Aug. 1, 2012, Does Cybercrime Really Cost $1 Trillion? by Peter Maass and Megha Rajagopalan, ProPublica Gen.

Keith Alexander is the director of the National Security Agency and oversee s U.S. Cyber Command, which means he leads the governments effort to protect Amer ica from cyberattacks. Due to the secretive nature of his job, he maintains a re latively low profile, so when he does speak, people listen closely. On July 9, A lexander addressed a crowded room at the American Enterprise Institute in Washin gton, D.C., and though he started with a few jokes his mother said he had a face for radio, behind every general is a stunned father-in-law he soon got down to business. Alexander warned that cyberattacks are causing "the greatest transfer of wealth in history," and he cited statistics from, among other sources, Symantec Corp. a nd McAfee Inc., which both sell software to protect computers from hackers. Cred iting Symantec, he said the theft of intellectual property costs American compan ies $250 billion a year. He also mentioned a McAfee estimate that the global cos t of cybercrime is $1 trillion. "Thats our future disappearing in front of us," h e said, urging Congress to enact legislation to improve Americas cyberdefenses. These estimates have been cited on many occasions by government officials, who p ortray them as evidence of the threat against America. They are hardly the only cyberstatistics used by officials, but they are recurring ones that get a lot of attention. In his first major cybersecurity speech in 2009, President Obama pro minently referred to McAfees $1 trillion estimate. Sen. Joseph Lieberman, I-Conn. , and Sen. Susan Collins, R-Maine, the main sponsors of the Cybersecurity Act of 2012 that is expected to be voted on this week, have also mentioned $1 trillion in cybercrime costs. Last week, arguing on the Senate floor in favor of putting their bill up for a vote, they both referenced the $250 billion estimate and re peated Alexanders warning about the greatest transfer of wealth in history. A handful of media stories, blog posts and academic studies have previously expr essed skepticism about these attention-getting estimates, but this has not stopp ed an array of government officials and politicians from continuing to publicly cite them as authoritative. Now, an examination of their origins by ProPublica h as found new grounds to question the data and methods used to generate these num bers, which McAfee and Symantec say they stand behind. One of the figures Alexander attributed to Symantec the $250 billion in annual l osses from intellectual property theft was indeed mentioned in a Symantec report , but it is not a Symantec number and its source remains a mystery. McAfees trillion-dollar estimate is questioned even by the three independent rese archers from Purdue University whom McAfee credits with analyzing the raw data f rom which the estimate was derived. "I was really kind of appalled when the numb er came out in news reports, the trillion dollars, because that was just way, wa y large," said Eugene Spafford, a computer science professor at Purdue. Spafford was a key contributor to McAfees 2009 report, "Unsecured Economies: Prot ecting Vital Information" (PDF). The trillion-dollar estimate was first publishe d in a news release that McAfee issued to announce the report; the number does n ot appear in the report itself. A McAfee spokesman told ProPublica the estimate was an extrapolation by the company, based on data from the report. McAfee execu tives have mentioned the trillion-dollar figure on a number of occasions, and in 2011 McAfee published it once more in a new report, "Underground Economies: Int ellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currenc

