Interview: Richard Power - How difficult is it to quantify the effects of cyber criminal activity?
Date: October 15, 2003
Source: Computer Crime Research Center
Quantifying financial losses from cyber attacks is one of our major problems. Really, you're still doing "guesstimates." Sometimes you'll see tens of thousands, and hundreds of thousands of dollars lost in an attack, and that's mostly the cost of clean-up and investigation. But the real costs are the soft costs--lost business opportunities. If you're conducting e-business and you're counting on $600,000 an hour in revenue, like Amazon, and your service is disrupted by a denial of service attack, you can start with the figure $600,000 for every hour that you're down. If you're Cisco and you're making $7 million a day online, and you're down for a day, you've lost $7 million. That's where you start. . . .
There were estimates that the "Love Bug" virus did damage in the billions and billions of dollars. That scale leaves most people saying, "That's beyond any kind of comprehension."
Right. It staggers the imagination, and there's a tendency to disbelieve that four lines of code literally cost $80 million, or $10 billion in damages. But if you think about it in terms of a 24/7 global corporation, a Fortune 500 corporation, there's a little meter inside it, ticking all the time. . . . A Fortune 50 corporation was hit by the "Melissa" virus when it came out, and their own internal tabulation was that they lost $10 million. When you ask them how they lost it, it was lost productivity, lost network operation time. All of this is factored into their budgets. They have a dollar sign attached to each minute of network time, and when you disrupt that minute of network time, you cost that much money.
And every serious corporation values their information. This trade secret is worth X amount of money. If that trade secret is compromised online, or through some kind of hacking, insider or outsider, then that much money is lost.
Why do so many of these people insist on suffering in silence, instead of making a big noise about the amount of the losses because of this kind of activity?
They're very afraid. . . . There are all kinds of reasons they want to keep it quiet. When there's blood in the water, the sharks get excited, and there are all kinds of sharks--not just hackers. There are civil liability lawyers, government regulators, stockholders, people who are looking at your company for hostile takeovers--all kinds of reasons not to draw attention to your vulnerabilities in cyberspace.
If the victims are opting to keep it quiet for their own proprietary reasons, how much will this delay the ability of society or of this new security industry to deal with the real problems out there?
They're banking on the hunch that their profits will still outweigh the losses--that they'll be able to absorb it and things will go on quietly. But I don't think that that's going to be the case. And they are thwarting the progress of a secure internet, of a secure global cyberspace, because law enforcement, globally--not only in the United States and Canada--but law enforcement in other countries has come a long way. . . . They've gotten up to speed on tracking down, arresting, trying, and convicting cyber criminals. But corporations are way behind on building their own cyber fences, and committing the resources in staffing and money needed to defend their own systems.
Law enforcement's role has never been to secure your business. Law enforcement isn't expected to put in your sprinkler system or your burglar alarm, or to make sure your doors are locked at night. Their job is to respond to your call when there's been a crime committed against you or your property. It's the fiduciary responsibility of those corporations to defend themselves and their customers and their clients against cyber attack. . . .
But there's a kind of a contrast here. On the one hand, you have the victims of cyber crime trying to say that they'll look after it. On the other hand, you see the elements of this new industry scaring the hell out of everybody, saying things like, "Osama bin Laden is going to get you, the hackers are going to get you, the sky is falling." Where does the truth lie in between this sort of self-interested silence and this self-interested racket?
Well, there's the zone of responsibility in there. It's not that easy to find, and you've articulated the problem really well, because you have a bunch of people running around saying, "The sky is falling. The sky is falling. Give us your money, and we'll keep it up for you." And then you have another group of people running around saying, "This guy's crying wolf. There's no problem here. Your credit card is safe over the internet." . . . There's been a kind of a shift in the security industry over the last few years, and you see a lot of people thinking about cashing in with their own IPOs, and their own dotcom security companies, and making a fortune off the danger to other people's fortune. . . .
Not so long ago, when you wanted to talk about security of corporations, the security of software, people like Microsoft would say, "We're not talking." Now, not only are they talking, but they're telling us that they're really doing something about it. How comforted can we be by the reassurances that we're getting from them now?
Well, that's a loaded question. Windows NT came out a few years ago. It was heralded as the secure operating system. And the hackers had a few good whacks at that tree, and fruit started falling off it right away. And now there are hundreds of vulnerabilities for NT. In fact, the hackers joke among themselves that "NT" stands for "Nice Try." So it's not that simple to slap some marketing hype on an operating system and say, "This is a secure operating system." It takes a lot more than that, and they haven't advanced internet security with their product.
But Microsoft is telling us that now they're taking it a lot more seriously, that with Windows 2000, security is a deal-breaker. Their security people say, "If we don't like the security components of Windows 2000, it ain't going out." Is it secure?
Well, ask that question six months from now, or a year from now. The tree will be given a few good shakes, and there'll be some fruit falling off it. There'll be vulnerabilities. There'll be exploits. How those vulnerabilities and exploits are dealt with is another question.
There's a debate in the security community about what kind of operating system we should have. NT/Windows 2000 is a closed system. You can't look at the source code. That means only Microsoft and whatever hackers have succeeded in stealing it know how good it is. The good guys don't know how good the code is. The good guys can't look at the code and fix it, and adjust it to their own needs. With UNIX, for instance, the other major operating system, you can look at the code, and you can see what it looks like. You can see where the vulnerabilities are, and you can have your own smart people address that. So there are fundamentally different approaches there. Most internet security experts believe you should have an open system, so that everybody sees, and everybody is on the same playing field.
Whether I'm speaking as a person with just an internet account or somebody with a business, when the cyber goblin gets me, who should I be mad at? Should I be mad at the goblin? Should I be mad at the guy who sold me the software? Should I be mad at the government for not protecting me?
You might start with yourself in terms of how badly you were gouged. If you're doing your banking online, if you're doing your stock trading online, if you're buying a house or a car online, you might want to think a little bit about how you're doing it, why you're doing it, what the consequences are, how to monitor your online identity. Leave a paper trail for yourself, leave back-ups of your activity for yourself, check things out, check your credit rating every few months to see if there's something strange on there. There's a whole range of activities that you have to now take part in, just like a homeowner has to have insurance, has to have locks and fire alarms and everything for their house. You, as a citizen of cyberspace, and somebody doing business out there has to take some responsibility for your money, and for what's happening.
Beyond that, you have to look at the merchants and the financial institutions that you're doing business with, and what responsibility they take for what is going on with your online activity, and the vendors of the software that are supposedly making it secure for you. . . .
So where does the big burden lie--on me, the user, or on the company that is selling me the tool?
Well, it's only been in the last few weeks that Visa International has issued a new set of regulations for the merchants using its credit cards online to adhere to. And if you look at this set of new regulations, they are the most fundamental things about internet security: have a firewall in place, have the latest version of software in place, use encryption for any files that are accessible from the internet. It's hard to believe that this basic level of internet security is what is being required of people now. . . . We're already tens of millions, billions of dollars into e-commerce, aren't we? This is the second or third Christmas where we're going to be talking about how much is being spent online. So there's some culpability there. There's some need for a more serious look. . . .
...