Sunday, April 15, 2012

The Cybercrime Wave that the Op-Ed Authors Didn't Address

Today’s NYT published an Op-Ed by Microsoft researcher Cormac Herley and Dinei Florêncio that informed us that reports of cybercrime have been greatly exaggerated. Their article suffers from two major flaws. First, they never define cybercrime. Second, their premise is both naïve and irrelevant.

Take a look at the article. Cybercrime isn’t defined. The authors apparently assume we know what they’re talking about. No, we don’t. Is cybercrime Internet facilitated crime that results in financial loss? Is it any activity defined by law as a crime facilitated by the Internet? What, exactly, are they talking about?

By every account, 2011 saw more data breaches than ever before. The first quarter of 2012 is on track to break that record. Online trafficking in child abuse images and infringement of intellectual property are not subsiding as more people enter the Internet community. They increase. We lack the ability to measure the rate at which these activities occur.

Their premise is that cybercriminals don’t make a lot of money from their crimes. Individual losses are small. But the thesis isn’t why we’re all concerned about cybercrime, is it? The loss in terms of dollars actually stolen is not what matters. What is important is the cost of mitigation, and that cost is very large.
Anyone who has suffered a virus infection on their home PC knows that the downtime required to wipe a hard drive and reinstall the operating system is significant. Many people don’t bother. They buy a new computer. Identity theft on the smallest scale requires a great deal of time to contact credit agencies, banks and creditors, get new cards issued, and check credit reports.

Businesses spend a lot of money guarding against cybercrime because the threat of data breach is great. Data breaches require assembly of a team of experts, response and mitigation. Cleanup following a breach can be costly, requiring identification of account holders whose information may have been compromised. The cost to reputation and goodwill for businesses charged with protecting client data when they fail to protect it is incalculable.
When government databases are breached and private data exposed, the direct individual cost may be small. However, it is irrelevant, isn’t it? Who can place a value on your social security number combined with your name, birthdate and address? It isn’t the small financial gain per person per incident, if that was what the authors of the op-ed article were talking about.

The important consequence of data breaches, at least, is the exposure of private personal data that makes people vulnerable to financial and personal attack. Do not negate the inherent value of privacy. Many countries protect personal privacy as something that is as valuable as property. It has value, and the authors completely ignore the host of violent crimes and other crimes against persons facilitated by the Internet. Most prominent among those crimes is the trafficking in child abuse images. We certainly have not seen any abatement in the flow of child pornography on the web, nor have we seen a drop in the rate of arrests or prosecutions for the crimes.

Thankfully, we have seen a reduction in online auction fraud due to improvements in security and practices at the major auction sites. We have seen a drastic reduction in the number of minors lured by predators as well. Today, it is fairly safe to say that the only 13-year-olds who are in chat rooms being enticed into sexual relationships are more than likely police officers.

One is left to wonder what the authors were really saying, then. What's the motivation? Being a skeptic, I look to who wrote the article and what they didn't talk about. I also look at what has been going on lately. One of the authors works at Microsoft. They didn't define 'cybercrime.' They focused on the costs to individual victims of small events like identity theft and didn't calculate the remediation costs. In the past eighteen months there have been unparalleled hacks of government networks and major corporations. My conclusion is that the article is an attempt to salve our legitimate concerns about a very real threat.
