wanted the data. Distance has been deprecated, as they say. The question is who benefits from that deprecation, and the honest answer is: everyone for whom proximity was previously an obstacle. The legitimate enterprise for whom flying a server to a remote data center was expensive and slow. And the practitioner for whom flying to the data was expensive and slow. Both problems are solved. Both constituencies are grateful. One of them sent a letter. The other one is still working on the press release.”
Gutenberg’s institute has submitted a working paper on the secondary market dynamics of cloud infrastructure to three peer-reviewed journals. He declined to share the title, describing it only as “pointed.” He expected a response from at least one journal within the quarter, he said, and noted that two of the three had previously rejected papers from the institute on grounds he described as “legibility concerns” — the reviewers had found the arguments coherent but the framing “uncomfortable.” He did not appear to consider this a problem. “Discomfort,” he said, “is frequently a sign that the accounting is correct.”
The Question of Liability, Briefly Raised and Set Aside
The association’s statement does not engage with the question of legal liability, which the communications director described as “outside our scope.” The question was raised nonetheless by at least one party: a regulatory analyst who reviewed the statement at this publication’s request and who found it, in their words, “clarifying in a way that might be useful in litigation, if anyone were inclined to pursue it.”
The specific observation was this: the association’s statement constitutes a documented, formal acknowledgment that cloud infrastructure, as currently designed and deployed, creates conditions that a professional organization of practitioners found materially beneficial to their operations — operations that are, in most jurisdictions, illegal. The association is not, therefore, arguing that cloud security is merely insufficient. It is arguing that cloud infrastructure is, from its members’ perspective, well-designed for their purposes. This is a different claim, with different implications, and the regulatory analyst noted that it was unlikely to have been the cloud providers’ intended contribution to the record.
The association’s legal committee, when this observation was relayed through the communications director, declined to respond. The communications director noted that the association “does not provide legal analysis on behalf of third parties” and that the statement “speaks for itself.” When asked whether the legal committee had anticipated this reading of the statement before publication, the communications director said: “I’m not in a position to speak to the committee’s deliberations.” A pause that lasted slightly longer than conversational norms would suggest was accidental. Then: “Next question.”
Industry Response: A Taxonomy of Non-Answers
In the days following the statement’s release, several of the larger cloud infrastructure providers were given the opportunity to respond substantively. What follows is a summary of those responses, presented in the order in which they were received.
The first provider issued a written statement through a communications intermediary noting that the company “takes the security of customer data seriously” and that it “invests significantly in security infrastructure, threat detection, and incident response capabilities.” The statement did not address the association’s specific observations. When a follow-up question was submitted asking whether the company’s security investments had been designed with the association’s membership in mind as a threat vector, the intermediary replied that the company “does not comment on specific threat actors or threat modeling approaches.” The association is not a specific threat actor. It is a professional association. The distinction was not addressed.
The second provider did not respond to initial inquiries and, following a second request, issued a two-sentence statement: “We are committed to the security and privacy of the data our customers entrust to us. Our security team reviews all relevant threat intelligence.” The association’s statement is not threat intelligence. It is a thank-you note. The distinction was, again, not addressed.
The third provider responded with a document that ran to four pages and addressed, in detail, the provider’s security certifications, compliance frameworks, geographic redundancy architecture, and commitment to what it described as “shared responsibility” — the model under which cloud providers secure the infrastructure and customers are responsible for securing what runs on top of it. The shared responsibility model was noted by two cybersecurity researchers contacted for this article as being, in the current context, “somewhat ironic” — the model explicitly distributes responsibility in a way that limits what the provider can be said to have failed to do. Dr. Gutenberg, reached by text message after the document was shared with him, replied: “Classic externalization. The cost is borne by someone else. This is the whole paper.”
The Association's Closing Remarks
The association’s statement concluded with what its authors appeared to intend as a collegial gesture toward the broader technology community — an expression of professional appreciation, offered from one sector to another, for work that has materially advanced the conditions under which the first sector operates. The final section of the statement is notably brief relative to the sections that precede it, a structural choice the communications director described as deliberate. “We wanted to end simply,” the director said. “The argument had been made. The appreciation had been expressed. There was nothing useful to add.”
