The Stats Used To Support Cybercrime 'Threats' Just As Bogus As Hollywood's 'Loss' Claims
from the but-of-course... dept
While the latest attempt to pass a cybersecurity bill may be on ice for now, it'll be back... and with it there will be a lot more hyperbole about how urgent this is because of various massive "losses" already happening due to cybersecurity problems. Of course, nearly all of the numbers and claims you hear will be 100% bogus.For years, we've highlighted stories about how the claims of "losses" from the entertainment industry due to infringement are completely fictitious. In the past, we've seen Julian Sanchez go on a hunt to find the origin of some of the numbers being thrown around, and come up with evidence that they're based on nothing. For example, claims of $200 billion in losses due to counterfeiting... came from a 1993 Forbes article that just makes that claim with no citation and no backing info. But it became gospel among those arguing there was as problem.
With Congress and the President continuing to insist that we need a cybersecurity bill, politicians have been tossing around all sorts of questionable numbers. Just a few weeks ago, we noted that General Keith Alexander, the head of the NSA, had tossed out some numbers and claimed that cybersecurity was the "greatest transfer of wealth in history." Considering that we're living through the aftermath of a financial meltdown that involved a massive transfer of wealth, I find the original claim difficult to believe. Plus, as we noted, he seemed to only cite studies from McAfee and Symantec, two companies who have a massive vested interest in keeping the cybersecurity FUD going, because it helps them sell stuff.
Thankfully, the folks over at Pro Publica decided to take a much closer look at the numbers politicians are relying on in support of the massive "harm" that is already being caused by online security issues... and discovered that the numbers are completely and totally bogus. In fact, the full story (which is fascinating) parallels (very closely) the story with "piracy" stats from the industry.
One popular number is "$1 trillion" in losses due to cybersecurity breaches. That number gets thrown around a lot by politicians (and many in the press who merely parrot such numbers unquestioningly, even as that gives those politicians more cover to claim that there's a reputable source supporting the number). Yet, the Pro Publica report highlights that, not only is this number bogus, but the (quite well respected) researchers who put together the original report for McAfee did not use that number and, more importantly, many of them spoke out publicly with surprise that McAfee put out a press release with such a number -- which they thought was questionable and not supported by their data.
In fact, there were a number of methodological problems, including that the data was based on a self-reported "average" amount of the "worth of sensitive information stored in offshore computer systems." Who knows if the respondents are being accurate, first of all, but even more to the point, the "worth" of such information is a highly subjective number. People can find something "worthwhile" without paying for it, but by focusing on the "worth," they obscure the fact that the market price may be quite different than what people think something is worth. And, what people think something is worth has zero impact on any actual losses. But, from a very small number, McAfee just sprinkled some magic pixie dust on the already questionable number, and proceeded to extrapolate, massively:
“The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches,” the release said. “Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.” The release contained a quote from McAfee’s then-president and chief executive David DeWalt, in which he repeated the $1 trillion estimate. The headline of the news release was “Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime.”Now, remember, this $1 trillion number is just in the press release. It's not in the report at all. And the report's researchers were just as baffled (and even more concerned) about this:
The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism.
Among [the study's researchers] was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. “I would have objected at the time had I known about it,” he said. “The intellectual quality of this ($1 trillion number) is below abysmal.”I don't know about you, but when a super well respected security researcher tells you that the basis of a particular claim is based on a number whose "intellectual quality ... is below abysmal," that's the point at which you should probably stop using the number. But, instead, politicians and the press continue to parrot the line over and over again.
.... The company’s method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report’s unveiling, she received a draft of the news release that contained the $1 trillion figure. “I expressed my concern with the number as we did not generate it,” Rees Ulmer said in an email. She added that although she couldn’t recall the particulars of the phone conversation in which she made her concerns known, “It is almost certainly the case that I would have told them the number was unsupportable.”
...The news stories got the worried attention of some of the report’s contributors because McAfee was connecting their names to an estimate they had no previous knowledge of and were skeptical about. One of the contributors, Augusto Paes de Barros, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, “I could not find any data in that report that could lead into that number.... I’d like to see how they found this number.”
The slightly smaller number, from Symantec, is still equally questionable. They go with $250 billion... but the number has almost no support. It does come from a real Symantec report, but not from Symatec employees. Instead, they hired another firm to magically come up with the number, and it sounds like magic would have been equally as effective as what was eventually done. It raised concerns from actual experts in the field:
“Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population.”Furthermore, even if we take these numbers at face value, the original reports on both of them say these numbers represent the value of the attacks in question, and not what was actually "lost" or how much it cost to deal with. However, when a politician quotes them, they almost always do so by at least suggesting that these made up "values" are very real "losses" to companies. In other words, the numbers (shocker, shocker) are being twisted by cybersecurity law supporters. For example, just recently, Senator Collins said that General Alexander "believes American companies have lost about $250 billion a year," but that's not true. Already, we know the number is suspect -- but even if we accepted the number, it only represents the "value" that various companies have put on things harmed by security issues, not any sense of actual losses. Claiming that these are losses isn't just misleading, it's wrong.
