Archive for 'Cyber security'
Michael D. Moberly October 7, 2014 ‘A long form blog where attention span really matters’.
In 2013, CSIS (the Center for Strategic and International Studies) and McAfee partnered to examine the economic impact of cyber and economic espionage in a manner more inclusive than any I have observed over the past 25+ years. Dr. James Lewis, Senior Fellow and Director of CSIS' Technology and Public Policy Program, who directed the study, offered his best guess that the upper limit of the costs and losses attributable to cyber and economic espionage is probably under one percent of GDP (gross domestic product). Lewis also states, and I paraphrase, that U.S. economic losses to cybercrime and economic espionage originating specifically in China may reach as much as $140 billion annually.
Lewis translates the $140 billion annual IP loss to 508,000 jobs…
While I have no basis to dispute those figures, or to question Dr. Lewis' experienced and respected record in the cybercrime and economic espionage arena, I do suggest that two key factors determine how one arrives at the $140 billion annual loss figure, i.e.,
- which assets and/or impacts are included in the count, and
- the methodology used to determine the near- and long-term value of the lost assets, in terms of the costs and losses companies will experience with respect to market space, competitive advantages, profitability, sustainability, etc.
Lewis notes, and I agree, that describing value loss and impact estimates with broad ranges is itself indicative of how difficult losses are to calculate. Companies may also be reluctant to reveal their victimization, i.e., victim companies may (a.) conceal particular portions of their losses, or (b.) not know how to distinguish which intangible assets were targeted, stolen, compromised, or misappropriated. Lewis wisely places the wide-ranging loss estimates attributed to cyber and economic espionage in context, starting with World Bank reports that put global GDP at about $70 trillion for 2011. Thus a $400 billion loss, the high end of the probable range of losses attributed to cybercrime and cyber espionage, is a fraction of one percent of global GDP. This, Lewis says, prompts additional questions, several of which I have been examining for many years, e.g., who are the recipients and/or ultimate beneficiaries of the acquired (intangible) assets, and are they positioned to maximize the benefits, e.g., market position, sector competitive advantages, reputation, value, sources of revenue, profitability, etc.?
Conventional loss surveys assess and assign dollar value to losses… Some IP and intangible asset loss estimates rely on surveys, which, as Lewis correctly points out, generally produce imprecise findings because, among other things, respondents are inclined to "self-select", which distorts the findings. Lewis suggests loss estimates should instead be based on "scale and effect", which 'will likely produce quite different and possibly more objective and accurate results in terms of adverse impacts and loss values'.
CSIS – McAfee assessment model… Lewis' intent was to bring greater clarity and validity to the loss figures being reported, so data on car crashes, retail pilferage/shrinkage, crime statistics, and drug usage were examined for their relevance as comparison methodologies to draw upon in devising CSIS' assessment (valuation) model. By incorporating these analogies into the design of their loss valuation model, Lewis and McAfee were suggesting it is problematic to rely on conventional survey methodologies to calculate dollar values for losses, because, among other things…
- companies that publicly reveal their losses are frequently unable to distinguish the actual (proprietary, IP, intangible) assets that were stolen, compromised, or infringed, so their figures amount to guesstimates;
- intellectual property and intangible asset losses are difficult to quantify because relevant dependent variables are often absent from the equation; and
- the self-selection inherent in most conventional survey methodologies frequently distorts the findings.
The CSIS model includes components – classifications of malicious cyber activity and economic espionage…
Lewis arrives at these by asking what should be included and counted in order to reach more precise loss estimates, i.e., whether there…
- was a loss of intangible assets, i.e., intellectual property and sensitive, confidential, or proprietary business information.
- was an actual crime committed, i.e., a violation of federal law.
- were opportunity costs, i.e., business and/or service disruptions that adversely affected consumer/customer expectations, particularly those related to the victimized company's online activities.
- would be additional costs incurred relative to…
- re-securing their IT networks.
- achieving greater company resilience in recovering from future cyber and economic espionage attacks, and
- developing/executing business continuity plans designed to provide more rapid and fuller recovery when future attacks occur.
- were damages to company reputation, which tend to have a longer recovery period, and lastly,
- were costs to re-establish and re-secure company supply chain networks.
What’s the harm…?
If Lewis is correct in inferring that 'tolerated costs' and/or 'ceilings' for estimating losses have, inadvertently, taken hold, a different perspective is worth considering: is economic and cyber espionage the greatest transfer of wealth in history, or merely a rounding error in countries' GDP…?
The first characterization is, of course, intended to elevate the significance of, and acknowledge the adverse impact of, cybercrime and economic espionage, while the second is intended to diminish the 'sticker shock' of those impacts by expressing them as percentages of national GDP.
