Cybersecurity is about to become decentralized! Why does it need to be?
The current digital and online environment is characterized by several issues.
- The first is that the world is becoming more interconnected and digital.
- The second is that bad actors, ransomware and other online threats are on the rise. This is also fuelled by the fact that talented cybersecurity experts are often tempted by the economic rewards of Black Hat rather than White Hat activity.
The threat is also exacerbated by a protection environment that is notoriously focused on past threats rather than emerging ones. The result? A global marketplace where bad behaviour is frequently more lucrative than good.
One blockchain startup wants to change all that. PolySwarm intends to create a unique, decentralized cybersecurity platform and marketplace that incentivizes good, White Hat behavior.
We recently sat down with Steve Bassi, the founder of PolySwarm, to chat about the project and hear his thoughts and insights.
Hi, Steve. Thanks for joining us today. Can you tell us more about yourself and PolySwarm?
Sure, I grew up in a small farming town in California. Broke into a company’s computers when I was, like, 11; they caught me, but some of the IT guys took me under their wings and gave me a summer job through high school. That’s how I got started in security. From there, my team and I have built up Narf Industries and done a lot of cool projects for everyone from DARPA to commercial clients. We’ve also played a lot of hacking competitions, or CTFs, at Defcon and the like.
PolySwarm grew out of frustration we had doing work on Narf. We’d developed all these cool tools that had narrow but deep applications to cyber threat detection and mitigation, but didn’t have a way to get them looking at real stuff the enterprise was facing. That’s why we made PolySwarm: we knew there were other small security shops like us that had tools that could protect users. Additionally, there was no good way to get access to all of these tools through one interface. That’s also where PolySwarm comes in: it serves as one big umbrella built from a collection of the best security expertise.
First off, please quantify the real threat “bad actors” pose to an increasingly digital economy.
I’ll cite some stats that others have put out and then qualify the risk. First, CSO Online claims damage from cybercrime hit $6 trillion annually. We see this reflected in spending on cyber risk insurance: it’s growing at 28% (CAGR) a year and is expected to hit $14B by 2022. So that gives you an idea of how serious the bad actor problem is.
The problem with insurance is that businesses and people still get hurt by bad actors. It’s tough to quantify the actual losses: proprietary designs, financial information, and credit scores are all at risk when bad actors are successful. Our position at PolySwarm is that insurance plays a role, sure, but we’re really focused on creating better threat detection so users don’t get hit in the first place.
How did you come up with the idea and what was the thought process behind it?
I covered this a bit in an earlier question, but I’ve been involved in bitcoin since 2010. When Ethereum came onto the scene I got really excited for this ability to, literally, build markets to old problems without intervention by anyone, really.
We came up with PolySwarm mainly out of frustration, as described previously, but we quickly got excited about coupling an economic solution with micropayments and smart contracts to *actually* solve this frustration of making a bunch of security solutions available through a cohesive platform.
What is the biggest problem within the industry or do you think there is a gap in the market for PolySwarm to fill?
I think it’s that for the past 20 years we’ve had the same economic model for threat detection: centralize, hire a small team of developers locally, and de-prioritize R&D and addressing current threats once the company achieves customer stability. Our thesis has always been that security expertise works better in a competitive environment where they’re incentivized to stay up to date. That’s the gap we’re trying to fill: make it continually profitable to protect users.
What do you think is the biggest problem PolySwarm will solve and why is the problem important to solve?
This economics problem: always incentivizing security experts to keep their solutions up to date for better protecting users against new threats. The problem is important because it ultimately increases costs for attackers by increasing compensation and vigilance for the defense across a wide range of viewpoints.
Where did you come up with the inspiration of rewarding experts who could potentially turn into “Black Hat” operators because of prevailing local economic conditions?
I’m not sure I’d call it inspired, but thank you. Maybe it’s just the courage to point out that this is probably happening? If we want to truly solve the problem, maybe fixing the economics of threat detection would help? That’s what we’re going with, we actually think most people are inherently good which I’m sure is rare for a security group.
In the whitepaper, you talk about the role of “Ambassadors” who will post bounties for determining the maliciousness of a file, URL or other digital assets. How did you come up with the concept of this, as well as bounties and rewards? It all feels a bit “Dungeons and Dragons.”
There’s a great book called “Who Gets What and Why” by Alvin Roth. He talks about market design for a ton of things: organ donation, public school lotteries, and how doctors get picked for residency. We felt that bounties and offers were the best way to incentivize experts to do what we wanted, detect threats, while still providing the ability to reward them.
For bounties, specifically, they’re based on the prediction market concept. We needed a way to have multiple security experts weigh in on the malintent of files without shrinking the reward pile each time one weighed in. So if it feels Dungeons and Dragons, blame market design and game theory! This is also why we’ve hired a Chief Economist, Evelyn, who is here to monitor the performance of the marketplaces and suggest bounty amounts, fees, and other settings that will help the market be both thick (read: enough transactions to be interesting) and safe for participants.
Regulation-wise, what are the toughest challenges you will have to overcome (on a global basis)? And from where?
Explaining this technology to people is challenging in the first place. Try explaining a blockchain to your parents, etc. I think there’s this natural tendency for regulators to look for harm in new tech and not benefits. So our strategy is to show the benefits.
