Unscrewing Security

About Author

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.



#LondonCyber: our very own Star Trek conference

Billions and billions... shields to maximum until it's all over


So the FCO's London Conference on Cyberspace is here - and on Twitter - and you cannot have missed yesterday's press trailers:

BBC

Cyber attacks on the UK are at "disturbing" levels, according to the director of Britain's biggest intelligence agency.

Government computers, along with defence, technology and engineering firms' designs have been targeted, Iain Lobban, the head of GCHQ, has said.

...it's all over Reuters, it's on El Reg, and it was in the Times to which nobody can link, so yesterday I had to go and buy a copy during lunch.

I really can't wait to be over-and-done with this; when politicians start talking about network security I get the same sinking feeling that I imagine NASA employees feel when unhinged Star Trek fans turn up at Cape Kennedy and demand to see the transporter beams.

The conference byline is:

The London Conference will launch a focused and inclusive dialogue to help guide the behaviour of all in cyberspace.

Re-read that; they're talking about censorship and regulation but will wrap it up as A Geneva Convention for Cyberspace - and by the time any such accord arises it will have the timeliness of:

"...if you don't attack my MySpace account, I won't nuke your GeoCities..."

The only thing we can guarantee about the web is that it will be insanely different five years hence - the first iPhone was announced less than five years ago, and five years previously there were essentially two general purpose browsers: Netscape and IE. By comparison it took the USA 18 years to ratify the first Geneva Convention.

What annoys me most is that I've written - hell, I am touring an entire presentation to debunk the dubious statistics that are thrown around in support of cybersecurity policy; so when the FCO says:

The annual cost of cyber crime to the global economy could be as much as $1 trillion.

...I believe that they are quoting US General Keith Alexander:

The cost of cybercrime to the global economy is estimated at $1 trillion, Alexander stated, and malware is being introduced at a rate of 55,000 pieces per day, or one per second. As troubling as these statistics may be, Alexander said his bigger concern is, "what's coming: a destructive element."

...and though I am not sure where he got his $1 trillion figure, General Alexander almost certainly got his "55,000 pieces per day" statistic from some McAfee marketing material, page 7:

Malware Reaches Record Numbers

Malicious code, in its seemingly infinite forms and ever expanding targets, is the largest threat that McAfee Labs combats daily. We have seen its functionality increase every year. We have seen its sophistication increase every year. We have seen the platforms it targets evolve every year with increasingly clever ways of stealing data. In 2010 McAfee Labs identified more than 20 million new pieces of malware.

Stop. We'll repeat that figure.

More than 20 million new pieces of malware appearing last year means that we identify nearly 55,000 malware threats every day. That figure is up from 2009. That figure is up from 2008. That figure is way up from 2007. Of the almost 55 million pieces of malware McAfee Labs has identified and protected against, 36 percent of it was written in 2010!

Let's dig into some of the numbers and popular classes of malware [...]

Note the exclamation marks and folksy "Stop. We'll repeat that figure" - no dry technical report for General Alexander, this. There follows a remarkably straight graph with hyperbolic analysis that "As the preceding chart clearly shows, the onslaught of malware, especially in the last three years, seems to have no end" - albeit that the graph only shows two years' worth of data and does in fact have a linear and finite scale.

Also: a popular anti-malware marketing trick is to cite unique software "signatures" as requiring different database entries, and thus count them as being distinct; due to the issue of polymorphic malware this is akin to arresting 20 rioters, taking 10 mugshots of each of them, and then reporting you've added 200 criminals' pictures to the national crime database.

It's an easy way to inflate the numbers, and I suspect that this is what is meant by the graph's byline: (my emphasis)

Total count of unique malware (including variants) in the McAfee Labs database

...so I feel confident about doubting the General's 55,000-per-day figure.

Theresa May has certainly fallen for this trick.

Around the same time that General Alexander announced his trillion-dollar figure, Symantec announced a figure of $388 billion instead - except their figure decomposes into $114 billion of actual cost, and an additional $274 billion's worth of "lost time".

$1 trillion versus $114 billion? That's a bit of a difference, even if there is any accuracy to either number.

So the Foreign and Commonwealth Office are quoting figures like these, and you should be tremendously worried about the sources and veracity of them, because the numbers are being used to frame spending. William Hague's opening restated the Government's £650 million cybersecurity fund - analysed in my blog last April - and as I was not present I can only wonder whether he finally reconciled the Government's position on the importance of cybercrime with the fact that only 9% of that budget - £59 million - was previously earmarked for fighting it.

In other conference news: Hillary Clinton is speaking, William Hague is moderating a panel with Carl Bildt (Swedish Minister for Foreign Affairs) and Jimmy Wales (Wikipedia) - and I would love to hear if Piratpartiet or PRQ get mentioned, let alone WikiLeaks.

A typo towards the bottom of the conference programme page duplicates a paragraph in "old" and "new" forms:

Improving international cooperation between governments, industry and society to tackle cyber crime. Striking a balance between protection of intellectual property and access, innovation and creation of markets. Government regulation and industry self-regulation - working together to best effect. Industry development of products and services to combat cyber crime.

Improving practical international cooperation between government, law enforcement, industry and society to tackle cyber crime. Striking a balance between protection of intellectual property and access, innovation, legislation and creation of markets. Regulation versus self-regulation and development of products and services to prevent cyber crime.

Again, my emphasis. I suspect the latter was meant to be final copy - it's slightly more polished - and if I'm right it's interesting to see the shift in tone towards "regulation versus self-regulation", rather than "regulation versus laissez-faire".

I wonder who buffed it and what was their brief?

And as regards the "disturbing" Times headline story that led the charge into Monday's media, and which could only be read by Times subscribers? It was a 2-page spread, with...

  • A front page preamble where William Hague laments that "Before the First World War a new type of battleship came out every 10 years or so, but in this [cyberarms? -ed] race, new techniques are adopted every day."

  • A main article further lamenting that credit-card details are now available from criminals for 70 pence apiece, but somehow managing to avoid a discussion of marginal cost theory.

  • A hysterically funny sidebar dramatically titled "States take first steps to taming a lawless realm" - except that the internet is not lawless, nor is it a borderless territory that states have yet to agree how to govern. It's not a place of any sort - instead it's just communication. It's people and computers, talking.

  • Yet another restatement of General Alexander's $1 trillion figure, amongst a glossary segment, and finally...

  • At the foot of this whirlwind a rather pleasant, mostly well-grounded mini-article from the Director of GCHQ, drawing the status quo of internet security, highlighting a number of potential upcoming cyber risks, some benefits and opportunities, and notable in my mind solely for its complete lack of any quotable statistics whatsoever.

Clearly the work of a clever man who understands when not to say something; but my buying the paper only to discover that which I already knew was a dead waste of a quid.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.
