Entries Tagged "risk assessment"

Page 6 of 21

The Problem with Using the Cold War Metaphor to Describe Cyberspace Risks

Nice essay on the problems with talking about cyberspace risks using “Cold War” metaphors:

The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War first strike or what Defense Secretary Leon Panetta has called the “next Pearl Harbor” (another overused and ill-suited analogy) would certainly have major consequences, but they also remain completely theoretical, and the nation would recover. In the meantime, a real national security danger is being ignored: the combination of online crime and espionage that’s gradually undermining our finances, our know-how and our entrepreneurial edge. While would-be cyber Cold Warriors stare at the sky and wait for it to fall, they’re getting their wallets stolen and their offices robbed.


If the most apt parallel is not the Cold War, then what are some alternatives we could turn to for guidance, especially when it comes to the problem of building up international cooperation in this space? Cybersecurity’s parallels, and some of its solutions, lie more in the 1840s and ’50s than they do in the 1940s and ’50s.

Much like the Internet is becoming today, in centuries past the sea was a primary domain of commerce and communication upon which no one single actor could claim complete control. What is notable is that the actors that related to maritime security and war at sea back then parallel many of the situations on our networks today. They scaled from individual pirates to state fleets with a global presence like the British Navy. In between were state-sanctioned pirates, or privateers. Much like today’s “patriotic hackers” (or NSA contractors), these forces were used both to augment traditional military forces and to add challenges of attribution to those trying to defend far-flung maritime assets. In the Golden Age of privateering, an attacker could quickly shift identity and locale, often taking advantage of third-party harbors with loose local laws. The actions that attacker might take ranged from trade blockades (akin to a denial of service) to theft and hijacking to actual assaults on military assets or underlying economic infrastructure to great effect.

Ross Anderson is the first person I heard comparing today’s cybercrime threats to global piracy in the 19th century.

Posted on August 26, 2011 at 1:58 PMView Comments

Terrorism in the U.S. Since 9/11

John Mueller and his students analyze the 33 cases of attempted [EDITED TO ADD: Islamic extremist] terrorism in the U.S. since 9/11. So few of them are actually real, and so many of them were created or otherwise facilitated by law enforcement.

The death toll of all these is fourteen: thirteen at Ft. Hood and one in Little Rock. I think it’s fair to add to this the 2002 incident at Los Angeles Airport where a lone gunman killed two people at the El Al ticket counter, so that’s sixteen deaths in the U.S. to terrorism in the past ten years.

Given the credible estimate that we’ve spent $1 trillion on anti-terrorism security (this does not include our many foreign wars), that’s $62.5 billion per life [EDITED: lost]. Is there any other risk that we are even remotely as crazy about?

Note that everyone who died was shot with a gun. No Islamic extremist has been able to successfully detonate a bomb in the U.S. in the past ten years, not even a Molotov cocktail. (In the U.K. there has only been one successful terrorist bombing in the last ten years; the 2005 London Underground attacks.) And almost all of the 33 incidents (34 if you add LAX) have been lone actors, with no ties to al Qaeda.

I remember the government fear mongering after 9/11. How there were hundreds of sleeper cells in the U.S. How terrorism would become the new normal unless we implemented all sorts of Draconian security measures. You’d think that — if this were even remotely true — we would have seen more attempted terrorism in the U.S. over the past decade.

And I think arguments like “the government has secretly stopped lots of plots” don’t hold any water. Just look at the list, and remember how the Bush administration would hype even the most tenuous terrorist incident. Stoking fear was the policy. If the government stopped any other plots, they would have made as much of a big deal of them as they did of these 33 incidents.

EDITED TO ADD (8/26): According to the State Department’s recent report, fifteen American private citizens died in terrorist attacks in 2010: thirteen in Afghanistan and one each in Iraq and Uganda. Worldwide, 13,186 people died from terrorism in 2010. These numbers pale even in comparison to things that aren’t very risky.

Here’s data on incidents from 1970 to 2004. And here’s Nate Silver with data showing that the 1970s and 1980s were more dangerous with respect to airplane terrorism than the 2000s.

Also, look at Table 3 on page 16. The risk of dying in the U.S. from terrorism is substantially less than the risk of drowning in your bathtub, the risk of a home appliance killing you, or the risk of dying in an accident caused by a deer. Remember that more people die every month in automobile crashes than died in 9/11.

EDITED TO ADD (8/26): Looking over the incidents again, some of them would make pretty good movie plots. The point of my “movie-plot threat” phrase is not that terrorist attacks are never like that, but that concentrating defensive resources against them is pointless because 1) there are too many of them and 2) it is too easy for the terrorists to change tactics or targets.

EDITED TO ADD (9/1): As was pointed out here, I accidentally typed “lives saved” when I meant to type “lives lost.” I corrected that, above. We generally have a regulatory safety goal of $1 – $10M per life saved. In order for the $100B we have spent per year on counterterrorism to be worth it, it would need to have saved 10,000 lives per year.

Posted on August 26, 2011 at 6:26 AMView Comments

Is There a Hacking Epidemic?

Freakonomics asks: “Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?”

They posted five answers, including mine:

The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn’t mean that there are more events—just more articles.

