FBI Says Computer Crime Costs Billions Every Year
JamesAlfaro wrote to mention a C|Net article putting a price tag on computer crime. From the article: "The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent."
This article doesn't even mention the Computer Security Institute (CSI), the organization which conducts and publishes these surveys. The FBI allows them the use of crime databases and is just presented with the end result. On top of that, they present you with one graph and label it as referenced from the "Computer Crime Survey" when, in fact, this survey also had to do with security and is entitled the 2005 Computer Crime and Security Survey. I believe you'll find a wealth of information in that PDF, as it contains many graphs that break down respondents of crimes, average security expenditures, types of attacks, etc. If you're interested in what constitutes a "computer crime," check out the policy and sample cases (some amusing), as we all know that what is and isn't illegal with computers can get very fuzzy very fast.
I think this is a case of CSI running a survey and doing a damn fine job on the support, but the media (and Slashdot) feel that the FBI is better news than CSI.
My work here is dung.
At the company I used to work at (Small to Med Cap Engineering firm), I got a copy of this letter asking me (as the head IT guy, we didn't have a CIO) to fill out the online form.
I filled it out, and really I used numbers off the top of my head. We really never had actual security breaches by hackers, but they were asking for an aggregate of security incidents and measures. I included budgetary expenditures for preventative as well as reactionary security.
I've filled out surveys like this for Gartner and others, and I have to say, while the overall methodology followed norms, I really did not get a sense that they had much of a clue as to what the IT industry would classify as loss related to computer crime. Under their model, as I understood it, if you had to buy anti-virus software, that was a business loss due to cybercrime!
Evaluating the amount of losses due to a security breach where information might have been stolen (when the perpetrator was found, but no evidence of stolen data was found) was initially in vogue during the big "Hacker Crackdown". In some cases evidence of stolen credit card numbers was found, and in that case, evaluating the losses is again an elusive task depending on how these numbers were used. The RIAA and MPAA crack down on uploaders, assuming they have the capability to assist an infinite number of downloaders, and therefore evaluate the losses at some skyrocketing, unearthly sum. There have already been debates about a ceiling for such losses, particularly when a P2P crackdown is on. Recently there was someone who used an anonymous remailer to create a bomb scare in the Indian parliament. Anonymous remailers are possible due to the very RFC that allows email, and usually can't be traced back (not that easily, unless the perpetrator was careless enough to have used unencrypted remailers). Obviously there is no easy "damage evaluation" except the cost of the bomb squad deployment and the cost of the halt of parliamentary business (this happens not just due to bomb scares, too). But the perpetrator will be prosecuted under an "Anti-Terror" law, and therefore in all likelihood won't just be fined. I see the following in tandem
The second being dependent on the first. So FBI, CIA, or name the agency, name the country, a proper crackdown is going to be very difficult until definitions and procedures are established. Trouble is, red tape or Ph.D.: hire either group and you will have to wait for these procedures and definitions to come in. Until then, law firms will define things in whatever way they choose, the same way they handle other criminal investigations. SPAM perpetrators: should they be fined for the volume of network traffic they generated (and therefore choked others, infringing on others' rights), which can be mathematically calculated should you recover intact evidence? I believe anti-SPAM laws in some countries are slowly coming into play, and they do have a proper definition and a procedure for evaluating losses and the severity of the crime. These numbers are hardly indicative of malicious activity or of any potential threat. Warranted products (like Microsoft Windows) having known/unknown security holes in them that create problems for consumers should obviously be dealt with using consumer-friendly laws where the company is unable to provide timely solutions. This is a hornet's nest, and one has to clearly separate a lot of variables before attempting to define crimes, severity, liability and all responsible entities.
No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
If the computer crime causes an estimated loss of potential business, there is a lost opportunity to the company. Opportunity losses, although real, are not recorded on the books of the company; only actual losses are. The costs to repair the damage from the crime would be expenses that the company would book.