Also, in the recent report from Congress about homeland cybersecurity, there is this passage, citing a research report:
The insurance industry has the ability to contribute to the development of a cost methodology through its customer base but is currently limited in the number of specialized cyber risk policies available. CRS found that the "growth of cyber risk insurance is hindered primarily by a lack of reliable actuarial data related to the incidence and costs of information security breaches; enhanced collection of such figures would probably be the most important contribution that policy can make."
Missing data? Very interesting!
If information gathering has the potential to reduce costs and risks, why does the data shortfall persist? According to the CRS report, "[T]here are two chief obstacles. First, there are strong incentives that discourage the reporting of breaches of information security. Second, organizations are often unable to quantify the risks of cyber attacks they face, or even to set a dollar value on the cost of attacks that have already taken place. Thus, even if all the confidential and proprietary information that victims have about cyber attacks were disclosed and collected in a central database, measurement of the economic impact would still be problematical."
This summary of another report doesn’t say what the strong disincentives are that discourage reporting information security breaches, but one can guess they may have to do with fear of customers worrying about their information being insecure, fear of resulting lawsuits (see Negligence or Risk?) and fear of further targeted attacks. A program like InfraGard may help with such corporate hesitance by permitting information sharing about breaches without public disclosure. Or the other direction might work: disclose all breaches, thus giving all enterprises incentive to do something about them.
The report makes a very important point that a centralized database of all breaches still wouldn’t address the economic issues, because the breached companies don’t know themselves. For that matter, they often don’t even know they’ve been breached; witness the burgeoning black market in botnets. And they know even less about slowdowns and interruptions outside the firewall that cause customers not to be able to transact business.
In other words, required reporting such as the FCC requires of telecommunications companies won’t solve the problem. The popular suggestion of determining the security state of the Internet by having ISPs or even enterprises report on it would be inadequate.
Regrettably, many people continue to use metrics and methodologies from the physical environment when thinking about cyberspace. As CRS determined, "There is a fundamental difference between a cyber attack and a conventional physical attack in that a cyber attack generally disables — rather than destroys — the target of the attack. Because of that difference, direct comparison with previous large-scale disasters may be of limited use."
This last is all true, although there has been at least one case involving an electric utility in which temporary loss of electrical service was counted as physical damage with corresponding legal liability, even though everything worked correctly once power was restored. The lost business did not automatically come back. Damage to reputation does not automatically come back. Increased expense does not necessarily go away.
There are some other differences about cyberspace.
- Damage doesn’t have to be the result of a targeted attack. This is different from physical attacks on physical plant. This is more like acts of God such as hurricanes, earthquakes, and floods, which can damage multiple enterprises simultaneously without any human targeting. Even some human attacks aren’t targeted at a particular enterprise; for example, botnet collectors don’t really care who owns the affected computers; they just want a lot of them. We’re not talking Ocean’s 11 here, where a gang of thieves spends a lot of effort cracking a specific casino. That sort of thing does happen in cyberspace, but cyberspace isn’t limited to it.
- Such aggregation can be even more widespread than for natural disasters, since the average flood is restricted to a riverbed, the average earthquake to a fault, and the average hurricane to an ocean and its environs. The Internet is worldwide, and as we have seen repeatedly, worms, viruses, and general bug exploits are also worldwide. A given enterprise’s customers may be worldwide, and nonredundant routes, congestion, or cable cuts anywhere in the world can interfere with its business.
- There are three major electrical grids in the United States, but there is by its nature only one Internet, which also extends worldwide. The Internet is the one infrastructure all enterprises increasingly depend upon.
-jsq