Cyber-Spin: How the Internet gets framed as dangerous

At the beginning of this year, a set of powerhouse organizations in cybersecurity (CSO Magazine, Deloitte, Carnegie Mellon's CERT program, and the U.S. Secret Service) released the results of a survey of 523 business and government executives, professionals and consultants in the ICT management field.

The reaction generated by this survey provides an unusually clear illustration of how cyber-security discourse has become willfully detached from facts. There is an organized industrial and political imperative to drill into our heads the idea that the Internet is dangerous and its threats are spiraling out of control, and it doesn't matter what facts are uncovered – they are all interpreted to support this preconception.

With that intro, here is the lead sentence from the January 25 2010 Carnegie-Mellon University news release about the 2010 CyberSecurity Watch Survey:

“Cybercrime threats posed to targeted organizations are increasing faster than many organizations can combat them, according to the 2010 CyberSecurity Watch Survey…”

Stop right there. A careful review of both the survey and the responses to it quickly reveals that that conclusion did NOT come from the survey itself, and was not supported by its data. In fact, the claim that cyberthreats are increasing faster than many organizations can combat them comes from a Deloitte “review of the results” of the survey. The Deloitte “review” is entitled (in big, bold letters) CYBERCRIME: A CLEAR AND PRESENT DANGER and it admits it is an “interpretation,” which “goes beyond simple reporting of results.”

Apparently Deloitte, one of the sponsors of the survey, was not happy with the results:

“Deloitte believes…that some of the findings point to significant incongruities between the views of many survey respondents and the current reality of cyber crime.” In other words, don't listen to what the people actually facing and dealing with threats tell you, listen to the scary stuff.

So what are the relevant facts in the survey?

The survey “uncovered a drop in victims of cybercrimes (60% vs. 66% in 2007), however, the affected organizations have experienced significantly more attacks than in previous years.”

“Since 2007, when the last cybercrime survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10%.”

“More than half of the respondents (58%) believe they are more prepared to prevent, detect, respond to or recover from a cybercrime incident compared to the previous year.”

Isn't this interesting? How does Deloitte get from a drop in the number of victims and a 10% drop in losses (despite more attacks) and a general improvement in perceived preparedness, to the conclusion that crimes are increasing “faster than potential victims can cope with them?” It's easy when you've got something to sell.

Where do cyber-security threats come from? Once again, there is a very interesting gap – perhaps we should say chasm – between the Deloitte report and the actual survey results. In Deloitte's spin, the main threat is external, and comes from “An increasing number of criminals and criminally minded enterprises [that] have hired, purchased, or otherwise acquired the ability to infiltrate systems with new penetration techniques while developing a criminal e-business network.” But Deloitte doesn't stop there. Without adducing a shred of evidence it asserts that “There is a likely nexus between cyber crime and a variety of other threats including terrorism, industrial espionage, and foreign intelligence services.” Shudder. Oh my God.

Now what is the data in the survey report?

The survey respondent reported that the vast majority of attacks – and the most costly ones – come from insiders. No less than 3/4 (75%) of all cybercrime comes from KNOWN sources. Moreover, “Insider incidents are more costly than external breaches, according to 67% of respondents.”

The Deloitte “review” of the survey results shows they are simply unable to accept an alternate, less exciting and scary view about the sources of risk. And so it issued a glossy, bold pamphlet/advertisement that actually garnered more media coverage than the actual survey. And the assertions of its tract were often conflated with those of the survey.

To be fair to Deloitte, their tract does make some wise points. They argue, convincingly, that organizations should focus security on a “risk-based approach” that “starts with the assumption that an unauthorized user can gain access to the system, and then design responses based on the value of the data that could thus be compromised.”

Equally wise, the Deloitte report urges enterprises to “shift away from building a 'great wall' against all threats, toward identifying and addressing the most significant ones. This entails prioritizing risks on the basis of their likelihood, impact, and potential interactions with other risks, then allocating resources accordingly.”

But if Deloitte followed its own advice consistently, it would stop promoting hysteria about unknown, unquantified, and as yet undemonstrated risks “that can be imagined” (their words) from “terrorist organizations, foreign intelligence services, and traditional organized crime entities” and focus more directly on where the real risks are.

There may be a valid argument that the survey respondents are complacent or ignorant about the real security risks – but Deloitte hasn't made it. And it is hard to argue with the fact that the survey respondents know more than Deloitte does about what incidents actually hit them and how much money those incidents actually cost them. To posit risks and threats that “could be imagined” sounds more like a sales job than analysis.

