Cyber criminals are out-spending the defenders two to one: HP

It's US$104 billion versus US$48 billion, claims HP Enterprise Services — but whether those annual figures are true or not, the bad guys are definitely getting better organised.
Written by Stilgherrian, Contributor

April, and in the new quarter blossoms a new crop of sweet, fragrant cyberstatistics. Such joy.

Some of these statistics are presented as so-called "infographics", a term which has come to mean a random scattering of factoids pulled back into an approximation of a unified narrative by some cornflake packet level design. Here's a bunch of these low information density pixel-burners, from which you may glean a factoid or two that you haven't encountered before, or guessed.

Others are presented as proper reports based on assumed-proper research, such as the Websense 2014 Threat Report released on Thursday. Websense analyses what's happening in the threat landscape, and how your organisation should respond, using a seven-stage kill chain model: initial reconnaissance; crafting a lure to encourage the victim to click; redirecting them through a series of hacked servers to a final one, which deploys an exploit kit; dropping malware onto the victim's machine; calling home; and exfiltrating data.

They're not the only vendor using this sort of militarised language. With minor variations, it's the way things are done now. Get used to it. Vendors will be using it to explain how their products will disrupt the attacker at each stage.

And other cyberstats still just turn up in presentations, such as HP Enterprise Services' claim that organised cybercrime operations are outspending the defenders two-to-one.

"The number we came up with is about $104 billion dollars a year for the entire ecosystem, and these are estimates that have been done through studies from various groups, including Ponemon and others around the estimation of the entire ecosystem," Arthur Wong, HP senior vice-president and general manager of HP Enterprise Security Services (ESS) globally, told ZDNet at a media briefing in Sydney on Wednesday.

"This [figure] is around the development, trading of information — whether it's [personal] profiles, whether it's threats, whether it's exploits or vulnerabilities — it's a huge ecosystem out there, and an economy that's underground and available for hackers. You can take a look at an eBay-like environment to be able to buy, sell, and trade security information and credit cards and financial information and intellectual property," he said.

A hundred billion sounds like a lot, and I'm normally sceptical of Big Numbers. But according to my back-of-the-envelope calculation, that's maybe US$30 per human on the internet per year. That's a lot for developing and even mid-rank nations, but it's certainly well within the bounds of what governments and corporations in the G20 absorb on behalf of their citizens and customers.

Globally, according to McAfee's estimates from mid-2013, cybercrime costs between US$100 billion and US$400 billion. That's a decent return on investment.

Meanwhile, says HP, the global information security market is "just" US$48 billion a year — though that, as well as the below-the-line internal costs to organisations, would be part of the cost figures.

HP is, of course, trying to persuade us to spend more on security, and to spend it with HP ESS. That's why they were telling journalists about their new Security Operations Centre (SOC) in the Sydney suburb of Rhodes. It adds "30 to 40" new security staff to the "hundreds" HP already has in the country, and adds an eighth SOC to those in Plano, Texas; Virginia (of course); Costa Rica; the UK; Bulgaria; India; and Malaysia.

But apart from their "buy our stuff" message, there's another message, one about coordination and cooperation. The bad guys are simply more agile. They don't need a corporate product manager to get the channel manager to organise a sales meeting with a potential client. They operate live online, fast and loose.

"The bad guys, the adversaries, they collaborate way more than governments, and way more than commercial industries do themselves," Wong told ZDNet. "When anyone wants to even launch an attack out there on a particular company, they're going to go into chat rooms ... and ask, 'Hey does anybody own a computer or a system inside this company?', and someone will put up their hand, or they'll know someone else, and a deal is negotiated".

The criminal ecosystem isn't just better organised, it's also becoming more specialised. According to Bob Hansmann, Websense's director of product marketing, the cybercrime vendors are now providing tailored services for every step of the kill chain.

"There are people who simply own botnets, and they rent it out to send spam or do phishing attacks, even denial of services. There are specialists in just crafting the emails. There are specialists for helping with encryption," Hansmann told ZDNet on Tuesday.

"Some of these cases can read like a Tom Clancy spy novel, where a Chinese credit card ring hires an ex-KGB agent living in Morocco to write code which he has no way of deploying, so he finds a friend in Turkey who actually controls a botnet, and so on and so forth. That's part of an actual attack that happened maybe five or six years ago."

This economy is now maturing. And growing. HP reckons that by 2020 there will be another million people working in cybercrime globally. In January, Cisco chief security officer John Stewart reckoned that before then we'll be short around a million infosec workers.

The consensus amongst infosec specialists is that after a bad year in 2013, this year will be better. After that, they're not so sure.
