Benjamin Disraeli’s famous quip about lies, damned lies, and statistics rears its ugly head in the cybersecurity battle intended to wall off ever larger portions of the internet. The militarization of cybersecurity is one of those phenomena defined by a culture of fear, which is controlled by organizations whose primary motivation is not to protect you, but to keep you scared. The bigger the perceived threat, the bigger the premium companies like Symantec and McAfee can charge for their products. It’s a product loop that promises endless profit, because the moment a new vulnerability emerges it’s time for a new product update. And so what are we protecting? What are we building these walls around? The short answer: intellectual property. But the difficulty seems to be providing a meaningful estimate of what is being protected:
One of the figures … attributed to Symantec — the $250 billion in annual losses from intellectual property theft — was indeed mentioned in a Symantec report, but it is not a Symantec number and its source remains a mystery.
McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. “I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large,” said Eugene Spafford, a computer science professor at Purdue.
The numbers that these companies are citing are problematic not just in terms of their motivation, but also due to the impossibility of the number they are trying to conjure. The value of intellectual property is intangible and in many ways rests entirely in the imagination of the “owner”.
When intellectual property is stolen, the original can remain in place, seemingly untouched. Even when the breach is known, how do you put a dollar value on a Social Security number, a formula for a new drug, the blueprints for a new car, or the bidding strategy of an oil firm? It may be impossible to know whether an attacker uses intellectual property in a way that causes economic harm to the victim; maybe the data isn’t of much use to the attacker, or maybe the attacker, though using the data to quickly bring out a new product, is not successful in gaining market share.