[kictanet] Cyber-Spin: How the Internet gets framed as dangerous

alice alice at apc.org
Fri Apr 16 21:23:57 EAT 2010


Cyber-Spin: How the Internet gets framed as dangerous

by Milton Mueller on Thu 08 Apr 2010 01:31 PM EDT

http://blog.internetgovernance.org/blog/_archives/2010/4/8/4499824.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+IGPBlog+(IGP+Blog+Main)

At the beginning of this year, a set of powerhouse organizations in
cybersecurity (CSO Magazine, Deloitte, Carnegie Mellon's CERT program, and
the U.S. Secret Service) released the results of a survey of 523 business
and government executives, professionals and consultants in the ICT
management field.

The reaction generated by this survey provides an unusually clear
illustration of how cyber-security discourse has become willfully detached
from facts. There is an organized industrial and political imperative to
drill into our heads the idea that the Internet is dangerous and its
threats are spiraling out of control, and it doesn't matter what facts are
uncovered - they are all interpreted to support this preconception.

With that intro, here is the lead sentence from the January 25 2010
Carnegie-Mellon University news release about the 2010 CyberSecurity Watch
Survey:

    "Cybercrime threats posed to targeted organizations are increasing
    faster than many organizations can combat them, according to the 2010
    CyberSecurity Watch Survey..."

Stop right there. A careful review of both the survey and the responses to
it quickly reveals that that conclusion did NOT come from the survey
itself, and was not supported by its data. In fact, the claim that
cyberthreats are increasing faster than many organizations can combat them
comes from a Deloitte "review of the results" of the survey. The Deloitte
"review" is entitled (in big, bold letters) CYBERCRIME: A CLEAR AND
PRESENT DANGER and it admits it is an "interpretation," which "goes beyond
simple reporting of results."

Apparently Deloitte, one of the sponsors of the survey, was not happy with
the results:

    "Deloitte believes...that some of the findings point to significant
    incongruities between the views of many survey respondents and the
    current reality of cyber crime."

In other words, don't listen to what the people actually facing and
dealing with threats tell you, listen to the scary stuff.

So what are the relevant facts in the survey?

    The survey "uncovered a drop in victims of cybercrimes (60% vs. 66% in
    2007), however, the affected organizations have experienced
    significantly more attacks than in previous years."

    "Since 2007, when the last cybercrime survey was conducted, the
    average monetary value of losses resulting from cybercrimes declined
    by 10%."

    "More than half of the respondents (58%) believe they are more
    prepared to prevent, detect, respond to or recover from a cybercrime
    incident compared to the previous year."

Isn't this interesting? How does Deloitte get from a drop in the number of
victims and a 10% drop in losses (despite more attacks) and a general
improvement in perceived preparedness, to the conclusion that crimes are
increasing "faster than potential victims can cope with them?" It's easy
when you've got something to sell.

Where do cyber-security threats come from? Once again, there is a very
interesting gap - perhaps we should say chasm - between the Deloitte
report and the actual survey results. In Deloitte's spin, the main threat
is external, and comes from "An increasing number of criminals and
criminally minded enterprises [that] have hired, purchased, or otherwise
acquired the ability to infiltrate systems with new penetration techniques
while developing a criminal e-business network." But Deloitte doesn't stop
there. Without adducing a shred of evidence it asserts that "There is a
likely nexus between cyber crime and a variety of other threats including
terrorism, industrial espionage, and foreign intelligence services."
Shudder. Oh my God.

Now what is the data in the survey report?

The survey respondents reported that the vast majority of attacks - and the
most costly ones - come from insiders. No less than 3/4 (75%) of all
cybercrime comes from KNOWN sources. Moreover, "Insider incidents are more
costly than external breaches, according to 67% of respondents."

The Deloitte "review" of the survey results shows they are simply unable
to accept an alternate, less exciting and scary view about the sources of
risk. And so it issued a glossy, bold pamphlet/advertisement that actually
garnered more media coverage than the actual survey. And the assertions of
its tract were often conflated with those of the survey.

To be fair to Deloitte, their tract does make some wise points. They
argue, convincingly, that organizations should focus security on a
"risk-based approach" that "starts with the assumption that an
unauthorized user can gain access to the system, and then design responses
based on the value of the data that could thus be compromised."

Equally wise, the Deloitte report urges enterprises to "shift away from
building a 'great wall' against all threats, toward identifying and
addressing the most significant ones. This entails prioritizing risks on
the basis of their likelihood, impact, and potential interactions with
other risks, then allocating resources accordingly."
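The prioritisation the report describes (score each risk by likelihood and
impact, adjust for risks that amplify one another, then allocate resources in
proportion) can be made concrete with a small risk register. The following is
an added illustration, not code from the post, the survey or Deloitte's
review; every risk name, probability and loss figure in it is constructed.
It also handles the edge case the post argues about: a risk with no
likelihood estimate is reported as "needs an estimate" rather than silently
scored as zero or as a worst case.

```python
"""Added example: a minimal risk register that ranks risks by
likelihood x impact, adds an interaction term for risks that amplify
each other, and allocates a budget in proportion to the scores.
All names and numbers below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Risk:
    name: str
    likelihood: Optional[float]        # annual probability, 0..1; None = unquantified
    impact: float                      # expected loss per occurrence (currency units)
    # name of another risk -> factor by which that risk's occurrence raises this one
    interacts_with: dict = field(default_factory=dict)


def prioritize(register):
    """Return (scored, unquantified): scored is a list of (name, score)
    sorted high to low; unquantified lists risks that lack a likelihood."""
    by_name = {r.name: r for r in register}
    scored, unquantified = [], []
    for r in register:
        if r.likelihood is None:
            unquantified.append(r.name)     # cannot be ranked until estimated
            continue
        score = r.likelihood * r.impact
        # Interaction term: a related quantified risk occurring raises the
        # effective likelihood of this one by the given factor.
        for other, factor in r.interacts_with.items():
            o = by_name.get(other)
            if o is not None and o.likelihood is not None:
                score += o.likelihood * factor * r.impact
        scored.append((r.name, round(score, 2)))
    scored.sort(key=lambda t: t[1], reverse=True)
    return scored, unquantified


def allocate(scored, budget):
    """Split a budget across scored risks in proportion to their score."""
    total = sum(s for _, s in scored)
    if total == 0:
        return {n: 0.0 for n, _ in scored}
    return {n: round(budget * s / total, 2) for n, s in scored}


# Constructed sample register (hypothetical values, not survey data).
SAMPLE_REGISTER = [
    Risk("insider_misuse", 0.6, 100_000),
    Risk("external_intrusion", 0.4, 80_000),
    Risk("credential_phishing", 0.5, 30_000,
         interacts_with={"external_intrusion": 0.5}),
    Risk("state_actor_espionage", None, 500_000),   # asserted, never estimated
]


def run_sample(budget=100_000):
    scored, unquantified = prioritize(SAMPLE_REGISTER)
    return scored, unquantified, allocate(scored, budget)


if __name__ == "__main__":
    ranked, pending, plan = run_sample()
    for name, score in ranked:
        print(f"{name:22s} score={score:>10.2f} budget={plan[name]:>10.2f}")
    print("needs a likelihood estimate before it can be ranked:", pending)
```

Phishing's score includes the interaction term (0.4 x 0.5 x 30 000) on top of
its own 0.5 x 30 000, so risks that feed into each other are not scored in
isolation; the unquantified entry is surfaced separately so that it competes
for budget only once someone has put a number on it.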

But if Deloitte followed its own advice consistently, it would stop
promoting hysteria about unknown, unquantified, and as yet undemonstrated
risks "that can be imagined" (their words) from "terrorist organizations,
foreign intelligence services, and traditional organized crime entities"
and focus more directly on where the real risks are.

There may be a valid argument that the survey respondents are complacent
or ignorant about the real security risks - but Deloitte hasn't made it.
And it is hard to argue with the fact that the survey respondents know
more than Deloitte does about what incidents actually hit them and how
much money those incidents actually cost them. To posit risks and threats
that "could be imagined" sounds more like a sales job than analysis.


=======================================
APC Forum is a meeting place for the APC community - people and
institutions who are or have been involved in collaboration with APC, and
share the APC vision - a world in which all people have easy, equal and
affordable access to the creative potential of information and
communication technologies (ICTs) to improve their lives and create more
democratic and egalitarian societies.

_______________________________________________
apc.forum mailing list
apc.forum at lists.apc.org
http://lists.apc.org/cgi-bin/mailman/listinfo/apc.forum