y" (PDF). In addition to the three Purdue researchers who were the reports key contributors , 17 other researchers and experts were listed as contributors to the original 2 009 report, though at least some of them were only interviewed by the Purdue res earchers. Among them was Ross Anderson, a security engineering professor at Univ ersity of Cambridge, who told ProPublica that he did not know about the $1 trill ion estimate before it was announced. "I would have objected at the time had I k nown about it," he said. "The intellectual quality of this ($1 trillion number) is below abysmal." The use of these estimates comes amid increased debate about cyberattacks; warni ngs of a digital Pearl Harbor are becoming almost routine. "A cyberattack could stop our society in its tracks," Gen. Martin Dempsey, chairman of the Joint Chie fs of Staff, said earlier this year. Bloomberg reported just last week that a gr oup of Chinese hackers, whom U.S. intelligence agencies referred to as "Byzantin e Candor," have stolen sensitive or classified information from 20 organizations , including Halliburton Inc., and a prominent Washington law firm, Wiley Rein LL P. There is little doubt that a lot of cybercrime, cyberespionage and even acts of cyberwar are occurring, but the exact scale is unclear and the financial costs a re difficult to calculate because solid data is hard to get. Relying on inaccura te or unverifiable estimates is perilous, experts say, because it can tilt the c ountrys spending priorities and its relations with foreign nations. The costs cou ld be worse than the most dire estimates but they could be less, too. Computer security companies like McAfee and Symantec have stepped into the data void. Both sell anti-virus software to consumers, and McAfee also sells a range of network security products for government agencies and private companies, incl uding operators of critical infrastructure like power plants and pipelines. Both firms conduct and publish cybercrime research, too. "Symantec is doing outstand ing work on threat analysis," said Thomas Rid, a cybersecurity expert at Kings C ollege London. "But still, of course they have a vested interest in portraying a more dangerous environment because they stand to gain for it." The companies disagree. Sal Viveros, a McAfee public relations official who over saw the 2009 report, said in an email to ProPublica, "We work with think tanks a nd universities to make sure our reports are non-biased and as accurate as possi ble. The goal of our papers [is] to really educate on the issues and risks facin g businesses. Our customers look to us to provide them with our expert knowledge ." Symantec said its estimates are developed with standard methods used by governme nts and businesses to conduct consumer surveys and come from "one of the few, la rge, multi-country studies on cybercrime that asks consumers what forms of cyber crime they have actually experienced and what it cost them." * * * Cyberattacks come in many flavors. There are everyday crimes in which hackers ac cess personal or financial information, such as credit card numbers. There are i ndustrial crimes and espionage in which the attacker perhaps a foreign country o r company breaks into a corporate or government network to obtain blueprints or classified information; sometimes the attacker gets inside a network and lurks t here for months or years, scooping up whatever is of interest. One of the bigges t categories of cybercrime is one of the least discussed insider theft, by disgr untled or ex-employees. Theres also a category of attacks that do not have overt financial motives and that can constitute acts of war: Attempts to create havoc in computer systems that control nuclear power plants, dams and the electrical g

rid. This category is of the greatest concern to national security officials. One reason its a challenge to measure the financial costs of cybercrimes is that the victims often dont know theyve been attacked. When intellectual property is st olen, the original can remain in place, seemingly untouched. Even when the breac h is known, how do you put a dollar value on a Social Security number, a formula for a new drug, the blueprints for a new car, or the bidding strategy of an oil firm? It may be impossible to know whether an attacker uses intellectual proper ty in a way that causes economic harm to the victim; maybe the data isnt of much use to the attacker, or maybe the attacker, though using the data to quickly bri ng out a new product, is not successful in gaining market share. Theres an added complication in some attacks: Companies can be reluctant to admit they have been hacked because they fear a loss in confidence from consumers or clients. This can lead to underreporting of the problem. "How do you even start to measure the monetary damages?" asked Nick Akerman, a p artner at the law firm of Dorsey & Whitney LLP who specializes in computer cases and one of the contributors to the McAfee report. "I would argue it is impossib le. Not to say the problem isnt enormous. It is enormous. But I dont see how you c an adequately come up with dollar figures." Companies that sell security software are not bound by the same professional pra ctices as academics, whose studies tend to refrain from sweeping estimates. Even when corporate reports involve academic researchers, the results can be suspect . Industry-sponsored studies pharmaceuticals are an example, according to a 2003 study published by BMJ (formerly known as the British Medical Journal) can have a bias toward the industrys economic interests. Unlike academic journals, which use a peer review process, theres no formal system of oversight for studies publi shed by industry. The economic interest of security companies is clear: The grea ter the apparent threat, the greater the reason to buy their anti-intruder softw are. Norton, which is owned by Symantec and sells a popular suite of anti-virus software, advises in its latest cybercrime report: "Dont get angry. Get Norton." Computer scientists Dinei Florencio and Cormac Herley, who work at Microsoft Res earch, the software giants computer science lab, recently wrote a paper, "Sex, Li es and Cyber-crime Surveys," (PDF) that sharply criticized these sorts of survey s. "Our assessment of the quality of cyber-crime surveys is harsh: they are so c ompromised and biased that no faith whatever can be placed in their findings," t heir report said. "We are not alone in this judgement. Most research teams who h ave looked at the survey data on cyber-crime have reached similarly negative con clusions." Julie Ryan, a professor of engineering management and systems engineering at Geo rge Washington University, co-authored a paper, "The Use, Misuse, and Abuse of S tatistics in Information Security Research" (PDF). In an interview with ProPubli ca, she said: "From what Ive seen of the big commercial surveys, they all suffer from major weaknesses, which means the data is worthless, scientifically worthle ss. But its very valuable from a marketing perspective." Yet corporate cybersurveys are repeatedly invoked; the NSAs Alexander is merely a mong the most prominent senior officials to do it. ProPublica provided the NSAs m edia office with links to critical studies, stories and blog posts about the Sym antec and McAfee numbers and asked whether Alexander or the agency was aware of them or, alternately, had other data to support the numbers he cited. The NSA me dia office responded: "The information is publicly available and was appropriate ly sourced." * * *

