Showing posts with label analysts. Show all posts

Wednesday, April 25, 2012

Re-Calibrating Cybercrime Costs and Responses


A few days ago the NYT published an article called "The Cybercrime Wave That Wasn't". What !?!

I read the title again, cleaned my glasses, counted to ten, took a deep cleansing breath, and looked at it again.

It still said the same thing. How disappointing. But maybe, I thought, it was just another piece of anti-sensationalist faux-journalism.

Here's a slice for you:

"Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply."

If you read the article, the authors unpack their analysis that shows the upward bias and roundup errors that appear "among dozens of surveys, from security vendors, industry analysts and government agencies" and they note that they "have not found one that appears free of this upward bias."

They don't go as far as you'd think they would if they were true anti-sensationalists, because they remind the reader that despite the fact that it appears actual cybercrime losses are much lower than the many reports on the subject seem to indicate, there's still major cause for concern:

"... this is not a zero-sum game: the difficulty of getting rich for bad guys doesn’t imply that the consequences are small for good guys. Profit estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem."

Sounds pretty fair and balanced to me. And so I was well prepared when Computerworld (and many others) reported yesterday that an analyst firm called Group-IB, after reviewing the Russia cyber underworld's 10Q and 10K reports, audited by an unnamed Big 4 accounting firm, estimated that Russian cyber criminals bagged $4.5 billion last year.

Inclined now to be skeptical of large numbers in this area, I asked someone who should know, and he said the absence of a methodology section in the report made it hard to take the claims seriously.

Of course, since you already know I'm a card-carrying member of AAAJOA - Anti-sensationalist, Anti-alarmist Amateur Journalists of America, it may be hard to take my post entirely seriously. But I like the fresh perspective the NYT authors, Dinei Florencio and Cormac Herley, brought to a topic which we've all been rather slow to question in the past. Kudos.

Image credit: Public Domain Photos on Flickr.com

Thursday, June 16, 2011

How much Smart Grid has been deployed so far?

Not all questions can be answered on the fly. In fact, not all questions can be answered, period:
  • What, for instance, is black matter?
  • What is my cat thinking?
  • Is there intelligent life on Earth?
  • How does Tim Thomas stop so many shots?
Heck, 99% of us can't even agree on what the Smart Grid is, let alone have a clue about when it's going to be here. Nevertheless, after being asked the question in the title above, I pledged to do some digging and post a response here on the SGSB as soon as I thought I had something. This came at the tail end of the recent Virtual Energy Forum (VEF) session called: "Lessons from the Smart Grid Security No FUD Zone." You can try getting to it by clicking HERE, but good luck.

Now without further delay, procrastination or obfuscation, here we go. If you look at this SmartGridNews write-up of a recent IDC Smart Grid market report, the picture may begin to come into view for you. Sometimes you can infer the past by getting a glimpse of the future (a nifty reversal of common wisdom that you can better imagine the future by studying the past).

Around the world, Smart Meters are being deployed at ever-increasing rates. Home energy management systems are expected to go through the roof (so to speak). And grid automation is coming on strong. So, question: how much is deployed today vs. what will be ultimately deployed in 5, 10, or 20 years?

Answer: Some of it, not all of it. We're still in the early days. Given the pace of technology change, probably the very early days. It's a good question to keep asking, though, and for some of us to try to keep answering. But I reckon it ain't ever going to be fully answered, because the Smart Grid (if it's still called that in the future) won't ever be fully here.

Photo credit: Radar Communication on Flickr.com

Thursday, September 30, 2010

Smart Grid Vendor Universe Charted


Thanks to David Leeds and his Smart Grid team at GreenTech Media (GTM) for building this novel and helpful view of the Smart Grid vendor world. In this end-to-end view, some companies are listed once; others have entries in multiple offerings categories. (Click on the image above for a larger view, or follow THIS LINK to get more info on the report and see a larger, hi-rez version of the map.)

I note the listing of primarily boutique outfits in the security column. I've had experience with all of them and can report that all are solid. It's been my experience that the bigger outfits with significant, more scalable security capabilities in other sectors are working on tuning their offerings to the energy space and are at varying stages of maturity in this effort. In coming weeks I will try to ferret out more info from GTM and the other analysis firms covering Smart Grid security to get a more comprehensive view for you.

Monday, June 1, 2009

Forrester and other Analyst Firms on Smart Grid and Smart Grid Security

More IT security specialists will begin to understand smart grid security as analysis firms like Forrester Research join the bandwagon. Recent post here from Forrester's "Security & Risk" Professionals blog. An IT-based analysis firm that's much larger than Forrester, and with more smart (they say, "intelligent") grid coverage, is found in Gartner Group. Lastly, Cambridge Energy Research Associates (CERA) is an energy-focused analysis firm, though as with Forrester and Gartner, Smart Grid seems to be a relatively new topic for them. Note: most of these co's only give you a taste of what they know and hold most of the potentially helpful detail behind their paid subscription firewalls. Repeat: potentially helpful.