FUD marketing: a stick generated by the industry and wielded by governments
One of the things that worries me is the steady stream of inflated or unprovable statistics showing how dire the cyber threat has become. I am not alone in this concern. Ross Anderson and his team at the Cambridge University Computer Lab famously objected to statistics prepared by Detica for the Cabinet Office. Invited by the Ministry of Defence to produce their own defensible figures, they delivered a report showing that, statistically, government would achieve far better security by catching the crooks than by buying ever more expensive and sophisticated security systems.
But government doesn’t want to do that. As far as government is concerned, security is achieved by control. Having control of the internet and control over the internet’s users will provide the security they want (and the megalomaniac satisfaction they crave).
It is made worse by a huge security industry that can only survive if we buy its products. And the more afraid we are, the more money we will spend and the richer they will get.
So the poor bloody user is caught in an inescapable pincer: both the government and industry want us to be afraid – and horrific statistics and hyped up warnings created by industry and spread by government will do just that.
Here’s an announcement that came out the other day from NCC. Headline: “Hacking attempts to exceed one billion in the final quarter of 2012”. That’s pretty scary.
Rob Cotton, CEO of NCC Group, comments later in the announcement:
“We’ve had copious initiatives and plans announced in the last quarter from bodies and governments aimed at addressing this issue, but the urgency just doesn’t seem to correlate with the growing threat… but these initiatives alone are not going to solve the problem. Public and private sector must work together, strategically and tactically, if we are going to be able to realistically defend against a billion hacks a quarter.”
Notice two things. First, government initiatives (including, I assume, the Communications Bill, GCHQ’s Incident Response Scheme, the Digital Economy Act, RIPA and Baroness Howe’s internet censorship, and that’s just in the UK) are apparently not yet enough. Second, within the space of one announcement the hacking has morphed from ‘attempts’ in the headline into “a billion [actual] hacks a quarter” in the quote.
A hack is, generally speaking, the unauthorised access of a computer. Taken at face value, Mr Cotton’s figure means we are currently suffering more than 333,000,000 of them every month, or more than 10,000,000 every day. Clearly the government must pass more laws and we must spend more money with the security industry so that we don’t suffer another 10 million hacks tomorrow.
It is only at the very end of the announcement that we find the rider: “Stats do not necessarily indicate successful access, just unauthorised attempts.” On this basis the quoted figure will include automated port scans. (I remember watching such scans click up on my PC at about one every few seconds, each one stopped by a very early version of ZoneAlarm. Call it 5 per minute, or 300 per hour, 7,200 per day, around 216,000 per month and around 648,000 per quarter, just for little me, and all stopped by my little free firewall.) Add to this every spam email that carries a link to an exploit kit, which can equally be described as a hacking attempt, and suddenly the one billion figure seems rather conservative but not particularly frightening.
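As an added illustration, not part of the original post and not drawn from any NCC Group data, here is a small Python script run over constructed netfilter-style firewall log lines (the field layout is assumed for the example, and the addresses are RFC 5737 documentation ranges). It shows how one and the same log gives a vendor-style “attempts” count, a far smaller count of the scanning hosts behind those attempts, and a shortlist of accepted inbound connections that could actually be unauthorised access. The `attempts_per_quarter` helper reproduces the five-per-minute extrapolation above.

```python
"""Added example, not from the original post or any NCC Group material.

Counts what a "hacking attempts" headline figure really counts, using
constructed netfilter LOG-target style lines (field layout assumed).
"""
import re
from collections import Counter

# Constructed sample: two TCP port sweeps, one stray UDP probe, one ICMP
# echo request, and two accepted inbound connections. Addresses are from
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 12 03:14:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41002 DPT=22 SYN
Oct 12 03:14:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41003 DPT=23 SYN
Oct 12 03:14:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41004 DPT=3389 SYN
Oct 12 03:14:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41005 DPT=445 SYN
Oct 12 03:14:05 gw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=53413 DPT=1900
Oct 12 03:14:09 gw kernel: DROP IN=eth0 SRC=192.0.2.19 DST=198.51.100.2 PROTO=TCP SPT=55110 DPT=22 SYN
Oct 12 03:14:09 gw kernel: DROP IN=eth0 SRC=192.0.2.19 DST=198.51.100.2 PROTO=TCP SPT=55111 DPT=80 SYN
Oct 12 03:14:12 gw kernel: DROP IN=eth0 SRC=192.0.2.19 DST=198.51.100.2 PROTO=TCP SPT=55112 DPT=8080 SYN
Oct 12 03:14:20 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.88 DST=198.51.100.2 PROTO=TCP SPT=50222 DPT=443 SYN
Oct 12 03:14:31 gw kernel: ACCEPT IN=eth0 SRC=192.0.2.200 DST=198.51.100.2 PROTO=TCP SPT=50301 DPT=22 SYN
Oct 12 03:14:40 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
"""

# Fields of interest; SPT/DPT are absent for ICMP, so they are optional.
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=(?P<iface>\S+) SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["dpt"] = int(entry["dpt"]) if entry["dpt"] else None
        entry["syn"] = line.rstrip().endswith(" SYN")  # new connection attempt
        entries.append(entry)
    return entries


def headline_attempts(entries):
    """The vendor-style count: every dropped inbound packet is one 'attempt'."""
    return sum(1 for e in entries if e["action"] == "DROP")


def scanning_sources(entries):
    """Collapse dropped packets to the hosts behind them: one scanner, many hits."""
    return Counter(e["src"] for e in entries if e["action"] == "DROP")


def access_to_review(entries, public_ports):
    """Accepted inbound connections to ports that are not meant to be public.

    Only these lines could be actual unauthorised access, and even they need
    an authentication log to confirm it; the firewall alone cannot tell.
    """
    return [
        (e["src"], e["dpt"])
        for e in entries
        if e["action"] == "ACCEPT" and e["syn"] and e["dpt"] not in public_ports
    ]


def attempts_per_quarter(per_minute, days=90):
    """Scale a per-minute count of blocked probes to a 90-day quarter."""
    return per_minute * 60 * 24 * days


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("headline 'attempts':", headline_attempts(log))
    print("scanning hosts:", dict(scanning_sources(log)))
    print("accepted, non-public port:", access_to_review(log, {443}))
    print("5 per minute over a quarter:", attempts_per_quarter(5))
```

On this sample the headline method reports nine attempts, which turn out to be three scanning hosts, and exactly one accepted connection (SSH from an unknown address) that would justify opening the auth log. The billion-a-quarter figure is what you get when you publish the first number and quietly footnote the other two.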
But this is what government and those parts of the security industry close to government do. It’s called FUD marketing: they get what they want by disseminating fear, uncertainty and doubt, and they do that with huge, poorly defined and rarely defended scary figures and statistics. If you think we’re being manipulated, it’s because we are.