Protecting the Internet’s Potential Value
By: George Spafford
June 1, 2005
In the early years of networking, Metcalfe's Law seemed like a utopia. It promised that the value of a network was n(n-1)/2, where "n" is the number of nodes. Reed came along and suggested the value was really 2^n, and in 2005 Odlyzko and Tilly suggested a formula of n log(n). Now, with the hype cooled down and reality setting in, we can look at these formulas through a different lens. When we look at these traditional network value formulas, we are not truly seeing value, price or cost – only potential connections. If we have 2^32 connections and all lack value, then the value of the network is zero, but the potential could hold promise over a relatively smaller network of 2^16 connections given that all nodes have equal positive value, which we know immediately will never be the case. We can safely assume that for any network only 20% of the nodes will create 80% of the value. Conversely, we can also assume that the majority, or 80%, of the nodes will contribute very little value – perhaps 20%, or some relatively small portion. While possible connections and potential values are interesting to contemplate, any formula aimed at ascertaining theoretical network potential value (NPV) can only go so far in the real world due to factors that impair incremental value or even create negative value for each additional node added. This latter part is very concerning because of the possibility that some or all of the total value created could be destroyed, following a curve more like a logistic growth curve that reaches an asymptotic peak with diminishing returns; but as the threats overwhelm the value, the tail end of the curve begins to fall at a rapid rate. The challenge that we must come to grips with as a society is that any hope of attaining the NPV of the Internet necessitates a degree of globally coordinated care that has not been evidenced to date.
For just about any technology, be it an operating system, application or network, when a sufficient level of adoption is reached, that technology becomes a threat vector. This is why Microsoft Windows is threatened by thousands of forms of malicious software while, in contrast, specialized supercomputers have relatively few. This is also why, as the adoption of the Internet grew and the number of nodes increased, the Internet as a whole became a threat vector, and then, as multiple popular systems began to coalesce, they too, in turn, became threat vectors. From a hacker's simple cost-benefit view, why work hard on an attack that can only compromise a small handful of obscure machines when you can devise one attack that compromises thousands, or even tens of thousands, of systems globally that can then be used to further additional exploits or to stop and collect data? Unless, of course, the value in that handful is viewed by the hacker as worth the effort!
The fact that the Internet, the largest network on the planet, has an extremely large number of active threat vectors is best evidenced by constant news of security problems and an awareness that there are nodes which only add negative value to the net. When these predatory hosts are used to compromise hosts that do add value, not only is that total value lost to the sponsoring organizations and society during the course of the initial breach, assuming it is detected, but tremendous costs, both accounting and economic, are associated with restoring the systems, purchasing, implementing and maintaining countermeasures, etc. These costs play havoc with potential value models because they create equations with multiple unknown variables that cannot be readily solved.
For many organizations, connecting to the Internet and having email and web capabilities are simply viewed as costs of doing business and can be readily tallied each month by looking at bills from vendors. The value proposition, in comparison, is nebulous at best to many homeowners and businesses that are not engaged in commerce on the Internet. As a result, many spend as little as possible for the connection and put in as few controls as possible because they can't measure the value of the Internet to them but can very much track the costs. In other words, they know they are spending money but really don’t know if the benefits merit the costs. When people look only at past history to establish rudimentary risks, the “it hasn’t happened to me before” mentality can create an environment wherein individuals and businesses, even large ones, spend very little on controls such as Internet security, firewalls, antivirus, antispam, etc. The final nail in the coffin is a fixation on self-interest and an unwillingness to spend personal/organizational funds to protect the Internet, which is a digital commons.
Perhaps the core issue surrounding the Internet is the fact that it is a global public commons much like the environment, albeit a virtual one. As such, the Internet is a resource that needs safeguarding to prevent its misuse and ultimate destruction. In fact, one can apply the Tragedy of the Commons to the Internet in a number of ways. First, since people are not held accountable for responsible use, an "anything goes" mentality exists and is perpetuated by a lack of coordinated action by lawmakers worldwide. Second, there are diminishing returns, much like Garrett Hardin pointed out in his classic article on pollution. With the Internet, for each additional node added that doesn't have adequate security and behave in a responsible manner, we observe diminishing returns, or even altogether negative returns, and lose a portion of total value. How many tens of thousands of zombie hosts are on the Internet right now due to clueless small businesses and home owners who have no idea what is going on yet are unknowingly allowing coordinated attacks to happen on high-value targets all over the world? How many viruses are running wild causing havoc? How much time is wasted and opportunity costs incurred due to spam? These example risks, and many more, threaten the real value of the Internet to society.
Because the Internet is a commons and is being exploited, it needs regulation to safeguard both it and society. Adam Smith’s “Free Hand of the Market” appears to be a relatively effective control to coerce corrective action after the fact, but it fails abysmally until consumer pressure, real or perceived, exists. What Internet disaster will be needed next for the free hand of the market to wake up? Take privacy, for example. It is certainly on everyone's minds, and it involves issues beyond just the Internet. It extends to backup tapes, documentation, multimedia, email, instant messaging, etc. It took the losses of hundreds of thousands of records over the course of a few months before anybody woke up and took notice, despite the fact that the danger was well known and privacy “loss” issues had been going on for years before the debacles of 2005.
Governments worldwide must act now, in a coordinated manner, to protect their national economies and security by putting in place a sensible set of baseline security requirements, with enforcement to ensure compliance. Far too much is at stake to keep allowing the free hand of the market to whip up fervor and cause another set of inconsistent, vague, fear-driven and ultimately useless regulations to be enacted.
The Internet has the potential to continue adding value to the global economy, but its security and that of its nodes must be protected, which requires coordinated global regulations and enforcement. If not, then the system will become so saturated with threats and uncoordinated ad hoc countermeasures that a great deal of the network's value will be lost and future value suppressed. To citizens this means the potential to lose another Library of Alexandria. To corporations it means accounting costs, opportunity costs and lost revenue from dealing with security breaches, unreliable service levels and constantly escalating security and compliance requirements. For nations, there will be constant pressure to protect the economy and national security that cannot be dealt with effectively due to the global nature of the Internet. In closing, the Internet is amazing and its potential value may well be beyond reckoning, but to even pursue it effectively we must proactively implement globally consistent regulations that include enforcement provisions to safeguard our future.