FBI security survey requires some reading between the lines
LIES, DAMN LIES, and statistics. Those were the first words that crossed my mind when the FBI and the Computer Security Institute released the sixth annual Computer Crime and Security Survey a couple of weeks ago. After all, there's a long tradition in the federal government of padding the numbers, whether it be inflating body counts in Vietnam or using the street price of a joint to calculate the value of a seized shipment of drugs. Although the new administration portrays itself as a foe of regulation, I expect to see these numbers used to advance the interests of what I call the law enforcement-military-industrial complex.
I understand that bureaucrats have to justify their funding and that the best way to get Congress to authorize the increase in their budget appropriation is to point to a "rising wave of crime." Of course, few columnists earn their space without being cynical, so you shouldn't be surprised that I wonder what's behind the numbers. Not that I suspect any sinister intent, mind you. I just have my own interpretations of these figures.
For example, let's take intellectual property theft, which Network World reported rose from 20 percent of last year's respondents to 26 percent this year. I have to wonder how broad the definition of intellectual property was, because only a third, 34 percent, of those reporting any loss could -- or would -- quantify the damage. Sounds to me as if the other two-thirds didn't lose much at all. Sure, the assets themselves were intangible, but people find ways to value intangibles every day. These valuations usually wind up being round numbers, but at least it's a start.
What doesn't surprise me is that the dollar amounts involved are huge. I sometimes believe that every project has at least two sets of costs: a low one that gets used to justify the project, and a more accurate one that includes everything from coffee to paper clips. And I posit the existence of a third cost dimension that tallies the price of every bad decision a company makes. I remember the case of the Bell South E911 document that federal prosecutors admitted into evidence with a value of $79,449, which turned out to be available to the public for $13 -- an excellent example of kitchen-sink cost tracking. I wonder if any of the companies that reported losses to the survey are going to be claiming those losses with the Internal Revenue Service as well.
Another number I want to deconstruct is the number of respondents reporting "outside-system penetration" -- which is what I call a break-in -- doubling from 20 percent in 1997 to 40 percent in 2001. Given the weakness of intrusion-detection methods in the mid-'90s, I suspect that this really means that twice as many people are noticing that their pockets got picked.
Law enforcement is hearing more about computer crime: 36 percent of respondents said they reported intrusions to the authorities. That is up significantly from last year, when only a quarter of the respondents reported crimes to the cops, and from 1996, when a mere 16 percent bothered to do so. I hope that the investigations went beyond reading the report and filing it, but I reckon that law enforcement finds it as difficult as any other industry to retain people with computer skills. Law enforcement is much more aware of computer crime than it was 10 years ago, but there's still a way to go.
Of course, if every security breach were a law enforcement issue, the police would have little time for other duties. Although 85 percent of the survey's respondents reported security breaches, I wonder how many of those were "technical" breaches that resulted in little loss of data or services -- maybe "leakages" is a better term for these smaller problems? After all, there's a big difference between a levee that's leaking and one that has been breached.
I'm also not surprised that 70 percent of the respondents indicated that their Internet connections were frequent points of attack. After all, once you're connected to the Internet, it's you against the world, baby. Home computers in California are regularly probed by systems scattered from Sweden to Japan, and the servers of big-name public companies are like honey jars at an ant convention. I was startled when I read that almost a third of the respondents, 31 percent, reported that their internal systems were a frequent point of attack. It just goes to show that you can trust almost everyone except the person in the next cubicle.
Before you accuse me of harshing on the Computer Security Institute and the Fibbies, I'll add that the survey does a good job of pointing out what's at stake here. With the 186 respondents who put a value on last year's losses, the total came to almost $378 million. That's an average of $2 million a pop, folks. Now that's a demonstration of the price of inadequate security if ever I saw one.
» posted by ITworld staff
InfoWorld