by Mike Masnick

Filed Under:
cybersecurity, fud, hype, losses, stats

mcafee, symantec

The Stats Used To Support Cybercrime 'Threats' Just As Bogus As Hollywood's 'Loss' Claims

from the but-of-course... dept

While the latest attempt to pass a cybersecurity bill may be on ice for now, it'll be back... and with it there will be a lot more hyperbole about how urgent this is because of various massive "losses" already happening due to cybersecurity problems. Of course, nearly all of the numbers and claims you hear will be 100% bogus.

For years, we've highlighted stories about how the claims of "losses" from the entertainment industry due to infringement are completely fictitious. In the past, we've seen Julian Sanchez go on a hunt to find the origin of some of the numbers being thrown around, and come up with evidence that they're based on nothing. For example, claims of $200 billion in losses due to counterfeiting... came from a 1993 Forbes article that just makes that claim with no citation and no backing info. But it became gospel among those arguing there was a problem.

With Congress and the President continuing to insist that we need a cybersecurity bill, politicians have been tossing around all sorts of questionable numbers. Just a few weeks ago, we noted that General Keith Alexander, the head of the NSA, had tossed out some numbers and claimed that cybersecurity was the "greatest transfer of wealth in history." Considering that we're living through the aftermath of a financial meltdown that involved a massive transfer of wealth, I find the original claim difficult to believe. Plus, as we noted, he seemed to only cite studies from McAfee and Symantec, two companies who have a massive vested interest in keeping the cybersecurity FUD going, because it helps them sell stuff.

Thankfully, the folks over at ProPublica decided to take a much closer look at the numbers politicians are relying on in support of the massive "harm" that is already being caused by online security issues... and discovered that the numbers are completely and totally bogus. In fact, the full story (which is fascinating) parallels (very closely) the story with "piracy" stats from the industry.

One popular number is "$1 trillion" in losses due to cybersecurity breaches. That number gets thrown around a lot by politicians (and many in the press who merely parrot such numbers unquestioningly, even as that gives those politicians more cover to claim that there's a reputable source supporting the number). Yet, the ProPublica report highlights that, not only is this number bogus, but the (quite well respected) researchers who put together the original report for McAfee did not use that number and, more importantly, many of them spoke out publicly with surprise that McAfee put out a press release with such a number -- which they thought was questionable and not supported by their data.

In fact, there were a number of methodological problems, including that the data was based on a self-reported "average" amount of the "worth of sensitive information stored in offshore computer systems." Who knows if the respondents are being accurate, first of all, but even more to the point, the "worth" of such information is a highly subjective number. People can find something "worthwhile" without paying for it, but by focusing on the "worth," they obscure the fact that the market price may be quite different than what people think something is worth. And, what people think something is worth has zero impact on any actual losses. But, from a very small number, McAfee just sprinkled some magic pixie dust on the already questionable number, and proceeded to extrapolate, massively:
“The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches,” the release said. “Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.” The release contained a quote from McAfee’s then-president and chief executive David DeWalt, in which he repeated the $1 trillion estimate. The headline of the news release was “Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime.”

The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism.

Now, remember, this $1 trillion number is just in the press release. It's not in the report at all. And the report's researchers were just as baffled (and even more concerned) about this:
Among [the study's researchers] was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. “I would have objected at the time had I known about it,” he said. “The intellectual quality of this ($1 trillion number) is below abysmal.”

.... The company’s method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report’s unveiling, she received a draft of the news release that contained the $1 trillion figure. “I expressed my concern with the number as we did not generate it,” Rees Ulmer said in an email. She added that although she couldn’t recall the particulars of the phone conversation in which she made her concerns known, “It is almost certainly the case that I would have told them the number was unsupportable.”

...The news stories got the worried attention of some of the report’s contributors because McAfee was connecting their names to an estimate they had no previous knowledge of and were skeptical about. One of the contributors, Augusto Paes de Barros, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, “I could not find any data in that report that could lead into that number.... I’d like to see how they found this number.”

I don't know about you, but when a super well respected security researcher tells you that a particular claim is based on a number whose "intellectual quality ... is below abysmal," that's the point at which you should probably stop using the number. But, instead, politicians and the press continue to parrot the line over and over again.