“We appreciate the direction the industry is taking.”
The statement did not include recommendations, requests, or demands. It was described internally, according to one person familiar with its drafting, as “a thank-you note.” It took six weeks to draft, involved eleven contributors, and was reviewed by legal counsel in three jurisdictions. For a thank-you note, the person said, it had required an unusual amount of work. The communications director, when this characterization was shared, said: “We wanted to get it right.”
When asked whether the association intended to issue additional statements — whether this was the beginning of a more sustained engagement with the technology sector, or a one-time acknowledgment — the spokesperson paused before answering. The association had not, the spokesperson said, made any formal decision about future communications. It would, as always, respond to developments in the field as they occurred. Whether future developments warranted further statements would depend on the nature of those developments. “We’re watching,” the spokesperson said. “As we always are.”
At press time, the world’s data remained distributed across dozens of major cloud platforms, accessible via internet connection from any point on the globe with sufficient bandwidth, centralized in architecture if not in geography, and growing at a rate that industry analysts estimated at 2.5 quintillion bytes per day. The association did not issue a follow-up statement. It was not asked to. The cloud providers continued to build. The enterprise customers continued to migrate. The association continued to operate, at scale, without infrastructure, without travel, and without a forwarding address. Somewhere, in a location that declined to identify itself, eleven working group representatives were reviewing the draft agenda for the association’s annual meeting, scheduled, as always, for a date and location to be announced through channels to be specified. The agenda’s first item, according to a copy provided on background, was titled: “State of the Market.” The presenter was listed as TBD. The allocated time was ninety minutes. There was no item on the agenda concerning security concerns. There did not need to be.
The Bottom Line
The cloud computing industry spent two decades building an argument that centralization is convenience, that accessibility is progress, and that concentration of data in fewer, better-managed locations represents an unambiguous improvement over the distributed, physical architecture that preceded it. That argument was correct, and it was also incomplete. Every feature that makes cloud infrastructure attractive to a legitimate enterprise — global accessibility, reduced geographic friction, consolidated storage, scalable automated access, API-driven integration, programmatic reach across organizational boundaries — is equally attractive to an enterprise with different intentions. The Association of Data Thieves did not build anything. It did not lobby for anything. It did not pay for anything. It observed, correctly, that something had been built on its behalf, by people who were not thinking about it, funded by customers who were not thinking about it, and governed by a shared responsibility model specifically designed to ensure that no single party could be said to be fully responsible for the outcome. It then sent a thank-you note, which was more acknowledgment than the system had previously received. The technology industry has not yet responded. It is reviewing the correspondence.
[1] The Association of Data Thieves is a fictional organization. The operational improvements attributed to cloud computing in this piece accurately reflect documented trends in cybercrime: reduced attack costs, expanded geographic reach, increased automation, and scalability — all enabled by the same cloud infrastructure that legitimate enterprises rely on. The academic literature on this topic is extensive and largely confirms the association’s analysis, which is part of the joke and also not the funny part.
[2] Dr. Henry Gutenberg and the Port-au-Prince Institute for Market Dysfunction are recurring fictional constructs of this publication. The analysis attributed to Gutenberg reflects real arguments made by real security researchers and economists, none of whom would phrase it this way on the record, several of whom would recognize the argument and prefer not to be associated with having made it publicly.
[3] The “shared responsibility model” referenced in the industry response section is a real and widely-used framework in cloud security, under which cloud providers are responsible for the security of their infrastructure and customers are responsible for the security of what they build on top of it. Critics have noted that the model distributes responsibility in ways that are not always well-understood by enterprise customers, and that the resulting accountability gaps are well-documented in incident post-mortems. The model is not cited here as evidence of bad faith. It is cited because it is structurally relevant to the question of who bears the cost of the externality the association is writing to thank everyone for creating.
[4] The estimated 2.5 quintillion bytes of daily data generation is a figure that has appeared in industry reporting for several years and is broadly understood to be in the right order of magnitude, if not precisely accurate. The 2,847 percent addressable market expansion figure is fictional and should not be cited in grant applications, regulatory filings, or presentations to the board.