As always reader comments are most welcome.
Michael D. Moberly February 14, 2013
Some time ago, I am not sure precisely when, a change in language occurred with respect to computer/IT system security. What had traditionally been described primarily as defensive action to prevent and/or mitigate system vulnerabilities and infiltration by hackers or economic/competitive advantage adversaries is now widely described, for what I believe are similar phenomena, as cyber-security and cyber-warfare. The distinction between the two is that the latter is generally presumed to occur on a larger scale, with greater frequency, sophistication, and asymmetric elements, and to be able to destroy, deploy malware, or siphon (extract) specifically targeted intangible assets from a single company and/or a 'pillar' of our national infrastructure almost instantaneously.
What troubles me most about this language change is that the term cyber-warfare in particular carries the inference that 'all things evil' to a company's computer/IT systems emanate from afar, i.e., primarily from (foreign) state-sponsored actors, non-state actors, or the growing number of global legacy-free players. Let me be clear: I am in no way questioning whether the above are regular, if not the primary, initiators; there is ample evidence (anecdotal and otherwise) that they are.
The attention and alarms that both the private sector and government agencies raise regarding cyber threats, security, and warfare are obviously warranted, and I seek neither to dispute nor to diminish their significance. After all, the cascading infrastructure havoc created by a significant offensive cyber attack could be incalculably cataclysmic.
But identifying the best strategy, tools, and/or practices to address these persistent challenges, especially since there is no reason to believe they will dissipate, is where much of the debate lies today in C-suites globally, e.g., among CSOs (chief security officers), CROs (chief risk officers), CISOs (chief information security officers), CIPOs (chief intellectual property officers), and certainly legal counsel.
That is, with respect to the private sector, is it best to remain primarily in a defensive mode of repelling, preventing, and containing? Or should the private sector engage in independent offensive and/or pre-emptive initiatives, e.g., mounting cyber attacks against known adversaries in the hope that such undertakings will produce deterrence rather than escalation?
Before we get too far down a particular strategic path, it is important to recall that the U.S. remains distinctive from most other countries in that the key pillars of its national infrastructure are generally privately owned and operated, apart from direct government control. This distinction suggests that independent offensive or pre-emptive action by the private sector against known state-sponsored cyber adversaries would produce unknown reactions and/or consequences that may well outweigh our natural inclination to publicly expose 'who's doing what to whom'.
From an information (intangible) asset protection practitioner's perspective, I believe the subject is being framed too narrowly and is perhaps overly influenced by an IT/computer security orientation, à la cyber security and cyber-warfare. Framed this way, little or no room is left to recognize that companies' mission-critical, sensitive, and proprietary information (intangible) assets routinely exist in formats other than electronic 'ones and zeros and bits and bytes'.
I am certainly not suggesting that the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare directed against the private sector is misguided or misplaced. I am suggesting that this perception and its accompanying strategies give short shrift to the economic fact that 65+% of most companies' value, sources of revenue, and 'building blocks' for growth, sustainability, and profitability today lie in, or evolve directly from, intangible assets, e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital. Thus the real advantages (value, profitability) belonging to companies may not always be housed in a computer or IT system, and are therefore not exclusively vulnerable to cyber attack or cyber warfare.
Moreover, information asset protection policies and practices dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatory knowledge- and intangible-asset-based global economy. In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames. Endeavoring to safeguard or secure these assets, in my view, should not be conceived or practiced exclusively through an IT/cyber security lens. Instead, responsibility for safeguarding valuable information (intangible) assets must become embedded in people's orientation, ethic, and company culture, because increasingly that information exists in the form of intellectual capital.
As information (intangible) asset protection specialists know well, proprietary and sensitive business information percolates throughout a company and is not confined to what is accessible through one's laptop, desktop, or 'the cloud'. Nor can intellectual capital be reduced solely to electronic 'ones and zeros or bits and bytes'.
But information safeguard policies and practices that rest on a presumptively superior IT/cyber security program can send a misleading message: if an organization's IT system is proclaimed to be secure, then presumably the company's proprietary information is also secure, which we know is not the case. In today's increasingly predatory global business environment, incessantly thirsty for information assets, that is a message no company should accept.
It is certainly not my intent here to be dismissive of the absolute necessity to rapidly identify, assess, and consistently thwart the very real risks and threats posed by state-sponsored and independent cyber attacks.
But it is equally important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company's most valuable and treasured trade secrets and wreak economic, competitive advantage, and market havoc, one company at a time.
(This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th on Morning Edition.)
My blog posts are researched and written by me with the genuine intent they serve as a worthy and respectful venue to elevate awareness and appreciation for intangible assets throughout the global business community. Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk. As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single paragraphed platforms to reference other media.
Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog, readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593.