The Signal That Can Be Spoofed
Critical infrastructure runs on borrowed certainty: satellite time, name resolution, certificate authorities. In 2026 those signals started failing in public, and the only durable answer is a record you can verify with no network and no external authority.
Most of the systems you trust every day are standing on a signal that someone can fake.
That is not a metaphor. It is an engineering fact, and in 2026 it stopped being theoretical. Think of the aircraft over the Gulf, the cellular tower three streets away, the certificate that turns the padlock green in your browser, the name that resolves a website into an address you can reach. Each of these leans on an external signal that arrives from somewhere else, that you did not produce, that you cannot independently confirm, and that a competent adversary can forge or simply switch off. We built the modern world on borrowed certainty. The bill is now arriving.
The signal everyone trusts and nobody verifies
Start with the Global Positioning System, because it is the cleanest example of the problem. People think of it as a map. It is really a clock. The Global Positioning System broadcasts time, and an astonishing amount of infrastructure synchronises itself to that time. Telecommunications networks, power grids, financial trading systems, and air traffic surveillance all lean on it. The signal that reaches the receiver is faint, unauthenticated, and predictable, which means it can be imitated by equipment that costs less than a laptop.
The numbers from this year are not subtle. The Federal Aviation Administration reported that spoofing reports more than doubled between January and June of 2025. The International Air Transport Association recorded interference rising roughly 193 percent in 2025 against 2023. By March 2026, more than 700 flights in Gulf air corridors had logged suspected spoofing events, and in a single 24 hour window over 1,100 vessels reported interference in the Strait of Hormuz. Across the Baltic, tens of thousands of interference events have been recorded since late 2023, hitting Sweden, Poland, Finland, Estonia, Latvia, and Lithuania. A cockpit screen places the aircraft miles from where it actually is. A ship sees a coastline that is not there. The receiver does exactly what it was built to do. It believes the signal.
A dependency is a decision you forgot you made
Here is the systemic principle underneath the headlines. Every external signal you depend on is a single point of failure you have chosen, usually without choosing it. Convenience installs these dependencies quietly. Satellite timing was free and accurate, so timing got built on it. One cloud region was cheap and close, so half the internet got built on it. One certificate authority was already trusted, so a generation of websites got built on it. None of these were decisions anyone debated. They were defaults that hardened into foundations.
The Domain Name System tells the same story in a different accent. On 20 October 2025, a latent race condition in the way one cloud provider managed Domain Name System records inside its busiest region cascaded outward for more than 14 hours. Over 140 services degraded. Independent measurements put 20 to 30 percent of internet-facing services into disruption, roughly a third of the web, with insured losses estimated near 581 million dollars. The servers were healthy. The infrastructure was fine. The names simply stopped resolving, and without the name the working machine behind it might as well not exist. In May 2026 large parts of the German web went dark for hours because of one broken cryptographic record at the registry running the .de top-level domain. One record. A continent of services depended on it.
Trust is not a feeling, it is a system property
The third pillar is the one most people never see, because it works almost all of the time. When your browser shows a secure connection, it is trusting a certificate authority to have told the truth about who owns a site. That trust is not earned per transaction. It is delegated, in advance, to a small set of organisations whose incentives do not always point at the public interest.
Consider what surfaced over the past two years. One major authority was distrusted by the browser root programmes after a pattern of issuance failures and, more tellingly, a habit of arguing that the rules should not apply rather than fixing the practice. Another authority issued twelve certificates for the address 1.1.1.1 without the permission of the operator that runs it, between early 2024 and August 2025. In May 2026 a halt at a large free certificate authority reminded everyone how much of the web now depends on a single issuer for the credentials that make encryption trustworthy. In each case the cryptography worked perfectly. The failure was not mathematical. It was a failure of the institution we had agreed to trust, and trust delegated to an institution is only as strong as that institution's worst quarter.
What resilience actually requires
Put the three failures side by side and the common shape appears. In every case the system depended on an external authority to vouch for something at the moment it was needed. The satellite to vouch for the time. The resolver to vouch for the name. The certificate authority to vouch for the identity. Resilience is not adding a second authority to vouch for the first. That just moves the single point of failure one hop down the road. Real resilience means you no longer need anyone to vouch at all. It means a record you can verify yourself, on the spot, with no live signal and no external party in the loop.
This is the principle I built Mickai around. Mickai is a Sovereign Intelligence Operating System, and at its core is the Open Audit Record. Every action the system takes is signed before it executes, not logged after the fact, and written to an append-only hash-chained ledger. The signatures use the post-quantum standard finalised by the National Institute of Standards and Technology in August 2024, the module-lattice signature scheme known as ML-DSA, at the 65 parameter level. The record is designed to outlast the cryptography that everyone else is still relying on.
A record you can check with the lights off
The part that matters for everything above is how you check it. The Open Audit Record can be verified by a tool that runs entirely inside a browser, with no network connection and no trust placed in the vendor, including me. You do not phone home to a satellite, a resolver, or a certificate authority to confirm the chain is intact. You hold the record and you check the mathematics. The audit root anchors to Pantheon, Mickai's sovereign Layer 1 blockchain, which in turn anchors to Bitcoin, so the chain of custody does not rest on my word or my servers staying up.
I am not guessing that this approach matters. Mickai is built and in production, fifty brains, twenty five domain and twenty five operational, running on the Poseidon silicon substrate, and the audit architecture sits underneath all of it. The work is covered by 101 filed United Kingdom patent applications carrying roughly 2,234 claims, owned by Mickai LTD, registered in the United Kingdom as company 17166618, with myself, Micky Irons, named as the inventor. These are filed applications, and I name them as such.
The lesson of 2026 is not that satellite timing is bad, or that the cloud is fragile, or that certificate authorities are careless, though some are. The lesson is older and harder. Anything you cannot verify yourself, you are trusting on faith, and faith is not a security control. The signal can be spoofed. The name can vanish. The authority can fail, be compromised, or simply decide the rules do not apply to it this quarter. The only record worth building a civilisation on is one you can hold in your own hands and prove, with no network, no satellite, and no permission from anyone. That is the standard. We built to it. Everyone else should too.