Hacking for fun—like LulzSec—has been around for decades. It’s where hacking started, before criminals discovered the Internet in the 1990s. Criminal hacking for profit—like the Citibank hack—has been around for over a decade. International espionage existed for millennia before the Internet, and has never taken a holiday.

The past several months have brought us a string of newsworthy hacking incidents. First there was the hacking group Anonymous, and its hacktivism attacks as a response to the pressure to interdict contributions to Julian Assange‘s legal defense fund and the torture of Bradley Manning. Then there was the probably espionage-related attack against RSA, Inc. and its authentication token—made more newsworthy because of the bungling of the disclosure by the company—and the subsequent attack against Lockheed Martin. And finally, there were the very public attacks against Sony, which became the company to attack simply because everyone else was attacking it, and the public hacktivism by LulzSec.

None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous—just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name.

It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.

Posted on July 21, 2011 at 6:07 AMView Comments

The Problem with Cyber-crime Surveys

Good paper: “Sex, Lies and Cyber-crime Surveys,” Dinei Florêncio and Cormac Herley, Microsoft Research.

Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N=1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.

I’ve been complaining about our reliance on self-reported statistics for cyber-crime.

Posted on June 21, 2011 at 5:58 AMView Comments

Bin Laden's Death Causes Spike in Suspicious Package Reports

It’s not that the risk is greater, it’s that the fear is greater. Data from New York:

There were 10,566 reports of suspicious objects across the five boroughs in 2010. So far this year, the total was 2,775 as of Tuesday compared with 2,477 through the same period last year.


The daily totals typically spike when terrorist plot makes headlines here or overseas, NYPD spokesman Paul Browne said Tuesday. The false alarms themselves sometimes get break-in cable news coverage or feed chatter online, fueling further fright.

On Monday, with news of the dramatic military raid of bin Laden’s Pakistani lair at full throttle, there were 62 reports of suspicious packages. The previous Monday, the 24-hour total was 18. All were deemed non-threats.

Despite all the false alarms, the New York Police Department still wants to hear them:

“We anticipate that with increased public vigilance comes an increase in false alarms for suspicious packages,” Kelly said at the Monday news conference. “This typically happens at times of heightened awareness. But we don’t want to discourage the public. If you see something, say something.”

That slogan, oddly enough, is owned by New York’s transit authority.

I have a different opinion: “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.”

People have always come forward to tell the police when they see something genuinely suspicious, and should continue to do so. But encouraging people to raise an alarm every time they’re spooked only squanders our security resources and makes no one safer.

Refuse to be terrorized,” people.

Posted on May 5, 2011 at 6:43 AMView Comments

The Cyberwar Arms Race

Good paper: “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” by Jerry Brito and Tate Watkins.

Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices.

The rhetoric of “cyber doom” employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well.

Part I of this article draws a parallel between today’s cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for analyzing the cybersecurity threat.

Also worth reading is an earlier paper by Sean Lawson: “Beyond Cyber Doom.”

EDITED TO ADD (5/3): Good article on the paper.

Posted on April 28, 2011 at 6:56 AMView Comments

Counterterrorism Security Cost-Benefit Analysis

Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security,” by John Mueller and Mark Stewart:

Abstract:The cumulative increase in expenditures on US domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus far, officials do not seem to have done so and have engaged in various forms of probability neglect by focusing on worst case scenarios; adding, rather than multiplying, the probabilities; assessing relative, rather than absolute, risk; and inflating terrorist capacities and the importance of potential terrorist targets. We find that enhanced expenditures have been excessive: to be deemed cost-effective in analyses that substantially bias the consideration toward the opposite conclusion, they would have to deter, prevent, foil, or protect against 1,667 otherwise successful Times-Square type attacks per year, or more than four per day. Although there are emotional and political pressures on the terrorism issue, this does not relieve politicians and bureaucrats of the fundamental responsibility of informing the public of the limited risk that terrorism presents and of seeking to expend funds wisely. Moreover, political concerns may be over-wrought: restrained reaction has often proved to be entirely acceptable politically.

Posted on April 6, 2011 at 6:03 AMView Comments

Good Article About the Terrorist Non-Threat

From Reason:

Know thy enemy is an ancient principle of warfare. And if America had
heeded it, it might have refrained from a full-scale “war” on terrorism whose price tag is touching $2 TRILLION. That’s because the Islamist enemy it is confronting is not some hyper-power capable of inflicting existential — or even grave — harm. It is, rather, a rag-tag band of peasants whose malevolent ambitions are far beyond the capacity of their shallow talent pool to deliver.

Posted on February 24, 2011 at 6:44 AMView Comments


I’d never heard the term “micromort” before. It’s a probability: a one-in-a-million probability of death. For example, one-micromort activities are “travelling 230 miles (370 km) by car (accident),” and “living 2 days in New York or Boston (air pollution).”

I don’t know if that data is accurate; it’s from the Wikipedia entry. In any case, I think it’s a useful term.

EDITED TO ADD (2/12): Discussion here.

Posted on February 8, 2011 at 5:46 AMView Comments

1 4 5 6 7 8 21

Sidebar photo of Bruce Schneier by Joe MacInnis.