The Economics of Cyber Attacks
In the late 1800s, a gentleman named Charles Duryea had an idea. While attending the Ohio state fair in 1886, Duryea saw a 4HP, single-cylinder gasoline motor that he thought was sufficient to power a horseless carriage. As accomplished bicycle makers, Charles and his brother, Frank, went to work and in 1893 they tested their new invention, the first American-made automobile. By 1896, they had produced 13 automobiles and America’s first commercially-produced vehicle.
Chances are you’ve never heard of the Duryeas (or didn’t remember them). It’s common to hear that people think Henry Ford built the first vehicle, but in fact, he didn’t start building cars until 1901, and the Ford Motor Company wasn’t incorporated until 1903. Around the same time, there were over two hundred other automobile manufacturers operating in the US.
Henry Ford didn’t invent the automobile, but he did change the world with it.
By perfecting his product, pricing it right, and perfecting its creation with an assembly line, Henry Ford sold over one million cars by 1920. With the availability of the right resources, as well as a great product and making it within reach for much of the population, Henry Ford became the success that we still know today.
I had the honor of telling that story at a SecureWorld conference held at the Ford Motor Company Conference Center in Dearborn, MI, a few weeks ago. It’s an interesting example because the right recipe yielded a great success. And it bred the success of many other great companies as well. It’s a lesson worth revisiting.
Cyber attacks reaching a tipping point
We have recently seen tremendous growth and change in the attack marketplace. Today, the people who attack our networks have access to unprecedented options and resources that cause harm to our organizations. Businesses exist whose sole purpose is to attack other networks for pay. We hear about this, but few of us actually get to see or understand what’s truly out there.
It’s absolutely fascinating. And it’s familiar. We have the right economic conditions, the right innovation by attackers, and more valuable assets on the network. It’s extremely inexpensive to generate very strong attacks. One example that I like to give is $6 for a 5-10Gbps DDoS that will last 10 minutes. It usually costs me more than that to mail a small package!
As with any business ecosystem, the ones who are successful are doing things differently. Maybe they do it more efficiently, or maybe they are stronger or faster or have the best customer service. Does this sound familiar? The competition to be the best does exist and today, users have their choice of very professional options in attack companies.
Let’s be clear that we’re not saying Henry Ford is comparable to today’s attackers. One is a great man who arguably changed the world and certainly changed the lives of his employees, customers, and vendors. The other is a criminal. But both have leveraged the right recipe at the right time to achieve unprecedented success.
The ease and proliferation of attack resources means that we have to be prepared to defend ourselves. Even if you aren’t ready now, every business should be at least considering what their plan would be if they are attacked. If you are already thinking about it, make sure to include defense automation in your criteria. The tools available today can easily change vectors and fingerprints, making manual responses challenging.
We explore these ideas in our current keynote talk, which we’re sharing at regional SecureWorld conferences, NANOG 68, Canadian ISP Summit, and many other upcoming events. I hope to see you at one of these soon. If you’re there, please come and say hello!