[ISN] DHS, DOJ plan cybercrime survey
isn at c4i.org
Fri Jan 14 03:15:25 EST 2005
Forwarded from: William Knowles <wk at c4i.org>
By Dibya Sarkar
Jan. 13, 2005
In what they hope will become the premier measure of national
cybercrime statistics, officials at the Homeland Security and Justice
departments plan to survey 36,000 businesses this spring to examine
the type and frequency of computer security incidents.
Officials from both departments said there are currently no surveys
that do what they envision the Computer Security Survey will do
annually: provide statistically relevant national data on cybercrime
across all U.S. businesses, especially those in critical
Patrick Morrissey, deputy director for law enforcement and
intelligence in DHS' National Cyber Security Division, said no one
really knows if the problem is getting better or worse or what sectors
cybercriminals may be targeting.
"We are awash in anecdotal evidence but little or nothing scientific
or verifiable," he told members of the National Infrastructure
Advisory Council Jan. 11 during a presentation. "With that being the
case, decisions are being made in this area on incomplete information.
Among other things this initiative is designed to help us address this
Better data could help form policy and improve resource allocation for
government and the commercial sector, but few datasets are available
on the national level. Other datasets such as the Computer Security
Institute's annual survey examine only the organizations' members.
That doesn't provide nationally representative data, officials said.
Ramona Rantala, a statistician in the Justice Department's Bureau of
Justice Statistics, said DHS and DOJ officials will ask about the
prevalence and types of computer security incidents, where systems
were vulnerable, and whether vulnerability was caused by an insecure
wireless connection. It will also inquire about monetary losses and
who committed the crimes, meaning whether they were general hackers,
foreign competitors or current or former employees.
The Computer Security Survey, which has been vetted by some groups,
including the FBI and the President's Information Technology Advisory
Committee, is still being reviewed by other organizations before
distribution. Officials hope to get preliminary results by the end of
the year if they get enough responses, and have final results within
12 to 15 months. The project will cost about $3.1 million, officials
The full-scale survey is based on a questionnaire that was sent in
2001 to 500 businesses, 208 of which responded. Of the 198 responding
companies that used computers -- 10 did not -- 74 percent reported
they were victims of a cybercrime, such as embezzlement, fraud or
theft of proprietary information. Two-thirds were victimized by a
computer virus at least once, a quarter experienced denial-of-service
attacks and a fifth said their computer systems were vandalized or
Rantala said the full-scale survey will help determine what types of
attacks are most common nationally. She said people tend to think that
if you have one computer attack, you shore up everything and that
prevents anything else from happening. But they fail to consider that
hackers develop methods of attack quicker than businesses can respond
to them. "In other words, they can open the door faster than we can
relock it," she said.
>From the survey, participating companies could also receive tailored
reports of where they stand within their industry in terms of how many
attacks they've been subject to, what kinds of technologies they used
for protection, and percentage of their budget was used for that.
"We'll give them a report with the industry total and with their
specific values so that they'll know where they sit in that industry,"
Rantala said. "A lot of the [chief information officers] said they
would love to be able to take this kind of information to their
president and say, 'We need to put more money in this area. We need to
put a higher percentage of our budget into this kind of technology
because this is what everyone else in our industry is using.'"
She also said the full-scale survey could help estimate losses from
cybercrimes that many news publications publish. "Honestly, nobody
I've talked to has any idea where they come from," she said. "I can't
say the methodology isn't sound. I'm just saying I'm not aware of what
it is because there are no national data out there."
However, results will depend mainly on participation of the officials
at the 36,000 businesses that will receive the questionnaire. For
instance, the pilot survey, Rantala said, found that larger companies
were less likely to respond than smaller companies. Officials at most
of the large companies said they did not respond to voluntary surveys
and that they receive too many surveys for them to answer.
Rantala said it would take an act of Congress to make a survey
mandatory, but officials from both departments prefer it be voluntary.
However, she said Information Sharing Analysis Centers, trade
associations and private-sector leaders could help urge participation
in the full-scale survey.
"What we're trying to avoid is having the businesses get multiple
surveys," she said. "If they're only going to answer one, then we want
it to be ours."
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
More information about the ISN