Cybercrime may not be as bad as CISPA’s supporters say it is
If you haven’t heard, Internet activists and members of Congress are in another heated battle over legislation, echoing last January’s debate over the Stop Online Piracy Act. This time, the fight is over a proposed amendment to the National Security Act called the Cyber Intelligence Sharing and Protection Act or CISPA. CISPA would allow the government greater latitude when pursuing cyber-threats, though critics say the bill’s vague language could result in unintended consequences (for more, read the Daily Dot’s explainer).
One way CISPA supporters help justify their arguments: by rattling off statistics about how cybercrime sucks $1 trillion out of the global economy each year. Some members of Congress have even branded next week “Cybersecurity Week” to help drum up support for their cause.
But Dinei Florencio and Cormac Herley, two Microsoft researchers writing in the New York Times, say that many cybercrime estimates are vastly overblown and the methods used to determine those figures are monumentally flawed:
“Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).”
In other words, if 2,500 out of 5,000 people within a statistically-diverse sample set say they will vote for President Obama, then it’s reasonable to assume Obama will win roughly half the popular vote in this year’s election. But if you ask 5,000 people to estimate their cybercrime losses, and one respondent falsely reports a loss of $25,000, that extrapolates to an added $1 billion in estimated worldwide losses.
Since there’s no such thing as “negative losses” caused by cybercrime, Florencio and Herley say these statistical outliers result in an upward bias in nearly every study. So even if the unlucky respondent is telling the truth about the $25,000, the method still attaches too much weight to the response of one individual.
While it’s important to address security concerns on the Web, it’s not okay to fast-track a piece of legislation by trumpeting flawed statistics.
Stodgy congressmembers, such as U.S. Representative Mike Rogers, and old media behemoths, like AT&T, aren’t the only ones backing CISPA. Last Friday, Facebook’s Vice President-U.S. Public Policy Joel Kaplan wrote a blog post explaining why Facebook supports the proposed legislation.
Photo by Alan Cleaver