What are Beckstrom’s Laws of Cyber Security?

Prioritizing security efforts – critical for the IoT to survive – may best be done by considering the value of transactions over the size of the network.

The Internet of Things (IoT) has many defining characteristics, such as tiny, cheap and low power sensors, embedded computers, and connectivity. But one characteristic will rule them all, namely, security. In the very near future, the IoT will probably not exist if it isn’t secure.

Beckstrom’s Laws of Cyber Security sum it up nicely:

  1. Everything that is connected to the Internet can be hacked
  2. Everything is being connected to the Internet
  3. Everything else follows from the first two laws.

Perhaps this should be called a corollary to Beckstrom’s law, as it provides a short proof to the existing law. Originally, Beckstrom’s law (or theorem) was formulated to determine the real value of a given network. Postulated by Rod Beckstrom, former director of the National Cybersecurity Center, the law states that the value of a network “equals the net value added to each user’s transactions conducted through that network, summed over all the users.”

Image Source: Beckstrom.com

According to Beckstrom, his law can be used to value any network, be it a social network, a computer network, or even the Internet as a whole. In his model, the value of the network is determined by looking at all of the transactions conducted and the value added by each transaction.

To determine the value of a network, Beckstrom used an economic point of view, which considers what the additional transaction costs or losses would be if the existing network were turned off. For example, if a goods delivery service is shut down, then customers will go without those goods or obtain them in a different manner (e.g., driving to the store).

This focus on transactions is what distinguishes Beckstrom’s Law from its more famous cousin, Metcalfe’s Law. For Metcalfe, the value of a network was based purely on the size of the network, specifically the number of nodes. Conversely, Beckstrom’s Law focuses on transactions, which makes it more applicable to current experiences on the Internet. This means that Metcalfe’s Law doesn’t account for a decreasing value of the network from an increased number of users or hackers who steal value.

Focusing on transactions makes Beckstrom’s Law of immediate value to the cyber security industry, i.e., the number of desired transactions versus the number of undesired transactions. To illustrate this point, consider a simplified equation:

V = B - C’ - SI - L

Where:

V = value of the network

B = benefit of the network

C’ = remaining costs outside of the security investments and losses

SI = security investment that a company or person spends to avoid losses

L = actual losses due to poor security.

With this equation, cyber security professionals can prioritize their efforts by focusing on minimizing the costs of computer security, “SI” and “L”. Conversely, law enforcement can focus on raising the security costs of the bad actors and hackers.
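The following added example (not from Beckstrom's material or the original article) applies the simplified equation to a small ledger: B and C’ are summed over each user's transactions, and every combination of candidate controls is scored to find the one that maximizes V, which is the same as minimizing SI + L. All figures, the control names, and the model in which each control removes a fixed fraction of the remaining expected loss are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample ledger: user -> [(benefit, other_cost), ...] for one period.
TRANSACTIONS = {
    "alice": [(120.0, 30.0), (80.0, 20.0)],
    "bob": [(200.0, 50.0)],
    "carol": [(60.0, 10.0), (40.0, 15.0), (90.0, 25.0)],
}

# Hypothetical controls: name -> (cost, fraction of remaining expected loss removed).
CONTROLS = {
    "change_default_passwords": (5.0, 0.60),
    "signed_firmware_updates": (40.0, 0.50),
    "network_segmentation": (70.0, 0.30),
}

BASELINE_LOSS = 150.0  # assumed expected loss L with no security investment


def network_value(transactions, si, loss):
    """V = B - C' - SI - L, with B and C' summed over every user's transactions."""
    b = sum(benefit for txs in transactions.values() for benefit, _ in txs)
    c = sum(cost for txs in transactions.values() for _, cost in txs)
    return b - c - si - loss


def residual_loss(chosen, controls, baseline):
    """Assumed model: each chosen control removes a fraction of the remaining loss."""
    loss = baseline
    for name in chosen:
        loss *= 1.0 - controls[name][1]
    return loss


def best_portfolio(transactions, controls, baseline):
    """Score every subset of controls; return (V, chosen, SI, L) with the highest V."""
    best = None
    for r in range(len(controls) + 1):
        for chosen in combinations(sorted(controls), r):
            si = sum(controls[name][0] for name in chosen)
            loss = residual_loss(chosen, controls, baseline)
            v = network_value(transactions, si, loss)
            if best is None or v > best[0]:
                best = (v, chosen, si, loss)
    return best


if __name__ == "__main__":
    v, chosen, si, loss = best_portfolio(TRANSACTIONS, CONTROLS, BASELINE_LOSS)
    print(f"V={v:.2f} SI={si:.2f} L={loss:.2f} controls={chosen}")
```

With these constructed numbers, buying all three controls drives L lowest but yields a lower V than the single cheapest control, because the extra SI exceeds the loss it removes.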

Regardless of your point of view, the costs of cyber-attacks are staggering. Indeed, one is tempted to ask what hasn’t been hacked? Here are but a few examples of seriously hacked networks:

1. IoT Botnet Devices Hack

Back in October of 2016, the largest DDoS attack ever was launched on service provider Dyn using an IoT botnet, i.e., a string of connected computer nodes coordinated together to perform a task. Unfortunately, the IoT botnet was easily infected by malware called Mirai. Once infected, connected computers continually search the internet for vulnerable IoT devices (e.g., digital cameras, DVD players, etc.) and then use known default usernames and passwords to log in, infecting them with malware. This attack led to huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN.

2. The Hackable Cardiac Devices from St. Jude

Early this year, CNN wrote, “The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said.” The article continued to say, “The vulnerability occurred in the transmitter that reads the device’s data and remotely shares it with physicians. The FDA said hackers could control a device by accessing its transmitter.”

3. The Jeep Hack

The IBM SecurityIntelligence website reported the Jeep hack a few years ago, saying, “It was just one, but it was enough. In July [2015], a team of researchers was able to take total control of a Jeep SUV using the vehicle’s CAN bus.

By exploiting a firmware update vulnerability, they hijacked the vehicle over a cellular network and discovered they could make the vehicle speed up or down and even veer off the road.”

In conclusion, the IoT has ushered in a need for even more robust network security. Beckstrom’s Law will help cyber security managers and law enforcement prioritize their efforts by focusing on the value of transactions.
