[ISN] DHS, DOJ plan cybercrime survey

InfoSec News isn at c4i.org
Fri Jan 14 03:15:25 EST 2005

Forwarded from: William Knowles <wk at c4i.org>


By Dibya Sarkar 
Jan. 13, 2005

In what they hope will become the premier measure of national 
cybercrime statistics, officials at the Homeland Security and Justice 
departments plan to survey 36,000 businesses this spring to examine 
the type and frequency of computer security incidents.

Officials from both departments said there are currently no surveys 
that do what they envision the Computer Security Survey will do 
annually: provide statistically relevant national data on cybercrime 
across all U.S. businesses, especially those in critical 
infrastructure sectors.

Patrick Morrissey, deputy director for law enforcement and 
intelligence in DHS' National Cyber Security Division, said no one 
really knows if the problem is getting better or worse or what sectors 
cybercriminals may be targeting.

"We are awash in anecdotal evidence but little or nothing scientific 
or verifiable," he told members of the National Infrastructure 
Advisory Council Jan. 11 during a presentation. "With that being the 
case, decisions are being made in this area on incomplete information. 
Among other things this initiative is designed to help us address this 

Better data could help form policy and improve resource allocation for 
government and the commercial sector, but few datasets are available 
at the national level. Other datasets, such as the Computer Security 
Institute's annual survey, examine only that organization's members. 
That doesn't provide nationally representative data, officials said.

Ramona Rantala, a statistician in the Justice Department's Bureau of 
Justice Statistics, said DHS and DOJ officials will ask about the 
prevalence and types of computer security incidents, where systems 
were vulnerable, and whether the vulnerability was caused by an 
insecure wireless connection. It will also inquire about monetary 
losses and who committed the crimes, meaning whether they were general 
hackers, foreign competitors, or current or former employees.

The Computer Security Survey, which has been vetted by some groups, 
including the FBI and the President's Information Technology Advisory 
Committee, is still being reviewed by other organizations before 
distribution. Officials hope to get preliminary results by the end of 
the year if they get enough responses, and have final results within 
12 to 15 months. The project will cost about $3.1 million, officials 

The full-scale survey is based on a questionnaire that was sent in 
2001 to 500 businesses, 208 of which responded. Of the 198 responding 
companies that used computers -- 10 did not -- 74 percent reported 
they were victims of a cybercrime, such as embezzlement, fraud or 
theft of proprietary information. Two-thirds were victimized by a 
computer virus at least once, a quarter experienced denial-of-service 
attacks and a fifth said their computer systems were vandalized or 

Rantala said the full-scale survey will help determine what types of 
attacks are most common nationally. She said people tend to think that 
if you have one computer attack, you shore up everything and that 
prevents anything else from happening. But they fail to consider that 
hackers develop methods of attack quicker than businesses can respond 
to them. "In other words, they can open the door faster than we can 
relock it," she said.

From the survey, participating companies could also receive tailored 
reports of where they stand within their industry in terms of how many 
attacks they've been subject to, what kinds of technologies they used 
for protection, and what percentage of their budget was used for that.

"We'll give them a report with the industry total and with their 
specific values so that they'll know where they sit in that industry," 
Rantala said. "A lot of the [chief information officers] said they 
would love to be able to take this kind of information to their 
president and say, 'We need to put more money in this area. We need to 
put a higher percentage of our budget into this kind of technology 
because this is what everyone else in our industry is using.'"

She also said the full-scale survey could help estimate losses from 
cybercrimes that many news publications publish. "Honestly, nobody 
I've talked to has any idea where they come from," she said. "I can't 
say the methodology isn't sound. I'm just saying I'm not aware of what 
it is because there are no national data out there."

However, results will depend mainly on the participation of officials 
at the 36,000 businesses that will receive the questionnaire. For 
instance, the pilot survey, Rantala said, found that larger companies 
were less likely to respond than smaller companies. Officials at most 
of the large companies said they did not respond to voluntary surveys 
and that they receive too many surveys for them to answer.

Rantala said it would take an act of Congress to make a survey 
mandatory, but officials from both departments prefer that it be 
voluntary. However, she said Information Sharing and Analysis Centers, 
trade associations and private-sector leaders could help urge 
participation in the full-scale survey.

"What we're trying to avoid is having the businesses get multiple 
surveys," she said. "If they're only going to answer one, then we want 
it to be ours."

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org