Have We Normalized Theft?

When did cyberattacks truly begin to concern us?  Was it the Morris worm of 1988?  One would have wished it was, but clearly this is not the case.  How about the 2008 cyberattack on USCENTCOM?  That worm, likely injected into the DoD system through a single USB key, took about 14 months to clean up by some estimates.  Fast forward nine years, Equifax.  145 million records stolen.  Have we learned yet?  I wish I could say “okay, this time we will do something about it!” but I am not too optimistic.


Because I feel we have slipped into a dangerous area: we have allowed the normalization of data theft.  And today, data theft means anything from personally identifiable information to R&D/intellectual property to good old fashioned money.  My feeling is that because we don’t “feel” data the same way we would, oh a stack of $20s, we don’t really appreciate what is being lost.

Let’s try to put this into perspective.  If in fact 145 million records were stolen from Equifax, what would that look like in a “smash-and-grab” operation?  For simplicity, let’s assume one record is one page.  The average thickness of paper is 0.1 mm (0.0039 inches).  How high would the paper stack in this case?  Well, those 565,500,000 inches equate to about the distance from New York to Manila (over the Pacific), give or take a few hundred miles.*

To think that somebody could perform a break-and-enter like this (and get away with it) sounds so preposterous, this idea wouldn’t even make into a B-movie script.  But when all these “pieces of information” are digitized into a bunch of zeros and ones, well, you can fit all that information into the palm of your hands.

And that’s what gives me heartburn because we are doing such a poor job understanding what is being stolen.  We spend billions of dollars innovating, labor for years, and all these valuable resources could be gone, poof, like that because somebody missed patching a system or left a terminal unprotected or clicked a link they shouldn’t have.  This is asymmetry of galactic proportions.

So back to my point about normalizing theft: I think because we can’t “feel” the pain, we don’t give this issue the attention it deserves.  If I was a nefarious actor and I was able to siphon $5 a month from your bank account, would you care?  Before you answer … would you notice?  What if I was able to make this siphoning as some sort of “fee” or common every day purchase?  You may not give it that much thought and let it slide.  Now let me do that to a million people.  And let me do that to a different million people every week.  How does $260 million a year sound to you?

Does this sound like a tenable business model for an economy to survive?  Nope.  But that’s what we are dealing with when we normalize theft.

Sure, some may say “but we have services to protect us.”  Okay, but those services cost money, $10 a month, let’s say.  That’s $120 a year per individual.  To protect the 52 million people that would have gotten ripped off in the earlier scenario, that’s a hit of $6.24 billion dollars annually.  That’s $6.24 billion dollars that could have gone into paying rent, buying a meal, helping a local foundation, or go towards tuition or medication.

Lost in so much of the cybersecurity conversation is that protection rarely offers a return on investment.  Protection is a tax on business and a tax on individuals.  So unless we start “feeling” this theft on a more personal level and take the steps to properly educate ourselves of the human dimension, we are going to run out of money to invest in protection real fast.  People are generally not good at understanding risk and we often have farmed out that risk to somebody else (insurers, public officials, you name it).  But even this model is becoming too expensive.  So it’s time we take a closer look at ourselves and see if we are part of the problem by having allowed data theft to be normalized.  We shouldn’t be so passive about it.  We should be outraged, because this is a slow strategic bleed of national strength and stability.

By George Platsis, SDI Cyber Risk Practice

October 3, 2017

* Correction: “I’m tempted to say what’s a few extra zero’s among friends, but am forced to heed my own counsel…when you make a mistake, own it: it’s actually 565,500 inches, which is closer to 9 miles, more like New York to Hoboken and back…but that’s still a lot!”