McAfee was founded by John McAfee, a software engineer who wrote some of the fir st anti-virus software in the 1980s. The company grew quickly, thanks in part to a novel marketing strategy in those days McAfee gave away its software, chargin g only for tech support. The company went public in 1992 and remained a leader i n its field; last year it was acquired by Intel Corp. for $7.68 billion. "We hav e had just one mission: to help our customers stay safe," McAfee says on its web site. "We achieve this by creating proactive security solutions for securing you r digital world." In 2008, McAfee decided to commission a report that would look at how the global economic downturn was affecting data theft against companies. McAfee put one of its public relations officials, Viveros, in charge of the project. Viveros, in a phone interview, said a technology marketing company was hired to create and d istribute a survey to about 1,000 information and technology executives across t he globe. Purdue Universitys Center for Education and Research in Information Ass urance and Security, headed by Spafford, analyzed the survey results, conducted follow-up interviews and helped write the report. McAfee confirmed that it helpe d steer $30,000 from a foundation to Purdue for the work. The 31-page report found that the companies surveyed had an average of $12 milli on worth of sensitive information stored in offshore computer systems in 2008, a nd that each lost an average $4.6 million worth of intellectual property in 2008 . The report was released on Jan. 29, 2009, in Davos, Switzerland, during a meet ing of the World Economic Forum. McAfee issued a news release to announce it, an d the release included dramatic numbers that were not in the report. "The companies surveyed estimated they lost a combined $4.6 billion worth of int ellectual property last year alone, and spent approximately $600 million repairi ng damage from data breaches," the release said. "Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year." The re lease contained a quote from McAfees then-president and chief executive David DeW alt, in which he repeated the $1 trillion estimate. The headline of the news rel ease was "Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime." The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism. But at least one observer had immediate do ubts. Amrit Williams, a security consultant, wrote on his blog a few days later, "$1 trillion a year? Seriously? Where the hell did the figure come from? To giv e you some perspective of size the total US GDP is about 14 trillion and that in cludes EVERYTHING." The news stories got the worried attention of some of the reports contributors be cause McAfee was connecting their names to an estimate they had no previous know ledge of and were skeptical about. One of the contributors, Augusto Paes de Barr os, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, "I could not find any data in that report that could lead into that number. Id like to see how they fou nd this number." When the number was announced in 2009, McAfee provided no public explanation of how it was derived. "Initially we were just going to do the report, but a lot of people were asking us what was the total number, so we worked on a model," said McAfees Viveros. This week, in response to queries from ProPublica, he disclosed details about the methodology. He said the calculations were done by a group of technology, marketing and sales officials at McAfee and were based on the surve y responses. "McAfee extrapolated the $1 trillion based on the average data loss per company, multiplied by the number of similar companies in the countries we studied," Viv

