[Infowarrior] - 'Cybercrime exceeds drug trade' myth exploded

Tue Mar 31 18:01:35 UTC 2009

(I know Rick from his Gartner days ... he's one of the folks who  
"gets" security pretty well.  --rf)

'Cybercrime exceeds drug trade' myth exploded

http://www.theregister.co.uk/2009/03/27/cybercrime_mythbusters/

AT&T feeds Congress trillion-dollar FUD

By John Leyden • Get more from this author
Posted in Crime, 27th March 2009 16:22 GMT

A leading security researcher has unpicked the origins of the myth  
that revenues from cybercrime exceeds those from the global drug  
trade, regurgitated by a senior security officer at AT&T before  
Congress last week.

Ed Amoroso, Senior Vice President and Chief Security Officer of AT&T,  
told a Congressional Committee on 20 March that cybercrime was a $1trn  
a year business. It'd be nice to think that Amoroso had been misquoted  
or made a slip of the tongue but written testimony from Amoroso  
repeats the amazing claim, made before a hearing of the Senate  
Commerce, Science, and Transportation Committee.

The end of paragraph 5 of the written submission states:

     Last year the FBI announced that revenues from cyber-crime, for  
the first time ever, exceeded drug trafficking as the most lucrative  
illegal global business, estimated at reaping more than $1 trillion  
annually in illicit profits.

As Richard Stiennon points out the quoted figure would make cybercrime  
bigger than the entire IT industry. The top 10 Fortune 50 firms turned  
over $2trn last year.

Put another way, revenues from cybercrime exceed those of AT&T itself  
($119bn in 2008) by a factor of around eight.

Estimates of the drug trade peg annual revenues at about $400bn.  
There's no figure on this from the FBI much less a comparative figure  
comparing cybercrime and drug trade revenues, despite what Amoroso said.

Stiennon, chief research analyst at IT-Harvest, guesses that  
cybercrime profits might be worth about $1bn a year, which seems much  
more plausible.

You'd have to be on something truly mindblowing to think that  
cybercrime revenues exceed the GDP of Saudi Arabia ($555bn in 2007),  
with all its oil income.

How could anyone ever think such a thing? Stiennon comes up trumps in  
tracking down the origin of this meme.

The idea that cybercrime revenue trumps that of the drug trade were  
first mentioned by Valerie McNiven, a consultant to the US Treasury  
Department in November 2005. The figure cited at the time was the  
still-implausible $105bn, Stiennon reports.

The same figure, mentioned by a lawyer to a Reuters stringer and  
henceforth enshrined in clippings harvest by the PR departments of  
security firms, reappeared again in a September 2007 speech by the  
chief exec of McAfee, David DeWalt.

Eighteen months later the meme has grown so that the figure cited is  
$1trn but, as Stiennon points out, the form of language is virtually  
identical. Earlier this week security firm Finjan published a press  
release ("Finjan confirms cybercrime revenues exceeding drug  
trafficking") supporting the myth, most recently relayed by Amoroso  
before Congress.

We asked Finjan whether it wanted to rethink what it said. Not a bit  
of it, the security firm responded.

"In our Q1 2009 report on cybercrime, for example, we revealed that  
one single rogueware network are raking in $10,800 a day, or $39.42  
million a year," it said. "If you extrapolate those figures across the  
many thousands of cybercrime operations that exist on the internet at  
any given time, the results easily reach a trillion dollars."

You can observe the ongoing capers of this implausible FUD-laden  
cybercrime revenues meme in Stiennon's posting on the ThreatChaos blog  
here. ®
Bootnote

We're aware that even leaving aside Finjan's head-spinning statistical  
assumptions its figures still don't stack up. When we called it to ask  
if it wanted to reconsider its earlier statement, contained in a press  
release but not published on its website, in light of Stiennon's  
criticism it answered that it was sticking by its guns.