Mapping Insights

Valdis Krebs is CEO of Orgnet. John Quarterman serves as CEO of Internet Perils. What follows is a partial transcript of their session at Supernova: Valdis Krebs: We’re going to talk about mapping today. We’re going to start with mapping networks of people, and then we’ll get into mapping computers and the devices that make up the Internet.


Valdis Krebs is CEO of Orgnet. John Quarterman serves as CEO of Internet Perils. What follows is a partial transcript of their session at Supernova:


Valdis Krebs: We’re going to talk about mapping today. We’re going to start with mapping networks of people, and then we’ll get into mapping computers and the devices that make up the Internet. What I’ve been working with since 1987 is the field of social network analysis. It’s a field that comes out of mathematical sociology and is a way of mapping how people and organizations are connected. It’s been around since the early ’30s. This is social network analysis and not social network software. We look at networks that already exist in organizations and communities where they are.

What we found is that we can apply a lot of what we learned to other kinds of networks. I wrote an article called the Social Life of Routers. If you want network data, it’s everywhere. You can get off your favorite TV show. You can get it out of your favorite book. There were recently some networks being passed around the Net on a book by Shakespeare. Networks are everywhere, and you just have to know what you want to look for.

After 911, my business ground to a halt. I got tired of watching CNN, but everyone was talking about terrorist networks, so I created a visual. I started looking around, and there was not that much research on terrorist networks. There was some research on criminal networks. So I read all that and started reading the newspapers, which started to report who these people were. Some of them were together in Germany. I started to add some nodes to the network, and the network grew. By December I had a pretty good map.

Another source of data are blogs and how blogs are connected. Blogs are connected via blogrolls, but a better way of mapping connections is looking at entries and see who links to what blogs. Some people in Spain had a database of Spanish blogs and how they were related. What were the most connected blogs? Then we backed up and added some more links. The same can be done with the social networking sites.

Connections are not always a good thing. They can also be a bad thing. This is a map of how a disease spreads in a network. This is a map of tuberculosis spreading. The black nodes are infectious and are passing it on. The nodes in pink are infected but cannot pass it on. And the green nodes are people who have been exposed to a node.

We got started doing this at a company called TRW, where we mapped networks as part of a workforce diversity project. TRW was losing women and people of color engineers at twice the rate of white male engineers. Why that turnover rate? MIT had done some research that started us mapping out inclusion and exclusion from key workflows. Not only can we map them, we can measure them and track that over time. Then we started measuring expert networks. There are the people that everyone believes, and then there are people who pop up as surprises to management. I may not have the expertise that Jerry seeks, but I’ll ask the right questions so he walks away smarter than he was. Who are the people who help others get things done? They’re not always recognized.


Here’s another knowledge network. More than 6,000 people, patent holders in Europe. Two people are connected if they’re co-holders of a patent. You can zoom into the various clusters to see what the knowledge domains and related concepts are. One of the things right now with social networking sites and pharmaceutical firms are that certain nodes are more respected and influential. Pharmaceutical firms want to identify who the key opinion leaders are. They dont want to sell a new drug to everyone, they want to sell to the 60 key oncologists. Who gets accessed the most for advice and information? We can figure out who the opinion leaders are.

You don’t always have to map out a network of people to understand the behavior of a certain group, though. This is a network of books. I went onto Amazon and found the list of people who bought this book also bought this book. When you look at those relationships, you get a better map. I looked at left-leaning and right-leaning books, and there’s only a few books in the middle.

So I’m in the process of writing a book. I should use this knowledge to help me position the book. I’m writing a book about networks, and there are basically three clusters about networks. There are the networking books, the viral and word-of-mouth books, and then there are the scientific network books. There’s not much in between, so that’s where I’ll position my book. We’ll see whether that does anything.

When you map networks, the kind of data you have is important. You need to know what you’re looking at. These are the project links, the task links to get things done in a Fortune 50 company and Al Qaeda. How people get things done isn’t really that different.

