The battle for cybermetrics
27 Aug 2013|

This July the Australian Crime Commission (ACC) released the Organised Crime in Australia – 2013 Report, an unclassified version of the Organised Crime Threat Assessment. Pointing at globalisation and technology as key enablers for the nefarious work of organised crime, the report gave cybercrime its rightful due. However, despite the trending appreciation Canberra has afforded to cybersecurity and cybercrimes, the larger public and business community hasn’t been similarly mobilised.

Labelling cybercrime a ‘significant’ threat to Australia, the report looks to the 2012 Norton Cybercrime Report pegging the global cost for cybercrime at US$110 billion annually and US$1.7 billion per year for Australia alone. With the Pomenon Institute estimating an US$2.16 million average cost per major cyber intrusion, it’s shocking that the public and business community isn’t up in arms.

With the Department of Defence suggesting that relatively simple measures like application white listing, patch applications, patching operating systems, and minimising the number of users with domain or local administrator privileges alone could mitigate up to 85% of cyber intrusions, one could easily question why such large reported costs haven’t spurred universal adoption of even the most basic security measures.

No doubt there are a number of factors at play, but the metrics themselves might explain some of the apparent disconnect. The US$1.7 billion cited by the ACC report, a number that’s slightly less daunting when considered as 0.11% of the estimated US$1.54 trillion Australian economy, is nearly as intangible as many of the cybercrimes themselves. Simply put, the cost evaluation of cybercrimes on an individual and business level, as well as on a national and global economic level, is an inexact and underdeveloped art.

Cybercrimes usually lack the tangibility of shoplifting; the pilfering of intellectual property can take years to materialize (if ever) and often go undetected, and a computer can be commandeered by hackers with little noticeable impact to the users themselves. With such intangibility to the crime, reliable metrics are an absolute necessity, not only for the study of cybersecurity but also to help individuals and businesses to recognise and respond to the threat appropriately.

The Economic Impact of Cybercrime and Cyber Espionage report, a production of the Center for Strategic and International Studies (CSIS) in partnership with McAfee, is the latest foray into the noble but thankless battle for metrics. This first instalment, an interim report, is designed as an introduction to the campaign and is successful in expressing to the reader the absolute enormity of the task at hand.

With the simple question of ‘how do I actually know it is as bad as we say it is’, the co-authors, James A. Lewis and former Assistant Secretary for Policy, US Department of Homeland Security Stewart A. Baker, break down malicious cyber activity into six distinct but interconnected areas. Examined from a whole-of-society perspective, the ‘component parts’ are organised into (1) the loss of intellectual property and business confidential information, (2) direct financial loss, (3) the loss of sensitive business information, (4) opportunity costs, (5) additional costs of security, insurance, and recovery, and (6) reputation damage.

As an interim report, the study naturally reveals little in regards to final metrics and conclusions, but it does present a unique approach to the challenge of quantifying the economic impact of cybercrimes. Applying traditional economic modelling, the CSIS methodology utilises ‘net’ loss calculations and market values to bound and help quantify somewhat more subjective costs, such as those involving intellectual property, opportunity costs, and reputation.

Examined in the context of national economic and trade policy, one of the most novel areas of inquiry comes from the choice to include the politically hefty and often controversial metric of job losses. The use of the analogies of car crashes, piracy, pilferage and crime and drugs to determine ‘rough bounds’ and ‘tolerated costs’ of cybercrime is equally compelling. However, there’s a very real and, to be fair, recognised danger in the over-extrapolation of these analogies, the generalised comparative application of international data, and the utilisation of the US Commerce Department’s export-to-job figures. How the delicate balance between the pursuit of real data and forced data creation is achieved will have to play out in the final report.

In the grand scheme of things, these challenges resemble those in any standard economic study. The value in this report is in the development of a dependable and standardised methodology that brings a more defined framework to the study of cybercrime metrics. While an assessment of this methodology’s success will have to wait until a final report’s published, there’s real potential to bring the field away from an over-reliance on inaccurate surveying. The ability to translate this data into real change in policy, business practices, and individual cyber activities however, is a whole other challenge, if not a responsibility, for the cyber community to tackle.

Klee Aiken will be joining ASPI as an analyst in the International Cyber Policy Centre.