Wednesday, February 18, 2009

Cyber Attacks Against US Gov Rise Dramatically in 2008; Meanwhile, Total Losses for Cyber Attacks on Business Estimated @ $1 Trillion

Along with sharing insight from within the dynamic matrix that is CyLab, CyBlog will also be providing you with news and analysis on issues and trends in cyber security, privacy and mobility.

Two recent stories cry out for some comment --

The number of reported cyber attacks on US government computer networks rose by more than 40 percent last year, USA Today reported on Tuesday.
The newspaper, citing data obtained from the US Computer Emergency Readiness Team (US-CERT), said there were 5,488 tracked incidents of unauthorized access to US government computers and installations of hostile programs in 2008.
There were a combined 3,928 such incidents in 2007, USA Today said, and 2,172 in 2006. ... The newspaper also said the data obtained from US-CERT may represent only a "small sampling" of the total number of incidents because "just one percent of federal agencies have fully developed tracking systems."
Agence France-Presse, 2-17-09

Data theft and breaches from cyber crime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage last year, according to a new study from McAfee.
McAfee made the projection based on responses to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai.
The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches, McAfee said.
CNET, 1-28-09

In regard to the reported 40% rise in cyber attacks on the US government, I have two observations --

First, year by year, day by day, hour by hour, millisecond by millisecond, we are going deeper and deeper into the Information Age, and as we go deeper and deeper into the Digital Light, we are also going deeper and deeper into the Digital Dark, and just as all commerce and all culture are becoming increasingly cyber-intensive, so is all cloak and dagger.

Second, there are many dedicated and talented cyber security professionals in government, but the challenges they confront are both immense and immensely complex. Although there was considerable momentum in the late 1990s, too little progress has been made in the first decade of the 21st Century. Attending an all-day briefing in D.C. last year, I found myself hearing the theme music to the Bill Murray film, Groundhog Day, in my head. It does seem as if we are going over the same ground again and again. But hope springs eternal, and with each new administration there is another opportunity to make meaningful progress faster; to wit, the Obama-Biden administration has revealed its cyber security strategy. Click here for some background on the plan from Brian Krebs of the Washington Post (and a member of the CyLab Business Risk Forum).

In regard to McAfee's estimate of $1 trillion in losses related to cyber crime and other types of cyber security breaches, I also have two comments --

First, as one who spent most of the 1990s quantifying financial losses in the legendary FBI/CSI Computer Crime and Security Survey, I will venture a prediction that in time -- if we ever come up with a real measure -- this $1 trillion figure, like those hundreds of millions we documented in the CSI/FBI survey, will prove to be on the conservative end of the spectrum of informed guesstimates.

Second, the McAfee guesstimate takes on a poignant significance in the light of the current financial meltdown and resultant economic crisis: if almost three quarters of a trillion dollars could be reasonably expected to thwart the collapse of the US banking system, and over three quarters of a trillion dollars could be reasonably expected to significantly impact the world's single largest economy, then saying that cyber attacks on business could total $1 trillion is saying a great deal about the importance of investment in both cyber security research and cyber security implementation. It also begs the question, what is the silent, overlooked impact of such losses?

Stay tuned ...

-- Richard Power, Distinguished Fellow, Carnegie Mellon CyLab