08.01.12
Our Cyberdefense Shoeshine Boys — and their reports
Two journalists at ProPublica blow Mr. Keith Alexander and corporate computer security firm reports on trillion dollar losses to computer crime out of the water here.
The news piece stems from the NSA chief’s recent talk at the America Enterprise Institute, critiqued here at GlobalSecurity.Org, by me.
The piece drills in on the much publicized claim that this constitutes “the greatest transfer of wealth in history” and its foundation. Or total lack of one.
The disembowelment is something to behold:
A handful of media stories, blog posts and academic studies have previously expressed skepticism about these attention-getting estimates, but this has not stopped an array of government officials and politicians from continuing to publicly cite them as authoritative. Now, an examination of their origins by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.
One of the figures Alexander attributed to Symantec — the $250 billion in annual losses from intellectual property theft — was indeed mentioned in a Symantec report, but it is not a Symantec number and its source remains a mystery.
McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. “I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large,” said Eugene Spafford, a computer science professor at Purdue.
Ross Anderson, a security engineering professor at University of Cambridge [who participated in the research] … told ProPublica that he did not know about the $1 trillion estimate before it was announced. “I would have objected at the time had I known about it,” he said. “The intellectual quality of this ($1 trillion number) is below abysmal.”
The use of these estimates comes amid increased debate about cyberattacks; warnings of a digital Pearl Harbor are becoming almost routine.
Computer scientists Dinei Florencio and Cormac Herley, who work at Microsoft Research, the software giant’s computer science lab, recently wrote a paper, “Sex, Lies and Cyber-crime Surveys,” (PDF) that sharply criticized these sorts of surveys. “Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings,” their report said. “We are not alone in this judgment. Most research teams who have looked at the survey data on cyber-crime have reached similarly negative conclusions.”
The figures from the Shoeshine Service are “scientifically worthless … but valuable from a marketing perspective,” adds another boffin.
Compromised. Biased. No faith, whatsoever. Scientifically worthless. A quality below abysmal.
The greatest transfer of wealth in history … according to the sticker on this here box of McAfee Cracker Jack.
The President’s invocation of the same questionable material, for the Wall Street Journal, dissected at GlobalSecurity.Org.
The ProPublica article briefly goes into the history of McAfee Associates. The firm’s founder, John McAfee — long gone, misled journalists and others on computer virus infections for publicity, most famously, in 1992, with the Michelangelo computer virus.
And that story is excerpted from the book, The Virus Creation Labs, here.