Cyber crime is *not* bigger than illegal drug trade

Written by Richard Stiennon, Contributor

How many times is this meme going to circle the globe? It is as bad as the modem tax or the business card boy. Now the newly anointed CEO of McAfee has picked up on the idea that cyber crime exceeds the worldwide drug trade. This is just wrong. It is way wrong.

First some history. As I pointed out here, this all began when a Reuters journalist attended a conference in Riyadh. He managed to get a juicy quote from a lawyer who used to have a privacy position for the State of Colorado and claims to have consulted for the US Treasury Department (on what, I ask?). The original quote, from 2005:

"Last year was the first year that proceeds from cyber-crime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion,"

And now the quote from the CEO of McAfee speaking at a conference in Tucson this week:

DeWalt said that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide.

Yup, same figures, two years later.

No matter how you look at it - people involved, law enforcement resources, lives destroyed, countries in anarchy - there is no way you can compare cyber crime to the illegal drug trade. This is hype of the worst sort. Any reader of my blog, or attendee at one of my cyber crime scenario seminars, knows that I believe cyber crime is a real and present danger and that we are not prepared for the escalation now in process. But it is wrong to cite numbers that are off by at least an order of magnitude. Please help to kill this persistent meme.

And then, to add frosting to the cake, the McAfee CEO goes on to cite one of my other favorite topics. Security industry consolidation:

"The security market will go through the same transition that other industries have," DeWalt said. "Right now you've got 50 or 60 vendors out there, and customers are faced with the questions of how do you integrate all those solutions, and create interoperability between them? It's not sustainable."

Where do I start? First of all there are over 70 anti-virus vendors "out there", not to mention the 1,200 or so security vendors. If you are researching the number of security vendors it would be good to check out the exhibitors signed up for RSA 2008 next April. 315 to date.

Now, about the consolidation thing. Where is the evidence for that? Yes, there are acquisitions going on, but as I have pointed out over and over, they are examples of bigger companies such as McAfee, RSA, IBM, getting into new areas. The only sign of consolidation in recent history was Websense buying Surfcontrol. The security industry is not consolidating and it will not even begin to consolidate until the threats stop changing. That is the difference between "other industries" and the security market. The requirements for ERP, CRM, BCP, are fixed. Companies evolve until they all supply the same products and services with very little differentiation. Then consolidation occurs.
