October 23, 2008, 1:45 PM — Numbers are interesting. At times, numbers almost seem to possess a physical quality; they represent something we can hold, even if we cannot actually touch them.
Really big numbers, even those in the millions, might be difficult to fathom at first, but somehow we're able to get our heads around them, to hold and manipulate them. Imagine having two million dollars in the bank, and a grin, even a smile, might quickly appear as we mentally allocate those funds to our wants and desires.
Billions and trillions, though, are numbers that pose some interesting problems. Consider spending US$700 billion to bail out a financial system, and most of us react by shaking our heads in disbelief. $700 billion is a big number. How and to what $700 billion might be allocated staggers the imagination. Big numbers make us skeptical. That is understandable.
When I first proposed that the cost of insecure software might be somewhere around $180 billion, some were, and remain, skeptical. Rightly so. Even I am skeptical about the number. Not because it might be wrong, but because we have no idea by how much.
Recent testimony given before the U.S. Congress helps me believe that the number might be less wrong. Paul Kurtz, in testimony before the House Permanent Select Committee on Intelligence (September 18, 2008), states:
"Today our information systems are being exploited on an unprecedented scale by state and non-state actors. We face a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness...
Government networks are being targeted to steal sensitive information and gain understanding of mission-critical dependencies and vulnerabilities. Corporate intellectual property across all sectors is being stolen (information technology, bio-technology, defense industrial base, financial, transportation, and energy). The NCIX [Office of the National Counterintelligence Executive] has estimated that the loss of intellectual property totals in excess of 200 billion per year. The United States is not alone in this conclusion."
Losses of $200 billion per year are hefty but not surprising. Earlier estimates in Congressional testimony by Frank Cilluffo placed intellectual property losses due to system vulnerabilities for the years 1997 to 2000 at over $1 trillion. To quote:
"...intellectual property theft has become so common that some companies now hire "good hackers" to perform vulnerability assessments of their networks...Fortune 1000 companies alone lost more than $45 billion from theft of trade secrets in 1999. By 2000, American companies were losing in excess of $1 trillion." [Intellectual Property Crimes, American Law Review]
Certainly not all intellectual property theft can be attributed to insecure software, but, as I have argued repeatedly, there is a strong relationship: insecure software sends an unmistakable message of disorder into cyberspace, inviting further disorder, even crime. The $180 billion figure is an imperfectly derived estimate of one fraction of a multi-trillion-dollar global problem. As Bruce Schneier has said:
"Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft...The problem is insecure software. It's bad design, poorly implemented features, inadequate testing and security vulnerabilities from software bugs. The money we spend on security is to deal with the effects of insecure software. And that's the problem."
Spending $700 billion to bail out a financial system is shocking. But the United States has already "spent" that, and much more, dealing with and feeling the effects of insecure software. Irresponsible bankers rightly deserve our ridicule... irresponsible software manufacturers even more so.
David Rice is Director of The Monterey Group and author of Geekonomics: The Real Cost of Insecure Software; you can read the Geekonomics chapter "The Perversity of Patching" on CSOonline.