The slightly smaller number, from Symantec, is still equally questionable. They go with $250 billion... but the number has almost no support. It does come from a real Symantec report, but not from Symantec employees. Instead, they hired another firm to magically come up with the number, and it sounds like magic would have been just as effective as what was eventually done. It raised concerns from actual experts in the field:
“Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population.”

Furthermore, even if we take these numbers at face value, the original reports on both of them say these numbers represent the value of the attacks in question, and not what was actually "lost" or how much it cost to deal with. However, when a politician quotes them, they almost always do so by at least suggesting that these made up "values" are very real "losses" to companies. In other words, the numbers (shocker, shocker) are being twisted by cybersecurity law supporters. For example, just recently, Senator Collins said that General Alexander "believes American companies have lost about $250 billion a year," but that's not true. Already, we know the number is suspect -- but even if we accepted the number, it only represents the "value" that various companies have put on things harmed by security issues, not any sense of actual losses. Claiming that these are losses isn't just misleading, it's wrong.

We've argued for years that actual data should inform the debate on these things -- but that data needs to be accurate and supportable. Unfortunately, with cybersecurity threats, the claims that are being thrown around have no basis in reality. If politicians really want to discuss the "threat" of cybersecurity, the least they can do is get some accurate research on the scope of the problem. Trusting a number from a McAfee press release is not credible and it's certainly no basis for passing a law that wipes out privacy rights of the public.

Reader Comments

  1.
    Paul Renault (profile), 2 Aug 2012 @ 1:09pm

    ...and just as bogus as the claims that frakking is safe.

    See here:

    A lot of people need to get thrown in jail. Really.

  2.
    Dark Helmet (profile), 2 Aug 2012 @ 1:14pm

    Re: ...and just as bogus as the claims that frakking is safe.

    "A lot of people need to get thrown in jail. Really."

    Sorry, too busy throwing pot-smokers in the clink, friend. They are singlehandedly causing The Great Cheetohs And Mountain Dew Drought of 2012....

  3.
    gorehound (profile), 2 Aug 2012 @ 1:15pm

    The Bill that will take away more of our Rights will be back to haunt us. As long as there are Republicans and Democrats in Office they will continue to hound us and take away our Rights. They already have again and again so I know what I say is true.
    I intend on not Voting for either of these bloated corrupt Parties even if my Vote is considered a wasted one. I am sick of seeing those two Parties in Office.
    I hate this Government and the only ways to really change it seems like either a Revolution or to just try and Vote them out.

  4.
    Josh in CharlotteNC (profile), 2 Aug 2012 @ 1:16pm

    No smoke, no fire

    You know the numbers are bogus because the shareholders of these companies haven't revolted and lynched the board and execs. There have been few, if any, lawsuits filed against these companies for the massive losses.

    JP Morgan loses $6 billion with poor trading practices and even though they can pretty easily absorb that loss, execs are fired and the whole company is looking to be re-org'ed.

    If American companies, even in aggregate, were losing a trillion dollars, there'd be no end to the news. And yet... we hear nothing of the sort. There's not even a wisp of smoke - so there isn't any fire here.

  5.
    Anonymous Coward, 2 Aug 2012 @ 1:21pm

    In my study I have found that bad decisions by politicians cost taxpayers 1 million$ a day.

  6.
    Anonymous Coward, 2 Aug 2012 @ 1:46pm

    what difference does it make to the politicians and other powerful people? idiots though they may well be, they take notice of this sort of bogus information so they can then introduce or back previously introduced bull shit laws. all they succeed in doing is hurting the people by removing privacy and freedom, hurting other companies that have to spend thousands of dollars conforming to the new, waste of time law and increase the profits of certain security companies. oh, i forgot. those are the same companies the powerful have vested interests in!

  7.
    Wally (profile), 2 Aug 2012 @ 2:22pm

    Collective Bargaining

    Being from Ohio, United States, the concept of representatives at the state government level taking erroneous data from the editorials of major newspapers is nothing new to me. I'm not surprised that things at the federal level are the same.

