The U.S. Department of Justice yesterday released the results of a cybercrime survey in which they polled nearly 8,000 businesses about their experience with cybercrime. Not surprisingly, they found that 67% of their respondents had detected at least one cyberattack in 2005 (the period studied). In addition, more than 90% of respondents that had detected an attack acknowledged financial loss as a result. When it came to the specific threats posed by outright cybertheft, only about 10% of respondents claim to have been victimized. What's truly disturbing, however, is that only half of those victimized reported the theft to law enforcement.
Three Thoughts That Struck Me
-If enterprises aren't going to adopt the same reporting standards for cybertheft that they'd have if a thief broke in and raided the company safe, we're never going to win this war. For the ethically challenged, if there's only a 50/50 chance of a crime even being reported, let alone prosecuted, there's little incentive to pursue an honest line of work. It's going to take relentless collaboration between the public and private sectors if we're ever going to reduce the amount of cybercrime.
-I actually think these numbers are skewed low for two reasons. First, I'm betting that the 33% of businesses that did not detect any criminal activity are simply not paying attention. Our friend Richard Clarke, former White House Counter-terrorism advisor, likes to tell the story about the day he ordered the Pentagon to install an intrusion detection system on its network. A few weeks later one of the generals called to request permission to remove the IDS because, "since we installed this system, we seem to be under constant attack." I suspect there's something similar going on in these survey results.
-I realize these surveys are a huge undertaking and this one is particularly thorough, BUT I'm having a hard time understanding why in this era of automated survey tools and laptops with the computing power of a 1980s supercomputer we're only now getting a snapshot of what was going on in 2005. You wouldn't make a strategic business decision based on data that old and we shouldn't be trying to formulate cybercrime policy based on data that is of more interest to historians than policy makers.