Cybersecurity and bad science

Via Bruce Schneier comes a link to an OECD report “Reducing Systemic Cybersecurity Risk” written by Peter Sommer & Ian Brown stating that the threat of cyberwar has been grossly exaggerated. Bruce has written about this before. He links to an interesting article “…on cyberwar hype and how it isn’t serving our national interests, with some good policy guidelines.”

From the executive summary of the Sommer & Brown report:

Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.

Basically, cyberwar/cybersecurity is plagued by bad science. For more on bad science, I warmly recommend Ben Goldacre’s book.
