Schneier on Security
A blog covering security and security technology.
August 23, 2012
Finally, someone takes a look at the $1 trillion number government officials are quoting as the cost of cybercrime. While it's a good figure to scare people, it doesn't have much of a basis in reality.
EDITED TO ADD (9/14): Older research debunking cybercrime surveys.
Posted on August 23, 2012 at 1:23 PM
Y'know what would make for an amusing bit of information. Compile a total cost for all crimes based on the numbers attributed for each one and compare it to the GDP.
What are they doing? Adding up all the millions of dollars that are on offer from Nigerian 419 scams?
Checking my spam box, I think I'm out $275M already, and the day isn't over.
Not the first. The article mentions talking to Ross Anderson, but there was already a paper on the subject (to be found at lightbluetouchpaper.org) by Anderson and colleagues aimed more at a UK estimate that received some publicity.
Cost estimates like this are typically based on worst imaginable scenarios. E.g., what if bad guys zapped all the electricity generating facilities in the country, at the same time? How much would it cost to replace all that stuff?
Plus, the bigger the number you take to Congress, the bigger the appropriation you might get.
It depends on your definition of "cybercrime". I'm sure almost all organized crime has some "cyber" component, and you could easily come up with a total of $1T if your definition of "cybercrime" is broad enough.
I think the real problem is more likely what a politician is trying to justify with such an ill-defined buzzword, which is most likely the typical knee-jerk reaction of passing ever more onerous, verbose, vague, and poorly written legislation rather than enforcing the laws we already have on the books.
The infosec scene, personal or corporate, has a long history of exaggeration of threats, skills, and needs. Remember those guys in '98 that told congress they could bring the internet down in 30 minutes? On the corporate side, exaggerated loss claims are the norm. Remember when we would hear the "millions" dollar amount due to defaced web sites? Unfortunately I don't think that once a number like this makes it out into the wild, with a footnote, that it can ever be retracted. The NSA types will continue to quote it; the congress types will continue to believe.
First off, the article is an interesting read, but the comments make for a much more interesting and enlightening read and links.
However I did like the comment by Prof. Julie Ryan D.Sci in the article,
"From what I've seen of the big commercial surveys, they all suffer from major weaknesses, which means the data is worthless, scientifically..."
As a professor of engineering management and systems engineering from George Washington University, Julie Ryan should be fairly well qualified to make the statement due to similar work in the area.
However what the article neglects to mention is that the problems run way way deeper than just "gut feelings on losses dressed up as scientific papers". Those gut feelings are likewise shams lacking in any scientific credibility because the "industry" lacks metrics, measurands and methods of any form that are of use to support scientific investigation.
Or to put it another way, when you see a report from the ITSec division in a company and its measurands consist of statements such as,
"The Firewall software reports indicate it stopped XXX intrusion attempts in the last month"
"The AV Software reports indicate it scanned YYY emails and stopped ZZZ attachments in Q3"
Of what use is such information?
It's why the idea of "Industry Collaboration" to fight "Cyber-crime" as envisaged by Governments is unlikely to be anything other than an "administrative success", and just one of the reasons "Cyber-crime Initiatives" are only ever going to succeed as tax money black holes.
Julie J.C.H. Ryan D.Sci & Theresa I. Jefferson D.Sci, "The Use, Misuse and Abuse of Statistics in Information Security Research", which analyses 14 of the major reports in the 1995-2000 period. ( http://attrition.org/archive/misc/... )
Dammit how can you sell silver bullets without convincing people of the existence of vampires???
Dammit how can you sell silver bullets without convincing people of the existence of vampires??
Easy, make them "must have" fashion accessories, then you don't have to muck around with all those unstable chemicals, so you can make them in any old third world sweat shop and not worry about arms limitations export controls.
Best of all, as we know "must have fashion" is way way overpriced, so you could be looking at a nice safe profit of anything up to $100 / bullet ;-)
Is it good to scare people with this sort of figure? A little common sense calculation shows that if there are 250m people in the US this would mean every single person lost $4,000; the average US family lost about $20,000! Surely this cannot be true?
Read "Sex, Lies and Cyber-crime Surveys" for a very good explanation of how this happens.