eros said in an email. The companys method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report s unveiling, she receive d a draft of the news release that contained the $1 trillion figure. "I expresse d my concern with the number as we did not generate it," Rees Ulmer said in an e mail. She added that although she couldn t recall the particulars of the phone c onversation in which she made her concerns known, "It is almost certainly the ca se that I would have told them the number was unsupportable." Viveros said McAfee was never told by Purdue that the number could not be suppor ted by the survey data. The company moved ahead with the news release and, Viver os noted, the trillion-dollar estimate "got a life of its own." In February 2009, President Obama ordered a 60-day cybersecurity review to look into ways to better protect the country from cyberattacks, and he appointed Meli ssa Hathaway, who served as a cybersecurity adviser in the Bush administration, to oversee the effort. On May 29, Obama unveiled the review and delivered his fi rst major cybersecurity speech. The second page of the 38-page review cited McAf ees trillion-dollar figure, and the president used it in his speech, saying, "Its been estimated that last year alone cybercriminals stole intellectual property f rom businesses worldwide worth up to $1 trillion." The administrations Cyberspace Policy Review (PDF) includes footnotes, and the on e for the $1 trillion estimate directs readers to McAfees news release. It is not an ordinary occurrence that a president relies on the contents of a corporate n ews release to warn Americans of a major threat to the homelands economic and nat ional security, but Hathaway, now a security consultant, told ProPublica that at the time of the presidents speech she was comfortable with McAfees estimate becau se it appeared to be associated with Purdue researchers. However, she became war y of it once she began making more inquiries after the speech. "I tend not to us e that number anymore," she said. "I was surprised that there wasnt proved method ology behind the number." In March 2011, McAfee published its "Underground Economies" report, which repeat ed the $1 trillion estimate. Criticism of it continued, too. Robert Richardson, then director of the Computer Security Institute, skeptically wrote on the groups website in the spring of 2011 that "The trillion dollar number is just too good to kill." Later in 2011, Wireds British edition reported that "if true, the figu re amounts to a massive 1.6 percent of global GDP." This year, Microsoft Researc hs Florencio and Herley wrote an opinion piece in The New York Times that describ ed widely circulated cybercrime estimates as "generated using absurdly bad stati stical methods, making them wholly unreliable." These critiques have now taken on added importance because government officials are citing a variety of industry-generated numbers in their efforts to bolster s upport for major cybersecurity legislation. The House passed its version of a cy bersecurity bill this spring; the pending Senate bill, known as the Cybersecurit y Act of 2012, would enable the U.S. government and private companies to more ea sily share information about cyberthreats and create a set of voluntary cybersec urity standards for operators of critical infrastructure. * * * In his speech at the American Enterprise Institute, Gen. Alexander said Symantec placed the cost of intellectual property theft to the U.S. at $250 billion a ye ar. Tracing the origins of this statistic as both the U.S. Government Accountabi lity Office (PDF) and technology writer Julian Sanchez have attempted before is

not unlike pulling a piece of yarn to unravel an old sweater. Although Symantec mentioned the $250 billion estimate in a 2011 report, "Behavioral Risk Indicator s of IP Theft," the estimate is not Symantecs. The report mentions the figure in passing, sourcing it in a footnote to a legal paper, where, as it turns out, the $250 billion number is not mentioned at all. Eric Shaw, one of two forensic psychologists Symantec retained to research the " Behavioral Risk" report, told ProPublica the footnote was a mistake. Instead, it should have referred to a different paper that points to a 2003 speech by FBI D irector Robert S. Mueller. The figure is also cited in old FBI news releases ava ilable via the Internet Archive. An agency spokeswoman said that although she believed FBI officials used a relia ble source for the number, the FBI had neither developed the number nor claimed to have done so. She pointed to another document (PDF), from the U.S. Department of Justice, attributing the $250 billion figure to the Office of the U.S. Trade Representative. Then-Commerce Secretary Gary Locke used the $250 billion number in a 2010 speech . Like Locke, the trade representative is a member of the presidents cabinet; a s pokeswoman for the office said the figure was not from them. "Your inquiry appea rs to refer to an industry-reported figure," the spokeswoman told ProPublica, po inting to a U.S. Chamber of Commerce paper on intellectual property theft. Sure enough, theres the $250 billion again this time attributed to none other than the FBI. There are other concerns about Symantec estimates cited by Alexander. Drawing fr om the 2011 Norton Cybercrime Report, Alexander put the direct cost of cybercrim e at $114 billion and cybercrimes total cost, factoring in time lost, at $388 bil lion. The report was not actually researched by Norton employees; it was outsour ced to a market research firm, StrategyOne, which is owned by the public relatio ns giant Edelman. StrategyOne surveyed almost 20,000 people in 24 countries, asking them to report whether they had experienced cybercrime and how much it had cost them. The comp any said it used "standard research practice for online surveys" to obtain a rep resentative sample of Internet users. To calculate a total cost, it multiplied t he estimated number of victims by the average cost of cybercrime in each country . But that still leaves room for uncertainty, several researchers told ProPublica. For example, if responses came mainly from those most concerned about cybercrim e or from those who suffered the biggest losses, it could inflate the average co st. And one persons estimate of the financial damage from a cybercrime might be c ompletely different from the next persons guess, even if both suffered the same c rime and the same amount of lost time. A StrategyOne spokesman, asked if the Symantec estimates could be called scienti fic, responded, "Yes, as much as any survey or poll that relies on consumers to estimate their losses based on recall." Some experts say thats not good enough. "Nobody can really assess the true impact of cybercrime," said Franz-Stefan Gady, an analyst at a security-focused think tank called the EastWest Institute. "Its really the self-reporting because we cant verify it. Its just as simple as that." In their 2011 paper, Florencio and Herley of Microsoft Research did not specific ally mention the Symantec or McAfee numbers. But they observed, "Far from being broadly-based estimates of losses across the population, the cyber-crime estimat es that we have appear to be largely the answers of a handful of people extrapol

