The true cost of cybercrime
From a cybercrime perspective, the opportunities are boundless: Seemingly everything has a computer in it, cars and pacemakers included. It’s almost certain that the sophistication of exploits and attacks will increase, and that new exploit modes will surface with the ongoing computing and mobility revolution.
You might think it is a safe bet that the cost of cybercrime will grow year-over-year. When the Ponemon Institute predicted in 2012 that the cost of cybercrime would decline, we were surprised – after all, every indicator pointed toward the opposite. Then just recently, Ponemon released their 2013 “Cost of Cybercrime Study,” which shows that they now project that the cost trends are indeed increasing: up 26% in 2013 from the reported 2012 figures.
Certainly the landscape of cybercrime is broad, and as expected cybercrime has become much more sophisticated. Techniques you might only consider in the realm of espionage have become part of the tradecraft of cybercrime. Over the past few decades as the world economy globalized, so too has cybercrime.
In a June 2013 report by the Council on Foreign Relations, the annual cost of cybercrime to the global economy is estimated to be between $114 billion and $1 trillion. These figures cover everything from cyber-attacks to identity theft and hacking. These costs cover actual damages, loss of intellectual property and the immense cost of resetting and sterilizing every component in a compromised network.
There is so much motivation to exploit and profit from cybercrime that it’s hard to imagine what Ponemon was thinking in 2012. Actually, they told us what they were thinking: The studies they released were built using different methodologies. In the 2011 estimates, Ponemon put value on a set of cost factors (notifications) that dropped in 2011. The 2012 model focused on data theft and cybercrime.
The first problem is that these are different models and the reports can’t easily be compared. Secondly, as before in their 2011 projections, Ponemon believes that the adoption of various cyber-defenses would reduce the consequences and costs of cybercrime, and that these are maturing and their use will pay off. But I think they are missing the point completely.
As questions go, the elephant in the room is: Why can’t we protect ourselves more effectively against cybercrime? The answer has a lot to do with the nature of the technologies and practices that underlie IT systems and networks. The hallmark of commodity IT is that it is cheap. Complicating matters, most IT solutions appear to be cobbled together with more regard to delivering functionality and access than to doing so reliably and securely. By our actions, we seem to value access more than we value the information itself.
In my estimation, regardless of what cyber-defenses we add to the mix, we are complicating cyber-security because of how we build the core IT systems themselves. In our core IT systems we are building for success-only rather than anticipating the kinds of activities we need to engage in when systems or networks are breached. This is “happy-path” architecture, not defensive or prudent architecture.
Contrast this with such real-world analogies as building construction practices where building and electrical codes are the result of assessing prior disasters for what we need to do differently in the future. When enough electrical fires are caused by similar wiring practices, the electrical codes change to “design it out” for future electrical work. This is hardly what we do with IT. When there are breaches, we generally do not learn any lasting lessons from them other than within the small teams that undo the fiasco.
So, other than building better IT systems, what can we really do to reduce the cost of cybercrime? We can value the information by protecting it throughout its life-cycle. I am not advocating that whole disk encryption or encrypted pipes are enough; just the opposite. I am advocating that if you value a piece of data (a sensitive file or record), then you should be using technology that allows you to control who can do what with it and under what conditions they will be allowed to do so.
This isn’t simply encryption; it is encryption combined with what we variously describe as Information Rights Management or Digital Rights Management. Doing so entails a mind shift toward data governance and IT maturity and a shift away from “wishing for the best.” There are various real-world solutions in this space, and they are getting real traction as we share more in a mobile and cloud-friendly IT world. If every copy of a piece of data has equal protection, and if the originator of such data can control access regardless of where the data is, only then do you “own your data.”
As potential victims, we present very different opportunities to attackers, and our defenses and awareness of the risks are all over the map. Everyone seemingly knows that they are at risk, but the evidence suggests that few of us take the kind of cyber measures which would reflect that we understand that we must protect not only our IT networks and systems but also the information itself.
As data moves further from the center of the organization and business is increasingly conducted over untrusted networks and devices, it seems logical and rational to expect the cost of cybercrime to rise. Therefore, it should be no surprise that the costs of cybercrime exceeded the projections made by the 2012 Ponemon Study and continued on an upward path.