The closing session of the Workshop on the Economics of Information Security (WEIS) was a very interesting debate between Dr. Ross Anderson and Bruce Schneier on the topic of spending on information security. Ross argued that we don’t spend enough, and Bruce argued maybe we spend too much.
Interestingly this is the same debate they had ten years ago at the first WEIS, except they switched sides.
His main point is the cyber threat is exaggerated. And it will likely be even more exaggerated as we enter a cyber arms race because “arms races are fueled by fear and ignorance”.
Bruce stressed that there are economic incentives to exaggerate the threat. Military and intelligence agencies exaggerate the threat to get more funding. Security product and consulting vendors exaggerate to get more sales. Even security staffs in company’s exaggerate the threat to get more staff and new shiny products.
He pointed to the US ~$100B annual spending on counter terrorism has grown to that level due to threat exaggeration because the expected loss would not come close to that value.
Ten years ago Ross argued that inefficient security spending was the main problem, not the amount spent. Bruce agreed with this today and pointed to the growth in compliance as the main culprit saying it is “critically wasting resources”. He talked about the difference in spending money to improve security or spending money to convince someone you improved security.
One surprise to Bruce over the last ten years is that insurance policies for cyber losses are not widespread. His assumption is this is because insurance companies don’t have good data to write and price the policies — and that the data can change so quickly.
Ross was convinced the problem is we don’t spend enough money catching cybercrooks. He had some data points and pointed statements:
- His strongest example was the takedown of the Rustock botnet. Rustock sent an estimated 30% of the spam in 2010. The cost of fighting spam was $1B in 2010 so he extrapolated the cost of fighting Rustock to be $300M. Therefore if spending $10M more in cyber cops to take down a large botnet it is a good expenditure. FYI, Rustock earned only an estimated $2.7M in 2010.
- The UK spends $170m for anti-virus yet the clean up costs for malware in the UK is still $500M. The cyber policing effort in the UK gets $15M. (all annual numbers)
- The US Government spents $100M on fighting cyber crime, about the same amount as Google and other large software companies.
- Cyberlobbyists are a problem driving money to intelligence budgets and security company products and services where they are not needed. In this, Bruce and Ross agreed.
- “You will get more results from funding FBI than NSA”
The follow on discussion was fantastic and too brief.
Bruce pointed out that a challenge for law enforcement is jurisdiction shopping where criminals go to countries that don’t have or choose to not enforce laws.
Ross was co-author of a paper that also had prioritize law enforcement as a conclusion. This was based on the fact that the direct costs (the cost to the affected company) were small and the indirect costs (the costs to large numbers of citizens or society) were large for some new categories of cybercrime. Therefore companies would not have an incentive to address the crime. Cyber cops would be the answer to reduce the crime and indirect costs.