    Anyone from the US (especially from Wisconsin or Ohio) would understand this problem very much so. There were several editorial articles that were taken that had data portraying the public school teachers were making more than $50,000 US a year by the end of their careers and tax payer money was being wasted (especially in Ohio...I'll use Ohio because I know how it all went down where I live) on union dues. What did our local law makers do? They took away the rights of the State workers unions to collectively bargain for was later repealed by hand written signature. The bill also gave the town council the final word on an individual teacher's wages, not the school board

    For those outside the US who might not understand, States are not forced to provide benefits for their workers in the US. Some of them (like Ohio) do not provide medical or health insurance and no pension plan for retirement for public servants such as teachers. Unions were given the right to bargain for said wages and benefits so the teachers could have something to retire upon. With the collective bargaining rights gone, teachers couldn't get a raise when they deserve it. How much of your pay as a public school teacher that went to union dues for retirement was up to the individual.

    Needless to say I know all about the issues of senators using erroneous figures in editorials to pass bad baseless laws.

  8.
    Anonymous Coward, 2 Aug 2012 @ 2:34pm

    Those Nigerian princess are in trouble now.

  9.
    Anonymous Coward, 2 Aug 2012 @ 3:09pm

    It was obvious for me from DAY ONE, that what they used was copyright math, as soon as they said the IP theft is valued at $1 trillion. Do politicians or the NSA really think the whole population is brain-dead or something?

  10.
    Keroberos (profile), 2 Aug 2012 @ 3:25pm


    In my study I have found that bad decisions by politicians cost taxpayers 1 million$ a day for each taxpayer.

    Fixed that for ya ;)

  11.
    Anonymous Coward, 2 Aug 2012 @ 3:51pm


    Not the whole population... just the majority. Unless you have any evidence to suggest otherwise?

  12.
    That One Guy (profile), 2 Aug 2012 @ 4:11pm


    Oh not the whole population, just the ruling class.

    After all it wouldn't matter a whit if the entire population was filled to the rafters with literal geniuses, so long as the ones who rule are either gullible enough to swallow such blatant lies and falsehoods, or corrupt and paid off enough to go along with the lies.

  13.
    Anonymous Coward, 2 Aug 2012 @ 4:46pm

    My thoughts on all this loss stuff is that it most likely parallels losses in the real world. Whether it be music, movies, cyber security breaches or what have you. In any case, in the real world we call it shrinkage. You're gonna have it, It's part of the human condition.

    The white man ain't shit cause he got a complex.

    -graffiti on a wall in the movie "Being There"

  14.
    Dave (profile), 2 Aug 2012 @ 5:58pm


    No, no, you don't understand. It ain't the populace that's braindead (see response to SOPA, PIPA, ACTA, etc.), it's the Politicians. Their meager brains have been so overwhelmed by all of that green and white stuff, including money, they are inundated with that they can't think. How many sane, rational people do you know that would make the kinds of decisions and judgements that they do? What do you expect?

  15.
    iBlvk (profile), 2 Aug 2012 @ 8:36pm

    Intensity matching

    Here's my view of the political thought process in this case.

    Step one: Substitution. >> A difficult question "How much does cybercrime cost?" is replaced with a simpler question "How much do we care about cybercrime?"
    Step two: Intensity matching. >> Relative importance of the cybercrime issue is expressed on the monetary scale. A trillion dollars seems like a good match for something that's related to cyber warfare.

    And there you have it.

  16.
    Dave (profile), 2 Aug 2012 @ 9:51pm

    Re: Intensity matching

    IMHO, you're giving them too much credit. I see NO thought processes going on here, just blind obedience to their masters, and they ain't us.

  17.
    Josef Anvil (profile), 3 Aug 2012 @ 12:58am

    How is this possible?

    "The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone."

    How do you even know how much IP you have lost??? How do you lose intangibles???

    Think about that. They estimate they lost $4.6 billion worth of thoughts.

  18.
    Anonymous Coward, 3 Aug 2012 @ 1:40am

    Re: How is this possible?

    I lose my thoughts every time I read their bullshit propaganda estimated by 15 trillion, gazzilion, zipilion, dollars. so where's my reparation?

