It has to be assumed that Eugene Volokh didn’t post the analysis of his Mayer Brown colleague, Marcus Christian, without purpose. Christian, “an extremely experienced former federal prosecutor” who is now a Biglaw “white collar” defense lawyer, told a very scary tale of CyberVor, the sort designed to wrap oneself up in the comfort of government power to protect us from looming destruction.
Cybercrime is big business. According to a June 2014 study by the Center for Strategic and International Studies and McAfee, the annual economic cost of cybercrime is $475 billion and growing. The growth in costs results in part from the increasing productivity of cybercriminals.
Last month, Alex Holden, a cybercrime researcher, reported that a Russian cyber gang has built a database of 4.5 billion stolen Internet credentials. According to Holden, the records constituted the largest known assembly of stolen online credentials and included 1.2 billion user name and password combinations and more than 542 million unique e-mail addresses.
Huge numbers. It would appear that they’ve got us, all of us, and they could crush us like bugs, destroy our lives, undermine the very fabric of our society.
Holden described the group behind the illicit database as consisting of fewer than 12 Russian men in their 20s. Calling the group the “CyberVor” gang (a name that he created by adding the Russian word for thief to “cyber”), Holden said the members began working together in 2011 as amateur spammers.
But this is the first inkling that there is something less than savory about the analysis. So CyberVor isn’t their name, like Anonymous, but rather a name imposed on them? Whenever the government seeks to create a scary group out of whole cloth, it first manufactures a name to suggest a level of organization, conspiracy, so that they can point at something with which to strike fear in our hearts. And this is certainly fearful. 4.5 billion stolen credentials? That’s more than the population of this nation. $475 billion in losses? That’s astronomical. Where? Where is that money coming from? Where is it going to? How is this possible?
Businesses must assess and address their technological and human vulnerabilities vigilantly. But they also should collaborate with their peers, outside counsel and law enforcement agencies. . .
Moreover, working with industry groups can enable companies to pool resources and communicate regularly with policymakers to advocate for needed laws, including legislation to reduce cybercrime mitigation costs and to make cybercrime less profitable for organized crime groups. Individual businesses cannot afford to face cybercriminals alone.
Ah, there’s the rub. More cooperation with law enforcement. More laws to facilitate our saviors, the government, protecting us from this made-up group. And this, from a former government lawyer now selling his wares on the outside.
Upon reading this, it struck me as shocking that Eugene would publish such a vapid government press release. Sadly, it didn’t surprise me at all that a former government lawyer was still promoting the government talking points, but that’s Biglaw. Since when, however, did the Volokh Conspiracy use its soapbox to promote governmental fear-mongering, with law enforcement cooperation and facilitation as its solution?
Rob Graham, at Errata Security, wonders the same.
The “Volokh Conspiracy” is a wonderful libertarian law blog. Strangely, in the realm of cyber, Volokh ignores his libertarian roots and instead chooses authoritarian commentators, like NSA lawyer Stewart Baker or former prosecutor Marcus Christian. I suspect Volokh is insecure about his (lack of) cyber-knowledge, and therefore defers to these “experts” even when it goes against his libertarian instincts.
The latest example is a post by Marcus Christian about the CyberVor network — a network that stole 4.5 billion credentials, including 1.2 billion passwords. The data cited in support of its authoritarianism has little value.
While I was unprepared to accept the data for lack of supporting evidence, Rob didn’t really care much either way. It was nonsensical regardless of what numbers they used, and unworthy of the time to question something that could never be proven anyway.
A “billion” credentials sounds like a lot, but in reality, few of those credentials are valid. In a separate incident yesterday, 5 million Gmail passwords were dumped to the Internet. Google analyzed the passwords and found only 2% were valid, and that automated defenses would likely have blocked exploitation of most of them. Certainly, 100,000 valid passwords is a large number, but it’s not the headline 5 million number.
That’s the norm in cyber. Authoritarian types who want to sell you something can easily quote outrageous headline numbers, and while others can recognize the data are hyped, few have the technical expertise to adequately rebut them.
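The distinction Rob draws between the headline count and the number of credentials that actually work is something a defender can measure rather than take on faith. The following is an added example, not code from this post, from Errata Security or from Google: it triages a constructed email:password dump against a constructed user directory and reports how many lines are valid, stale (known account, wrong password) or unknown (no such account). It assumes passwords are stored as salted PBKDF2-SHA256 hashes; the account names, passwords and dump lines are all made up.

```python
import hashlib
import hmac
import os

# Constructed example: a tiny "user directory" of salted PBKDF2 hashes,
# standing in for a real credential store. Iteration count is kept
# modest so the example runs quickly; production stores use more.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash for one password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_directory(accounts):
    """Build {email: (salt, hash)} from (email, password) pairs."""
    directory = {}
    for email, password in accounts:
        salt = os.urandom(16)
        directory[email] = (salt, hash_password(password, salt))
    return directory


# Constructed accounts (hypothetical users, not real data).
USER_DIRECTORY = make_directory([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
])

# Constructed "dump" in the common email:password line format. It mixes
# one current password per account, an old password, accounts that do
# not exist here, and a junk line, as real dumps do.
DUMP = """\
alice@example.com:correct horse battery staple
bob@example.com:oldpassword2009
dave@example.com:letmein
carol@example.com:Tr0ub4dor&3
BOB@example.com:hunter2
mallory@example.com:password
this is not a credential line
"""


def parse_dump(text):
    """Return (email, password) pairs, skipping blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def triage_dump(text, directory):
    """Check each dumped credential against the directory.

    Returns counts and the set of accounts whose current password appears
    in the dump; those are the accounts that need a forced reset.
    """
    pairs = parse_dump(text)
    valid = set()
    unknown = 0
    stale = 0
    for email, password in pairs:
        record = directory.get(email)
        if record is None:
            unknown += 1          # no such account: headline noise
            continue
        salt, stored = record
        # Constant-time comparison of the derived hash with the stored one.
        if hmac.compare_digest(hash_password(password, salt), stored):
            valid.add(email)
        else:
            stale += 1            # known account, password no longer current
    return {
        "lines": len(pairs),
        "valid_accounts": sorted(valid),
        "valid_fraction": len(valid) / len(pairs) if pairs else 0.0,
        "unknown": unknown,
        "stale": stale,
    }


if __name__ == "__main__":
    result = triage_dump(DUMP, USER_DIRECTORY)
    print(f"{result['lines']} credential lines, "
          f"{len(result['valid_accounts'])} currently valid "
          f"({result['valid_fraction']:.0%}), "
          f"{result['stale']} stale, {result['unknown']} unknown accounts")
    for email in result["valid_accounts"]:
        print("force reset:", email)
```

The point of the split is the one Rob makes: only the "valid" bucket measures exposure, and only those accounts need a reset and a look at recent logins; the rest of the dump inflates the headline without changing the risk. Hashing each dumped password with the account's own salt is slow by design, so on a large dump this runs as a batch job rather than inline at login.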
When Eugene offered Christian’s analysis, he gave him attributed credibility by blessing it with space on his blog, plus ascribed credibility by describing him as “an extremely experienced former federal prosecutor.” Not just a former prosecutor. Not just an experienced former prosecutor. Oh no. An “extremely experienced former federal prosecutor.” When he thus spilled numbers across the page, even in the absence of any supporting basis or analysis as to their validity, we bit. Who are we to question the assertions of “an extremely experienced former federal prosecutor”?
But Rob isn’t any of those things. He’s just a top InfoSec guy, the one who is asked to talk at Defcon by the top hackers. No official title at all.
That blog post also cites a study by CSIS/McAfee claiming the economic cost of cybercrime is $475 billion per year. This number is similarly inflated, between 10 and 100 times.
We know the sources of income for hackers, such as credit card fraud, ransomware, and DDoS extortion. Of these, credit card fraud is by far the leading source of income. According to a July 2014 study by the US DoJ and FTC, all credit card fraud world-wide amounts to $5.55 billion per year. Since we know that less than half of this is due to hackers, and that credit card fraud is more than half of what hackers earn, this sets the upper limit on hacker income — about 1% of what CSIS/McAfee claim as the cost of cybercrime. Of course, the costs incurred by hackers can be much higher than their income, but knowing their income puts us in the right ballpark.
Wait, so if the total of credit card fraud, the hard source of revenue for those who steal credentials, is $5.5 billion, and only half of that is due to hackers, where do they come up with $475 billion?
Where CSIS/McAfee get their eye-popping numbers is vague estimates about such things as “loss of reputation” and “intellectual property losses”.
So it’s like calculating loss under the fraud tables in the Sentencing Guidelines, imaginary numbers which make complete sense if one ignores all reality, fabricates bizarre assumptions, attributes made-up numbers to them, multiplies them by the number of ants in a hill, and then adds a few zeroes while telling the sad story of people who might have been harmed if only a meteor struck the earth. It could happen.
Rob goes on to eviscerate Marcus Christian’s government infomercial, ultimately reaching the point of explaining why the dire need for greater government control of cyberspace and your computer is nonsense.
I’m an expert in cybersecurity who helps companies defend against hackers, yet I’m regularly threatened and investigated by law enforcement thugs. They don’t understand what I do, it’s all witchcraft to them, so they see me as part of the problem rather than the solution. Law enforcement already has too much power in cyberspace, it needs to be rolled back, not extended.
While I may have enough experience in sifting through government-speak to smell a rat, I lacked the technical background to explain why it’s pandering to the fear and ignorance of the public. For those impressed by anything sounding lawyerish, or authoritative, coming from someone with credentials that impress you, this is why you don’t get to form an opinion in the absence of sufficient knowledge to discern reality from hyperbole.
But hey, isn’t everybody entitled to an opinion, no matter how little they know and how much less they understand? Isn’t fear-mongering and a decent story enough to make you willingly hand over your privacy to the government to protect you because the sky is falling?