At the beginning of this year, a set of powerhouse organizations in cybersecurity (CSO Magazine, Deloitte, Carnegie Mellon's CERT program, and the U.S. Secret Service) released the results of a survey of 523 business and government executives, professionals and consultants in the ICT management field.
The reaction generated by this survey provides an unusually clear illustration of how cyber-security discourse has become willfully detached from facts. There is an organized industrial and political imperative to drill into our heads the idea that the Internet is dangerous and its threats are spiraling out of control, and it doesn't matter what facts are uncovered – they are all interpreted to support this preconception.
With that intro, here is the lead sentence from the January 25, 2010 Carnegie Mellon University news release about the 2010 CyberSecurity Watch Survey:
“Cybercrime threats posed to targeted organizations are increasing faster than many organizations can combat them, according to the 2010 CyberSecurity Watch Survey…”
Stop right there. A careful review of both the survey and the responses to it quickly reveals that this conclusion did NOT come from the survey itself, and was not supported by its data. In fact, the claim that cyberthreats are increasing faster than many organizations can combat them comes from a Deloitte “review of the results” of the survey. The Deloitte “review” is entitled (in big, bold letters) CYBERCRIME: A CLEAR AND PRESENT DANGER, and it admits it is an “interpretation” which “goes beyond simple reporting of results.”
Apparently Deloitte, one of the sponsors of the survey, was not happy with the results:
“Deloitte believes…that some of the findings point to significant incongruities between the views of many survey respondents and the current reality of cyber crime.” In other words, don't listen to what the people actually facing and dealing with threats tell you, listen to the scary stuff.
So what are the relevant facts in the survey?
The survey “uncovered a drop in victims of cybercrimes (60% vs. 66% in 2007), however, the affected organizations have experienced significantly more attacks than in previous years.”
“Since 2007, when the last cybercrime survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10%.”
“More than half of the respondents (58%) believe they are more prepared to prevent, detect, respond to or recover from a cybercrime incident compared to the previous year.”
Isn't this interesting? How does Deloitte get from a drop in the number of victims and a 10% drop in losses (despite more attacks) and a general improvement in perceived preparedness, to the conclusion that crimes are increasing “faster than potential victims can cope with them?” It's easy when you've got something to sell.
Where do cyber-security threats come from? Once again, there is a very interesting gap – perhaps we should say chasm – between the Deloitte report and the actual survey results. In Deloitte's spin, the main threat is external, and comes from “An increasing number of criminals and criminally minded enterprises [that] have hired, purchased, or otherwise acquired the ability to infiltrate systems with new penetration techniques while developing a criminal e-business network.” But Deloitte doesn't stop there. Without adducing a shred of evidence it asserts that “There is a likely nexus between cyber crime and a variety of other threats including terrorism, industrial espionage, and foreign intelligence services.” Shudder. Oh my God.
Now what is the data in the survey report?
The survey respondents reported that the vast majority of attacks – and the most costly ones – come from insiders. No less than 3/4 (75%) of all cybercrime comes from KNOWN sources. Moreover, “Insider incidents are more costly than external breaches, according to 67% of respondents.”
The Deloitte “review” of the survey results shows that Deloitte is simply unable to accept an alternate, less exciting and scary view about the sources of risk. And so it issued a glossy, bold pamphlet/advertisement that actually garnered more media coverage than the survey itself. The assertions of its tract were often conflated with those of the survey.
To be fair to Deloitte, their tract does make some wise points. They argue, convincingly, that organizations should focus security on a “risk-based approach” that “starts with the assumption that an unauthorized user can gain access to the system, and then design responses based on the value of the data that could thus be compromised.”
Equally wise, the Deloitte report urges enterprises to “shift away from building a 'great wall' against all threats, toward identifying and addressing the most significant ones. This entails prioritizing risks on the basis of their likelihood, impact, and potential interactions with other risks, then allocating resources accordingly.”
But if Deloitte followed its own advice consistently, it would stop promoting hysteria about unknown, unquantified, and as yet undemonstrated risks “that can be imagined” (their words) from “terrorist organizations, foreign intelligence services, and traditional organized crime entities” and focus more directly on where the real risks are.
There may be a valid argument that the survey respondents are complacent or ignorant about the real security risks – but Deloitte hasn't made it. And it is hard to argue with the fact that the survey respondents know more than Deloitte does about what incidents actually hit them and how much money those incidents actually cost them. To posit risks and threats that “could be imagined” sounds more like a sales job than analysis.