Does publishing these crazy figures undermine a more rational reasoning needed to manage a real problem?
First off, define Cybercrime. Is it intrusion and theft by computer, or are we including malware, bots, pranks and their ilk? If the latter, well, I work in IT and I often wonder about how much time we spend cleaning up after the run of the mill malware. Sure, I advise my clients to go with a managed Linux environment, but they are largely stuck with Microsoft Office and some stupid Windows app. So my firm is likely over 200k billed per year in malware cleanup, and we're a pretty small shop. It's not inconceivable that it adds up to a trillion, I don't know, but millions easily, maybe billions. Problem is good data means honesty, and a lot of work anonymizing data sets. By the same token a lack of honesty means people can be lazy and "ballpark" numbers like I did above. Now I need to get to work.
Clearly, your numbers, which are much lower, are grounded in what reality?
Exactly how many APT related defense contractor and recent energy sector IR events have you been a part of?
When .mil receives delivery on a $100 billion contract, do you think that jet is really worth only 100 b, or is there an accumulative effect from previous R&D? When an adversary steals that tech, could never generate that tech on their own, and dominates a region in the long run with that tech, how much has been lost?
He's definitely NOT the first to challenge the ridiculously high $$$ claimed about cyber-crime, etc. Take a look at the March 2012 TEDTalk by Rob Reid titled "the $8 Billion iPod" challenging the RIAA et al on losses due to downloads, etc. Link is http://www.ted.com/talks/...
When .mil receives delivery on a $100 billion contract, do you think that jet is really worth only 100 b
Not a good choice to use as Mil Contractors have "previous" with what has been variously described as the "$600 Hammer Problem". Some estimates of the "secrecy cost multiplier" range from x10 to x1000 depending on just how secret a project is.
From a certain perspective "secrecy costs" are sunk costs, especially when facilities are "one offs" specific to a project and then abandoned or bulldozed. Thus such projects have little or no legacy benefit.
As for an accumulative benefit from previous R&D, this is debatable. Much of the R&D is not carried out in a vacuum of a specific Mil Project, but by companies that do broad base R&D for mainly commercial reasons. Even "bleeding edge" R&D is usually carried out with the intent of industrial exploitation. Now something that most engineers know but few investors seem to realize is that "ideas come of age". That is, most of the fundamental work has been done long long ago and any "primary patents" issued on it have expired by the time the market is ready for them. It is thus the secondary patents that apply the fundamental work to specific products that earn the money. Now the problem is in many cases it's not the holders of the primary patents that get the secondary patents.
Further, "bleeding edge research" is about making the unknown known and this is a very expensive process. However, once something is known to be possible it is usually comparatively inexpensive to re-invent it. Thus it is usually secondary research that pays dividends, not primary research.
Another issue is monopolies stifle markets in many ways, whereas competition usually develops markets. One aspect of this is that having invested money in R&D your investors want it back with significant profit. Thus the products will, with a monopoly, be priced very high to provide the return to investors. However this usually results in the product being too expensive for all but a few, so sales are low. Without competition there is no incentive to change this. However with competition the price drops to a point where considerably more items are sold, and as part of this process profits actually increase for all who choose to participate effectively.
It is this that creates the top part of the product value S-Curve. The trick is to maximise this before other innovation starts to make the product type obsolescent. Thus all products have in effect a finite life, and competition actually increases the total economic benefit for all participants in that limited time period.
A good example of such a market place was stand alone "Fax Machines", where they went through several stages of development and now don't really exist any more as their function is in effect just a "software add on" in other more generalised products.
Whilst I'm not arguing IP theft is good I am saying that the argument about the value of "Secret IP" is actually seriously flawed and very over inflated and should not be projected in the way it currently is to make "loss estimates".
When an adversary steals that tech, could never generate that tech on their own, and dominates a region in the long run with that tech, how much has been lost?
Admittedly, if one thinks in terms of cornering markets/resources or dominating regions, it is probably fair to say that 1 trillion is hugely underestimated. IMHO, the problem is not so much with the calculations, but with the state of mind with which they are made and the value to which things are estimated. The death of a single woman may mean zilch to your average government, but to her young children their entire world, incalculable in terms of money.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.