Saturday, December 17, 2022

Digital Baitballs and Shrinkage: a cybersecurity lesson from 2022

A school of fish forming a baitball to minimize predation
A school of baitfish forming a ball to reduce predation (Shutterstock) 

If 2022 has taught us anything about cybersecurity, it is this: our combined efforts to protect the world's digital systems and the vital data that they process are capable of thwarting very high levels of sustained criminal activity, where "thwart" means preventing the complete collapse of trust in digital technology and limiting casualties to levels that appear to be survivable, if not acceptable.  

In other words, despite all the efforts of bad actors, from local scammers to nation states, abusing all manner of digital technologies, to commit everything from petty crimes to war crimes, humans are surviving, and we are continuing to expand our reliance on said technologies.

Of course, this lesson would appear to offer little comfort to the victims of digital crime in 2022, the countless companies, consumers, non-profit organizations, and government entities that lost money and peace of mind to the hordes of ethically challenged and maliciously motivated perpetrators of cyber-badness.*

Is survival enough?

Swordfish checking out a baitball
Baitball and a swordfish (Shutterstock)
You could argue that humans are in deep trouble if the best we can say about the struggle between cybersecurity and cybercrime at the end of 2022 is: "most of us survived." However, other species on our planet have endured for millions of years by embracing "most of us survive" as the goal of their defensive strategy. 

For example, small fish that spend most of their lives in the open ocean form a tight group when predators approach; then they swirl around in a ball to make it harder for predators to select targets. I wrote about this phenomenon—the baitball—in a recent article on LinkedIn.

So, the good news for 2022 is that we can head into 2023 knowing that the world can survive a large amount of ongoing cyberbadness. We have seen that levels of criminal abuse of digital technology can rise quite high without resulting in the breakdown of society. 

(You could even argue that cybercrime is falling in relation to the growing number of criminal opportunities created by the ongoing deployment of new digital technologies and devices, but that's for a different article.)

The bad news is that surviving is not as enjoyable and fulfilling as thriving. Living just this side of the breakdown of society means the other side is a looming presence, a constant stress factor, as is the knowledge that any one of us could be the next cybercrime victim.

Shrinkage

So what will it take to get from surviving to thriving, to a state in which cybercrime is either eliminated or reduced to a manageable level? Unfortunately, the short answer is: it will take a lot. The countries of the world need to agree to, and enforce, norms of ethical behaviour in the digital realm. If that sounds almost impossible given the current state of the world, then you have a measure of how much effort it is going to take to eliminate cybercrime or reduce it to a manageable level. However, it should be noted that the idea of reducing crime to a manageable level is not unprecedented. 

Shopkeepers learned long ago that it is almost impossible to stop their stock from shrinking. Some employees will swipe stock from the stockroom. Some customers will shoplift. Furthermore, some vendors will over-charge and under-deliver. Taken together, these money-losing phenomena are known as shrinkage. 

Despite efforts to reduce shrinkage, including the use of technology, it still cuts into retail revenue in America to the tune of 1.5% per year on average, equating to losses in the order of $100 billion in 2021. Nevertheless, despite shrinkage, the retail sector keeps going. Retailers don't expect to eliminate shrinkage, but they will spend time and money on measures to keep it to a relatively low percentage.

So what are the prospects for reducing the impact of cybercrime to a very low level, perhaps a very small percentage of GDP? I honestly don't know. We are still a long way from getting a full picture of cybercrime's impact; this is particularly true of the psychological and health impacts. There are hidden social and economic costs as well, given the not insignificant percentage of people who don't go online due to fear of cybercrime.

Some would argue that the term cybercrime is becoming problematic in discussions like this, given that most predatory crime today has "cyber" aspects. Fortunately, there is plenty of evidence that people who commit predatory crime can stop, and many do so as they get older, start families, get a "proper" job. In criminology this is known as desistance and may actually be easier for people with digital skills to desist.

