Slashdot Mirror


FBI Says Computer Crime Costs Billions Every Year

JamesAlfaro wrote to mention a C|Net article putting a price tag on computer crime. From the article: "The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent."

26 of 142 comments

  1. Questions? by Anonymous Coward · · Score: 4, Insightful

    Who responded to this survey? The accountants? The lawyers? The CFO? The CIO? I'm not saying that computer crime doesn't cost a whole lot of money. I'm just wary of reports like this, especially when the total is arrived at via simple straight-line extrapolation from their 1300 respondents. This is simply a report designed to paint a bad picture so that they can secure extra funding for things like "online surveillance."

    1. Re:Questions? by Anonymous Coward · · Score: 5, Informative

      At the company I used to work at (Small to Med Cap Engineering firm), I got a copy of this letter asking me (as the head IT guy, we didn't have a CIO) to fill out the online form.

      I filled it out, and really I used numbers off the top of my head. We really never had actual security breaches by hackers, but they were asking for an aggregate of security incidents and measures. I included budgetary expenditures for preventative as well as reactionary security.

      I've filled out surveys like this for Gartner and others and I have to say, while the overall methodology followed norms, I really did not get a sense that they had much of a clue as to what the IT industry would classify as loss related to computer crime. Under their model, as I understood it - if you had to buy anti-virus software, that was a business loss due to cybercrime!

    2. Re:Questions? by gEvil+(beta) · · Score: 2, Funny

      Under their model, as I understood it - if you had to buy anti-virus software, that was a business loss due to cybercrime!

      In that case you'd better include the costs of Windows and Office in there, too. : p

      --
      This guy's the limit!
    3. Re:Questions? by samkass · · Score: 4, Insightful

      I think Mitnick made the point that he was accused of causing many millions of dollars in damages, but these (public) companies did not list such a charge on their quarterly reports. In fact, I have yet to see hacker damage appear on any quarterly report, including the more recent ones under the stricter Sarbanes-Oxley rules. So what's happening? Is this being overblown, or are companies mis-representing the damage to shareholders?

      --
      E pluribus unum
    4. Re:Questions? by kalbzayn · · Score: 2, Funny

      Don't worry. The data is good. The respondents were all members of the RIAA.

  2. The Real Data and CSI Links by eldavojohn · · Score: 5, Informative

    This article doesn't even mention the Computer Security Institute (CSI), the organization which conducts and publishes these surveys. The FBI allows them use of crime databases and is just presented the end result. On top of that, they present you with one graph and label it as referenced from the "Computer Crime Survey" when, in fact, this survey also had to do with security and is entitled 2005 Computer Crime and Security Survey. I believe you'll find a wealth of information in that PDF as it contains many graphs that break down respondents of crimes, average security expenditures, types of attacks, etc. If you're interested in what constitutes a "computer crime," check out the policy and sample cases (some amusing) as we all know that what is and isn't illegal with computers can get very fuzzy very fast.

    I think this is a case of CSI running a survey and doing a damn fine job on the support but the media (and Slashdot) feel that FBI is better news than CSI.

    --
    My work here is dung.
  3. Which areas need improvement by JonN · · Score: 2, Insightful
    Alright, so there is a lot of crime in computers, even my young sister knows of all the viruses and what not floating around the internet. However, is the U.S. and businesses in general responding in the proper way? Responding to worms, viruses and Trojan horses was most costly... Respondents spent nearly $12 million to deal with virus-type incidents. I think the issue is seen here, with the question of how these viruses and other spyware made it onto the business networks.

    Perhaps the problem is that companies aren't putting enough money into their security and not enforcing strict enough protocol among their staff. How many viruses felt by businesses do you assume were caused by a stupid employee? This could take the form of lazy tech staff, or even the assistant downloading something to pass the time. Then there is also the fact that a lot of smaller businesses I have experience with do not have an employee that can properly set up and maintain the business's networks and desktops. How much money are these companies spending on techie staff to remove stuff that otherwise could be done by any teenager who has experience with computers?

