While governments hype the cost of cybercrime, the data contradicts them — and even IT companies are pulling back on their claims.
Quick quiz: is the cost of cybercrime going up or down?
Up, you say? Up rapidly? Isn’t it one of the fastest growing crimes?
Let’s test that. In mid-June, while most of us were preoccupied with other matters, the Australian Institute of Criminology released a report on online fraud, the latest instalment of an annual series. The report was based on a survey of more than 1500 people and covered various types of online fraud to which people had been subjected, and how much it cost them.
You’re unlikely to have heard of the report — it got minimal media coverage. For one thing, it came out at the same time as the Australian Competition and Consumer Commission put out a similar, but wider, report on the cost of scams both online and off. But for those of us with an interest in cybercrime, it had some interesting data.
According to the report, the median cost of cybercrime to consumers in 2012 fell, and fell a lot. In the 2011 report, the median cost to consumers who had fallen victim to online fraud of any kind was $700. In 2012 it was $500. That’s a nearly 30% fall in the cost of cybercrime in one year.
A one-off? Well, in 2010, the median had been $1065, although the sample size that year was small. Even so, in two years the cost of cybercrime had fallen by more than half. If you go back further, to 2008, the median cost was $1500, although again that was a small sample size.
Other data backs this up. The ACCC’s report on scams, the one that got all the attention, showed that since 2011 victims of scams of scams (online and off) were reporting lower levels of losses. The ACCC explained this as crooks shifting to “high volume scams” where they seek smaller amounts of money but from more people. Either way, the ACCC insisted, the costs were merely the “tip of the iceberg”.
But the trend is clear — after years of governments and IT security corporations telling us that online fraud is one of our fastest growing crimes and inflicting massive costs on the community, the data demonstrates exactly the opposite.
Even IT security companies, once the source of the most ludicrously over the top claims about the cost of cybercrime, are backtracking. In August, McAfee, one of the biggest of them all, apologised for and walked away from the nonsensical claim it had issued in 2012 that cybercrime cost $1 trillion (yes, trillion) a year globally — a claim that was mocked the moment it was issued.
That sheer implausibility of McAfee’s original claim didn’t stop the head of the National Security Agency from invoking it to justify more money and legislative power for cyberdefence. As we now know, of course, the NSA’s General Keith B Alexander was and is presiding over a vast cybercrime operation of his own.
McAfee’s backtrack is reminiscent of what happened when Greens senator Scott Ludlam asked the then-government to justify the claims of then-PM Julia Gillard about the cost of cybercrime when she announced the establishment of the Australian Cyber Security Centre in January. Busted using a discredited figure to justify establishing what, in the end, amounted to little more than a co-ordination body, Gillard’s department blamed the Australian Federal Police.
There’s been an uncannily similar moment in the UK recently. In 2011, a company issued a cybercrime cost considered even by the IT security industry as far too high. When a Cameron government minister used the figure and was subsequently asked to explain it, Cameron’s own department admitted earlier this year they hadn’t bothered checking it.
Both Gillard’s use of a dodgy cybercrime figure and more particularly Keith Alexander’s use of the McAfee claim to bolster the case for more money and power for the NSA demonstrates the direct link between the relentless hyping of cybercrime and government agencies extending their powers and deploying them against their citizens (or “adversaries” as the NSA calls them). This is a neat trick that the mainstream media falls for all the time.
No wonder the Institute of Criminology report vanished without trace.