7 comments

  1. Anonymous

    Have you been following the .JOBS TLD fiasco ?
    When the dust settles (tomorrow?) the world will
    get to see how 5 or 6 PBS-like Corporate structures
    were ALL capable of turning their heads to deny
    their apathy, collusion, greed and now resignation.
    ICANN should be dissolved. The .JOBS fiasco is
    worth a Harvard Business Journal article. Maybe
    Lessig can add it to his (funded) 5-year study on
    Institutional Corruption?

  2. Anonymous

    Executive Summary on the .JOBS TLD
    1. Slip a TLD under the ICANN Radar with a well-orchestrated group of insiders, V$ Registry, State Governor & CLUELESS SPONSOR.
    2. Muddle along and “sell” 15,000 domains plus
    other services never accounted for to the Registry.
    [Note: What Registry ? V$ does the back-end,
    and Registrars do the retail, and the SPONSOR?
    they are clueless and out to lunch.
    3. Arrive in 2009 and GREED arrives and notes
    a little-used .JOBS vehicle. Lawyers find loop-holes
    in the “Sell” domains and now they are “loaned”.
    That opens the door to ANY domain. Is the
    SPONSOR aware ? NOOOOOOOO of course not.
    They are clueless and are not even aware there
    is a web-site claiming they said thus and so, all
    operated by “The Registry” the ICANN Partner.
    4. Fast forward to 2010 and Greed has now grown
    into a movement with a roll-out of 25,000 new
    sub-domains with NO APPROVALS from all the
    parties in the structure. Now, heads turn, it is too
    late. ICANN can not police the world. Oh Well.
    Just like .PRO another TLD being carted off to be
    RE-Purposed. They have some exposure for .JOBS
    via the various Roots & DNS providers. Greed now
    drives the selling of anything under .JOBS
    This of course was all handled by Suits and
    PBS-like “Boards” with all the Checks & Balances
    ICANN prides themselves on creating. This is
    not a Russian Mafia deal, or a Columbian Cartel.
    This is good old American corruption & greed.
    Would it not be better to put the cards on the table
    and have a fish-bowl drawing ? What is the Public
    Benefit of years of ICANN mis-management
    and Charades ?

  3. Anonymous

    Maybe the 15,000 .JOBS Registrations could be used to create the Trademark Clearing House ?
    At least something can be salvaged from the failed attempt at a Sponsored TLD.
    How does one get the .JOBS Zone File ?

  4. Anonymous

    Will you agree anyway that this is data from a survey, not an attempt at some comprehensive reporting of the problem? Any statements about the real state of cybercrime based on a survey of 523 businesses isn't likely to be indicative of the overall scope and magnitude of the problem, right? It might tell us whether it is going up or down, or it might not, depending a lot on survey methodology.
    Plenty of other evidence such as the series Krebs is doing on ACH fraud against SMB tells us that maybe there are problems not being accounted for in this survey.

  5. Anonymous

    2010 and Milton Mueller is WASTING his time
    debating with geeks who !!think!! they run the
    Internet.
    https://www.arin.net/about_us/ac.html
    BGP is not required to run routers
    when you hear Full Routing Tables you are
    talking to amateurs and wasting your time
    YES, they travel to their love fests and all
    debate how many angels can dance on the
    head of a /24. BOOOOOORING
    Now they have found IPv6 so they have a new
    toy to toss around like a light saber. Anything
    that adds to their minuscule fantasy empire.
    Fortunately, they are harmless and anyone that
    wastes their time with them … um… wastes their life

  6. Anonymous

    http://en.wikipedia.org/wiki/Narcissistic_personality_disorder
    Narcissistic personality disorder (NPD) is a personality disorder defined by the Diagnostic and Statistical Manual of Mental Disorders, the diagnostic classification system used in the United States, as “a pervasive pattern of grandiosity, need for admiration, and a lack of empathy.”[1]
    The narcissist is described as being excessively preoccupied with issues of personal adequacy, power, and prestige.[2] Narcissistic personality disorder is closely linked to self-centeredness.

  7. Anonymous

    In order for a person to be diagnosed with narcissistic personality disorder (NPD) they must meet five or more of the following symptoms:
    * Has a grandiose sense of self-importance (e.g., exaggerates achievements and talents, expects to be recognized as superior without commensurate achievements)
    * Is preoccupied with fantasies of unlimited success, power, brilliance, beauty, or ideal love
    * Believes that he or she is “special” and unique and can only be understood by, or should associate with, other special or high-status people (or institutions)
    * Requires excessive admiration
    * Has a sense of entitlement, i.e., unreasonable expectations of especially favorable treatment or automatic compliance with his or her expectations
    * Is interpersonally exploitative, i.e., takes advantage of others to achieve his or her own ends
    * Lacks empathy: is unwilling to recognize or identify with the feelings and needs of others
    * Is often envious of others or believes that others are envious of him or her
    * Shows arrogant, haughty behaviors or attitudes.