A recent post on LinkedIn's Information Security Community piqued my attention yesterday with the following teaser for a Webinar: "As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally."
The UK government report "UK Cyber crime costs UKP 27BN/year", published on the BBC's website, offers a top-level breakdown of the costs of cybercrime to Britain and is one of the most dubious reports I have seen recently in a long list of security-vendor and political hype around the cyber crime story.
Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.
a) First – they don't have any empirical data on actual cybercrime events. In the report's own words: "Given the number of variables and lack of 'official' data, our methodology uses a scenario-based approach." Which is a nice way of saying: "The UK government gave us some money to do a study, so we put together a fancy model, put our fingers in the air and picked a number."
b) Second – reading through the report, there is a great deal of information relating to fraud of all kinds, including Stuxnet, which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program, although it has given the American President even more time to hem and haw about Iranian nuclear threats. What this tells me is that Stuxnet has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.
c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO or CFO that cannot quantify their potential damage due to cyber crime – given a practical threat model and coached by an expert, not a marketing person.
So – who pays the cost of cyber crime?
The consumer (just ask your friends, you’ll get plenty of empirical data).
Retail companies that have a credit card breach incur costs of management attention, legal and PR, which can always be leveraged into marketing activities. This is rarely reported in the balance sheet as extraordinary expenses, so one may assume that it is part of the cost of doing business.
Tech companies that have an IP breach are a different story, and I've spoken about that at length on the blog. I believe that small to mid-size companies are the hardest hit, contrary to the claims made in the UK government study.
I would not venture a guess on total global cost of cyber crime without empirical data.
What gives me confidence that the 1 Trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework.
If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon, where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind, leading to number inflation.
I have written on the problems associated with guessing and rounding up in the area of counterfeiting here and software piracy.
Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it's having her identity stolen and having to spend the next 6 months rebuilding her life, or whether you crash on a mountain bike with fake parts and get killed.
If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?
Certainly – not by hyping the numbers of the damage of cyber crime to big business and government. That doesn’t help the consumer.
Then – considering the rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns either. When one buys an iPhone or iPad, one assumes that the security is built in.
My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and not talking to strangers anywhere, not on the street and not on FB.
Regarding cyber terror – I have written at length how the Obama administration is clueless on cyber terror.
One would hope that in defense of liberty, the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host-based intrusion detection on DoD PCs.
Cross-posted from Israeli Software
Published by InfosecIsland.com