Cybercrime costs the world hundreds of billions of dollars a year, according to a leading cyber security firm. But it depends on what you call cybercrime.
So, you're a successful cyber security company, and you're keen to maximise revenue from the sale of your online safety products. What do you do? If you're Symantec, the company behind the Norton anti-virus software, you produce a spiffy-looking "report" about the cost of cybercrime with the biggest, most dramatic numbers possible, release it with a nice webpage that allows journalists from every country mentioned to examine a country-specific report, and let it rip.
That's what the company did last week, and the media did the rest, at least in Australia.
"Cybercrime soaring and set to get even bigger"
, declared News.com.au's Technology section. "Cybercrime hits Aussies for $4.6b a year
– more than burglary, assault combined" said Fairfax's online edition, using information provided by a Symantec interviewee. "Cybercrime costs $US114bn a year: report"
was the AAP copy. The ABC had a story on the report as well, but at least sought some independent verification, talking to a local cybersecurity figure
One local report expressed scepticism
, but it was sourced from the US.
More on the claims of the report in a second but it's worthwhile checking out how clever the Symantec report is
. It's rich, dense even, with interesting factoids designed to appeal to journalists. Did you know, for example, at least according to the report, there are twice as many victims of cybercrime every day as there are newborn babies? No? How very interesting. Completely meaningless, but so very interesting. Did you know the cost of cybercrime was way over the global cost of the trade in cocaine, marijuana and heroin combined, and almost as much as the entire global trade in all drugs? No? There you go. And the cost of cybercrime is more than 100 -- yes, 100! -- times the annual budget of UNICEF. The report is littered with non sequitur
facts like those
It isn't just factoids on the cost. Symantec includes an explainer on who is more at risk (apparently the more people use the internet, the more likely they are to be victims of cybercrime -- whodathunkit?), how people feel
about cybercrime, and why they don't take steps to protect themselves. You can't accuse it of not being efficient: there's much recycling of material from a report
the company produced a year ago that didn't get anywhere near as much coverage, on emotional reactions to cybercrime, including such shocking findings as the fact that 58% of people who are victims of cybercrime feel "angry". That report included input from Dr Joseph LaBrie "associate professor of psychology at Loyola Marymount University", and the good doc got a run this time as well, including in the accompanying press release.
This is the same high quality of scaremongering that prompted the company to run a "ThreatCon" graphical warning on its websites, showing the global cybersecurity threat level.
So how, exactly, has Symantec produced its startling figures? Well, some credit is due -- they provide a methodology at the back to explain the derivation of their numbers, which is what too few of these sorts of reports ever feature. But the methodology lacks quite a bit of detail, particularly around the claims about the cost of cybercrime totalling $US114 billion in financial costs and $US274 billion in lost time (notably, AAP didn't include the $274 billion figure in its report). And what exactly is
cybercrime? Right at the back is a list of the experiences counting as cybercrime, including "computer viruses or malware appeared on my computer," "I responded to a phishing message thinking it was a legitimate request," "online harassment and "I experienced identity theft".
Leaving aside the rather ill-defined nature of "online harassment" -- some News Ltd bloggers, for example, seem to regard criticism of any kind as a form of harassment -- the biggest form of "cybercrime" according to Symantec is getting a virus or malware -- that's what drives the huge figures Symantec has thrown around, with 54% (only 54%?) of people reporting malware. The next biggest forms of cybercrime are online scams, at 11%, and phishing, at 10%. The mere act of getting a virus, whether or not it did anything untoward, counts for Symantec's purposes, and enables it to make such improbable claims about the massive cost of cybercrime.
And what's ironic is that the cost of dealing with malware which drives Symantec's $274 billion figure is of course the value of time spent installing products such as Norton, and keeping it updated -- something the report encourages. "Good online security is like having a professional bodyguard," says Dr LaBrie, who as an academic psychologist seems very well-versed on computer security. "Discreetly in the background, but there to spot all signs of danger and ready to step in to protect you against the attacks you expect and those you were never aware of."
You know, like Norton.
So far, so boring. I'm hardly telling you anything you don't already know in pointing out that Symantec's report is designed to inflate fears that form the core of its business model. It's what else is crammed into the report that makes it slightly more sinister. One of the supporting features of the report is its warning that cyber security is incompatible with online anonymity. Many victims of cybercrime "think you have the right to say or do anything online and not have it used negatively against you", the report finds. But it's not true. The report warns about "internet liars", in which it includes people who refuse to use their real identity online. "The 2011 survey registered a 5% rise in the number of online liars," it says. "The bad news for liars is that they are more likely to be a victim of cybercrime."
Putting aside the leap in logic here -- perhaps "liars" use the internet more and therefore are mathematically certain to have greater exposure to cyber crime -- Symantec's message is clear: online anonymity is bad and will get you into trouble. The 2010 report also scolded people for thinking that filesharing might be "legal". "Shaky ethics and questionable behaviour" declared the report -- and as with online anonymity, warned that "cyber criminals" were using filesharing to distribute "threats".
Like Google and Facebook, Symantec is keen to see an end to online anonymity in order to monetise personal information. It has long seen big dollars in offering identity protection
the Obama Administration's controversial "Trusted Identities"
strategy. There's some irony in that, because Symantec currently also makes money from online anonymity, by offering anonymised surfing as part of its Norton package. But then that's consistent with the sort of online world to which governments and companies want us to move, where there's no online anonymity except for governments and companies themselves, and people who can afford to protect themselves.