Robert Metcalfe, co-inventor of Ethernet, is renowned for many things, but perhaps none more so than his namesake law: Metcalfe’s Law, which was initially presented in 1980 to describe the intrinsic value of a telecommunications network and has since been popularized as “The Network Effect” by economists and technologists.
The Network Effect describes “the effect that a user of a good or service has on the value of a product to other people” and, more notably, it posits that the value of the network itself increases with every added node or person using it (in Metcalfe’s original formulation, in proportion to the square of the number of connected users).
While the Network Effect is not without its critics, we see its influence writ large across the digital economy. From social networks such as Facebook, whose utility and financial value correlate directly with the size of its user base, to peer-to-peer blockchain systems that grow more robust and harder to subvert with the addition of each network node (though as proponents of Beckstrom’s Law will argue, Metcalfe’s Law does a poor job of accounting for service degradation resulting from too many users, or for bad actors who extract value from the network).
Theoretical critiques aside, the foundational premise of the Network Effect speaks to the underlying ability of large connected networks to deliver value, both to their owners and to their users. And while consumer-oriented brands such as Uber, Slack, and Twitter have become the public face of the Network Effect, we are now seeing its impact take hold in the cybersecurity industry in a variety of compelling ways.
The Calculus of Asymmetrical Cyber Warfare
Any seasoned cybersecurity practitioner is familiar with the maxim: “we have to be right 100% of the time, a cybercriminal only has to be right once.”
The notion of a hacker as a solitary hooded figure in a darkened basement is a convenient trope for Hollywood but of course, the reality is far different. Indeed, the most successful threat actors have proven to be highly organized ventures who might operate independently but have also shown an increasing willingness to collaborate and share intelligence with rival groups when it serves their mutual interests.
Moreover, the emergence of Dark Web hacker forums has effectively democratized many of the specialized hacking tools that were once the reserved province of a technically adept few, making them available in cost-effective subscription models that can be put to use by even the most inexperienced script kiddies.
By contrast, until recently, the industries that are under siege have largely operated like independent fiefdoms, holding their security-related intelligence close to the vest due to concerns about the potential negative hit to their stock price or damaging their brand reputation — despite the fact that sharing this intelligence could lead to a mutually beneficial outcome for both individual organizations as well as the entire industry over the long haul.
Consequently, attackers are incentivized to reuse the same tools and techniques to exploit similar vulnerabilities at other organizations within a targeted industry, which in turn drives the wide proliferation of these malicious tools, lowers the cost of each attack, and inflicts greater financial losses on victim firms.
This is the asymmetry at the heart of the problem: one side, the threat actors, needs only a modest investment to achieve gains, while the other side, the defenders, must invest heavily just to maintain an adequate defense. This disproportionate investment of time and resources is what makes the dynamic so lopsided, and why the cyber battlefield has until recently tilted so heavily in the attackers’ favor.
Crowdsourcing the Network Effect for Real-Time Threat Intelligence
As hacking tools become more widely available to a broader group of threat actors, the result is predictable enough: the volume of attacks has skyrocketed. In 2019, Kaspersky reported that its antivirus platform identified more than 24.5 million “unique malicious objects,” a 14% increase over 2018. Moreover, the industry currently faces a severe shortage of experienced cybersecurity practitioners, with some firms estimating there will be as many as 3.5 million unfilled cybersecurity jobs globally by 2021.
In response, a number of security-based information sharing organizations such as Information Sharing and Analysis Centers (ISAC) and Computer Emergency Response Teams (CERT) have been established as a vehicle to promote cross-industry threat intelligence sharing. Meanwhile, organizations such as the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) have been formed with the mission of sharing industry-specific intelligence on incidents, threats, vulnerabilities, and security controls. Impressively, since its founding in 2014, this industry collaboration now encompasses more than 150 major brands that together have collected more than 40,000 Indicators of Compromise.
These types of information sharing activities leverage Network Effects to create what social scientists dub “positive externalities” which arise when the welfare of an individual member in a network is dependent on the contribution of other network participants, and hence the value of the network increases as more members join up.
Other examples of these types of crowdsourced initiatives that are looking to benefit from the Network Effect include:
- Crowdsourced Bug Bounty Programs: While bug bounty programs aren’t new, a number of new startups such as HackerOne, Bugcrowd, and Synack have productized these models, adding as many as 200,000 part-time hackers to the collective workforce;
- Intra-Industry Fraud Consortiums: In the battle against lending fraud, credit reporting giant TransUnion created Fraud Prevention Exchange, a consortium of diverse financial services organizations that share evidence of fraud with other members in its effort to curb the hundreds of millions of dollars that are lost to a variety of online lending fraud schemes every year;
- Federations of Anti-Phishing Security Analysts: As noted by Verizon in its annual Data Breach Investigations Report, 94% of malware was delivered by email, with phishing serving as the predominant initial attack vector. Given that the median time from delivery to the first recipient clicking on a phishing email is only 82 seconds, the ability to flag and verify suspicious emails and share them in real time across a federation of trained security analysts from a diverse set of organizations will be essential in limiting the scope of the damage.
Meanwhile, some crowdsourced email security systems are also capable of taking automated action based on how many people report an email as suspicious. When one user reports an email, that report is assigned a weight; as more users report the same email across the system, the incident’s cumulative weight increases until it crosses a threshold, at which point the response can be automated (for instance, the email is automatically quarantined for every recipient, or all other recipients are automatically alerted). Two details matter in practice: reports must be clustered on features that stay constant across a campaign (sender, subject, landing URLs) rather than on per-recipient message IDs, and each reporter should count only once per incident so that a single user, or a single compromised mailbox, cannot push the score over the threshold alone.
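The weighted-reporting mechanism above, as an added example written for this article rather than code from any product it mentions. It fingerprints each reported message on campaign-invariant fields (sender domain, normalised subject, URLs with their per-recipient query strings stripped), accumulates one weighted vote per reporter per incident, and fires a quarantine action once the score crosses a threshold. The sample reports, the reporter names, the analyst weight of 2.0 for `carol`, and the threshold of 3.0 are all constructed assumptions for illustration.

```python
import hashlib
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample reports (not real mail). Each dict is what a "report
# phishing" mail add-in might submit. Alice's and Bob's copies come from the
# same campaign and differ only in greeting and tracking token; Bob reports
# his copy twice (the second time forwarded); Carol is an assumed analyst;
# Dave reports an unrelated newsletter.
REPORTS = [
    {"user": "alice", "from": "it-support@examp1e-login.com",
     "subject": "Action required: password expires today",
     "body": "Hi Alice, reset here: https://examp1e-login.com/reset?u=alice"},
    {"user": "bob", "from": "it-support@examp1e-login.com",
     "subject": "ACTION REQUIRED:  password expires today",
     "body": "Hi Bob, reset here: https://examp1e-login.com/reset?u=bob"},
    {"user": "bob", "from": "it-support@examp1e-login.com",
     "subject": "Fwd: ACTION REQUIRED:  password expires today",
     "body": "Hi Bob, reset here: https://examp1e-login.com/reset?u=bob"},
    {"user": "carol", "from": "it-support@examp1e-login.com",
     "subject": "Action required: password expires today",
     "body": "Hi Carol, reset here: https://examp1e-login.com/reset?u=carol"},
    {"user": "dave", "from": "newsletter@vendor.example",
     "subject": "Monthly update",
     "body": "Read more at https://vendor.example/news/2019-10"},
]


def fingerprint(msg):
    """Campaign-level fingerprint for a reported message.

    Keyed on fields that stay constant across recipients of one phishing
    wave: sender domain, subject (lower-cased, whitespace collapsed,
    Re:/Fwd: prefixes removed) and the set of URLs minus query strings,
    so per-recipient tokens do not split one campaign into many incidents.
    """
    domain = msg["from"].rsplit("@", 1)[-1].strip().lower()
    subject = re.sub(r"\s+", " ", msg["subject"].strip().lower())
    subject = re.sub(r"^((re|fw|fwd):\s*)+", "", subject)
    urls = sorted({u.split("?", 1)[0].lower() for u in URL_RE.findall(msg["body"])})
    material = "\n".join([domain, subject, *urls]).encode()
    return hashlib.sha256(material).hexdigest()[:16]


class CrowdReportAggregator:
    """Accumulates weighted reports per fingerprint and fires a response
    once the cumulative weight crosses the threshold."""

    def __init__(self, threshold=3.0, reporter_weights=None, default_weight=1.0):
        self.threshold = threshold
        # Assumed trust weights, e.g. a vetted analyst counts for 2.0 votes.
        self.reporter_weights = reporter_weights or {}
        self.default_weight = default_weight
        self.score = defaultdict(float)
        self.reporters = defaultdict(set)
        self.actioned = set()

    def report(self, msg):
        """Record one report; returns (fingerprint, score, action-or-None)."""
        fp = fingerprint(msg)
        user = msg["user"]
        # One vote per reporter per incident: re-reporting the same mail
        # must not let a single user push the score over the threshold.
        if user in self.reporters[fp]:
            return fp, self.score[fp], None
        self.reporters[fp].add(user)
        self.score[fp] += self.reporter_weights.get(user, self.default_weight)
        if self.score[fp] >= self.threshold and fp not in self.actioned:
            self.actioned.add(fp)          # act once, not on every later report
            return fp, self.score[fp], "quarantine"
        return fp, self.score[fp], None


def run_demo():
    """Feed the constructed reports through one aggregator; returns
    a list of (score, action) in report order."""
    agg = CrowdReportAggregator(threshold=3.0, reporter_weights={"carol": 2.0})
    return [agg.report(m)[1:] for m in REPORTS]


if __name__ == "__main__":
    for msg, (score, action) in zip(REPORTS, run_demo()):
        print(f"{msg['user']:>6}  score={score:.1f}  action={action}")
```

Alice and Bob each add 1.0, Bob’s forwarded duplicate adds nothing, and Carol’s weighted report lifts the incident to 4.0 and triggers the quarantine; Dave’s newsletter lands in a separate incident at 1.0. In a deployment the quarantine action would also need a path for an analyst to reverse a false positive, which is omitted here.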
In the context of threat intelligence sharing, the timeliness and accuracy of detection, analysis, and alerting depend critically on the amount of information collected and analyzed. As these crowdsourced hubs of human-enhanced threat intelligence continue to grow in scope and scale, we should be far better positioned to leverage these network effects and level the playing field back in our collective favor.