DHS, DOJ plan cybercrime survey

Bureau of Justice Statistics

In what they hope will become the premier measure of national cybercrime statistics, officials at the Homeland Security and Justice departments plan to survey 36,000 businesses this spring to examine the type and frequency of computer security incidents.

Officials from both departments said there are currently no surveys that do what they envision the Computer Security Survey will do annually: provide statistically relevant national data on cybercrime across all U.S. businesses, especially those in critical infrastructure sectors.

Patrick Morrissey, deputy director for law enforcement and intelligence in DHS' National Cyber Security Division, said no one really knows if the problem is getting better or worse or what sectors cybercriminals may be targeting.

"We are awash in anecdotal evidence but little or nothing scientific or verifiable," he told members of the National Infrastructure Advisory Council Jan. 11 during a presentation. "With that being the case, decisions are being made in this area on incomplete information. Among other things this initiative is designed to help us address this gap."

Better data could help form policy and improve resource allocation for government and the commercial sector, but few datasets are available on the national level. Other datasets such as the Computer Security Institute's annual survey examine only the organizations' members. That doesn't provide nationally representative data, officials said.

Ramona Rantala, a statistician in the Justice Department's Bureau of Justice Statistics, said DHS and DOJ officials will ask about the prevalence and types of computer security incidents, where systems were vulnerable, and whether vulnerability was caused by an insecure wireless connection. It will also inquire about monetary losses and who committed the crimes, meaning whether they were general hackers, foreign competitors or current or former employees.

The Computer Security Survey, which has been vetted by some groups, including the FBI and the President's Information Technology Advisory Committee, is still being reviewed by other organizations before distribution. Officials hope to get preliminary results by the end of the year if they get enough responses, and have final results within 12 to 15 months. The project will cost about $3.1 million, officials said.

The full-scale survey is based on a questionnaire that was sent in 2001 to 500 businesses, 208 of which responded. Of the 198 responding companies that used computers -- 10 did not -- 74 percent reported they were victims of a cybercrime, such as embezzlement, fraud or theft of proprietary information. Two-thirds were victimized by a computer virus at least once, a quarter experienced denial-of-service attacks and a fifth said their computer systems were vandalized or sabotaged.

Rantala said the full-scale survey will help determine what types of attacks are most common nationally. She said people tend to think that if you have one computer attack, you shore up everything and that prevents anything else from happening. But they fail to consider that hackers develop methods of attack quicker than businesses can respond to them. "In other words, they can open the door faster than we can relock it," she said.

From the survey, participating companies could also receive tailored reports of where they stand within their industry in terms of how many attacks they've been subject to, what kinds of technologies they used for protection, and percentage of their budget was used for that.

"We'll give them a report with the industry total and with their specific values so that they'll know where they sit in that industry," Rantala said. "A lot of the [chief information officers] said they would love to be able to take this kind of information to their president and say, 'We need to put more money in this area. We need to put a higher percentage of our budget into this kind of technology because this is what everyone else in our industry is using.'"

She also said the full-scale survey could help estimate losses from cybercrimes that many news publications publish. "Honestly, nobody I've talked to has any idea where they come from," she said. "I can't say the methodology isn't sound. I'm just saying I'm not aware of what it is because there are no national data out there."

However, results will depend mainly on participation of the officials at the 36,000 businesses that will receive the questionnaire. For instance, the pilot survey, Rantala said, found that larger companies were less likely to respond than smaller companies. Officials at most of the large companies said they did not respond to voluntary surveys and that they receive too many surveys for them to answer.

Rantala said it would take an act of Congress to make a survey mandatory, but officials from both departments prefer it be voluntary. However, she said Information Sharing Analysis Centers, trade associations and private-sector leaders could help urge participation in the full-scale survey.

"What we're trying to avoid is having the businesses get multiple surveys," she said. "If they're only going to answer one, then we want it to be ours."