By Benjamin Dean Another month, another data breach , and another set of proposals for what is seemingly a...
By Benjamin Dean
Another month, another data breach, and another set of
proposals for what is seemingly an intensifying cyber-attack problem.
When
we examine the evidence, though, the actual expenses from the recent and
high-profile breaches at Sony, Target and Home Depot amount to less than 1% of
each company’s annual revenues. After reimbursement from insurance and minus
tax deductions, the losses are even less.
This
indicates that the financial incentives for companies to invest in greater
information security are low and suggests that government intervention might be
needed.
To
date, though, few of the policy proposals aimed at improving information
security are directed towards the root cause of this problem. Rather than
creating incentives for companies to invest in better information security, the
Australian, UK and US government proposals are for more information sharing
than securing. In all cases, this sharing is to be done with intelligence
agencies. Why is this and what does it tell us about what the real cyberthreat
to our information is?
The real fallout from data
breaches
The
now infamous Sony breach supposedly perpetrated by North Korea at the end of
2014 drew initial loss estimates of more than $100 million.
In the end, the breach did not actually cost Sony very much at all.
In
its Q3 2014 financial statements, the company
wrote that the breach resulted in “just $15 million in ‘investigation and
remediation costs’ and that it doesn’t expect to suffer any long-term
consequences.” A senior general manager later said the figure would be closer to $35 million for the fiscal year ending March 31.
To
give some scale to these losses, they represent from 0.9% to 2% of Sony’s total
projected sales for 2014 and a fraction of the initial estimates.
How
about costs like reputation damage and lost sales? Sony’s bottom line actually
wasn’t hurt by the hack. Consider that around a quarter of the typical movie
budget is marketing. The Interview cost $44 million to make, which implies a
conservative estimate of $11 million for marketing. This amount was likely
ratcheted down following the breach and the subsequent free worldwide media
frenzy.
The
film made a profit and has so far grossed $40 million in online sales and $6.7
million in cinemas worldwide. If anything, the free publicity for a new movie
on cable news, across social networks and daily newspapers, at Christmas to
boot, represents a net financial benefit to Sony. There’s no such thing as bad
press, after all.
Target
was also subjected to a particularly nasty data breach in late 2013 involving
40 million credit and debit card records and 70 million other records
(including addresses and phone numbers).
In its latest financial statements, Target said
the gross expenses from the data breach were $252 million. When we subtract
insurance reimbursement, the losses fall to $162 million. If we subtract tax
deductions (yes, breach-related expenses are deductible), the net losses tally $105
million.
Target |
This
is the equivalent of 0.1% of 2014 sales.
Finally,
Home Depot suffered a breach last year that resulted in 56 million credit and
debit card numbers and 53 million email addresses being stolen.
The
net expenses incurred by Home Depot ended up at $28 million following an insurance reimbursement of $15 million. This represents less than 0.01% of Home Depot’s sales for
2014.
Moral hazard rears its head
These
numbers suggest that we have a market failure relating to asymmetric
information, which results in the problem of “moral hazard” for private
companies in the area of information security. Moral hazard occurs when one
person or organization takes greater risks because others bear the burden or
costs of those risks.
For
an example, credit and debit card providers incurred the most costly part of
the Home Depot breach. Credit unions claim to have spent $60 million in
September 2014 alone replacing compromised cards. Each customer whose card had
to be replaced also incurred a cost in terms of inconvenience.
It
therefore does not make economic sense for companies like Home Depot to make
large investments in information security. As a result, they do not. The
insurance pay-outs and tax deductible breach-related expenses weaken the
incentives even more.
Reliable
data on the amounts companies spend on information security are scarce.
However, due to the nature of their business and the vital role that
information security plays in it, we know that banks and financial institutions
are some of the biggest investors in robust information security.
JP
Morgan’s CEO, Jamie Dimon, says his firm spends $250 million each
year on cyber-security. To put that in perspective, that constitutes 0.35% of the
JP Morgan’s annual expenses.