    The number is huge, however the issue behind it I feel is being avoided and unseen. Businesses need a better method of using computers, perhaps a more business friendly OS. From the article, "Some are very small businesses that should have that technology, but they don't," and this is the problem. We won't be able to stop people from trying to bring down software and networks, however businesses can become more competent on how to prevent and protect.

    --
    do.what.promptcmds
  4. Some Guy says computer crime creates jobs by dada21 · · Score: 5, Insightful

    I believe the FBI is correct, but I also believe that one should lock the door to their houses, offer potential robbers the thought that the family might be armed, get a decent alarm and security company and insure their belongings for the maximum amount.

    My IT business makes about 40% of its income dealing with security issues. We have to turn new business away usually, as most new customers that we go visit are so insecure it isn't even funny. With insecurity comes more than just data theft but spyware and viruses and the rest, as we all know. It amazes me how many companies leave their homes unlocked, the lights on, the alarm off, and a big sign on the front steps saying "Come and get it!"

    The solution to computer crime isn't using the FBI -- I'd like to turn their offices off and throw out the key. The solution to computer crime is:

    1. Developing a good infrastructure and upgrade cycle
    2. Commit to teaching users proper ways to set up their data and desktops
    3. Purchasing security software and services from companies that do the best job finding the holes and plugging them.

    Is the law useful? Not one bit. Most companies aren't going to bother suing civilly for damages, and no one wants to bother calling the cops. The chalk line around your stolen data isn't very useful. Get a good consultant, pay them well, and make them back it up with guarantees. Problem solved.

    1. Re:Some Guy says computer crime creates jobs by dada21 · · Score: 2, Interesting

      Our promise to our customers is to fix it and it won't happen again.

      If it happens again, we fix it without charging them. How is that untrustworthy?

      Or, you can ask the cops to sit in front of your house and make sure you don't get robbed. I'd rather pay a private security firm to handle my security, thank you very much.

      Prevention is better than trying to get someone busted for a previous crime because you didn't take the steps necessary to protect your assets.

  5. Who knows what else the FBI says... by Anonymous Coward · · Score: 5, Insightful

    Word to the wise:

    Next time someone says "XXX Trend is costing us YYY dollars every year", it's probably going to be followed up with "Therefore we should spend ZZZ dollars dealing with it."

    XXX = overstated threat
    YYY = some made up figure
    ZZZ = profit

    1. Re:Who knows what else the FBI says... by TubeSteak · · Score: 2, Interesting
      Not necessarily, though since most people are ignorant about computers, you're probably right.

      There are diminishing returns when it comes to trying to solve any problem. Which is better:
      1. $67 billion lost to computer crime
      2. $100 billion spent to reduce #1
      Fight Club:
      A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
      --
      [Fuck Beta]
      o0t!
  6. Maybe? by SilverspurG · · Score: 3, Insightful

    Now that even the FBI can put a quantifiable sum of money on this may we please begin dismembering the EULA which makes this such an enormous problem?

    "We'll just create this broken product... and let everyone else deal with the billions of lost dollars which it causes."

    --
    fast as fast can be. you'll never catch me.
  7. WTF, why 64% to 20% Why not 21% or 19%? by Doug+Dante · · Score: 5, Insightful
    "Often survey results can be skewed ... the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent."

    Why? Because that seemed like a good number? This inexplicable change causes me to question the validity of the whole study.

    --
    The world will not get better through technology. We must seek to be better people.
  8. And why the cops will always be behind by MikeRT · · Score: 4, Insightful

    In old school government thinking, you're not supposed to "get rich off the government" as an employee. The government would often rather spend $2B for a stealth bomber that carries nuclear bombs, but will pinch pennies on the salary of the pilot of the bomber. The reality is that it costs the taxpayers less to pay $80,000 starting out for a qualified security official, and let them retire making $200-$250K/year than it does to hire a less competent one at $45,000/year. The better qualified, better paid one will be more effective if not hampered by management and more crimes will get punished, reducing the reward for crimes of this nature, thus decreasing the amount of money that has to be spent on prison and other costs in the long run.