  19.
    Anonymous Coward, 3 Aug 2012 @ 3:53am

    Re: No smoke, no fire

    The numbers are not bogus. After all, most financial transactions are conducted by computers these days, and look how much money was lost (if not outright stolen) by the likes of Bear Stearns, Goldman Sachs, Fannie Mae, Freddie Mac and the likes.

    Clearly, if we'd had tougher cybersecurity legislation on the books, this sort of stuff would never have happened.

    I'm actually surprised nobody has actually tried using this line of reasoning to push these bills.

  20.
    Josh in CharlotteNC (profile), 3 Aug 2012 @ 4:34am

    Re: Re: No smoke, no fire

    Clearly, if we'd had tougher cybersecurity legislation on the books, this sort of stuff would never have happened.

    How's that working for copyright? Or drugs?

  21.
    Ninja (profile), 3 Aug 2012 @ 4:47am

    How much is the world GDP worth today? According to it's near 70 trillion. That would make cybersecurity alone cost 1,43% of the world GDP. That's almost 1 South Korea in losses. That's a whole freaking lot. But there are other losses aren't there? There's the MAFIAA losses. There's the losses to natural phenomena (extreme conditions). There's the losses to pollution. There's the losses to corruption. To organized crime. To counterfeiting. Somehow I don't think all the claimed losses along with the very real ones add up in the end.

    It's also on par with the amount of money thrown around the world to bail out the "ailing economy" btw. And it's 6,7% of the American GDP.

    So when you put the numbers in perspective it sounds much less reasonable (the 1 trillion figure).

  22.
    Ninja (profile), 3 Aug 2012 @ 4:55am


    Oh and hooray to numbers taken out of collective behinds! (It's easier to use that in daily conversation than I thought)

  23.
    Hephaestus (profile), 3 Aug 2012 @ 5:47am

    Re: Re: ...and just as bogus as the claims that frakking is safe.

    More snack foods are being created today than at any other time in human history. It's just that the big consumers are seeing less, and the remainder is being transferred to many others. It's not a drought, it is a re-appropriation ... hmmm ... that reminds me of ...

  24.
    Anonymous Coward, 3 Aug 2012 @ 5:47am

    Yet another reason why algebra is important.

  25.
    Rapnel (profile), 3 Aug 2012 @ 9:48am

    this just in...

    Politicians Caught Propagating Lies and Deceit In Support of Industry Insiders in Quest for Tax Funded Contracts!

    Lies and blatant misinformation used to manipulate masses!

    Further attempts to enable government contract recipients and their shareholders to profit on citizen data imminent!

    Horrified observers .. resist.

    How long can the Founding Documents resist this onslaught?

    Are the governed at risk of catastrophic casualties?

    Are our children safe!?

    These questions and more could just possibly be answered .. in about six weeks.

  26.
    Anonymous Coward, 3 Aug 2012 @ 9:52am


    ah, but you see they use the calculus and sum over histories to come by their estimates

  27.
    Anonymous Coward, 3 Aug 2012 @ 9:54am

    Re: Re:

    and when you divide by zero the science breaks down. It's hard to deal with infinity.

  28.
    Hondo1, 4 Aug 2012 @ 5:30pm

    It's not the money, dude!

    Anyone who tries to absolute $$$ to not only the reality of the threat but the damage already done (which has been clearly documented), is a fool. To throw cyber into the political arena for a contender's benefit is an insult to concerned Americans. Carry on, fools, with your insane use of unsecured WI-FI and hooking up things never meant to be so on the Internet. The next "whoosh" you [might] hear will be that of our infrastructure being sucked out by the hep cyber criminals.

  29.
    Timothy Campbell (profile), 7 Aug 2012 @ 1:27pm

    Re: ...and just as bogus as the claims that frakking is safe.

    "A lot of people need to get thrown in jail," eh? Yes, I guess so, Paul, but that's what THEY say about the rest of us.

    I'm reminded of a Pogo cartoon where a bear-like creature (who resembled Spiro Agnew) managed to throw EVERYBODY in jail except himself. In the end, he realized that ... he was lonely. :(