If
that’s how much a firm whose very existence rests on preventing data breaches,
one can only imagine how much the average firm invests in information security.
The growing slew of government
proposals
In
the presence of this market failure, the case for government intervention
becomes strong. When we look at the proposals currently on offer though, rather
than better securing information they seek to increase access to it – for
certain organizations only.
The
most recent of these proposals in Australia is the mandatory metadata retention
scheme. This will involve retaining and sharing people’s metadata for two years
(representing an additional information security risk in of itself due to the
centralization of information), cost $400 million a year and be overseen by the
nation’s Intelligence agencies. According to Prime Minister Tony Abbott, if not
passed, this will represent a “a form of ‘unilateral disarmament’ in the fight against crime.” (these crimes include, “cyber attacks, child exploitation, terrorism activity and
other crimes”.)
To
try and put this spending in perspective, figures released by the Western
Australian government suggest that $17 million was lost to online scammers last year.
If we scale this up to the total Australian population and add the $254 million lost to online (“card-not-present”) credit and debit card fraud nationally
in 2013, the total losses from these online crimes still don’t exceed the
yearly cost of Abbott’s proposal! There must be some other reason to justify
this spending.
One
possible answer: in 2010, one of same the agencies within the Australian
Intelligence community that is proposed to oversee the metadata retention
scheme “obtained nearly 1.8 million encryption keys from Indonesian telco Telkomsel,” for
the purposes of “conducting surveillance of a US law firm retained by the
Indonesian government for trade talks.” This last phrase suggests that the real
value in greater information sharing with Intelligence agencies does not come
from fighting online crimes.
In
the US, President Barack Obama recently announced a Cyber Threat Intelligence Integration Center.
Tasked with facilitating information sharing between private and public sector
entities, it will start with a budget of $35 million and will be overseen by the director
of national intelligence. Information security experts widely agree this
will not significantly reduce data breaches.
Prime
Minister David Cameron also has proposals to combat cyber-crimes ranging from banning encryption in the event the government has no
backdoor to decrypt communications (again, something that would undermine the
security instead of improving it) to a number of information sharing measures between the UK and US. This would
include “establishing a joint cyber cell” between the UK’s Government
Communications Headquarters and MI5 and their US partners, the National
Security Agency and the Federal Bureau of Investigation.
These
organizations already collaborate quite a bit and it is not for improving
information security. The news broke two weeks ago that operatives from the NSA
and GCHQ “joined forces in April 2010 to crack mobile phone encryption”
by stealing billions of encryption keys from Dutch SIM card provider Gemalto.
This has some of the biggest negative repercussions on information security
we’ve ever seen to everyone, globally, as Australian Senator Scott Ludlam tried in vain to explain last month.
More questions than answers
Given
that the losses to companies due to data breaches are so low, typically less
than 1% of a company’s annual sales, and the losses so widely distributed, why
are so many costly proposals being made by governments around the world to do
something about the online threat?
The
presence of moral hazard does suggest that there is a role for government to
play in creating incentives for private companies to invest more in information
security.
Why
then do none of the current crop of government proposals address this problem?
More costly than the problems they supposedly address, if anything, they create
a disincentive for companies to make this needed investment by promising
blanket protection from cyber-attacks. The Australian and UK proposals may
actually degrade information security by centralizing data and undermining
encryption.
This
might be exactly the point, though, when we look at which agencies are to be
engaged in these proposals.
Improving
information security should fundamentally involve securing information, yet all
the current proposals involve greater information sharing with intelligence
agencies. Why are the same agencies that have been shown to be active in
undermining the information security of private firms such as Indonesia’s Telkomsel or the Dutch Gemalto – and all of their customers (anyone
with a cell phone - so all of us) – as a consequence of these actions, being
tasked with better securing our information?
If
we don’t identify and address these contradictions, we run the risk of creating
something much worse than the current information security problem. The latest
slew of government proposals raise more questions than answers regarding
information security - and they are very concerning questions indeed.
This article was first published at The Conversation on March 5, 2015
ABOUT THE AUTHOR:
Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University