    Ultimately, you get what you pay for is a fundamental law of life. If you're not willing to pay well, the people that have the skills won't sign up for the job unless the economy is dying and they're desperate.

  9. security vs defects, what to fix? by DeveloperAdvantage · · Score: 2, Interesting

    I am curious how this would compare to the costs incurred due to defects in software. Back in 2002, NIST reported "Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually":

    http://www.nist.gov/public_affairs/releases/n02-10.htm

    Has anyone seen an update to this report?

    With limited resources, organizations need to choose between fixing security problems or fixing other types of defects in their software.

    --
    FREE - Java, J2EE and Ajax Audiobooks for Software Developers - www.DeveloperAdvantage.com
  10. Sarcastic question by Guppy06 · · Score: 5, Insightful

    Did they include the NSA's illegal wiretaps in that tally?

  11. Sorry, can't resist by Opportunist · · Score: 2, Funny

    Is that including rootkits and other crimes from industry or just the ordinary non-corporate (i.e. punishable) crimes?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. "Should have already spent" by gnovos · · Score: 3, Interesting

    Most, nearly all, of the "cost" of computer crime comes from running a full security audit of your systems and locking down the security procedures and controls you will use to keep it from happening again. If these companies had a competent computer security policy in the first place, they would find their "costs" much less.

    It's like a thief crashing through your dry-rot, termite-infested walls and then blaming HIM that you have to rebuild your whole house now. This money is almost always money that *should* have been spent, but wasn't in the name of cost-cutting or just general laziness.

    --
    "Your superior intellect is no match for our puny weapons!"
  13. Re:FBI questions Bill by Hymer · · Score: 2, Interesting
    • if I forget to lock the door it is my fault
    • if a thief picks my lock it is not my fault and it is theft
    • if the lock is faulty by design then it is the manufacturer's fault
    ...why is the software business not treated that way?
    Microsoft had two or three possibilities for fixing the security problems in Windows and we are still seeing security issues that are 10 years old...
    ...and the reason for almost all of these security issues can be isolated to a simple "it would cost too much to fix"...
    --
    This sig suck...
  14. Defining Computer Crime, and Evaluating Losses by betasam · · Score: 2, Informative
    Does the FBI view the theft of a computer as a "computer crime" (therefore adding that to the sum total of their figures) or activities within WANs and the Internet that are a result of criminal intention? I see no clear line drawn here. P2P downloaders/uploaders, Copyright Violators [wait, what if I published information on a webpage in my book, is that Computer crime?], Intentional Crackers/Black Hats, Organised Computer Crime Teams (possibly government funded) - all of them fall into this umbrella. Unfortunately one needs to define and segregate. Crime will be committed on all media possible wherever transaction and communication take place. Hijacking Mobile phone accounts is also considered Computer Crime as the billing system is run by some PC/Workstation. I see a clear lack of definition which needs to be worked on and narrowed down. IANAL, and therefore am unaware of laws if they do clearly define what is and what is not "Computer Crime."

    Evaluating the amount of losses due to a security break where information might have been stolen (when the perpetrator was found, but no evidence of stolen data was found) was initially in vogue during the big "Hacker Crackdown". In some cases evidence of stolen credit card numbers was found, and in that case, evaluating the losses again is an elusive task depending on how these numbers were used. The RIAA and MPIAA crack at uploaders, assuming they have the capability to assist an infinite number of downloaders, and therefore evaluate the losses at some skyrocketing unearthly sum. There have already been debates about a ceiling for such losses particularly when a P2P crackdown is on. Recently there was someone who used an anonymous remailer to create a bomb scare in the Indian parliament. Anonymous remailers are possible due to the very RFC that allows email and most usually can't be traced back (not that easily unless the perpetrator was too careless to have used unencrypted remailers.) Obviously there is no easy "damage evaluation" except the cost of the bomb squad deployment, cost of the halt of Parliamentary business (this happens not just due to bomb scares too). But the perpetrator will be prosecuted under an "Anti-Terror" law, and therefore in most likelihood won't be just fined. I see the following in tandem:
    1. Defining Computer Crime and Classifying it
    2. A procedure for accurately Evaluating possible losses on a case-by-case basis