In the broad scheme of things, the most intractable obstacle to reducing cyberbadness may not be predatory criminals clinging to a crooked lifestyle; it could well be humans who are prepared to use digital technologies like social media to spread disinformation, undermine truth, and foster hatred in furtherance of selfish agendas.


Note: 
To the best of my knowledge, the term cyber-badness was first coined by Cameron Camp, my friend and colleague at ESET.

Friday, July 22, 2022

Cobb's Guide to PC and LAN Security: the 30th anniversary of the first version

The Stephen Cobb Complete Book of PC and LAN Security first appeared in print in 1992, an amazing 30 years ago. In celebration of this anniversary, I'm reminding people that a PDF copy of the last version of the book is freely downloadable under a Creative Commons license. 

While a lot of the book's technical content is now dated—a polite way of saying it is stuck in the late 1990s and thus mainly of historical interest—much of the theory and strategy still rings true 

The large file size of this 700 page tome led me to publish it in three easily digestible parts: Part One; Part Two; and Part Three. (You can also scroll down the column on the right of this page for download inks.)

Despite the original title, which was imposed by the publisher, the volume that appeared 30 years ago was by no means a "complete book" on the subject; nor is it now a contemporary guide. However, you can still find it on Amazon, even though Amazon.com did not exist when the first version was published. The images on the left of this article are the current Amazon listings of the three versions (which I will explain shortly).

If you are inclined to take this particular trip down computer security's memory lane, I suggest you download the free electronic version rather than purchase on Amazon. On that trip you will find a few items of note, such as this observation:
"The goal of personal computer security is to protect and foster the increased creativity and productivity made possible by a technology that has so far flourished with a minimum of controls, but which finds itself increasingly threatened by the very openness that led to its early success. To achieve this goal, you must step from an age of trusting innocence into a new era of realism and responsibility, without lurching into paranoia and repression."
I'd say that's a decent piece of prognostication for 1992. It's one of the reasons I have kept the book available all these years, a mix of nostalgia, history, and first principles. Along with a number of friends and fellow security professionals—like Winn Schwartau, Bruce Schneier, and Jeff Moss—I am inclined to think that the parlous state of cybersecurity in 2022, relative to the level of cybercriminal activity, could have been avoided is only more people had taken our advice more seriiously in the 1990s.

Three Versions and a Free Version

I made a lot of changes when I turned that 1992 volume into The NCSA Guide to PC and LAN Security—a 700 page paperback that was published in 1995—but that edition is also very outdated these days. Around 12 years ago I obtained the copyright to these works and, through an arrangement with the Authors Guild, got it reprinted as Cobb's Guide to PC and LAN Security. This was done largely for sentimental reasons and the copies are only printed on demand. 

However, in that process I obtained a high resolution scan of the entire book. I then converted this to text using Adobe OCR software. The result is what I have put online. (Warning: you may encounter OCR errors and artifacts; no claims are made as to accuracy of the information in this document; use at your own risk and discretion, etc.).
LEGAL STUFF: THIS FREE ELECTRONIC EDITION IS LICENSED BY THE AUTHOR FOR USE UNDER CREATIVE COMMONS, ATTRIBUTION, NONCOMMERCIAL, NO DERIVATES. 

Computer Security Prognosis and Predictions 

I plan to post more thoughts on computer security "then and now" but for now I leave you with another quote from the 1992 Stephen Cobb Complete Book of PC and LAN Security:
"The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use."

Monday, March 28, 2022

Big jump in losses due to Internet crimes in 2021, up 64% according to latest IC3/FBI report

IC3/FBI internet crime data graphed by S. Cobb
In 2021, the world came to rely on digital technologies even more than it had in 2020. Sadly, but quite predictably, at least from my perspective, 2021 also saw a lot more sleazy digital scams and dastardly data breaches than 2020. 

How much more were the estimated losses suffered by individuals and businesses who reported internet crimes to IC3 in 2021? They were up 64% over 2020 according to the recently published 2021 Internet Crimes Report from the FBI and IC3, the Internet Crime Complaint Center.

