Cyber Insecurity: Black Swan or Headline?
The Iron Triangle
President Dwight D. Eisenhower coined the term “military industrial complex” in his farewell address to Congress on January 17, 1961. The phrase stuck and is now used to describe an ironclad triangle binding together private-sector companies, the military, and government appropriations for the purpose of promoting defense spending. According to Wikipedia, the triangle contains “…relationships includ[ing] political contributions, political approval for military spending, lobbying to support bureaucracies, and oversight of the industry.”
The military industrial complex grew during the Cold War, but slowed after the fall of the former Soviet Union. During Eisenhower’s tenure as President, and through most of the 1950s, military spending remained above 10 percent of GDP; it dropped slightly during the Vietnam War (about 9 percent of US GDP); and then declined even further to about 5 percent through the 1970s. President Ronald Reagan ramped it back up to 6 percent until the fall of the Soviet Union. By 2000, it had settled down to 3 percent and has since inched up slightly to its current level of 5.5 percent – a far cry from its 9-10 percent level during the “glory days” of the Cold War.
But a new requirement may be emerging to replace tanks, warships, missiles, and airplanes as the next growth area for the complex: cyber insecurity. Cyber insecurity is the term I use to describe real and imagined security gaps in the global information and communication network infrastructure. It is the opposite of cyber security.
Suddenly, vast sums of money are pouring into cyber insecurity because of perceived increases in cyber threats, growing vulnerabilities created by connecting everything to the TCP/IP monoculture (mobile devices and cloud computing), flawed software, and lack of adequate precautions on the part of government agencies, infrastructure companies, and the public.
It seems governments and companies are rushing to the Internet because it improves efficiency and reduces costs. But this rush also opens up new vulnerabilities. According to eWeek, government spending to combat cyber insecurity was forecast “to reach $60 billion in 2011 and is forecast to grow 10 percent every year during the next three to five years.”
Financial institutions spent $17 billion on cyber insecurity in 2012. AT&T estimates spending to reach $40 billion annually, and “Frank Kendall, defense undersecretary for acquisition, technology and logistics, says there is still ‘a lot of money’ to be made in the defense business, despite mounting budget pressures… in cyber security.”
President Obama is seeking $500 million for research into cyber security with emphasis on industrial control systems that control water, power, and transportation systems. Gartner Corp, a market research company, claims total spending on cyber insecurity will reach $86 billion by 2016.
On the surface it would seem that cyber insecurity is emerging as the next big opportunity for the military industrial complex. There is money to be made by extending the military industrial complex to embrace the cyber security industrial complex. With billions of dollars pouring into research and development, how can the iron triangle resist?
The Check, Please
A 2012 survey of 56 corporate and governmental organizations conducted by the Ponemon Institute found that cyber attacks cost an average of $8.9 million per organization in the US, $5.9 million in Germany, $5.1 million in Japan, $3.2 million in the UK, and $3.2 million in Australia. Most attacks were perpetrated by malicious insiders or through network exploits such as denial of service attacks.
Compare this with exploits committed against consumers, such as phishing ($687 million, globally, according to RSA Inc.) and online fraud (1% of retail sales or $3.4 billion, globally). There are many problems with estimates of cyber insecurity costs, so readers should be skeptical of these estimates.
The Ponemon study raises questions regarding methodology: how were these costs calculated? Generally, costs are associated with loss of productivity — business disruption, information loss or theft, revenue loss, equipment damages, and the cost of detection, investigation, containment, recovery and measures to fend off future attacks.
Contrast these numbers with $4.5 billion in car theft annually in the USA, and 275,000 accidental deaths of patients in hospitals annually. [Barbara Starfield, Journal of the American Medical Association (JAMA), Vol. 284, No. 4 (July 26, 2000), reports that medical errors may be the third leading cause of death in the United States: 225,000 deaths per year from unnecessary surgery; medication and other errors; and infections in hospitals.]
So far, nobody has died from a cyber attack.
Cyber crime, loss of intellectual property due to cyber exploits, and damages done to banks, consumers, and retail web sites may be on the rise, but the consequences barely compare with traditional crime. In 1999, David Anderson estimated the total cost of crime in the US to exceed $1 trillion – a number several orders of magnitude greater than the most pessimistic scholarly estimates of cyber crime.
So we face two questions: how were estimates of cyber insecurity derived, and how do they compare with other threat statistics?
The Wrong Questions
The superficial numbers cited above suggest that cyber insecurity is a relatively minor problem as compared with more mundane problems such as car accidents, medical accidents, natural disasters, and plain ordinary crime. In addition, cyber insecurity statistics based on surveys are highly unreliable and often misleading.
Julie Ryan and Theresa Jefferson, scientists at George Washington University, conclude in their paper “The Use, Misuse, and Abuse of Statistics in Information Security Research”: “In the information security arena, there is no reliable data upon which to base decisions. Unfortunately, there is unreliable data that is masquerading as reliable data. The people using that data appear not to question the reliability of the data, but simply quote it with no caveats or constraints. This is of great concern because it may mean that resources are being allocated inappropriately or ineffectively.”
Are these unsubstantiated claims merely a continuation of the 50-year-old military industrial complex iron triangle? Claims of an impending “cyber Pearl Harbor” are very conducive to increasing government spending. After 9/11, the perception of an impending black swan event has shifted from a remotely possible random occurrence to an almost inevitable high-impact event, without the benefit of solid research.
Instead of hyping a poorly understood potential threat to stimulate government spending, perhaps we should be asking a different question: “What policies and strategies are there to prevent both imagined and real cyber insecurities?”
In other words, cyber security should be about policies instead of headlines.
——————
Ted Lewis is Professor of Computer Science and National Security Affairs at the Naval Postgraduate School. He is the director of the NPS Center for Homeland Defense and Security. His most recent book is Bak’s Sand Pile: Strategies for a Catastrophic World.