Government Cyber Crime Report Debunked

An IT security professor claims the government’s cyber crime report is merely sales bumf for BAE

A government report detailing the shocking cost of cyber crime to the UK economy has been dismissed by an information security professor at the London School of Economics as a “sales promotion exercise” by BAE Systems.

The report released last week by the Office of Cyber Security and Information Assurance (OCSIA) and information intelligence firm Detica (owned by BAE Systems) claims that cyber crime costs the UK economy £27 billion annually, with IP theft and industrial espionage being the main culprits.

However, Professor Peter Sommer told ZDNet that OCSIA should not have allied itself with the report, which he described as an “unfortunate item of British Aerospace puffery”. He said that the report was full of “fake precision,” and that no agreement has yet been made about what to include in the calculation of losses.

“The whole report has been orientated to areas in which BAE can offer its facilities and services,” he said.

Based on assumption

The report claims that IP theft from businesses has the greatest economic impact of any type of cyber crime, costing £9.2 billion per annum, with the hardest hit sectors being pharmaceuticals and biotech, electronics, IT and chemicals.

Meanwhile industrial espionage has the second greatest impact at £7.6 billion, according to the report, followed by £2.2 billion from extortion, £1.3 billion from direct online theft, and £1 billion from the loss or theft of customer data.

The study was welcomed by the Federation Against Software Theft (FAST), which claims that it should act as an alarm call for government and businesses. “There needs to be a number of ongoing debates to examine and secure a handle on these issues and if necessary improve legal as well as technological tools to reduce these figures over the short, medium and long term,” said FAST’s chief executive, John Lovelock.

However, even FAST acknowledged that the OCS’ assessments are “based on assumption rather than solid research,” and said that a truly accurate figure for cyber crime losses could only come from a “centralised reporting hub”.

Difficult to measure

Tyler Moore, a Harvard University cyber-security expert, also responded to the report with a blog post, criticising the researchers’ failure to describe the methodology and calculations for ascribing the probabilities used to calculate the estimate.

“Very small changes to the probabilities could mean the true cost of cyber crime is much smaller or larger,” explained Moore. “The authors try to account for this by also computing best- and worst-case probabilities, but there is no indication how different these values are, nor how they were derived. Consequently, stating that the true cost of cyber crime lies between the best and worst case scenarios is meaningless.”

Previous attempts have been made to calculate the true impact of cyber crime, but Moore explains that it is very difficult to make estimates because outside researchers do not have access to the same level of information on attacks as the victims do. In the case of espionage, many victims may even be unaware that they have been attacked.

Last week, home secretary Theresa May announced that the UK government has apportioned £63 million of its promised £650 million cyber security fund to tackling cyber crime. The news follows a warning last year by the director of the Government Communications Headquarters (GCHQ) that the UK is facing ‘real and credible’ threats from cyber attacks on its critical infrastructure.