The real numbers behind cyberhype

Politicians and the InfoSec industry have plenty to gain by ramping up the threat of cyberwar and cybercrime. But with realistic figures finally starting to emerge, whether we're on the verge of a cybergeddon remains to be seen.

"The threat of a cyber attack to the UK is so serious it is marked as a higher threat than a nuclear attack," said Rt Hon Keith Vaz MP, chair of the UK parliament's Home Affairs Select Committee, earlier this month. His committee's report, the result of a 10-month inquiry, paints the now-familiar, apocalyptic picture.

"We are not winning the war on online criminal activity. We are being too complacent about these E-wars because the victims are hidden in cyberspace," Vaz said. Banks suffer countless low-level frauds which are simply never reported. "Online criminals in 25 countries have chosen the UK as their number one target. Astonishingly, some are operating from EU countries." Goodness, not EU countries!

The murders of April Jones and Tia Sharp were thrown into the mix too, as were some excuses for the UK's latest internet censorship plans. "Young people are increasingly radicalised online by the words of radical clerics such as Anwar al-Awlaki on YouTube or internet magazine Inspire. What starts on the web, ends up on the streets of Woolwich."

Cyber scaremongers

Vaz is just one of the latest in a long series of cyber scaremongers, desperate to convince us that criminals and mysterious nation-state actors — they mean China — pose a Cold War scale threat to our economies and societies.

Dmitri Alperovitch is another. In 2011, as vice-president of threat research at infosec vendor McAfee, he unravelled what he dubbed Operation Shady RAT, a sophisticated hacking operation that had been running for more than five years, infiltrating more than 70 organisations.

"Economic espionage and political espionage that we've been seeing for the last five or six years is much more insidious, much more serious, and may perhaps be an existential threat to our economies," Alperovitch told the Patch Monday podcast at the time.

Cybercrime represented "the greatest transfer of wealth in history", he said. Soon after, the head of the US National Security Agency (NSA) and chief of US Cyber Command (CYBERCOM), General Keith Alexander, was using the exact same words to talk up the cyberthreat.

Alperovitch has since co-founded CrowdStrike, a security vendor with a focus on "pro-active defence" — though he stops short of advocating hacking back. "In most cases that is illegal," he told FOXBusiness.

Blurred boundaries

In this rhetoric, the boundaries of crime, espionage and war are blurred, seemingly deliberately — perhaps because war sounds more dramatic, perhaps because calling it a war brings it into the realm of national defence, where profit margins are fatter and secret-squirrel procedures deflect annoying questions.

Whether we're on the verge of a cybergeddon remains to be seen. Russian infosec leader Eugene Kaspersky tells me the risk is real, as do others, and the detail-free report on the 2010 exercise Cyber Storm III suggests that our defences were embarrassingly bad.

Yet war studies academic Thomas Rid thinks cyberwar is mostly hype, bluntly titling his new book, based on a journal article of the same name, Cyber War Will Not Take Place.

The bad guys are out there, that much we know, but until recently there was little in the way of hard facts — at least outside classified realms. Finally, though, the overblown statistics are gradually being replaced by something more realistic.

Cold, hard figures

The emerging consensus is that malicious activity in all its forms — "cyber attacks", as they're called these days — cost businesses somewhere between 0.5 and 2.5 per cent of revenue.

Last month McAfee blew holes in their own previous claims that cybercrime costs the global economy US$1 trillion a year. Their brief, readable report, The Economic Impact of Cybercrime and Cyber Espionage, discusses the limitations of high-level estimates, and starts to put some rigour into the numbers.

"This initial research suggests an upper limit of the cost of cyber espionage and crime somewhere between 0.5 per cent and 1 per cent of national income — for the US, this would be about $70 billion to $140 billion. A lower limit might be $20 billion to $25 billion," McAfee's report says, and that includes both direct and indirect costs such as service and employment disruptions, insurance, recovery from attacks and loss of reputation.

Translated into global figures, that's somewhere between US$100 billion and US$400 billion — small change in a US$70 trillion global economy, and hardly an existential threat, but still worth some attention. Compare it with the 0.5 to two per cent losses that retailers experience due to pilferage and other "shrinkage".

A new report from Deloitte delivers a similar figure, claiming that cybercrime costs Irish organisations, on average, 2.7 per cent of annual turnover — but their figure is clearly skewed up by a small number of surveyed organisations at the high end. Only 15 per cent of respondents said their costs were above 10 per cent of turnover.

More worrying is Deloitte's finding that more than a quarter of respondents (28 per cent) didn't even know how many security breaches their organisation had suffered.

"These findings reinforce the need to proactively identify incidents and to keep up with technology advancements as only 40 per cent of serious incidents were identified proactively," Deloitte writes — that is, the organisations had to be told they were hacked.

It's a figure that confirms what Verizon's Data Breach Investigations Report (DBIR) tells us. Most data breaches go undetected for months, and we're not getting any better.