I’ve written on computer security hysteria for twenty years and I can tell you this: the U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.
The problem isn’t in the size or the scope of the numbers. Rather, the feds can’t settle on a ballpark figure and they refuse to show their homework. I believe the former problem stems from every bureaucrat’s desire to mouth their very own brown-tinged guesstimate … and we know the latter problem stems from every bureaucrat’s desire to overclassify their use of public domain knowledge sources.
The latter problem encourages a bizarre situation that begins when Fearmonger “A” confidently gives reporters a number he pulled out of his butt, and no reporter calls him on it. Fearmonger “B” reads it in the newspaper and says “I’ll use the number from ‘A’ as my own ballpark figure,” and no reporter calls him on it. Fearmonger “C” reads both numbers online and says “I’ll average the numbers from ‘A’ and ‘B’ when I give lectures,” and no reporter calls him on it. Fearmonger “D” finds those three numbers in a Wikipedia citation and says “I’ll normalize the values from ‘A’ and ‘B’ and ‘C’ in my master’s thesis,” and his professor doesn’t force him to disclose where the “raw data” came from…
For the very longest time — and by that I mean for well over a decade — no one bothered to collect empirical data for their guesstimates, not even the feds. But hey, a complete lack of data never stopped bureaucrats from pulling numbers out of their butts and using newspaper stories as their primary source of expertise. Pray tell, who can forget White House cyber czar Richard Clarke’s famous flip-flop before a Senate subcommittee in 2002?
Let me repeat myself, folks. The U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.
Okay, so now along comes Barack Obama with his “open” government. He picks Dennis Blair as his top intelligence advisor. Blair gives his first congressional briefing almost seven years to the day after Richard Clarke’s famous flip-flop. What kind of numbers does Blair’s solar calculator yield?
“Ferris Research estimates that the total cost of spam and all of the types of fraud that take advantage of spam’s impact is $42 billion in the United States and $140 billion worldwide in last year, while McAfee estimates that global companies may have lost over $1 trillion worth of intellectual property to data theft in 2008.”
I, uh … well, okay: I expected Blair to pull numbers out of his butt. Instead, he all but admits the entire U.S. intelligence community lacks data concerning one of the five most important threats America now faces. The mighty Blair himself can do nothing more than quote wild dollar values spouted by two companies — one of them not even involved in economic assessments. What’s wrong with this picture?
We’re talking about the new head of U.S. intelligence, a career naval leader with underlings who knew well enough to publish a detailed Congressional statement less than a month after he took the oath of office. And yet these underlings couldn’t muster up the nerve to ask the Commerce Department for authoritative figures from a government statistician with a PhD in economics?
We’re getting bad intelligence from the head of U.S. intelligence, folks. And bad intel is worse than no intel at all.
I wish someone on the committee had asked Blair how McAfee derived that $1+ trillion guesstimate. The transcript of his response might read something like this:
“Well, uh, you see, these guys, they— they analyze malicious software code all day long. And I imagine a lot of the damage was caused by the offensive cyber warfare technology that McAfee freely turned over to the Chinese government right under our very noses. So, um, they’re eminently qualified to be global claims adjusters. If I was, you know— an, an insurance firm, and these ‘combat coders’ at McAfee told me that I owed the world over a trillion dollars— I’d certainly be inclined to believe the accuracy of their figures…”
Obama took office on a mandate to “change” government. And yet he picked an intelligence director who takes computer security rhetoric at face value. That’s straight-up status quo, folks.
Memo to Dennis Blair: I cannot believe you cited McAfee. Seriously, Admiral: your underlings let you down. Ask the NSC to brief you on McAfee’s deep involvement in arming China with cyber smallpox technology. You’ll discover the NSC called me in March 2001 for details. Called my home. At 7am…