
Cyber crime costs over $1 trillion

A pitch from Alex Whitson from SC TV for a Webinar on the LinkedIn Information Security Community piqued my attention with the following teaser:

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for either the $1 trillion number or the $43.5 billion number.

A little googling revealed the UK government report UK Cyber crime costs UKP 27BN/year. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First – they don’t have any empirical data on actual cybercrime events.

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario-based approach.

Which is a nice way of saying

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, one finds a great deal of information relating to fraud of all kinds, including Stuxnet, which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program, although it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO or CFO who cannot quantify their potential damage due to cyber crime – given a practical threat model and coached by an expert, not a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR, which can always be leveraged into marketing activities. These are rarely reported in the balance sheet as extraordinary expenses, so one may assume they are part of the cost of doing business.

Tech companies that have an IP breach are a different story, and I’ve spoken about that at length on the blog. I believe that small to mid-size companies are the hardest hit, contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the $1 trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework…

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind leading to number inflation.

I have written here on the problems associated with guessing and rounding up in the areas of counterfeiting and software piracy.

Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it’s having her identity stolen and spending the next 6 months rebuilding her life, or crashing on a mountain bike with fake parts and getting killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly not by hyping the numbers on the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then – considering the rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and on not talking to strangers anywhere, not on the street and not on FB.

Regarding cyber terror – I have written at length about how the Obama administration is clueless on cyber terror.

One would hope that in defense of liberty – the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host-based intrusion detection on DoD PCs.


What if al-Qaeda Got Stuxnet?

Speaking at this year’s RSA Security conference in San Francisco, Deputy Defense Secretary William Lynn was worried about al-Qaeda getting Stuxnet:

al-Qaeda operates as a network comprising both a multinational, stateless army and a radical Sunni Muslim movement calling for global Jihad…Characteristic techniques include suicide attacks and simultaneous bombings of different targets…beliefs include that a Christian-Jewish alliance is conspiring to destroy Islam, embodied in the U.S.-Israel alliance, and that the killing of bystanders and civilians is religiously justified in jihad. (From Wikipedia)

William Lynn is the same official at the US Department of Defense who doesn’t believe in offensive measures to combat cyber terror. In his article several months ago in Foreign Affairs, Lynn claims:

Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

Let’s see if we can connect the dots.

1. Who is the attacker?

Lynn has just reiterated that the Obama administration officially considers al-Qaeda a threat to the US, markedly ignoring the Muslim Brotherhood – since the US considers the Muslim Brotherhood a secular, democratic political organization. Nor is Mr. Lynn concerned with other Islamic terror groups like Hamas or the PLO.

2. What are the best security countermeasures against the attack?

Despite believing in good cyber security defenses, Mr. Lynn does not offer any security countermeasures against al-Qaeda deploying Stuxnet and falls back on the American shoe bomber security philosophy, considering yesterday’s attack, not tomorrow’s attack. This is the same security management strategy that resulted in millions of airline passengers taking off their shoes in a fruitless, ineffective security countermeasure against a one-time, one in a million attack.

3. Is Stuxnet a cost-effective attack against the great Satan?

Of course – al-Qaeda might deploy Stuxnet against US critical national infrastructures but then again it might be cheaper and more effective for a Muslim terror organization to do something different – like use Facebook to make friends with a DC college student, make a date with her in Manhattan and have her ride the Red Line to Reagan Airport in DC, go through the non-security measures there, not get profiled and use a text message to a bomb in her bag to blow up in the line of people taking off their shoes, killing 20-30 civilians and taking down the US transportation infrastructure for the day.

4. Is the Obama administration more concerned with media exposure than with combating Islamic cyber terror?

Director of National Intelligence James Clapper told a House panel that al-Qaeda appears more focused on making inroads with unsuspecting Muslim youth through social media. Is Mr. Clapper speaking with Mr. Lynn, or is the Obama administration making the same mistake that the Bush and Clinton administrations made, where the CIA collects intelligence, the DOD defends, the FBI investigates civilian crimes, but no one connects the dots?

As I wrote in April 2009 about the Obama cyber security policy review, I was reminded of Melissa Hathaway’s 2009 speech to the RSA Security conference, which featured a few cute gems like this one:

“…Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.”

Ms. Hathaway’s perspective on security appears to be influenced by the movies, which is consistent with President Obama, who thinks he’s living in an episode of “The West Wing”.

As I wrote back in April 2009 – I thought we should wait 6 months after the report was made public and see how many cost-effective security countermeasures the government Cyberspace security task force had produced.

Less than 6 months later, Ms. Hathaway resigned. People familiar with the matter said Ms. Hathaway had been “spinning her wheels” in the White House, where the president’s economic advisers sought to marginalize her politically. (See Siobhan Gorman’s Wall Street Journal piece from August 2009. Gorman covers national intelligence issues at WSJ and has written stories exposing the NSA’s computer problems—including those in its multibillion-dollar Trailblazer program aimed at identifying electronic data crucial to the nation’s safety).