The annual figure for this Internet crime metric rose from US$4.2 billion in 2020 to US$6.9 billion in 2021. That's almost a doubling in two years, from the 2019 figure of US$3.5 billion. The rise in losses from 2020 to 2021 was the second steepest annual increase in the last decade (2017-2018 saw a 91% jump).
 
While there are some issues with using the IC3 numbers as crime metrics—they were not originally collected as an exercise in crime metrics, but rather as an avenue of attack against the crimes they represent—I have studied each IC3 annual report and am satisfied that they reflect real world trends in cybercrime's impact on victims, as measured by direct monetary loss. (You can find out more about this in my article, Advancing Accurate and Objective Cybercrime Metrics in the Journal of National Security Law & Policy.)

When you put a 64% rise in annual internet crime losses in the context of record levels of spending on cybersecurity in recent years, it says to me that current strategies for securing our digital world against criminal activity are not working as well as they should. For more on cybercrime metrics relative to cybersecurity efforts, see this blog post from last year.

For more on the work that IC3 and the FBI do, please download the 2021 report, and any of the previous reports. If you're a criminology or risk and security geek like me, they make for interesting reading. The report lets you see which types of crime were on the increase in 2021—e.g. there is a growing overlap between romance scams and cryptocurrency fraud—and what steps IC3 has been taking to mitigate scams. The report's chart of losses by age group in 2021 was frankly depressing: older members of society are being hit hard by digital scammers.

What's next for cybercrime and its victims?

Firstly, I think we have to be honest with ourselves and acknowledge that, as human activities go, the abuse of digital systems for selfish ends has been a runaway success. Second, we need to realize that we are all victims of this success, regardless of whether or not we have lost any money as a direct result on such abuse. 

As I have said elsewhere, the psychological impact of internet crime creates significant costs, to victims and to society. People lose self-esteem, confidence, and trust. They may need counselling. Their productivity may suffer. Unfortunately, we have not done a good job of measuring harms from criminal abuse of digital systems that are not easily summed up as "how much did you lose?" 

One recent step in the right direction was research in the UK prompted by the consumer group Which? and reported here by the BBC. As the article states, the annual cost of the impact of scams on wellbeing was calculated to be £9.3 billion (roughly US$13 billion). The research suggested  that "scam victims faced a drop in life satisfaction, significantly higher levels of anxiety, and lower levels of happiness." In addition, some victims reported "worse general health." Those findings echo this one in 2014 from the non-profit senior support organization Age UK: "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed." 

When you translate these non-financial harms into the costs they produce: "The average drop in wellbeing for victims of fraud has been valued at £2,509 per year. For online fraud, this estimate is even higher at £3,684" (Which?). 

Now, if assume that this UK estimate holds true in the US and turn £3,684 into US dollars we get roughly $5,000 per victim. I know this is guesswork, but I'd really love to see some entity replicate the Which? research in the US. Because, if that $5,000 proves to be a valid assumption, and we multiply it  by the number of people reporting crimes to IC3 (847,376 in 2021) we get a figure that represents: "the personal and social cost of Internet crimes reported to IC3 in 2021 in addition to the reported financial losses." 

And that number is a whopping US$4.2 billion (which is a bit uncanny because that same figure was the IC3 financial loss total for 2020). Then, if you put that US$4.2 billion together with the IC3 loss number for 2021 (US$6.9 billion) you're looking at an attention-grabbing annual impact for reported Internet crime of more than US$11 billion; hopefully, enough attention to get more public resources channeled into Internet crime prevention and victim support.

Notes:
  • A detailed look at the impact of fraud in general, 24-page PDF of a chapter from the book Cyber Frauds, Scams and Their Victims by Cassandra Cross and Mark Button, 2017.
  • The Fight Cybercrime website which has a lot of helpful info for victims of online fraud, in 12 languages!
  • The source for the statistic that "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed" — PDF of Age UK report, 2016.