[Infowarrior] - Musing on Cyber "Attack" Metrics

Richard Forno rforno at infowarrior.org
Mon Mar 8 12:55:01 UTC 2010


We're seeing a ton of spooky statements and sound bites about the  
"number of cyber attacks" being thrown around Washington these days.   
But absent the context of how such statistics are generated and  
compiled, it's hard to place much credence in them if you're serious  
about really understanding the cyber environment and developing an  
accurate picture of things.

To wit:

"In 2008, security events caused by vectors including worms, Trojan  
horses and spybots averaged 8 million hits per month. That number  
skyrocketed to 1.6 billion in 2009 and climbed to 1.8 billion this  
year, according to Senate Sergeant-at-Arms Terrance Gainer... The  
Senate Security Operations Center alone receives 13.9 million of those  
attempts per day."
(http://www.politico.com/news/stories/0310/33987.html)

This leads me to wonder: what is the metric used in defining and  
quantifying an "attack" for the Senate, DOD, USG, etc?  Does a single  
malicious email (i.e., phishing) sent to one person at one agency count  
as one "attack"?   But does that same email sent to 20K people at the  
same agency constitute 20K "attacks"?   If 1 person's system does a  
reply-all to a malicious message, does that raise the number of  
"attacks" logged by the agency by another 20K?   In the case of  
e-mail, is an "attack" based on the number of messages received or the  
number of different attack mechanisms encountered?  I.e., is it 20K  
"attacks" coming from 1 identified worm, or is it 20K different worms  
attacking the agency?  Clearly how these metrics are defined goes a long  
way in their believability and usability for security planning.

For years we've heard such awesomely-bad statistics about  
cyber-attacks bandied around in Hill hearings, industry conferences, and  
industry marketing.   Again, knowing the context of these statistics  
that become oft-echoed media and policy talking points would go a long  
way in letting us take them more seriously.

-rick

PS: I know DHS was working on some cybersecurity reporting metrics for  
the USG some years ago but I have no idea if it's gone anywhere or  
been mandated for gov-wide use yet.
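
The counting question raised in the post, worked through as an added example (not part of the original message): the same three constructed mail-gateway log lines are tallied under four different definitions of "attack". The log format and the field names `msgid`, `origin`, `sig` and `rcpts` are assumptions made for this illustration.

```python
import re

# Constructed mail-gateway log (not real data). One line per flagged message;
# the field names (msgid, origin, sig, rcpts) are assumptions for this example.
SAMPLE_LOG = """\
2010-03-08T09:00:01 msgid=A1 origin=external sig=Worm.Example.A rcpts=u1,u2,u3,u4,u5
2010-03-08T09:04:17 msgid=B7 origin=internal sig=Worm.Example.A rcpts=u1,u2,u3,u4,u5
2010-03-08T09:30:42 msgid=C3 origin=external sig=Trojan.Example.B rcpts=u2
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn each log line into a dict of its key=value fields."""
    events = []
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        if not fields:
            continue  # skip blank or malformed lines
        # split the recipient list, ignoring empty entries
        fields["rcpts"] = [r for r in fields.get("rcpts", "").split(",") if r]
        events.append(fields)
    return events


def count_attacks(events):
    """Count the same events under four different definitions of 'attack'."""
    external = [e for e in events if e["origin"] == "external"]
    return {
        # every flagged copy delivered to a mailbox, reply-all traffic included
        "per_delivery": sum(len(e["rcpts"]) for e in events),
        # every flagged message, regardless of how many people received it
        "per_message": len({e["msgid"] for e in events}),
        # only messages that arrived from outside (drops the internal reply-all)
        "per_external_message": len({e["msgid"] for e in external}),
        # distinct detection names, i.e. distinct attack mechanisms
        "per_mechanism": len({e["sig"] for e in events}),
    }


if __name__ == "__main__":
    for definition, n in count_attacks(parse(SAMPLE_LOG)).items():
        print(f"{definition:22} {n}")
```

A reported total means little until it says which of these definitions produced it: here the same log yields anything from 2 to 11.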


