Monday, February 24, 2020

Crime metrics matter: two charts of the big mess we're in, even if we're not sure how big it is

[Update: Advancing Accurate and Objective Cybercrime Metrics, my article in the Journal of National Security Law & Policy is now available online.]

We are now about 50 years into the information age, so let me ask you: How secure is your personal information? If you're like most adults in America, the answer is probably: "not as secure as it used to be."
Chart linked to original report.

That is what the social scientists at Pew Research Center found last year when they carried out the survey behind the chart on the right (click to access the full report).

As you can see, 70% of folks said that they felt their personal information was less secure than it was five years ago; furthermore, they were more likely to think that way if they were 50 or older, more educated, or in a higher income bracket.

My take on these numbers is that they reflect the relentless increase in cybercrime, or what my good friend, the gifted security researcher Cameron Camp, calls cyberbadness: the apparently never-ending litany of technology-enabled scams, frauds, thefts, losses, and disruptions that seem to be victimizing more and more people and organizations. Note that I used the word "seem" intentionally because some observers will point out that public perception of criminal activity is not always in sync with reality. At times that may be true, but before we can determine whether people are over- or under-reacting to cybercrime, we need to ask: what is the true scale and impact of cybercrime? And quite frankly, nobody has a good answer at the moment.

Why? Well, I've said it before, years ago, and again last year: "the importance of metrics to crime deterrence would appear to be both critical and obvious, but despite this there is a persistent cybercrime metrics gap." As far as I am concerned, that is a problem, one that I addressed at some length in a recent law journal article that is currently available online. The following quote may help to put the problem in perspective:

“[u]ntil there are accepted measures and benchmarks for the incidence and damage caused by computer-related crime, it will remain a guess whether we are spending enough resources to investigate or protect against such crimes… In short, metrics matter.”

Those words were spoken 16 years ago by an FBI agent, Edward J. Appel, someone who knew a thing or two about metrics (his father, Charles A. Appel, founded the FBI's Technical Laboratory).

Unfortunately, casual use of Google gives the impression that we have an abundance of metrics about cybercrime, with search results like "300+ Terrifying Cybercrime & Cybersecurity Statistics" and "110 Must-Know Cybersecurity Statistics for 2020." The problem is, the sources for such numbers are often suspect in terms of methodology and/or confirmation bias.

I addressed these issues in the Journal of National Security Law & Policy article mentioned above (Advancing Accurate and Objective Cybercrime Metrics, publication pending but currently available online). And I had spoken at length about the problem at the 2015 Virus Bulletin security conference (you can find my paper, a video of my talk, and my slides here: Sizing Cybercrime: incidents and accidents, hints and allegations). The sad reality is that, when it comes to timely and objective official statistics about crimes committed in cyberspace, they are in short supply.

Even sadder is the fact that the metrics we do have, such as the Internet Crime Reports issued by the FBI and IC3, make for depressing reading, not to mention depressing charts like the one on the right. This documents the rise in total annual crime losses reported to the Internet Crime Complaint Center or IC3 from 2003 through 2019.

As you can see, the year-on-year increase has become quite acute. Yes, I know the chart is somewhat compressed to fit this page layout, but you would have to spread it quite wide to get rid of the "hockey stick" that is the last five years. I certainly wouldn't bet against it blowing through $4 billion in the next report.

And yes, there are issues with using the IC3 numbers as crime metrics. They are not collected as an exercise in crime metrics, but rather as part of just one avenue of attack against the crimes they represent. However, I have studied each annual report and am satisfied that collectively they provide solid evidence of a real world cybercrime impact trend that looks very much like the line shown here.

My law review article was one of several generated by a range of independent subject matter experts as part of the Third Way Cyber Enforcement Initiative. The initiative was an impressive multi-stage effort to coordinate inter-disciplinary input on efforts to tackle the cybercrime problem. When commissioned papers reached draft stage, authors attended a day-long, mid-summer workshop at New York University School of Law for live peer review. By October, this Third Way initiative had already produced results, including an excellent summary of the metrics issue in The Need for Better Metrics on Cybercrime, from Third Way Policy Advisor, Ishan Mehta.

As papers continue to appear, check the website of the Journal of National Security Law & Policy. For example, right now you can access this important contribution from Amy Jordan and Allison Peters on Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime, and this excellent review of the use of criminal charges as a response to nation-state hacking from Tim Maurer.

(Acknowledgement: I am deeply grateful to all who participated in this project, for their input, insight, enthusiasm, and support.)

Monday, January 20, 2020

Happy New Year? Decade? 2020?

Greetings! I am happy you're here, reading this page, because now that I'm no longer writing for We Live Security, this blog is one of the ways I will continue to share what I hope is useful research and analysis. (There's more on the big changes I made in 2019 here.)

I really do hope that you have a happy and safe and satisfying 2020, and a fulfilling decade, but I put those question marks up there in the title because right now I see serious challenges ahead. Frankly, I'm not sure the world is ready, or able, or even willing, to meet them.

But gloomy as that may sound, I do see some bright spots; I mean, the 2020 puns are bound to wear out soon, right? And people will eventually stop saying things like "I can see clearly now that 2020 is here." Which reminds me of the 2015 TEDx event in San Diego that was actually called 20/20 Vision.

I had the honor of speaking at that event. My topic was cybersecurity, cybercrime, and the need for more women and minorities in technology leadership. I framed these remarks (yes there's a pun there if you like), as a choice between two futures.

The first future that I sketch out is one in which technology enables humans to tackle existential risks like climate change and make life on the planet better for everyone. The second future turns out to be a dismal one because we failed to get to grips with core problems facing technology. Well, now that 2020 is here I have to say that the world pretty much went with Future #2, and we are no nearer to the bright and shining Future #1 now than we were in 2015.

And of course, that means I have a lot more work ahead of me - explaining what we're doing wrong, why we're doing it wrong, and how critical it is that we change. But just for the record, here's that 2015 talk. Happy 2020?

Wednesday, November 13, 2019

Cybercrime deterrence begins with metrics


The importance of metrics to crime deterrence would appear to be both critical and obvious and yet there is clearly a large cybercrime metrics gap: official statistics about crimes committed in cyberspace seem scarce relative to those documenting the incidence and impact of traditional or “meatspace” crimes. 

I have been talking about the cybercrime metrics problem for many years, notably at Virus Bulletin in 2015 (you can find my paper, a video of my talk, and my slides here: Sizing cybercrime: incidents and accidents, hints and allegations). 

More recently, namely Q3 of 2019, I wrote a law review article titled Advancing Accurate and Objective Cybercrime Metrics (publication pending). I did this as part of the Third Way Cyber Enforcement Initiative, an impressive effort to bring together an inter-disciplinary group of experts to develop ways forward on the cybercrime problem. This has already produced results, an excellent summary of input on The Need for Better Metrics on Cybercrime, from Third Way Policy Advisor, Ishan Mehta.

My paper for this project situates the efforts needed to obtain accurate and objective cybercrime metrics within the broader work of reforming traditional crime reporting which currently fails to meet the needs of information-based criminal policy. With a case study of identity theft, the paper illustrates disparities between current government and private-sector metrics while highlighting the importance of timely metrics to the work of countering rapidly evolving cybercrimes. After reviewing promising ways forward already developed by a range of experts, the paper concludes that meaningful action to improve crime metrics is possible; however, this will take more political will than has so far been mustered and so suggestions for how this might be generated are provided.

I will be giving a flashtalk on the paper at the upcoming symposium at New York University: Catching the Cybercriminal: Reforming Global Law Enforcement. Then I will report back here.

Friday, August 30, 2019

Potentially malicious use of QR codes and NFC chips

Like any technology, QR codes and NFC chips can be abused and misused for selfish or criminal purposes. I was reminded of this by a recent Dark Reading article by Chris Franklin, Jr. titled "9 Things That Don't Worry You Today (But Should)."

One of the things that Chris highlighted was QR codes and when I saw this particular page it reminded me that I had written about the abuse of these codes myself (seven years ago). In fact, I not only wrote about them, I did some research on them and an adjacent technology, the NFC chip (both can be used to trigger events in an information system, and they are cheap to implement, easy to program, and also very thin). 

I made a very short video to demonstrate one potential type of abuse - tricking people into visiting a malicious website. Here is the video, with thanks to my former employer, ESET, for giving me the time and resources to make this demo:


As you can see, there is plenty of potential for hijacking or misdirecting people's interests via both QR and NFC technology, and I am indebted to my former ESET colleague, Cameron Camp, for pointing some of these out, way back in early 2012.

(Funny story: about that time, Cameron was in Hong Kong to speak at a security conference and noticed the extensive use of QR codes in public transportation vehicles. He pointed this out to a company exec who was there and said, "How about I write a blog post showing how someone could print their own codes on sticky labels and just plaster them over these legit codes?" Apparently, this produced a lot of head-shaking. ESET decided to go with the more low key demo you see here.)
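A QR code or NFC tag carries nothing but a string; the risk lies in what a phone or kiosk does with that string once it is decoded. The defensive counterpart to the sticker-over-the-real-code scenario above is to vet the decoded payload before acting on it. The following is an added example, not code from the original post or from ESET: a small Python function that returns the reasons a decoded payload should not be opened automatically. The expected-host list and shortener list are constructed for illustration, as are the sample payloads.

```python
"""
Vetting a decoded QR/NFC payload before acting on it.

Added example, not from the original post. The allow-list and
shortener list are constructed for illustration; a real deployment
would load its own.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed for the example: hosts a deployment expects its own codes to point at.
EXPECTED_HOSTS = {"example.org", "www.example.org"}

# Constructed for the example: link shorteners hide the real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def vet_payload(payload: str) -> list[str]:
    """Return a list of risk findings for a decoded QR/NFC payload.

    An empty list means the payload passed every check here; it is still
    the caller's decision whether to open it.
    """
    findings = []
    text = payload.strip()

    if not text.lower().startswith(("http://", "https://")):
        # Anything that is not a web URL (tel:, sms:, wifi:, app intents,
        # raw text) deserves a human decision, not an automatic action.
        findings.append("non-http scheme or plain text payload")
        return findings

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("cleartext http")
    if parts.username or parts.password:
        # "https://trusted.example@attacker.example/" reads as the trusted
        # site to a human but resolves to the host after the "@".
        findings.append("credentials embedded in URL (often used to disguise the real host)")
    if not host:
        findings.append("missing host")
        return findings

    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass  # a normal hostname, not an address literal

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible look-alike domain)")
    if host in SHORTENER_HOSTS:
        findings.append("link shortener hides the final destination")
    if host not in EXPECTED_HOSTS:
        findings.append(f"host {host!r} is not on the expected list")

    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might decode them.
    for sample in ("https://www.example.org/menu",
                   "https://www.example.org@203.0.113.5/login",
                   "tel:+15555551212"):
        print(sample, "->", vet_payload(sample) or "ok")
```

The checks are deliberately conservative: a code placed by the venue itself should point at a host the venue controls, over HTTPS, without tricks in the authority part of the URL, so anything else is surfaced to the user rather than followed silently.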

Back then I wrote a couple of related articles on this blog:
Enjoy!

Thursday, August 08, 2019

DEFCON III flashback: why hacking sucks


My session at DEFCON III back in 1995 has lived on as an audio recording (.m4b). Just scroll down this page: DEFCON III Archive. The title was intentionally provocative:

The Party's Over: Why Hacking Sucks

The idea was to generate dialogue about the ethics of hacking, and I think I succeeded. In fact, the audio captures that quite well.

(Bear in mind that this was 1995 and I've been to events in 2019 where organizers seemed incapable of capturing audio this well.)

As someone who had been working on the computer security problem since the 1980s, I have to say I learned a lot from this session and really appreciated everyone's input.

I was invited back the next year and I will post a link to that DEFCON IV session when I find it again. My topic was how to go from hacker to infosec professional, but like many early DEFCON talks it went in several other directions as well (steam trains?).

Here is a link to initiate the audio file download for the DEFCON III talk, and yes, it is safe to do so. The audio is about 49 minutes long and while the sound starts out rough, it gets better quickly. The file is 18.2MB and the filename is: DEF CON 3 Hacking Conference Presentation By Stephen Cobb - Why Hacking Sucks - Audio.m4b

Monday, August 05, 2019

Experienced vendor-neutral panelist available to talk cybersecurity, cybercrime, data privacy, and more

Has this happened to you? You have this great idea for a panel at a conference, but you need to find great panelists, preferably people who are subject matter experts, but are not employed by a vendor, yet they do have experience as a panelist.

Well, I am one such person: a completely independent researcher specializing in cybersecurity and data privacy who is also an award-winning technologist with 30 years of industry experience. And yes, I have a track record of well-received panel appearances.

So, if you're putting together a panel proposal, or your proposed panel was accepted but now you need panelists, take a look at my areas of expertise. If you think I might be right for your panel, let's discuss - you can reach me on LinkedIn and DMs are open on Twitter.

Here are some of my areas of expertise and interest:
  • Cybercrime and cybercrime metrics
  • Cybersecurity education, skills gap, and workforce issues
  • Cyber-war and cyber-conflict
  • Data privacy and data abuse
  • New technology = risks and attacks (e.g. AI, IoT)
  • Public-interest technology and public policy related to the above
Here is me on video:

Friday, July 12, 2019

The big news from where I am, which will soon be somewhere else

Dateline San Diego, California, July 12:
Today is my last day at ESET, the company that I have worked for since 2011, and from which I am now retiring.

But wait, there's more news! In early September, Chey and I will be relocating to the city of Coventry, England, birthplace of the pedal-chain bicycle, Jaguar cars, the turbojet, my parents, my brother, and me.

I will be writing more about this move as time permits, with the latest developments signposted on this blog (scobb.net).

If you want to stay in touch, and I hope you do, you can use email to reach me (use scobb at scobb dot net). You can also find me on Twitter, where I am @zcobb. I'm on LinkedIn as well and you may even spot me on Facebook - where my profile is stcobb - but I don't go there very often. In the past I have published on Medium and I may write some more articles there in the future.

So, that's the news of the day from where I am. What follows are a few random thoughts on the occasion of my departure, retirement, and relocation.

For the record, we will be flying to England, not sailing. I say this because I have twice moved from North America to England on ships. Once when I was six, and again in 1975 on the TSS Stefan Batory.

Postcard of TSS Stefan Batory from the collection of VMF at http://vmf-cruiseshipsandliners.blogspot.com/

Also for the record, I am leaving ESET with very positive feelings. I have never worked this long for anyone other than myself. In my opinion, ESET continues to set the standard for technical excellence, customer support, and dedication to helping the world enjoy safer technology. It was a privilege to work with such a great team of security researchers and I know that they will carry on the mission with courage, integrity, reliability, and passion. (Disclaimer: nobody's paying me to say this, I don't own stock or have any other financial stake in ESET.)

My relationship with ESET began exactly eight years ago this week, with a phone call about a job. The company wanted someone to do vendor neutral security research and education, which was great for me because that's been a passion of mine since the late 1980s. Adding to the appeal: the company wanted me to be based in California, my favorite state. (Chey and I met in California over 30 years ago, but left in the late 1980s to live in Scotland.)

As for my future, who knows? I do know I will keep researching and opining, mainly about technology. I will continue to blog, and there is a book I want to write. Coventry is home to a pair of excellent universities and there are more in the surrounding area - often referred to as "The Midlands" - including my alma mater, the University of Leicester. Doing some form of teaching is a possibility.

So, when Chey and I get properly settled into our new home, it is possible that I will reemerge, maybe as something like a part-time, semi-retired, independent researcher and public-interest technologist. (I have been watching fellow security veteran Bruce Schneier move in this direction.)

At this point, and if this was a press conference, I would take questions. But I only have time for one right now, so I will answer the one I've been asked many times in recent weeks: Do you think you will miss San Diego?

Yes, I will miss San Diego, and not just because of the weather and the views. We have met so many wonderful people here, many of whom I have worked with in a business climate that is unique in my experience: San Diego has to be the Capital of Collaboration. This is a great place to work on technology projects that benefit the community, the nation, and the world. I have often said that cybersecurity is the healthcare of IT, and San Diego is a center of excellence in both meatspace healthcare and cyberspace security. (The cuisine is pretty awesome too.)

On that note, I thank you for reading this far and wish you all the best. As the saying goes:

So long, and thanks for all the fish tacos!

Stephen

(Note: Image of ESET/Coventry combines a photo that I took plus photography by Si Chun Lam. Some rights reserved. This image is licensed under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) Licence.)

Monday, April 15, 2019

Dark markets, threat cumulativity, siegeware, and a cybercrime barometer

This is an update on five parts of my research and writing so far this year. The first part built on a suggestion from ESET PR Manager Anna Keeve: help people better understand the cybercrime threat by showing them the "dark markets" that are used to sell stolen information and buy the tools with which to steal it. So I decided to highlight their “evolution” into mainstream online services for enabling cybercrime.

1. Next Generation Dark Markets? Think Amazon or eBay for the criminally-inclined
In addition, Anna set up a session with the wonderful folks at Marketplace on NPR. So, if you want to hear more about the dark web, close your eyes and take this audio tour: Exploring the dark web with Kai Ryssdal on Marketplace


A reflection on how, by acknowledging the cumulative nature of cyber-threats and understanding its implications, we can improve our approach to digital security.

I presented my analysis of the data from a large survey, paid for by ESET and designed to uncover attitudes to cybercrime and cybersecurity in North America. This confirmed that the majority of Americans fear the misuse of personal data they supply to websites, and view cybercrime as a threat to their country.

Recent news articles show that a vital part of the IT ecosystem - MSPs - are now being targeted by criminals for a variety of nefarious reasons. I wrote about why this is happening, and what MSPs should do about it.



Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities. It is real and it needs to be openly addressed.

Wednesday, February 20, 2019

It's official: I'm an award-winning technologist

Earlier this month I was delighted to receive the CompTIA Tech Champion Award, "recognizing leaders focused on driving innovation, job growth and advancements for the information technology (IT) industry." There was even a press release and a video!


To put this award in context, CompTIA is the Computing Technology Industry Association: "the leading voice and advocate for ... industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy."

Saturday, February 16, 2019

Risk assessment and situational awareness: minding the gender gap

Consider this: a man and a woman get into an elevator.

Which one is doing risk assessment:

the man or the woman?

I've been posing this question to random groups of people on the fringes of information security and cyber-workforce events for about a year now and the results have been very interesting to say the least. Almost without exception women respond by saying "the woman." And while I can honestly say that this is what I had expected, I continue to be surprised by two things.
  • How quickly that response is voiced, usually in less than a few seconds. 
  • How many women, after answering, proceed to share - without any encouragement - their personal elevator strategies (more on these later).
Also interesting: I have not yet heard a woman say: "I've never really thought about it."

How do men answer? A lot of them do eventually say "the woman" and I take that as a positive sign. It suggests that those men understand one of the fundamental realities of gender inequality in our society: women have had to adapt to living with a higher base level of fear for their personal safety than men.

But there are some men who hesitate before answering. You see quite interesting facial expressions when someone in mixed company answers "the woman" very quickly and decisively. And yes, some men seem genuinely puzzled. For those in doubt, I suggest some reading, like Rage Becomes Her.

Fear, risk perception and social science 

My original motivation in asking this question was to get a quick sanity check on a hypothesis that I had formed while researching risk perception as it relates to technology: women tend to see more risk in technology than men and so increasing female participation in technology development and cybersecurity may reduce risk and increase security.

Some results from the more formal research into risk perception as it relates to gender and technology are illustrated in the graph below - read more about the work here.


Of course, posing the elevator question to random groups of people does not count as formal social science. The reactions that I get may be influenced by the uncontrolled demographics of the group (all male, all female, mixed). That said, I'd love to hear from anyone who is in a position to do a more formal study.

What the graph above illustrates is the gender gap in technology-related risk perception. Numerous studies have documented this over the course of several decades (see the 1994 paper "Gender, race, and perception of environmental health risks" by Flynn, Slovic, and Mertz for early references: Risk Analysis, 14, pp. 1101-1108).

As far as I know, it was studies of public sentiment around environmental issues that led to the first documentation of a gender gap in technology-related risk perception. The research that I did with my colleague at ESET, Lysa Myers, was to the best of my knowledge the first to show that this gender gap also exists with respect to risks related to digital technologies. That finding led me to hypothesize that women - on average or in the aggregate - are more risk aware than men when it comes to technology.

A counter-argument might be that men are more realistic in their assessment of risk because the true level of risk is lower than women think and closer to the population mean. However, it is my opinion that many technology risks are higher than the mean, therefore I would argue that women are more accurate in their technology risk perception than men (on average or in the aggregate).

Research into the gender and ethnic variations in risk perception has shown that white males, as a whole, see less risk in technology than black males, white females, or black females (these were the names of the categories used by the researchers). But that score - which has been dubbed the white male effect - is the result of a subset of white males seeing drastically less risk than anybody else. The group, possibly 30% of white males, lowers the overall risk scores for all white males, creating the gap you see in this chart from the 1994 Flynn, Slovic, and Mertz study (adapted):

As I indicated earlier, this study was not an outlier; other studies point in the same direction and I am not aware of any that point in the opposite direction (I did look for them). You can find quite a few studies, as well as deep dives into why some people see less risk in technology than others, at the Cultural Cognition Project at Yale Law School.

What does it all mean? As I suggested in my TEDx talk a few years ago, I think it means that the rate at which new technology risks are created would go down if decision-making roles in tech companies were more evenly distributed between genders.

Back then I said "we need more women in decision-making roles" and some surveys suggest that there are now more women in such roles than there used to be; but I think we are nowhere near the level of gender equality needed to put the brakes on fresh technological blunders.

In the coming months and years I will continue to articulate these views. In the meantime, I have another study concept you might want to consider. Document what happens when you ask women this question: "What goes through your mind if you're alone in an elevator and a man gets on?"

I think you will hear some interesting personal elevator strategies. The ones that I have heard certainly gave me a better sense of just how different life still is for women and men.