Shostack + Friends Blog Archive


Cyber-Spies!

The WSJ has an article up today about how the Russians and Chinese are mapping the US electrical grid.  What I thought was more interesting was the graph they used (which is only mildly related to the article itself).

If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches that were reported to them from somewhere.  That I’m willing to believe.  But check out that red line for Commercial there – how interesting is that?  And then compare the red bands of ’06, ’07, and ’08…

Now, in interpreting the graph, I’m not sure how “complete” the DHS’s Commercial data set is.  After all, businesses will only report a breach when necessary, and it’s not clear where DHS got its information from.  But Commercial compared to Government is an interesting contrast (I suppose I’d be willing to put a lower “uncertainty” value on the government-reported breach number reported by DHS).  And then there’s “Individuals”.

I find it really interesting that somewhere south of 50,000 individuals told someone that they had a cybersecurity breach (I apologize for using the term “cyber”, btw). And it’s interesting that this number doubled between ’07 and ’08.  I’m not sure what to make of that, or how these numbers are arrived at.  Are these people reporting directly to DHS?  Do any readers know how DHS gets these numbers?

3 comments on "Cyber-Spies!"

  • Adam says:

    My WAG is that this is CERT data, but I don’t know.

    In GAO-08-496T http://www.gao.gov/new.items/d08496t.pdf there’s a graph that resembles the government incidents numbers.

    See page 20, noting that it’s 05-07, rather than 06-08 with roughly 6000 incidents in 06, 13,000 in 07. That doesn’t look like it’s at odds with this graph.

  • Evilb1t says:

    The DHS has multiple sources for their metrics. Two, I believe, are subcontracting companies (Unisys, IBM or EDS, not 100%). DHS would have access to the breach information provided by the FBI. The corporations would use the FBI to handle chain of custody or assist in a breach. As this impacts stock prices and business, I can only guess on the obligation of reporting to the public. I do not know where the reporting or confidentiality of those exchanges stand. http://www.cio.com/article/140500/FBI_Investigates_Unisys_Over_US_Government_Hack

  • Pingback: Security Briefing - April 9th : Liquidmatrix Security Digest [http://www.liquidmatrix.org/blog/2009/04/09/security-briefing-april-9th-2/ no longer works]