The nature of cyber discourse concerns me, and this is a point I have written about extensively with Ryan Maness (Valeriano and Maness 2012a, Valeriano and Maness 2012b, Valeriano and Maness 2014). The idea is that threats we see materialize from cyberspace seem to vastly outweigh any other threats we have faced, ever. Some argue this cyber threat is different, faster, and bigger. I question this conventional wisdom. Is the cyber threat really any different than any other threat we have faced?
To this point, I have generally avoided writing about cyber-crime, but the logic suggesting that international cyber threats are manageable also extends to domestic cyber threats. Cyber-crime is not any different than other forms of crime. There has already been much discussion of transnational crime so it is pointless to argue that global cyber-crime would require a different scope. The threat is not new or different, it just exists in a new domain, the cyber domain.
When I was younger I worked in a few big box stores. The Walmarts, Staples, Office Depots of the world are enormous stores. They make their profits through the vast amounts of goods bought, not through customer service or specialized needs fulfillment. They succeed through volume. With volume come constant threats, as it is difficult to keep control of such a large inventory. These stores assume it is not even possible to lock down all inventory, and that there will be a certain amount of loss. Minor theft, employee errors and stock misplacement, or inside damage all come with retaining the size of offering these stores specialize in. The difference between physical inventory and book inventory is noted in accounting as shrinkage. These losses is not embraced but it is accepted and managed. There are an acceptable amount of losses that come through so much turnover and employee hands on all that merchandise. Even Amazon is not immune to such practices, being so free to fulfill replacement orders lost through shipping or damage. This inventory shrinkage is part of doing business at volume.
We need to move to a view of cyber shrinkage in digital transactions and ecommerce. The amount of volume through cyber transactions is vast and unwieldy. Soon traditional retailers will sell more merchandise on Black Friday online than in their stores, if this has not happened already. The internet is nothing but a global big box store and shrinkage is a concept that should not be tethered to physical stores. There will be cyber shrinkage, a small percentage of loss between expected sales based on inventory and actual sales. So many transitions online will only lead to a certain amount of losses, in both ecommerce and government activities.
Are these acceptable losses? The answer to this question depends on your view of loss and risk acceptance. If we are going to move the majority of our transitions to digital transitions, it would be folly to assume shrinkage will not be part of this transition. Cyber transactions are not any different than any other sort of commerce. In physical stores, the average amount of shrinkage is 1 to 2 percent, if not as much as 3-5 percent.
Reports that come out suggesting that $110 billion was lost in 2012 to cyber attackers, we need to look at this process through the domain of risk acceptance rather than loss. There is a risk to be assumed with working the digital realm, just as there is a risk to be accepted when one puts all their inventory in a warehouse covering a square city block guarded by ten employees (who are often instructed to not even stop shoplifters lest they bring on legal action for the store). In the last year, it was suggested that normal shrinkage resulted in a loss of 34 billion dollars. Comparing $34 billion lost to $110 billion might make it seem like cyber losses are tremendous, but we would really need to compare this to the total amount of money spent. Comparing $110 billion lost to the total US GDP of $69.97 trillion in 2012 suggests loses at .0015 percent. I am not satisfied this is an accurate comparison but it is a starting point to work with until I can finalize this idea as an article.
A theory of cyber shrinkage would be based on the traditional concept of shrinkage. One to two percent is an acceptable loss according to volume. The opposing view would be that to avoid this process we would need to move back to physical transitions representing a loss in volume. The difference between physical transactions and cyber transitions is a source to point us in the right direction about acceptable losses. If we were to transfer all digital communications back to physical communications, what would be lost? The Russians may find out soon as they purchased thousands of typewriters to avoid cyber theft.
Assuming we accept a certain amount of cyber shrinkage, how to do we minimize these losses? When I worked in big box stores, all large and small valuable merchandise was put behind lock and key. We had to log in entry, often with a manager, and this inventory will watched with security cameras. Cyber transactions should start to move towards this framework, where large transactions should be guarded and watched closely while high volume and low end transactions should be a bit more fluid. Sensitive information should be behind lock and key not accessible through regular channels. To allow for more access would leave the producer of this information at risk. Only by accepting risk and minimizing the damage done by controling merchandise (information), can we move towards a feasible view of cyber security.
There also must be responsible policies put in place by those handling data. Background checks should be done on all employees who handle transaction data and passwords. Often this is not done and these employees are treated as any other, yet the damage they can do is vast (as the U.S. found out through Edward Snowden). One employee processing a credit card transaction can be responsible for thousands of dollars lost, and if we multiply this by hundreds of thousands of employees with this access and the problem becomes unmanagable. Control the access points, control who has access to information and who can penetrate these systems. Without this step, it is unrealistic to speak of cyber security in the offensive realm to punish violators and criminals. Security begins at home with both the acceptance of shrinkage and the minimization of damage this realm can do.
Once we move to this frame we can be begin to have a realistic debate about the dangers in the cyber realm. Without this step, prognostications of cyber doom and threat are toothless. There needs to be a reckoning at home, with defense the first step. Rather than moving first to blame the attacker, look at the defense framework and why the attacker choose a certain target. Cyber interactions at not all that different than past physical interactions. Once we accept this reality we can move towards a nuanced view of cyber security.
Valeriano, Brandon and Ryan C. Maness. 2012a. “The Fog of Cyberwar: Why the Threat Doesn’t Live Up to the Hype.” Foreign Affairs.
Valeriano, Brandon and Ryan C. Maness. 2012b. “Persistent Enemies and Cyber Security: The Future of Rivalry in an Age of Information Warfare.” in Derek Reveron’s Cyberspace and National Security: Threats, Opportunity and Power in a Virtual World, (Washington D.C.: Georgetown University Press): 139-158.
Valeriano, Brandon and Ryan C. Maness. 2014. “The Dynamics of Cyber Conflict between Rival Antagonists, 2001-2011.” Forthcoming in Journal of Peace Research.
*edited for minor errors and style
“These losses is not embraced” Whoops!
While $110bn seems like losses that are acceptable as global “shrinkage”, cyberattacks seem to have a worrying tendency to target assets which cannot be lost without grave strategic damage (F-35s, for instance).