Will McAfee's hacking hyperbole hatchet job kill the trillion-dollar myth?
The information security industry must be founded on trust, yet many vendors have form for publish dodgy statistics. As just one example, market leader Symantec, at least until a year or so ago, were publishing reports that smudged the boundaries between different kinds of crime, sometimes totalling people who'd experienced certain crimes "in the last year" and sometimes "ever", while keeping their working-out to themselves.
I've given the other vendors plenty of stick as well.
But hats off to McAfee this week. The latest McAfee-funded research — a preliminary report from the Washington-based Center for Strategic and International Studies released Monday and titled The Economic Impact of Cybercrime and Cyber Espionage — starts to admit honestly the limitations of these high-level guesstimates.
McAfee had previously claimed that cybercrime costs the global economy US$1 trillion a year. The US administration has recently been using that claim to justify more spending for so-called cyber defences, and the trillion-dollar figure has been used in policy circles since at least 2009 — but it can be traced back much further. Some PriceWaterhouseCoopers-funded Information Week Research from July 2000 reckoned that hacking was costing us a whopping $1.6 trillion a year, even back then.
McAfee now admits that you can't run a small-N survey in a couple dozen large, wealthy nations — often a self-selected sample of known crime victims at that — and extrapolate the data globally.
Their new figure is "probably measured in the hundreds of billions of dollars", although they never quite commit to one specific number.
This includes both direct and indirect costs, including the loss of intellectual property and business-confidential information (which they admit is hard to value); the possibility of stock market manipulation; opportunity costs, "including service and employment disruptions, and reduced trust for online activities"; the additional cost of securing networks, insurance, and recovery from attacks; and damage to reputation.
"This initial research suggest an upper limit of the cost of cyber espionage and crime somewhere between 0.5% and 1% of national income — for the US, this would be about $70 billion to $140 billion. A lower limit might be $20 billion to $25 billion," McAfee's report says.
Globally, that's somewhere between maybe US$100 billion and US$400 billion. At best, less than half the previous claim.
"In the context of a $70 trillion global economy, these losses are small, but that does not mean it is not in the national interest to try to reduce the loss, and the theft of sensitive military technology creates damage whose full cost is not easily quantifiable in monetary terms," McAfee writes.
True, but as McAfee themselves point out, this supposed cybercrime explosion is really down at the level of shoplifting. Retailers generally budget between 0.5% and 2% for pilferage and other such "shrinkage".
There's also — finally — an admission that money doesn't disappear from the global economy, it generally moves elsewhere. "A store knocked offline for a day may lose $10,000, but if customers wait or go to another store, the net loss to the economy is much smaller," for example.
With luck, this McAfee research will finally kill that ludicrous trillion-dollar claim. What continues to astound me, though, is that it ever got media oxygen to begin with. Give it one quick sniff and it smells more like a gas from the other end.
The world population today is 7.1 billion. A trillion a year represents US$140 for every man, woman and child on Planet Earth — including three billion who don't use the internet at all, or a billion or two for whom a few hundred dollars represents their household income for an entire year.
Put another way, a trillion dollars is most of the gross national income of Australia, the world's thirteenth-largest economy, just... gone. Coal, iron ore, gold, wool, souvenir koalas-shaped flip-flops printed with amusing slogans, the lot.
Yeah right.
If we're killing one cybercrime myth, let's kill another — one which coincidentally emerged from McAfee — namely that the wealth transfer due to hacking represents some historically-unprecedented economic disaster.
This meme seems to have been spawned two years ago by Dmitri Alperovitch, then McAfee's vice president of threat research, now a cyberhawk suggesting that companies be able to hack back — much as Venetian trading ships of the renaissance were armed and would open fire on commercial rivals.
"Economic espionage and political espionage that we've been seeing for the last five or six years is much more insidious, much more serious, and may perhaps be an existential threat to our economies," Alperovitch told ZDNet's Patch Monday podcast.
Cybercrime was "the greatest transfer of wealth in history", Alperovitch said in 2011, and soon after the exact same words were coming put of the mouth of General Keith Alexander, director of the US National Security Agency (NSA).
In 2013, this meme has been hyped beyond all credibility. "Let's put it this way, we are currently living through the greatest period of grand larceny in history. There is more crime on the digital network every year than decades, if not centuries, added together before now," said Dr Mark Gregory, senior lecturer in electrical and computer engineering at RMIT University in Melbourne, on ABC Radio earlier this month.
"Centuries added together"? Seriously?
Even my shoddy memory of arithmetic tells me that if you multiply a number of around a percent or two by "decades if not centuries" — that is, tens or hundreds — you soon end up with more than 100 percent of what you started with. Unless you forget that a century ago we didn't even have 2 billion people on the planet, let alone 7.1 billion, and each of them had far less money. Such historical claims must factor in population growth and monetary inflation.
As we enter the Blackhat-Defcon hacker conference season when infosec vendors will be pimping their wares so strongly, we'll be bombarded with yet another round of reasons to be fearful. Might I suggest that the infosec industry, relying as it does on trust, follow McAfee's example and start to deliver even this barely-acceptable start or a beginning at honesty.
And learn arithmetic.