The way we plan to overcome this is by, first, developing PolySwarm into something that actually *helps* protect users. Our focus is on demonstrating the value of the model for regulators for actually protecting the people and sectors they care about from harm.
I think our biggest challenge will come from our home, the US, as they clarify how PolySwarm and Nectar fit in our markets. We’re actively, and civically, engaged here but it’s going to take time which is why we’re doing the token sale from our Japanese subsidiary to non-US residents. We’re going to start building.
What are the services you plan to offer that excite you the most?
Post token-sale we plan on spinning up identification and vetting services for security experts. These services are focused on vetting high-performing experts so that enterprises can work with them at higher volumes. I’m personally excited about this because we’ll, necessarily, get to meet a ton of our experts who are very smart. I’m excited to have a beer with these guys and hear about how they’ve approached building their micro engines and maybe a bit more about their secret sauce.
What has been your happiest moment so far working on PolySwarm?
Watching my team connect with the community online and at conferences. Working in R&D, it’s rare that ideas see the light of day; getting support from people in public and getting *actually constructive* criticism from people has been really cool for me.
On the flipside, what has been the most painful, or perhaps the most regretful decision you’ve made with PolySwarm?
Having to close the public sale to US residents. This is my home and I wish my government was interested in providing more expedient clarity here.
How do you know that the marketplace you are hoping to create will adequately turn the economic tables on malware and bad actors? What are the indicators and metrics you will use to determine if your approach is successful?
We don’t know it will work, which is why I appreciated the question about metrics. However, we do know what’s not working and hasn’t been working for 20 years: anti-virus in the traditional model.
On metrics, I think the really simple to understand one is Enterprise/Ambassador to Expert Nectar volumes. The AV market is an $8.5B/yr market and the top 3 players have 10-15% of that pie. The next 5 have 3-9%, and the remaining are 1% or less. If we can, quickly, approach that 3-9% of $8.5B in yearly Nectar flows to security experts, then I think that’s a great metric.
I’d love to also compare how many artifacts the big guys are handling a day with PolySwarm’s but those aren’t public numbers … yet.
Tell us more about NECTAR. What are its selling points and what does it do in the system?
Nectar’s main selling point is being able to obtain threat detection services from security experts, wherever they are, because they all speak the same language: binary. We see it as the go-to token for Enterprises and Users to purchase for anti-virus protection and threat intel.
Enterprises/Users/Ambassadors use it in the system to incentivize security experts to weigh in on files they’re unsure about. Malicious or not?
Security Experts use Nectar to stake their predictions against artifacts. Really sure that binary is malicious? Stake a lot of Nectar. Not sure? Don’t bother or stake very little. Security experts can also sell accrued Nectar back to consumers/enterprises.
What do you think is the biggest challenge or obstacle PolySwarm will face? How do you plan to tackle that challenge?
PolySwarm is going to have to be a single reliable interface for lots of micro-engines. Scaling this and making sure the market is thick and safe for participants is the biggest challenge.
We realized this early on, which is why we added an Economist and Data Scientist to our development team. We plan to use this partnership to constantly look at the parameters of bounties and offers such that expertise is compensated and Enterprises are protected at an acceptable cost.
Moving on to more personal stuff, what does a typical day in your life look like?
When I hit thirty I, oddly, started waking up really early, like 4 AM. I start the day most of the time there because it’s quiet and I can do most of my thinking about PolySwarm and the market then. When the team wakes up, around 9 AM, we have our morning chat sessions to discuss issues/blockers, and then we’re all heads down on code.
I usually get to head home in the evenings to two young kids, but a couple of times a week I make a stop at the Muay Thai gym to blow off some steam.
Can you express one personal opinion of yours about the blockchain? It doesn’t matter if it’s negative or positive, we just want to hear your thoughts on it. What are you going to solve with it?
We have this amazing opportunity, for really the first time in history, to build a complete market solution to a problem. You don’t need anyone’s permission to write a public smart contract and solve a problem. That’s really cool and I hope more people focus on that.
What’s something that you believed to be true for a long time until you found out that you were wrong, or if you don’t like that dichotomy of right versus wrong, what’s something significant that you really changed your mind about over time?
I used to think people couldn’t be trusted if you didn’t know them really well. After we had our first son, about 2 years ago, I was amazed at how caring and helpful complete strangers are to kids. I’ve been in public and on airplanes solo with the kiddo and complete strangers have done the nicest things for my son, from calming him down to helping entertain cross-economy-seat on a 10-hour flight. There’s some good there that I wasn’t seeing, so I was completely wrong on the need-to-know-to-trust aspect.
Finally, what other personal goals (besides your career) do you have in life? Is there anything else in life you want to achieve?
Keep building. There is a guy that my Dad worked with growing up. Old Japanese dude. Smoked until 85, worked until 98, passed away at 100. He always had something to build within his farming company and derived great joy from it. That’s my goal: make it to 98 building stuff and having fun doing it.
That concludes our interview with Steve Bassi.
We’ll be scheduling more exclusive interviews like this in the coming weeks to delve into what makes a blockchain startup tick, as well as asking the questions you most want answered.