Eric Jardine is a CIGI research fellow, contributing to the Global Security & Politics program's work on Internet governance. Follow him on Twitter @ehljardine.
Another day, another hack. It seems like every time we read the news, we hear of another mega breach compromising the records of millions of people. In 2013, Target was hacked, resulting in the theft of private information on 110 million shoppers. In early 2014, it was eBay that was targeted, leading to the compromise of all 145 million active account holders. In 2015, it was the U.S. Office of Personnel Management, with initial estimates placing the number of compromised records at more than four million and later estimates indicating that upwards of 18 to 21.5 million current and former federal government employees could have been affected. The list is seemingly endless.
Cyberspace seems to be a dangerous place indeed, and seems to be getting far worse by the day. This notion is reaffirmed each year by cybersecurity reports from IT security firms like Norton Symantec or Kaspersky Labs. Meanwhile, the media readily piles on, sensationalizing the occurrence of cybercrime and parroting the numbers produced by IT security experts.
Yet, in reality, we have only a partial – and at that a fairly poor – picture of how secure cyberspace truly is. The problem with our perceptions is that while cybercrime is certainly going up, cyberspace itself is getting bigger. And, just as we would expect more crime in a large city compared to a small village, we would expect more crime in a large and active cyberspace than in a small and inactive online environment.
Let's unpack the problem a bit. Right now, the way the numbers on cybercrime are typically presented is misleading. Sometimes, the numbers are expressed in absolute terms: for instance, there were 1,000 cyberattacks in 2013 and 1,500 attacks in 2014. Other times, these same numbers are expressed as a year-over-year percentage change, where there were, for example, 50 per cent more attacks in 2014 than in 2013. In both cases, the security of cyberspace seems to be getting worse.
These numbers are not wrong, but they are misleading. Picture a small town of 1,000 people, where there are 100 crimes a year. Now imagine a city of 100,000 with 1,000 crimes per year. In which would you rather live?
With ten times as much crime as the town, the city seems pretty dangerous. But let's be real for a moment. What most of us care about in the first instance is not necessarily how much crime there is overall, but how likely it is that we will be personally affected by a burglary, assault, murder or what have you. Framed in these terms, with one crime a year for every 100 residents against one for every 10 in the town, the city is actually ten times safer than the town. The same principle applies in cyberspace.
Only when we take the numbers on the occurrence of cybercrime and normalize them around the growing size of the online environment do we obtain a reasonable picture of the actual security of cyberspace. In a recently published paper entitled "Global Cyberspace is Safer than You Think: Real Trends in Cybercrime," I gathered data on the vectors of cyberattacks, the volume of cybercrime and the cost of data breaches. I also collected data on the size of cyberspace, including the number of Internet users and websites, the volume of web traffic (both mobile and otherwise) and estimates for the Internet's contribution to global GDP.
What I found was that the absolute numbers consistently paint a far worse picture of the security of cyberspace when compared to the normalized figures. More than 30 comparisons of the two trends point to three ways that the absolute numbers are misleading.
The bottom line is that when the growing size of cyberspace is factored into the equation, security in the ether of cyberspace is actually better than is commonly reported in IT security reports and in the media.
I would certainly not recommend throwing caution to the wind. Internet users should continue to exercise good digital hygiene (changing passwords regularly, avoiding suspicious attachments and links). But society needs to avoid overreacting to false impressions about how bad cyberspace has become.
That cyberspace is more secure than is commonly thought is crucially important for public policy. "In politics," wrote Samuel Taylor Coleridge, "what begins in fear usually ends in folly." Let us avoid harsh and short-sighted policies, driven by fear, which could inadvertently break the Internet, and more clearly recognize the situation for what it is.