The Stats Used To Support Cybercrime 'Threats' Just As Bogus As Hollywood's 'Loss' Claims
from the but-of-course... dept
While the latest attempt to pass a cybersecurity bill may be on ice for now, it'll be back... and with it there will be a lot more hyperbole about how urgent this is because of various massive "losses" already happening due to cybersecurity problems. Of course, nearly all of the numbers and claims you hear will be 100% bogus.
For years, we've highlighted stories about how the claims of "losses" from the entertainment industry due to infringement are completely fictitious. In the past, we've seen Julian Sanchez go on a hunt to find the origin of some of the numbers being thrown around, and come up with evidence that they're based on nothing. For example, claims of $200 billion in losses due to counterfeiting... came from a 1993 Forbes article that just makes that claim with no citation and no backing info. But it became gospel among those arguing there was a problem.
With Congress and the President continuing to insist that we need a cybersecurity bill, politicians have been tossing around all sorts of questionable numbers. Just a few weeks ago, we noted that General Keith Alexander, the head of the NSA, had tossed out some numbers and claimed that cybersecurity was the "greatest transfer of wealth in history." Considering that we're living through the aftermath of a financial meltdown that involved a massive transfer of wealth, I find the original claim difficult to believe. Plus, as we noted, he seemed to only cite studies from McAfee and Symantec, two companies who have a massive vested interest in keeping the cybersecurity FUD going, because it helps them sell stuff.
Thankfully, the folks over at Pro Publica decided to take a much closer look at the numbers politicians are relying on in support of the massive "harm" that is already being caused by online security issues... and discovered that the numbers are completely and totally bogus. In fact, the full story (which is fascinating) parallels (very closely) the story with "piracy" stats from the industry.
One popular number is "$1 trillion" in losses due to cybersecurity breaches. That number gets thrown around a lot by politicians (and many in the press who merely parrot such numbers unquestioningly, even as that gives those politicians more cover to claim that there's a reputable source supporting the number). Yet, the Pro Publica report highlights that, not only is this number bogus, but the (quite well respected) researchers who put together the original report for McAfee did not use that number and, more importantly, many of them spoke out publicly with surprise that McAfee put out a press release with such a number -- which they thought was questionable and not supported by their data.
In fact, there were a number of methodological problems, including that the data was based on a self-reported "average" amount of the "worth of sensitive information stored in offshore computer systems." Who knows if the respondents are being accurate, first of all, but even more to the point, the "worth" of such information is a highly subjective number. People can find something "worthwhile" without paying for it, but by focusing on the "worth," they obscure the fact that the market price may be quite different from what people think something is worth. And what people think something is worth has zero impact on any actual losses. But, starting from a very small number, McAfee just sprinkled some magic pixie dust on the already questionable figure and proceeded to extrapolate, massively:
“The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches,” the release said. “Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.” The release contained a quote from McAfee’s then-president and chief executive David DeWalt, in which he repeated the $1 trillion estimate. The headline of the news release was “Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime.”
Now, remember, this $1 trillion number is just in the press release. It's not in the report at all. And the report's researchers were just as baffled (and even more concerned) about this:
The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism.
Among [the study's researchers] was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. “I would have objected at the time had I known about it,” he said. “The intellectual quality of this ($1 trillion number) is below abysmal.”
I don't know about you, but when a super well respected security researcher tells you that a particular claim rests on a number whose "intellectual quality ... is below abysmal," that's the point at which you should probably stop using the number. But, instead, politicians and the press continue to parrot the line over and over again.
.... The company’s method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report’s unveiling, she received a draft of the news release that contained the $1 trillion figure. “I expressed my concern with the number as we did not generate it,” Rees Ulmer said in an email. She added that although she couldn’t recall the particulars of the phone conversation in which she made her concerns known, “It is almost certainly the case that I would have told them the number was unsupportable.”
...The news stories got the worried attention of some of the report’s contributors because McAfee was connecting their names to an estimate they had no previous knowledge of and were skeptical about. One of the contributors, Augusto Paes de Barros, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, “I could not find any data in that report that could lead into that number.... I’d like to see how they found this number.”
The slightly smaller number, from Symantec, is equally questionable. They go with $250 billion... but the number has almost no support. It does come from a real Symantec report, but not from Symantec employees. Instead, they hired another firm to magically come up with the number, and it sounds like actual magic would have been just as effective as what was eventually done. It raised concerns from actual experts in the field:
“Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population.”
Furthermore, even if we take these numbers at face value, the original reports on both of them say these numbers represent the value of the attacks in question, not what was actually "lost" or how much it cost to deal with. However, when a politician quotes them, they almost always do so by at least suggesting that these made-up "values" are very real "losses" to companies. In other words, the numbers (shocker, shocker) are being twisted by cybersecurity law supporters. For example, just recently, Senator Collins said that General Alexander "believes American companies have lost about $250 billion a year," but that's not true. Already, we know the number is suspect -- but even if we accepted the number, it only represents the "value" that various companies have put on things harmed by security issues, not any sense of actual losses. Claiming that these are losses isn't just misleading, it's wrong.
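The extrapolation the quoted critique describes, as an added illustration that is not part of the original post or of either vendor's report: a constructed set of self-reported survey answers and an assumed population size show how much of a "sample mean times population" projection a single respondent can supply, and how a median-based projection behaves on the same data.

```python
from statistics import mean, median

# Constructed survey answers (hypothetical, not McAfee's or Symantec's data):
# 20 respondents' self-reported annual "value of IP lost", in $ millions.
# Nineteen report modest figures; one reports an extreme one.
RESPONSES = [0.5, 1.2, 0.8, 2.0, 0.3, 1.5, 0.9, 4.0, 0.6, 1.1,
             0.7, 3.2, 0.4, 1.8, 2.5, 0.2, 1.0, 0.9, 1.4, 950.0]

# Assumed number of companies the survey is projected onto (a placeholder).
POPULATION = 100_000


def extrapolated_total(responses, population):
    """Naive projection: sample mean multiplied by population size."""
    return mean(responses) * population


def robust_total(responses, population):
    """Median-based projection; one extreme answer barely moves the median."""
    return median(responses) * population


def share_from_largest(responses):
    """Fraction of the sample total (and so of the naive projection)
    contributed by the single largest answer."""
    return max(responses) / sum(responses)


def drop_largest(responses):
    """The same survey with its single most extreme respondent removed."""
    trimmed = list(responses)
    trimmed.remove(max(trimmed))
    return trimmed


def relative_change_without_largest(responses, population, estimator):
    """How far the projected total falls when one respondent is dropped,
    as a fraction of the full projection."""
    full = estimator(responses, population)
    without = estimator(drop_largest(responses), population)
    return (full - without) / full


if __name__ == "__main__":
    print(f"naive projection:   ${extrapolated_total(RESPONSES, POPULATION):,.0f}M")
    print(f"median projection:  ${robust_total(RESPONSES, POPULATION):,.0f}M")
    print(f"largest respondent supplies {share_from_largest(RESPONSES):.1%} of the total")
    for name, est in (("naive", extrapolated_total), ("median", robust_total)):
        change = relative_change_without_largest(RESPONSES, POPULATION, est)
        print(f"{name} projection drops {change:.1%} without that one respondent")
```

With these constructed answers the naive projection comes almost entirely from one respondent and collapses by more than 95% when that answer is removed, while the median projection moves by under 5%.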
We've argued for years that actual data should inform the debate on these things -- but that data needs to be accurate and supportable. Unfortunately, with cybersecurity threats, the claims that are being thrown around have no basis in reality. If politicians really want to discuss the "threat" of cybersecurity, the least they can do is get some accurate research on the scope of the problem. Trusting a number from a McAfee press release is not credible and it's certainly no basis for passing a law that wipes out privacy rights of the public.
Filed Under: cybersecurity, fud, hype, losses, stats
Companies: mcafee, symantec
Reader Comments
...and just as bogus as the claims that frakking is safe.
http://public-accountability.org/2012/07/contaminated-inquiry/
A lot of people need to get thrown in jail. Really.
Re: ...and just as bogus as the claims that frakking is safe.
Sorry, too busy throwing pot-smokers in the clink, friend. They are singlehandedly causing The Great Cheetohs And Mountain Dew Drought of 2012....
Re: ...and just as bogus as the claims that frakking is safe.
I'm reminded of a Pogo cartoon where a bear-like creature (who resembled Spiro Agnew) managed to throw EVERYBODY in jail except himself. In the end, he realized that ... he was lonely. :(
I intend on not Voting for either of these bloated corrupt Parties even if my Vote is considered a wasted one. I am sick of seeing those two Parties in Office.
I hate this Government and the only ways to really change it seems like either a Revolution or to just try and Vote them out.
No smoke, no fire
JP Morgan loses $6 billion with poor trading practices and even though they can pretty easily absorb that loss, execs are fired and the whole company is looking to be re-org'ed.
If American companies, even in aggregate, were losing a trillion dollars, there'd be no end to the news. And yet... we hear nothing of the sort. There's not even a wisp of smoke - so there isn't any fire here.
Re: No smoke, no fire
Clearly, if we'd had tougher cybersecurity legislation on the books, this sort of stuff would never have happened.
I'm actually surprised nobody has actually tried using this line of reasoning to push these bills.
Re: Re: No smoke, no fire
How's that working for copyright? Or drugs?
Re:
Fixed that for ya ;)
Collective Bargaining
Anyone from the US (especially from Wisconsin or Ohio) would understand this problem very much so. There were several editorial articles that were taken that had data portraying the public school teachers were making more than $50,000 US a year by the end of their careers and taxpayer money was being wasted (especially in Ohio... I'll use Ohio because I know how it all went down where I live) on union dues. What did our local lawmakers do? They took away the rights of the State workers unions to collectively bargain for benefits... it was later repealed by hand written signature. The bill also gave the town council the final word on an individual teacher's wages, not the school board.
For those outside the US who might not understand, States are not forced to provide benefits for their workers in the US. Some of them (like Ohio) do not provide medical or health insurance and no pension plan for retirement for public servants such as teachers. Unions were given the right to bargain for said wages and benefits so the teachers could have something to retire upon. With the collective bargaining rights gone, teachers couldn't get a raise when they deserve it. How much of your pay as a public school teacher that went to union dues for retirement was up to the individual.
Needless to say I know all about the issues of senators using erroneous figures in editorials to pass bad baseless laws.
Re:
After all it wouldn't matter a whit if the entire population was filled to the rafters with literal geniuses, so long as the ones who rule are either gullible enough to swallow such blatant lies and falsehoods, or corrupt and paid off enough to go along with the lies.
The white man ain't shit cause he got a complex.
-graffiti on a wall in the movie "Being There"
Intensity matching
Step one: Substitution. >> A difficult question "How much does cybercrime cost?" is replaced with a simpler question "How much do we care about cybercrime?"
Step two: Intensity matching. >> Relative importance of the cybercrime issue is expressed on the monetary scale. A trillion dollars seems like a good match for something that's related to cyber warfare.
And there you have it.
How is this possible?
How do you even know how much IP you have lost??? How do you lose intangibles???
Think about that. They estimate they lost $4.6 billion worth of thoughts.
It's also on par with the amount of money thrown around the world to bail out the "ailing economy" btw. And it's 6.7% of the American GDP.
So when you put the numbers in perspective it sounds much less reasonable (the 1 trillion figure).
this just in...
Lies and blatant misinformation used to manipulate masses!
Further attempts to enable government contract recipients and their shareholders to profit on citizen data imminent!
Horrified observers .. resist.
How long can the Founding Documents resist this onslaught?
Are the governed at risk of catastrophic casualties?
Are our children safe!?
These questions and more could just possibly be answered .. in about six weeks.
It's not the money, dude!