GCHQ And AV Firms ‘Scaring People Into Buying Security Kit’

GCHQ and Symantec put out fresh warnings over cybercrime, but one cynic isn’t convinced

GCHQ has yet again warned organisations about cyber threats, as figures today indicated Internet-based crime cost the UK over £1.8 billion in the last 12 months.

But the government intelligence agency has been accused of stoking fears, alongside anti-virus vendors, to scare people into buying security products.

Thousands of IT systems are compromised every day, according to GCHQ director Ian Lobban, in a foreword to Executive Companion – 10 Steps to Cyber-Security, published today by the Department for Business, Innovation and Skills. The government and the intelligence agency are looking to inform private businesses on how to improve security, introducing fresh advice today.

“GCHQ now sees real and credible threats to cybersecurity of an unprecedented scale, diversity and complexity,” Lobban wrote. But observers, including University of Cambridge professor Ross Anderson, believe such statements are often overblown.

GCHQ, which is getting a large chunk of the government’s £650 million cyber crime pot, has repeatedly warned about the growing threat of cyber crime. In October, Lobban warned of “disturbing” levels of illicit online activity. A year before that he said there were “real and credible” threats from cyber attacks on the UK’s critical infrastructure.

Lies, damned lies, and cybercrime stats

GCHQ’s warning came as Norton, the consumer arm of security giant Symantec, estimated more than 12.5 million people were victims of cybercrime in the past 12 months, suffering over £1.8 billion in direct financial losses. Norton also calculated that the direct costs associated with global consumer cybercrime stood at £69 billion. The stats were based on self-reported experiences of more than 13,000 adults across 24 countries.

Such figures are often called into question, viewed as marketing ploys by more cynical members of the security community. When Detica, the cyber arm of BAE Systems, released figures claiming the annual cost of cyber crime to UK businesses stood at £27 million, many scoffed at the statistic, claiming it was far too high to be realistic.

One cynic, the University of Cambridge’s Ross Anderson, said the figures from Symantec amounted to “just marketing”, whilst claiming the firm and GCHQ were trying to scare companies into buying security products.

“There’s a lot of stuff in here that isn’t consistent at all with more careful work,” Anderson told TechWeekEurope. “It’s worth bearing in mind that the total social cost of cybercrime is not just the loot stolen by the bad guys. In fact that’s about one percent of the total, according to our report.

“Most of the costs are indirect – money spent in anticipation of cybercrime, such as AV software purchases, and in consequence, such as clean-up. In fact a lot of the imposed cost is the money that the AV companies and GCHQ scare people into spending.”

Symantec responded to Anderson’s claims. Simon Ellson, Norton security expert, said it was the company’s job “to understand the latest Internet security trends and people’s online social and mobile behaviours.”

“By doing so, we can better educate consumers about cybercrime, how threats are evolving and how to help people minimise their exposure to online risks by offering advice and solutions to keep safe online.”

GCHQ denied scaremongering. “GCHQ is not trying to scare businesses into buying new security software,” a spokesperson told TechWeekEurope. “The recommendations in the guidance from GCHQ, BIS and CPNI [Centre for the Protection of National Infrastructure] concern basic information security procedures around people, process and technology. We know that about 80 percent of known attacks would be defeated by embedding these basic security practices. This will make the bad guys’ job a lot harder without costing a fortune.”

Anderson released a report in June, which claimed real cybercrime, relating to Internet-based activity only, was only costing people “a few tens of pence per year directly”. Yet the indirect costs, which included funds spent on anti-virus software, could be “a hundred times that”.