Let’s look at computer networks. Has anybody read the article in Nature called “The Achilles Heel of the Internet”? A friend of mine sent me a map of how autonomous systems on the Internet are related. The good news is that we have this information and can shore up our infrastructure. The bad news is that if the bad guys get that information, they can damage the Internet. But that might not be how the Internet really looks. Just as there’s a formal hierarchy and an informal hierarchy within organizations, when something goes wrong, the maps don’t necessarily stay the same. I think John has more accurate maps.

John Quarterman: I want to talk about decentralized risk. That might not sound like it has a lot to do with what Valdis talked about, but it does. Decentralization combined with automation can create epidemics, epidemic risks. You can have worms and viruses distributing like that disease Valdis showed us. There were $200 million fraud and theft losses in 2002. Some people say that’s too low. Some people say $10 billion in 2003. And some people say CEOs face $100 billion in risk for what people call the “cyber hurricane.” If the Internet were down for a day or two, that’s a huge risk for any business.


Last fall, many of the same Fortune 500 CEOs said it wasn’t a problem. But what with the blackout, the SoBig worm, and other worms, they’ve certainly changed their tune. Why is this the case? We have encryption. Encryption works fine as long as packets get there. If they don’t get there it doesn’t matter if they’re encrypted. Firewalls are good if customers can get as far as your firewall. Patching bugs is a good thing to do but what about your neighbors on the network? Routing optimization is also a very good thing, but it also has its limits. There might be problems you can’t route around. Then there’s things like blackouts, hurricanes, and earthquakes. Even if you outsource your Web service, even Akamai, a very good company, can fail.

What happens if you depend heavily on something you can’t control? There is a traditional solution to this. In insurance parlance, they’re known as force majeur risks, acts of god. Why don’t we have insurance to deal with these kinds of things? People haven’t been demanding it, but they’re asking for it now. Also, the insurers didn’t believe it was possible because they couldn’t get the tables to do the insurance. That’s where my company comes in.

If we want to continue using the Internet for commerce, we have to deal with this problem. Failures have been radically increasing and will continue to do so. If we want to have the Internet serve as a sea for the transport of commerce, we’re going to have to do the same thing we did in the 1700s to ensure the voyages of commerce on the Internet.

I keep saying insurance, but the general topic is risk management. We need to extend risk management strategies. Security and performance are very related to insurance even though they’ve been treated as different pigeonholes. These aren’t new ideas. They’ve been used in other industries. In Thomas Malone’s book, chapter eight, even he talks about controlling quality and risk.

How many of you have heard of a catastrophe bond before? It’s a financial instrument that didn’t exist until around 1994, when the Northridge earthquake happened down in LA. After that earthquake, a number of householders couldn’t get earthquake insurance any more. Catastrophe bonds are sold like other bonds, only when the catastrophe happens, the principle vanishes. It’s a risk, but it diversifies your risk. That kind of bond wasn’t actually issued because Warren Buffet stepped in, but those bonds have become quite popular.

There’s also a variation on the catastrophe bond called the performance bond. There aren’t just blackouts, there are brownouts, degradation of service. ISP’s could use those for terms of service agreements. Then there’s self-insurance. In some sense, you can do that yourself. Grid computing could be used as a form of self-insurance in terms of using redundant servers. But that’s different than the financial instrument, in which you set aside capital to deal with the risk. Who can afford to do that? Large, international banks, it turns out.


When the right incentives are in place, just sharing information can be enough to maintain quality and control risk. We need timely reports of what actually happens. If we look at the Akamai outage reports, how many of you can say how long it lasted? What time of day? I’m not picking on Akamai, but it’s an easy example because it happened last week. Peril reporting could also be useful. And sharing information could involve a visual language, something very useful in dealing with different consumers of that information. The CFO of a given company doesn’t necessarily speak the same language as the CIO or CTO. A picture of the problem could help with that.

If private industry can deal with other risk management strategies, it would help. Suppose you have insurance. Why should you be concerned with risk management? Well, you don’t want your customers to be unhappy. Another reason is that you see these sprinklers in this room? Chances are good the hotel also has fire insurance. I bet they had to install these sprinklers to get that insurance. The same will be true for Internet insurance.