So, you’re a successful cyber security company, and you’re keen to maximise revenue from the sale of your online safety products. What do you do? If you’re Symantec, the company behind the Norton anti-virus software, you produce a spiffy-looking “report” about the cost of cybercrime with the biggest, most dramatic numbers possible, release it with a nice webpage that allows journalists from every country mentioned to examine a country-specific report, and let it rip.
That’s what the company did last week, and the media did the rest, at least in Australia.
“Cybercrime soaring and set to get even bigger”, declared News.com.au’s Technology section. “Cybercrime hits Aussies for $4.6b a year – more than burglary, assault combined” said Fairfax’s online edition, using information provided by a Symantec interviewee. “Cybercrime costs $US114bn a year: report” was the AAP copy. The ABC had a story on the report as well, but at least sought some independent verification, talking to a local cybersecurity figure.
One local report expressed scepticism, but it was sourced from the US.
More on the claims of the report in a second, but it’s worthwhile checking out how clever the Symantec report is. It’s rich, dense even, with interesting factoids designed to appeal to journalists. Did you know, for example, at least according to the report, there are twice as many victims of cybercrime every day as there are newborn babies? No? How very interesting. Completely meaningless, but so very interesting. Did you know the cost of cybercrime was way over the global cost of the trade in cocaine, marijuana and heroin combined, and almost as much as the entire global trade in all drugs? No? There you go. And the cost of cybercrime is more than 100 — yes, 100! — times the annual budget of UNICEF. The report is littered with non sequitur facts like those.
It isn’t just factoids on the cost. Symantec includes an explainer on who is more at risk (apparently the more people use the internet, the more likely they are to be victims of cybercrime — whodathunkit?), how people feel about cybercrime, and why they don’t take steps to protect themselves. You can’t accuse it of not being efficient: there’s much recycling of material from a report the company produced a year ago that didn’t get anywhere near as much coverage, on emotional reactions to cybercrime, including such shocking findings as the fact that 58% of people who are victims of cybercrime feel “angry”. That report included input from Dr Joseph LaBrie “associate professor of psychology at Loyola Marymount University”, and the good doc got a run this time as well, including in the accompanying press release.
This is the same high quality of scaremongering that prompted the company to run a “ThreatCon” graphical warning on its websites, showing the global cybersecurity threat level.
So how, exactly, has Symantec produced its startling figures? Well, some credit is due — they provide a methodology at the back to explain the derivation of their numbers, which is what too few of these sorts of reports ever feature. But the methodology lacks quite a bit of detail, particularly around the claims about the cost of cybercrime totalling $US114 billion in financial costs and $US274 billion in lost time (notably, AAP didn’t include the $274 billion figure in its report). And what exactly is cybercrime? Right at the back is a list of the experiences counting as cybercrime, including “computer viruses or malware appeared on my computer,” “I responded to a phishing message thinking it was a legitimate request,” “online harassment” and “I experienced identity theft”.
Leaving aside the rather ill-defined nature of “online harassment” — some News Ltd bloggers, for example, seem to regard criticism of any kind as a form of harassment — the biggest form of “cybercrime” according to Symantec is getting a virus or malware — that’s what drives the huge figures Symantec has thrown around, with 54% (only 54%?) of people reporting malware. The next biggest forms of cybercrime are online scams, at 11%, and phishing, at 10%. The mere act of getting a virus, whether or not it did anything untoward, counts for Symantec’s purposes, and enables it to make such improbable claims about the massive cost of cybercrime.
And what’s ironic is that the cost of dealing with malware which drives Symantec’s $274 billion figure is of course the value of time spent installing products such as Norton, and keeping it updated — something the report encourages. “Good online security is like having a professional bodyguard,” says Dr LaBrie, who as an academic psychologist seems very well-versed on computer security. “Discreetly in the background, but there to spot all signs of danger and ready to step in to protect you against the attacks you expect and those you were never aware of.”
You know, like Norton.
So far, so boring. I’m hardly telling you anything you don’t already know in pointing out that Symantec’s report is designed to inflate fears that form the core of its business model. It’s what else is crammed into the report that makes it slightly more sinister. One of the supporting features of the report is its warning that cyber security is incompatible with online anonymity. Many victims of cybercrime “think you have the right to say or do anything online and not have it used negatively against you”, the report finds. But it’s not true. The report warns about “internet liars”, in which it includes people who refuse to use their real identity online. “The 2011 survey registered a 5% rise in the number of online liars,” it says. “The bad news for liars is that they are more likely to be a victim of cybercrime.”
Putting aside the leap in logic here — perhaps “liars” use the internet more and therefore are mathematically certain to have greater exposure to cyber crime — Symantec’s message is clear: online anonymity is bad and will get you into trouble. The 2010 report also scolded people for thinking that filesharing might be “legal”. “Shaky ethics and questionable behaviour” declared the report — and as with online anonymity, warned that “cyber criminals” were using filesharing to distribute “threats”.
Like Google and Facebook, Symantec is keen to see an end to online anonymity in order to monetise personal information. It has long seen big dollars in offering identity protection and supports the Obama Administration’s controversial “Trusted Identities” strategy. There’s some irony in that, because Symantec currently also makes money from online anonymity, by offering anonymised surfing as part of its Norton package. But then that’s consistent with the sort of online world to which governments and companies want us to move, where there’s no online anonymity except for governments and companies themselves, and people who can afford to protect themselves.
I’ve never yet found the ‘you don’t need any’ defence workable, so I’m not going to dive right in, but I do wonder: since Microsoft now offer a small, focussed virus scanner with daily updates *for free*.. well, I went there. And, it works.
Like 99% of humanity on the internet, I am behind a NAT in the form of my home router. Even with IPv6 enabled, I have substantially less incoming un-solicited packetflows since the basic firewall rule ‘establish inside’ is running in both versions of the protocol stack, 4 and 6.
Sure, there are random acts of kindness in the form of spam attachments and stupid internet link risks, but that’s what I believe the Microsoft Security Essentials does for me: it deals with that stuff.
What *is* the business model for Symantec, and other bloatware?
PS Vista closed off sapphire. I do a lot of measurement relating to Internet growth/usage and I can be quite confident in saying that there is a 50%+ overhang of Windows XP hosts out there, lost, alone, forlorn and full of nasty bad behaviour but the world post Vista is quite different. As a confirmed Microsoft hater for 25 years+ this takes some saying: their current product is much less prone to being visibly a problem.
I think the cashflow of independent virus scanner writers is looking a bit iffy. The cost of some of these packages is less than the cost of replacing your OS with one more in line with modern coding expectations.
Oh yea. I think their threat marketing is bullshytte,
-G
Hmm….Symantec/Norton quoting online threat figures….. Always reminds me of a police spokesman, quoting the “street value” of a drug bust to the media.
Codswallop +10
“…such shocking findings as the fact that 58% of people who are victims of cybercrime feel ‘angry’…”
I wonder what the other 42% feel? Vaguely suspicious that their anti-virus software failed? Sad that they didn’t realise they were ‘victims’ as defined by their anti-virus software company? Turned off by meaningless, self-promoting statistics from vested interests? Or totally non-plussed that “Shaky ethics and questionable behaviour” was a category included in the compilation of those statistics?
The study I want to see is the one that looks at the cost of cybersecurity (e.g. the lost productivity arising from draconian privilege restrictions on work PCs, and consequent need to tie up IT staff), compared with the cost of cybercrime. Or the effectiveness of cybersecurity, such as requirements for passwords that are so ‘strong’ and have to be changed so often that…most people have to write them down, usually somewhere near their computer. Brilliant.