    The second being dependent on the first. So FBI, CIA or name the agency, name the country, a proper crackdown is going to be very difficult until definitions and procedures are established. Trouble is red tape or Ph.D., hire either group and you will have to wait for these procedures and definitions to come in. Until then, law firms will define things in whatever way they choose, the same way they handle other criminal investigations. SPAM perpetrators - should they be fined for the volume of network traffic they generated (and therefore choked others, infringing on others' rights) which can be mathematically calculated should you recover intact evidence? I believe Anti-SPAM laws in some countries are slowly coming into play and they do have a proper definition and a procedure for evaluating losses and severity of the crime. These numbers are hardly indicative of malicious activity or of any potential threat. Warranted products (like Microsoft Windows) having known/unknown security holes in them that create problems for consumers should obviously be dealt with using consumer-friendly laws where the company is unable to provide timely solutions. This is a hornet's nest, and one has to clearly separate a lot of variables before attempting to define crimes, severity, liability and all responsible entities.
    --
    No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
  15. Put in perspective.. by wfberg · · Score: 2, Insightful

    It sounds like a lot, but $24,000 is substantially less than the cost of 1 IT staff. Besides, it's not mentioned how large these companies are (on average). For a 1 person operation $24,000 is a lot, for a Fortune 500 company with hundreds/thousands of employees, it isn't.

    --
    SCO employee? Check out the bounty
  16. the fish i caught by hosecoat · · Score: 2, Funny

    was thiiiiiiiiiiiiiiiiiisssssss big.

    and when they hacked our system, it cost us a trillion, billion dollars.

  17. Related Note: by valkraider · · Score: 3, Funny

    In a related note, the costs associated with train robberies are way down. And cattle rustling related costs have virtually disappeared.

    As the world changes, so does the crime.

  18. In other news: by vertinox · · Score: 2, Interesting

    Accountants enjoy new freedom of bookkeeping with "theoretical losses" of arbitrary figures they pulled off the top of their head:

    Accountant: So how much did you think we lost because of computer crime?

    IT Guy: I dunno... Our web server went down for a while and I joked that it was because some guy was hitting F5 in China.

    Accountant: Ah! Excellent... *writes something down* So how much do you think it cost us?

    IT Guy: Oh I dunno... What's the cost of me getting up out of my seat to make a phone call to the guy down in the server room to boot it... Oh, $0.35 cents?

    Accountant: Hrm... *scratches chin* No good. But if I multiply it by inflation and theoretical estimates and carry the zero. By golly! I think we've lost over $2,000,000.35 to computer crime! That's one hell of a tax break. Daddy's going to be rolling in the bonus this year!

    IT Guy: But... I... Oh never mind...

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  19. So basically by Dunbal · · Score: 2, Insightful

    Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent.

    So basically they think their method of obtaining information is flawed, they have no idea by how much, but since 64% "feels" too high they decide to create a whole new number out of the blue that was felt to be subjectively acceptable to the committee.

    Wow, who funded THAT?

    --
    Seven puppies were harmed during the making of this post.
  20. Not news by XMilkProject · · Score: 2, Insightful

    This isn't really news. It seems like the numbers are just pretty much made up. They knew that the polling was completely inaccurate, so they just decided to change the number from 64 to 20. This number has no more meaning than one made up entirely randomly.

    I'd guess that most companies are losing more money due to stolen office supplies than computer crime. I get annoyed at computer crime being treated as some magical force, as if it is somehow different from every other sort of crime.

    Politicians repeat after me: "Computers are not Magic!, Computers are not Magic!"

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...