ated to the whole population." Sen. Collins added another layer of confusion about the mysterious $250 billion figure when she spoke last week in support of the cybersecurity bill. In remarks on the Senate floor, she mentioned Gen. Alexander and said, "He believes Americ an companies have lost about $250 billion a year through intellectual property t heft." Collins office declined several requests for comment. A spokeswoman for Lieberman , who similarly cited Alexander and the $250 billion figure, replied, "Senator L ieberman and his staff believe that McAfee, Symantec, and General Alexander are reputable sources of information about cybersecurity."

inShare24 Email Print What to Read Next How I Passed My U.S. Citizenship Test: By Keeping the Right Answers to Mysel f Grieving Father Struggles to Is Your Neighbor a Democrat? Cheat Sheet: Behind The U.S. The Best Watchdog Journalism Sponsored Links Obamas Strong Marriage Produces White House Drama, Dysfunction (Bloomberg.com ) 10 Characteristics of Debt-Free People (Reader s Digest) 10 Dirty Negotiation Tactics and How to Beat Them (OPEN Forum) One Secret That Stops Hackers: Girlfriends (Information Week) Just Linking Could Get You 10 Years in Jail (CIO) [What s this?] 15 comments John Aug. 1, 2:06 p.m. There are a couple of problems when dealing with (ugh) cybercrime. The first is that Intellectual Property damage number is basically whatever Hollyw ood says it is. Its how much income they CLAIM theyve lost because someone watche d a movie without paying for it. Usually, its based on statutory copyright infri ngement damagesthe amount they might get if they sue you for downloading. In the United States, willful infringement is a $150,000 award (per item), so theyre ta lking about a million and a half downloads. That number doesnt sound out of whac k, considering the fraction of the population that feels entitled to entertainme nt, people who cant afford it and would never have paid money, and people who wan ted to see if they liked the material before they bought it. (Most studies Ive s eengranting its hard to track the whole picturesuggest that the last category is th e largest, and giving material away for free is better for business than hiding behind pay-walls.) Pay Dead Sons Student Loans Obama Has an App for That Cyberattacks on Iran on Obamas National Security Policies

Butby contrast, about ten times that went to the theater to pay to just see The Da rk Knight Rises on its opening weekend. So scale your expectations accordingly a nd keep the numbers in perspective. A million people listening to a song or wat ching a TV episode without paying is a very small fraction of the people paying. Also by contrast, rather than the 150K award for downloading grandmothers, when you hear music on the radio, the station paid a mechanical license for the year, w hich set them back a whopping fifty bucks. When you buy music from a cover band , they paid about two cents per minute for you. So the real damage in Intellectual Property (assuming that every free listen is eq ual to one lost sale, and nobody listened who wouldnt have purchased, and that al l value is worth money) is about eighty thousand bucks. Its not good, but its not exactly going to tank the economy. Its about as much damage as one guy stealing a Lexus, basically. (The real damage to the economy is after the lawsuits and the studios/labels get their blood money. By wiping out peoples bank accounts for daring to enjoy some thing without paying a dollar, that creates someone who cant buy things unless th ey absolutely need them. And it causes people to turn away from the industry an d spend their money elsewhere.) The trillion dollarsthat may well be a decent ballpark. For example, Sonys PlaySt ation Network has ninety million users, according to Wikipedia. Just causing ea ch of them about ten thousand bucks worth of grief (theft, credit damage, and so forthhard, but not impossible) would hit the trillion mark. And thats just one b reach. The more companies involved, the easier that target would be to hit. However, the lions share of the damage damage is usually done by the companies, n ot the attackers. When that Sony network was hacked, it turned out they hadnt up dated their software in at least five years, ignoring serious security patches; their relaunch used systematically guessable passwords. In Australia, it was Te lstra that posted close to a million full customer records to a public website, not some shadowy criminal. When Sarah Palins e-mail was hacked, it was because Y ahoo! uses your birthdate as a security question and she used her well-documented date of birth. Spam comes from botnets of millions of people worldwide who are or were all running an old, unpatched version of Windows. Thats not always the case. Sometimes, hackers use exploits that nobody else knows about, known as zero-days (how much time theres been to patch them). But you know what? Its not illegal to buy, sell, or use them! A good one (lots of control wi th little work) can be sold to a perfectly-legal broker for about a quarter-mill ion bucks. Stuxnet used at least a few, though I havent heard anything about whe ther they were bought or found. But thats not exactly the point, the point is th at youre allowed to sell information that a criminal can use to commit theft and vandalism, and potentially endanger lives. Worse, if youre a security researcher who finds an exploit, the company will use parts of the Digital Millenium Copyright Act to sue you for copyright infringeme nt, ensuring that only the bad guys can find the flaws. Basically, the problem is real, but the proposed solutionssurveillance and tracki ng, treating the worlds population like criminals while giving known abusive corp orations broad immunityare not going to work at all. What will work is making co mpanies responsible for updating their software and banning traffic in exploits. John Aug. 1, 2:08 p.m.

