“We share hundreds of millions of cyber threat events daily with entities across the planet.” Shadowserver’s core mission is, at its most basic level, delivering such valuable information for free to threat defenders so that they can better secure their networks. To sustain their operations – including helping critical infrastructure and supporting multi-year law enforcement operations to actively take down threats – Piotr Kijewski, the nonprofit’s CEO, calculates that $5 million are needed yearly and admits there is no fully sustainable guaranteed pipeline for the coming years. Common Good Cyber aims at guaranteeing that funding, so the nonprofit can stay devoted to bringing value to the ecosystem.
Question: How does Shadowserver positively impact society and enhance community wellbeing?
Answer: Shadowserver is a nonprofit organization that is a large-scale threat data collection and threat data sharing project. We take data about cybersecurity events that we see across the Internet, and we report them, in a responsible manner, to the entities that are affected. We provide free cyber threat intelligence to Internet defenders: information about threats or vulnerabilities we see originating on or in an organization’s networks and provide their staff essential information so that they can fix their networks to be more secure. This creates an online environment that is not only more secure for commercial business but also for critical systems essential for our society such as utilities, healthcare or education, etc. Shadowserver identifies and collects hundreds of millions of security events (or observations) every day and shares them for free with entities across the entire planet.
At the most basic level, what we do is give this information out daily to Internet defenders for free: people with technical knowledge that are then able to secure their networks. They receive information directly relevant to them. This includes entities that typically cannot afford large investments in cybersecurity. This focus is different to other entities operating in the space – commercial vendors and government entities do not provide this kind of support at scale to the extent we do. That is our core mission.
At the same time, we help improve the security of critical national infrastructures because we report security problems discovered on very specific devices or software that is employed in the nation’s critical infrastructure. By providing this information we improve safety and security at the national level (not just individual level) as well.
We also provide free technical support to multi-year law enforcement operations to actively disrupt cyber threats. So, we don’t just report threats or tell you where the vulnerabilities are in people’s networks, but we also work with law enforcement to make sure that the threat actors and their infrastructure are disrupted, imposing costs on the attackers. That’s our core work.
We collaborate with academic institutions and independent researchers that can produce academic results and hopefully help push the field forward in terms of threat detection, understanding how attacks work, and how to remediate them.
And finally, we also have become more public with the data we are collecting in the form of a public Dashboard, kindly sponsored by the UK Foreign Commonwealth and Development Office (FCDO). Our public dashboard allows third parties, including policymakers and journalists, to see the cybersecurity trends and obtain access to high-level data which hopefully helps in amplifying the message on improving cyber resilience and raising cybersecurity awareness. This also helps policymakers to make better data-driven decisions on topics like IoT security, for instance, advice to device manufacturers to reduce exposure/improve default security or advice to countries on how to better defend themselves.
I know that your organization faced challenges with its sustainability. Could you share those and tell us a bit more on what resources – financial or otherwise – are essential for your survival and continued operations?
Our core operations are free at the point of delivery. Everything we give out and all the support we provide is typically a free public benefit service, which is an unusual way to operate in this field. It’s completely reversed to most other business models that associate quite a lot of commercial value with what we do.
To be able to give away the data for free, we need quite a large capacity in terms of handling all this data. So, to be able to provide our free public benefit services, we operate our own data center with over 1,000 servers hosted in nearly 70 racks in California. This data center is equivalent to any kind of medium-size business in Silicon Valley in terms of capacity. And that also comes with large associated costs.
If you want to make an impact on a global scale, you need to have lots of data and you must have ways to automate it, which is what we focus on. Our basic costs to maintain the data center are over $80,000 per month, just to maintain the co-location space. Operating the data center as such, with uplinks, can amount to close to a million dollars per year. On top of that, we need talented, specialized staff to be able to carry out the work, which is no longer possible solely with volunteers. We require a mix of employees, contractors, and volunteers to run the organization. Overall, our costs across the US and the EU, where we also have a second legal entity, are a bare minimum of $5 million a year just to sustain our current level of operations.
In the past, we were kindly sponsored by Cisco, but that ceased a couple of years ago. And since that time, we have had to raise these funds from the community that has hopefully appreciated our work. This is mostly government-related funding, over 60% or 70%. The UK government has been a big funder in recent years, and we’ve also benefited from funding from the EU for various projects we have been running as part of Horizon 2020, and others. We have also received very generous funding from Craig Newmark, who is our second biggest funding source. And unfortunately, only about 5% of our funding now is from the commercial sector.
We face challenges in sustainability and raising this money on a regular basis. Most of the money is raised in a very ad hoc manner. There is no fully sustainable pipeline for the next couple of years that could guarantee us funding, which means that we spend a lot of time searching for it, instead of necessarily focusing on the technical work for the public good. This is a challenge we face, and this is a challenge we still need to solve as we seek a path to sustainability.
Your work is valued by the community. What would be the consequences if your organization were to shut down? What would it take for other entities, governments, or industry to fill the gap left by your absence and continue the services you provide?
I think it would take quite a lot of work and much more than $5 million per year that we currently need to operate. If you consider that we have been around for 20 years, and typically received a couple of million dollars per year to build up our infrastructure, I would say that replicating us on a similar scale would probably cost tens of millions of dollars, with annual operating costs well exceeding $5 million per year to maintain and achieve just the same impact. And that’s just if we were set up as one entity.
If Shadowserver disappears, each of the 175 countries we currently serve would probably try to replicate us but on a much smaller scale. The result would be an inefficient patchwork of providers which each country would be responsible for maintaining at a cost of tens of millions of dollars annually. So, I think it’s financially advantageous for everyone that Shadowserver exists and can provide free public benefit services, instead of leaving it to each country to find their own solution at a much higher cost.