We've argued for years that actual data should inform the debate on these things -- but that data needs to be accurate and supportable. Unfortunately, with cybersecurity threats, the claims that are being thrown around have no basis in reality. If politicians really want to discuss the "threat" of cybersecurity, the least they can do is get some accurate research on the scope of the problem. Trusting a number from a McAfee press release is not credible and it's certainly no basis for passing a law that wipes out privacy rights of the public.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, fud, hype, losses, stats
Companies: mcafee, symantec
Reader Comments
Subscribe: RSS
View by: Time | Thread
...and just as bogus as the claims that frakking is safe.
http://public-accountability.org/2012/07/contaminated-inquiry/
A lot of people need to get thrown in jail. Really.
[ link to this | view in thread ]
Re: ...and just as bogus as the claims that frakking is safe.
Sorry, too busy throwing pot-smokers in the clink, friend. They are singlehandedly causing The Great Cheetohs And Mountain Dew Drought of 2012....
[ link to this | view in thread ]
I intend on not Voting for either of these bloated corrupt Parties even if my Vote is considered a wasted one.I am sick of seeing those two Parties in Office.
I hate this Government and the only ways to really change it seems like either a Revolution or to just try and Vote them out.
[ link to this | view in thread ]
No smoke, no fire
JP Morgan loses $6 billion with poor trading practices and even though they can pretty easily absorb that loss, execs are fired and the whole company is looking to be re-org'ed.
If American companies, even in aggregate, were losing a trillion dollars, there'd be no end to the news. And yet... we hear nothing of the sort. There's not even a wisp of smoke - so there isn't any fire here.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Collective Bargaining
Anyone from the US (especially from Wisconsin or Ohio) would understand this problem very much so. There were several editorial articles that were taken that had data portraying the public school teachers were making more than $50,000 US a year by the end of their careers and tax payer money was being wasted (especially in Ohio...I'll use Ohio because I know how it all went down where I live) on union dues. What did our local law makers do? They took away the rights of the State workers unions to collectively bargain for benefits....it was later repealed by hand written signature. The bill also gave the town council the final word on an individual teacher's wages, not the school board
For those outside the US who might not understand, States are not forced to provide benefits for their workers in the US. Some of them (like Ohio) do not provide medical or health insurance and no pension plan for retirement for public servants such as teachers. Unions were given the right to bargain for said wages and benefits so the teachers could have something to retire upon. With the collective bargaining rights gone, teachers couldn't get a raise when they deserve it. How much of your pay as a public school teacher that went to union dues for retirement was up to the individual.
Needless to say I know all about the issues of senators using eronious figures in editorials to pass bad baseless laws.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Fixed that for ya ;)
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
After all it wouldn't matter a whit if the entire population was filled to the rafters with literal geniuses, so long as the ones who rule are either gullible enough to swallow such blatant lies and falsehoods, or corrupt and paid off enough to go along with the lies.
[ link to this | view in thread ]
The white man ain't shit cause he got a complex.
-graffiti on a wall in the movie "Being There"
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Intensity matching
Step one: Substitution. >> A difficult question "How much does cybercrime cost?" is replaced with a simpler question "How much do we care about cybercrime?"
Step two: Intensity matching. >> Relative importance of the cybercrime issue is expressed on the monetary scale. A trillion dollars seems like a good match for something that's related to cyber warfare.
And there you have it.
[ link to this | view in thread ]
Re: Intensity matching
[ link to this | view in thread ]
How is this possible?
How do you even know how much IP you have lost??? How do you lose intangibles???
Think about that. They estimate they lost $4.6 billion worth of thoughts.
[ link to this | view in thread ]
Re: How is this possible?
[ link to this | view in thread ]
Re: No smoke, no fire
Clearly, if we'd had tougher cybersecurity legislation on the books, this sort of stuff would never have happened.
I'm actually surprised nobody has actually tried using this line of reasoning to push these bills.
[ link to this | view in thread ]
Re: Re: No smoke, no fire
How's that working for copyright? Or drugs?
[ link to this | view in thread ]
It's also on par with the amount of money thrown around the world to bail out the "ailing economy" btw. And it's 6,7% of the American GDP.
So when you put the numbers in perspective it sounds much less reasonable (the 1 trillion figure).
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: ...and just as bogus as the claims that frakking is safe.
[ link to this | view in thread ]
[ link to this | view in thread ]
this just in...
Lies and blatant misinformation used to manipulate masses!
Further attempts to enable government contract recipients and their shareholders to profit on citizen data imminent!
Horrified observers .. resist.
How long can the Founding Documents resist this onslaught?
Are the governed at risk of catastrophic casualties?
Are our children safe!?
These questions and more could just possibly be answered .. in about six weeks.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
It's not the money, dude!
[ link to this | view in thread ]
Re: ...and just as bogus as the claims that frakking is safe.
I'm reminded of a Pogo cartoon where a bear-like creature (who resembled Spiro Agnew) managed to throw EVERYBODY in jail except himself. In the end, he realized that ... he was lonely. :(
[ link to this | view in thread ]