Ooh. Bad math. My estimate for IP damage should be eighty MILLION dollars, not eighty thousand. Worse (not just a Lexus), but still a bit shy of hundreds of bi llions. Cliff Arnebeck Aug. 1, 2:53 p.m. If you count electronic vote shifting to switch Presidential election results in favor of a neocon administration that would pursue wars of choice and financial deregulation, the cost of cybercrime must be a multiple of a trillion dollars. Rezishka Aug. 1, 3:20 p.m. President Truman was advised by his military top brass to use the nuke against J apan to send a warning to USSR. He did exactly that. Ike, our most pragmatic of all presidents, sensed the danger and reminded us of the forces in Washington DC and the military industrial complex. He predicted that Trend is troublesome. It has a potential to foster future wars. Well Korea, Vietnam, Iraq and Afghanistan proved he was right. Now, we are putting trillions in our war industry enterprise at the cost of our education systems, economy, health, energy, and arts in order to defeat our cybe rspace enemies: Russia, China, Pakistan, Cuba, Iran, India and the list can go o n and on We have become of a nation fearful of all that we do not approve, or lik e. Wait until we support Israel in her preemptive strike against Iran and then a nother episode. Victoria Aug. 1, 10:28 p.m. $60 billion per year of that figure is attributable to the MPAA (Motion Picture Association of America). They pulled it out of their ****, If the F.B.I. took th eir word for it it wouldnt surprise any of us, would it? The MPAA documentation r eference is on the image in the link at the bottom of this post. Can we distinguish between cybercrime and cyberpiracy? The address at the end of this post is to a bar chart image. It graphically illu strates the cyberpiracy losses claimed by the motion picture, music, and softwar e industries, and contrasts them with the actual losses, as reported by them in their own documents (sources are at the bottom of the image. In summary, no evi dence was provided to support their claims of losses to cybercrime. Despite the lack of evidence, the government, industry, and academia, jumped to the front to lead the fear-mongering witch-hunt of these alleged criminals. The dip in sales of the American music industry that took place immediately before t hese claims corresponded to their own drastic cuts in the number of artists, and the variety of music, that they produced. The motion picture industry profits grew predictably over the years in question before leveling off in the last 2 years. In light of the economy, and market shi fts that have helped Netflix blossom in the soil of decayed and bankrupt Blockbu ster, that is an outstanding performance. No matter how many imaginary numbers t hey throw around, or how much credibility they attempt to cloak themselves with, the entire cyberpiracy threat is a huge hoax, and the majority of the public kn ows it, because of the freedom of information inherent in the Internet.

