# Cyber-security's dirty little secret: It's not as bad as you think

New research from the Global Commission on Internet Governance has reached a surprising conclusion: cyberspace is actually getting safer. The report [PDF] starts from a simple enough premise: while we are constantly told that incidents of cyberattacks and online security threats are increasing, are they growing relative to the …

1. #### It's not a dirty secret

It's a dubious assumption based on dirty logic.

1. #### Re: It's not a dirty secret

Yep, funny how volume goes down when things start becoming more targeted. 1000 DDoS attacks against government web sites don't come close to the damage caused by a handful of attacks gaining security clearance application data.

2. If I follow this correctly (and it's possible I didn't because my eyes glazed over almost immediately) he's saying that if, for instance, the number of zero day vulnerabilities in a piece of software increases by 10% but the number of users doubles, then on the whole things have got safer. He normalises the defects as being per user, so instead of saying faults are now 110% of what they were they're actually 55%, because you have to divide the number of faults by the increased number of users. Hmm. But if each of those users has copies of the same software, the faults out there are now 220% of what they were - twice the number of users with S/W with 110% of the faults.

1. #### calling all Mathematicians

Can someone explain how 10 out of 1000 is equal to 100 out of 10,000,000?

I'd like to know before I continue reading the article.

1. #### Re: calling all Mathematicians

"... explain how 10 out of 1000 is equal to 100 out of 10,000,000."

You need to compare blogs.

2. #### Re: calling all Mathematicians

It isn't.

I think you're referring to this:

"while 10 homicides in a small town of 1,000 is terrifying, 100 in a city of 10 million would be considered low. The second is still 10 times the first."

It might have been altered since your comment, I suppose.

3. #### Compare...

Consider a zero day vulnerability afflicting 1 million websites that have small traffic

Now compare that with a zero day vulnerability that has found itself onto a site such as google.

The number of websites does not matter, it is the number of distinct visitors to those websites which is of importance.

4. #### Logic is flawed

Rather than number of zero day vulnerabilities, it should be based on number of sites and applications affected by those vulnerabilities. That will give a clearer picture of the potential damage!

1. #### Re: Logic is flawed

...and people.

I can think of several hundred million who have been affected in the last couple of years and 22 million just recently.

Not to mention ransomware is still very popular. Got an outbreak going around right now.

5. #### Tricky stuff

Statistics.

1. #### Re: Tricky stuff

Indeed, it is tricky. The paper's author seems to be juggling things to produce a pre-determined result, in my opinion. He's doing number juggling and not real world metrics to produce a warm, fuzzy result of "we're all safer now".

1. #### Re: Tricky stuff

"juggling things to produce a pre-determined result, in my opinion. He's doing number juggling and not real world metrics to produce a warm, fuzzy result of 'we're all safer now'."

And why might that be?

1. #### Re: Tricky stuff

"And why might that be?"

Maybe that's what he's paid to do.

6. #### Correlation, causation, and conclusions

While it isn't a bad thing, in and of itself, to attempt to collect data and make sense of it, there's a bit of a problem with collecting data, finding that it is inadequate to draw conclusions from, and then...drawing conclusions from it.

Botnets are decreasing in absolute terms? Interesting. Botnets decreasing in relationship to aggregating personal computer numbers with devices/platforms that may, or may not, have relevance to botnets? What does that mean? Anything?

The zero day conclusions: I don't have complete data, yeah, there's a bunch of scary zero day things, and I don't have any way to figure out how "dangerous" they are or how exposed people are to them, but hey, if I increase the pool of potentially impacted people, the ratio goes down. Yay, we're safer?

If we add in the human population to the bird population, and then calculate the ratio of creatures dying from avian flu on an annual basis...are humans getting safer? Or is the question so unrelated to the available data that attempting to answer it with the data is silly?

1. #### Re: Correlation, causation, and conclusions

"Botnets are decreasing in absolute terms? Interesting. Botnets decreasing in relationship to aggregating personal computer numbers with devices/platforms that may, or may not, have relevance to botnets? What does that mean? Anything?"

It also appears to ignore the fact that higher value targets are seemingly being preferred when building/adding to a botnet.

Commandeering a few crappy PCs on crappy DSL connections vs commandeering a single server on a high-quality 10/100/1000 connection..... statistically, the botnet is smaller if you do the latter, but it's also far more capable for certain tasks.

7. #### Good one.

The OPM hack potentially affected 1 in 15 U.S. residents. The Target attack potentially affected 40 million. At this rate, almost everyone in the U.S. will have been potentially attacked (to say nothing of the letter agencies' spying), at which point we might as well call it a day and stop worrying about malware at all, because they would be the normalized norm by then.

1. #### Re: Good one.

Ah, I see someone else sees the flaw in his thinking.

Exactly veganvegan.

8. #### Not a fair comparison

One homicide has exactly one victim plus family friends etc who are impacted by it. One botnet or one security vulnerability can have many victims, and the potential number of victims per incident grows with the population.
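The arithmetic behind this post and the earlier "55% vs 220%" comment, written out as an added example (not from the article, the report, or any commenter). All figures are constructed: 100 vulnerabilities growing to 110 while users double from 1000 to 2000, and a hypothetical `hit_rate` of 0.1% of the population compromised per vulnerability. The point it shows is that normalising per capita works for homicides, where each incident has one victim, but not for vulnerabilities, where the victim count per incident grows with the population, so the per-capita victim rate never falls.

```python
"""Per-capita normalisation versus total exposure (constructed illustration)."""

from typing import Callable, List, Tuple

PER = 100_000  # express rates per 100,000 people


def per_capita_rate(count: float, population: int) -> float:
    """Events per 100,000 people: the normalisation the report applies."""
    return count * PER / population


def normalised_change(v_before: int, v_after: int, u_before: int, u_after: int) -> float:
    """Ratio of the per-user vulnerability rate after vs before (the report's view)."""
    return (v_after / u_after) / (v_before / u_before)


def exposure_change(v_before: int, v_after: int, u_before: int, u_after: int) -> float:
    """Ratio of total exposure: vulnerabilities times the users running them."""
    return (v_after * u_after) / (v_before * u_before)


def homicide_victims(incidents: int, population: int) -> float:
    # One homicide has exactly one victim, however large the population.
    return float(incidents)


def vulnerability_victims(incidents: int, population: int, hit_rate: float = 0.001) -> float:
    # A vulnerability in widely deployed software can reach every user, so the
    # expected victim count per incident scales with the population.
    # hit_rate is an assumed fraction of the population compromised per vulnerability.
    return incidents * population * hit_rate


def victim_rates(
    incidents: int,
    populations: List[int],
    victims_fn: Callable[[int, int], float],
) -> List[Tuple[int, float, float]]:
    """For each population size: (population, incidents per 100k, victims per 100k)."""
    return [
        (pop, per_capita_rate(incidents, pop), per_capita_rate(victims_fn(incidents, pop), pop))
        for pop in populations
    ]


if __name__ == "__main__":
    # The commenter's worked case: 10% more vulnerabilities, twice the users.
    print(normalised_change(100, 110, 1000, 2000))  # 0.55
    print(exposure_change(100, 110, 1000, 2000))    # 2.2
    # 10 incidents in a town of 1,000 versus a city of 1,000,000.
    for model in (homicide_victims, vulnerability_victims):
        print(model.__name__, victim_rates(10, [1_000, 1_000_000], model))
```

Running it, the incident rate per 100k drops a thousandfold in both models as the population grows, but the victim rate per 100k only drops for homicides; under the vulnerability model it stays flat, which is the "does not dilute the level of vulnerability" objection in numbers.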

9. More noobs with more devices, VPSes, and WordPress sites, with more plugins and cloud services ... does not dilute the level of vulnerability.

10. I've often thought that all the usual suspects we see talking about security - are people who have a vested interest in talking up the danger. I've often wanted to see some counterpoint to the general wails of buy-me-buy-me-now alarmism.

But this? This is very disappointing material. Can't we do better?

1. Snake oil salesmen have always sold false cures for real diseases.

If they were honestly trying to fix things, they'd push execs to prioritize security. Or find a way to make consumers all paranoid about slick software that's rotten on the inside. Good luck with that though.

11. Figures never lie but liars figure.

12. #### Equality in a population of inequality

The key mistake I see is that the population of cyberspace does not possess an equal probability of being hit by malicious actors, so safety is not a function of size.

If 1/10 people are criminals, and the population increases from 100 to 1000, then the proportion and probability are the same if each citizen has an equal chance of being robbed, and robberies happen 1 per month per criminal, etc.

It's however less likely to rob other criminals, police, soldiers, bigger people or babies, and you don't have an equal distribution across all physical locations. The population of criminals is supported by the more prosperous local economy, and those criminals target either vulnerabilities (people/things) or known valuable targets/areas.

Collections of criminals may be able to target higher value businesses with more security, hitting the news; others may go undetected, such as cyber shoplifting or pickpockets, with losses either unattributed or taken as an operational risk and not reported.

That said, the recent increase in private/public sector investment and focus/competition within the security industry, coupled with the relative maturity of technology, may mean that defence is starting to erode criminal returns.

As we whitelist the IPv6 range, apply better heuristics and cryptography, and increase awareness, the window of opportunity will narrow as the attack becomes more sophisticated and cannot be rolled out in a timely or resource efficient manner. The threat will then shift to underdeveloped physical regions or areas of technology. The unknown nature of surveillance and high tariffs when caught will also reduce the population of occasional criminals.

Cloud, IPv6 and firmware will be the growth sectors in my opinion; internal threat will continue as focus turns inward to the unpredictable through the fog of BAU, increasing statistics due to that focus, not the risk.
