In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States.
Nearly a decade later, the basic message from the White House sounds much the same, if louder and more urgent. But there is a big difference. President Obama, and the rest of the Beltway insiders, have now formally defined cyberspace as a "strategic national asset."
On the face of it, this appears to be a reasonable approach for a world that has become, in a relatively short time, totally dependent on digital resources. Unfortunately, it is an approach that provides a straight path to the militarization of the Internet and the loss of liberty that will follow. It is an approach that will elevate the most common forms of cybercrime (bank robbery, credit card theft) to the high-alert status of a cyberwar attack.
This government mindset will lead to the same abrogation of individual rights in cyberspace as the National Defense Appropriations Act of 2012 has codified in "Battlefield America."
Given the integrated nature of cyberspace, computer-induced failures of power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption. DoD operations -- both at home and abroad -- are dependent on this critical infrastructure. As military strength ultimately depends on economic vitality, sustained intellectual property losses erode both U.S. military effectiveness and national competitiveness in the global economy. Cyber hygiene must be practiced by everyone at all times; it is just as important for individuals to be focused on protecting themselves as it is to keep security software and operating systems up to date. (Department of Defense Strategy for Operating in Cyberspace, July 2011)
Many Internet experts and cybersecurity professionals have deemed 2011 "The Year of the Hack," in recognition of the unending stream of headlines related to data breaches and thefts. We believe that -- aside from any real uptick in cybercrime or cyberwarfare skirmishes -- this perception is the result of the government's determination to soften up the public to meekly accept an upcoming barrage of Internet regulation. It is a digital-age version of the tried and true fear mongering that is always employed to further empower the president and further enrich the military/industrial and Homeland Security complex. The government says it's not fear mongering, just education.
The national dialogue on cybersecurity must begin today. The government, working with industry, should explain this challenge and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action. People cannot value security without first understanding how much is at risk. Therefore, the Federal government should initiate a national public awareness and education campaign informed by previous successful campaigns. (White House Cyberspace Policy Review, 2011)
The Prominence of the Non-military Aspects of Warfare. Non-military means of warfare, such as cyber, economic, resource, psychological, and information-based forms of conflict will become more prevalent in conflicts over the next two decades. In the future, states and non-state adversaries will engage in "media warfare" to dominate the 24-hour news cycle and manipulate public opinion to advance their own agenda and gain popular support for their cause. ("Global Trends 2025," National Intelligence Council, 2008)
The Money Card
A key point being used to "educate" the public is the putative astronomical monetary loss caused by cybercrime in all its forms. There is, of course, no way to ascertain the validity of these numbers or even to figure out just what kind of losses are included in the estimates, which are generally arrived at by the large cybersecurity corporations. Some loss-figures appear to include the fall in a company's stock price that usually follows revelation of a major hack (but doesn't adjust that figure when the stock price climbs back up), as well as adding in an arbitrary sum attributable to time lost in recovery.
The largest global estimate of money lost to cybercrime currently floating around -- as totted up by McAfee, the world's largest cybersecurity company and endorsed by the White House -- is $1 trillion a year. Symantec Corp., another cybersecurity giant, calculates the annual toll of global cybercrime to be about $388 billion. For dramatic impact, Symantec notes that figure is greater than the black market in marijuana, cocaine and heroin combined. Either of those (wildly divergent) sums is impressive, but do they mean anything? Or are they just part of a government "education campaign modeled on previous successful campaigns," such as selling the public on the certainty of WMDs in Hussein's Iraq?
Far from being broadly based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.
Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings.
There has long been a shortage of hard data about information security failures, as many of the available statistics are not only poor but are collected by parties such as security vendors or law enforcement agencies that have a vested interest in under- or over-reporting. ("Sex, Lies and Cyber-crime Surveys," Microsoft Research)
The Cybersecurity-Industrial Complex
The fear, uncertainty, and doubt (FUD) surrounding cyberspace has helped turn cybersecurity into an enormously profitable business, worth between $60 and $100 billion a year, depending on who's providing the statistics. The sector is expected to grow 10 percent annually for at least the next five years. You don't have to attribute any ethical lapses in the cybersecurity industry to recognize that it, like the government, has a great interest in "educating" the public in cybersecurity awareness.
Security experts say that it is virtually impossible for any company or government agency to build a security network that hackers will be unable to penetrate. (Reuters, 27 May 2011)
"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they've been compromised and those that don't yet know." -- Dmitri Alperovitch, Vice President of Threat Research for McAfee