So, if the cyberpiracy threat was a hoax perpetrated on the American people, and it (obviously) failed to provide a means of restricting access to information t hrough SOPA, PIPA, etal., it shouldnt be overlooked that whoever or whatever moti vated the amount of money, time, and manpower that went into that attempt, would not be likely to walk away with their tail between their legs. And so, here we are, after the dog and pony circus rash of cybercrime that miracul ously swelled as SOPA and PIPA ebbed, confronting, conveniently, the same questi ons, and promoting the same kind of restrictions on the public sphere of informa tion and encroachment on civil liberties. We all, of course, would love to see b usinesses and individuals thrive in a safe online world, but when that security for business comes at the price of access to information upon which our informed votes depend, and at the price of freedom and privacy for individuals to speak out against corporate intelligence overseers, we should all be highly cynical. https://sphotos-b.xx.fbcdn.net/hphotos-ash3/s720x720/538673_405619989459554_2976 74106_n.jpg Steve Hamm Aug. 1, 11:43 p.m. I smell WMDs, aluminum tubes and yellow cake. Anybody got a knife? Stephen Aug. 2, 6:41 a.m. Any quoted figure must be measured based on the benefit to be gained by the peop le who produced, and the people quoting it. In this case, the figures are being produced by companies that want people to bu y their products (or in the case of the content industry want laws to force ever yone to pay an annual subscription just for living on the same planet as a movie is produced). Theyre being quoted by someone who wants to get more money and mo re power for his agency. How does he do that? Persuade people that theres a thr eat out there. Its something thats been happening in the west for decades. Sell a threat, keep p eople docile and complicit, democracy really isnt that important when youre terrif ied about terrorists/communists/fascists/drug lords C Parker Aug. 2, 7:53 a.m. Does the $1T include alleged cybercrime by wall street? Sharon Aug. 2, 8:34 a.m. Glad you investigated these estimates, but is it fair to cite Microsoft research ers on the scale of cybercrime without mentioning that they have an economic int erest in proving that systemsor at least their systemsare generally secure? John Aug. 2, 10:49 a.m.

Since Victoria brought up laws, its worth mentioning that today would be a good d ay to contact your Senators. The Cybersecurity Act is ending debate today. Bas ically, there are three issues. 1. The Act itself is overbroad and harmful to anything regarding due process, c ivil rights, and so forth. The SOPA- and PIPA-like parts have been removed, tho ugh. 2. Al Franken grew a backbone and proposed amendments that would eliminate corp orate immunity (and affirmative authority) for spying on you and blocking your tra ffic, just in case. This is a good step, and if the Act MUST pass, this needs to be in it. 3. John McCain has proposed his own amendments that would put the NSA (military ) in charge. I cant imagine anything worse than pervasive military surveillance of Americans. As I suggested above, though, theres nothing in that bill that will stop an attac k. What will stop attacks is keeping software up to date and finding (and fixin g) security holes before the criminals do. Thats what the law needs to encourage , not watching what you read and send; the draconian measures are going to catch whistleblowers, not vandals or identity thieves. In any case, my understanding is that switchboards are overloaded, so the staff arent registering nuances like this amendment is good, that ones bad, but rather are just noting whether the caller supports the bill. If you call, make sure youre clear and make sure the person youre talking to is clear in his reporting. Other wise, Twitter and Facebook are immediate and somewhat better-monitored, so those might be better routes. bertrand Yesterday, 5:53 a.m. Misha Glenny: Why you cant trust the cybercrime stats ! http://www.wired.co.uk/magazine/archive/2011/12/ideas-bank/cybercrime-stats John Yesterday, 9:56 a.m. Andthe Cybersecurity Act failed. Great news, but only by a narrow margin, and no thanks to Senators who swear up and down theyll never pass a bill that harms Ame rican liberty. (My guess is that theres a second definition of liberty used in Congress, to which were not privy) Bertrand, thats a fairly good overview. Thanks for it. Phil Yesterday, 11:03 p.m. A basic rule in business is: If you want to sell a solution, you first have to s ell the problem. This strategy isnt just limited to companies in the private sector like McAfee an d Symantec. It also works if you are a government agency trying to get Congress

to spend money on your budgetary wish-list. Ted Today, 1:03 a.m. Well if you trust Symantec or McAfee then you need your head examined. I think t hey create most of the viruses just to stay in business! Wonder how much they ro b corporations every year? Richard M Stallman Today, 12:41 p.m. Aside from doubts about the accuracy of McAfees answer, we cant even tell what the question means. It suffers from the confusion that the incoherent concept of intellectual property generally spreads, because that term lumps together ten or more unrelated laws. When they say intellectual property theft, it is not clear activities they are talking about. >From the substance of the article, I would guess that the term refers in this context mainly to trade secrets, and that the theft referred to in the article means obtaining those secrets. However, publishers refer to sharing copies as intellectual property theft, even though legally copyright infringement is not theft. Can we be sure which of these the number in Symantecs report is was supposed to measure? Whatever it was, they should have stated it clearly. The only route to clear thinking about any of the various issues that intellectual property blurs and confuses is to reject that term, and use terms that are properly specific.