How much do hackers cost, really?
March 27, 2013 9:18 PM

So, we sometimes hear about hackers who break into XFamousCompany and cause untold gazbillionty dollars in damage. How accurate is that? How do they get these numbers?

I kinda doubt the price tags companies often put on hacker invasions. I know damage to reputation and customer trust can be pretty much incalculable. But so often news stories post actual dollar amounts, and I really wonder how they get there. I'm guessing highly paid employee salaries go into it, but... what else? How do they land at really big-sounding numbers? Are the companies being pretty honest, in general there?

I understand things like Coke's secret formula and other 'trade secrets', processes and design docs and such, could also be theoretically invaluable, but how much damage do hackers actually do? I seldom seem to find any mention of the hackers selling info (though it obviously has been rising in recent years).
posted by Jacen to Computers & Internet (11 answers total) 2 users marked this as a favorite
How do they get these numbers?

It's what's known as a SWAG: Scientific Wild-Assed Guess.

Some parts can be estimated, such as how much labor will be needed to fix any damage that was done, and other work like that. But a lot of it is just bullshit.
posted by Chocolate Pickle at 9:43 PM on March 27, 2013

This is just a guess, but I'm guessing it's almost all in labor costs. When someone breaks into a computer network, the response involves: (1) disconnecting/taking down compromised servers, therefore preventing people from working, (2) changing passwords (a *lot* of passwords), (3) updating server operating systems, potentially breaking existing setups and requiring a tremendous effort to bring everything up to speed, and (4) making up for all of the things that didn't get done due to the response.

If the company is small, it's a nuisance (albeit a time-consuming one). For a large company with a complex server network, this is a massive time sink, requiring several IT support staff and at least a week of full time work. It's likely the entire IT staff participates. Newspapers might be calculating the damages based on average server admin pay.
posted by spiderskull at 9:45 PM on March 27, 2013

"The Chicago Computer Fraud and Abuse Task Force had been assured that the E911 Document was worth a hefty sum of money. In fact, they had a precise estimate of its worth from BellSouth security personnel: $79,449. A sum of this scale seemed to warrant vigorous prosecution. Even if the damage could not be undone, at least this large sum offered a good legal pretext for stern punishment of the thieves. It seemed likely to impress judges and juries. And it could be used in court to mop up the Legion of Doom."
Zenner gave the witness a copy of "BellSouth E911 Service Interfaces," which cost, as he pointed out, $13, straight from the catalog. "Look at it carefully," he urged Ms. Williams, "and tell me if it doesn't contain about twice as much detailed information about the E911 system of BellSouth than appeared anywhere in Phrack."
Kim Megahee, a Southern Bell security manager, had arrived at the document's value by simply adding up the "costs associated with the production" of the E911 Document. Those "costs" were as follows:

1. A technical writer had been hired to research and write the E911 Document. 200 hours of work, at $35 an hour, cost: $7,000. A Project Manager had overseen the technical writer. 200 hours, at $31 an hour, made: $6,200.

2. A week of typing had cost $721 dollars. A week of formatting had cost $721. A week of graphics formatting had cost $742.

3. Two days of editing cost $367.

4. A box of order labels cost five dollars.

5. Preparing a purchase order for the Document, including typing and the obtaining of an authorizing signature from within the BellSouth bureaucracy, cost $129.

6. Printing cost $313. Mailing the Document to fifty people took fifty hours by a clerk, and cost $858.

7. Placing the Document in an index took two clerks an hour each, totalling $43.

Bureaucratic overhead alone, therefore, was alleged to have cost a whopping $17,099.
From _The Hacker Crackdown_, by Bruce Sterling
posted by novalis_dt at 10:06 PM on March 27, 2013 [9 favorites]

updating server operating systems, potentially breaking existing setups and requiring a tremendous effort to bring everything up to speed

Which is horseshit, because they should have done that before the break-in, which most likely would have prevented it to begin with.
posted by empath at 10:11 PM on March 27, 2013 [2 favorites]

Here's a U.S. Justice Department document entitled Prosecuting Computer Crimes (PDF) which might be interesting. In discussing the Computer Fraud and Abuse Act of 1984, which allows someone to be charged with a crime for almost anything related to the use of computers (to the point that lawyers have tried to use it to prosecute someone for violating MySpace's terms of service; although last year SCOTUS ruled that an employee violating an employer's computer use policies isn't a violation of the CFAA, at least), it says:
The statute defines “loss” quite broadly: “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). This definition includes, for example, the prorated salary of a system administrator who restores a backup of deleted data, the prorated hourly wage of an employee who checks a database to make sure that no information in it has been modified, the expense of re-creating lost work, the cost of reinstalling system software...


“Loss” also includes such harms as lost advertising revenue or lost sales due to a website outage and the salaries of company employees who are unable to work due to a computer shutdown.


At least one court has held that harm to a company’s reputation and goodwill as a consequence of an intrusion might properly be considered loss for purposes of alleging a violation of section 1030.
So as also described in the text novalis_dt cites, in news stories you may be hearing figures that are being cranked up as high as possible for litigation purposes.
posted by XMLicious at 11:13 PM on March 27, 2013 [3 favorites]

I can say from direct experience that it's basically BS. I know someone who was criminally charged with causing damage far in excess of the yearly salary of the two people who spent a couple of days restoring a group of about 5 servers from backup.

Incidentally, it's the same way the values quoted in news stories about drug seizures are almost all vastly inflated.
posted by wierdo at 12:03 AM on March 28, 2013

Does the break-in involve losing sensitive data for a bunch of your customers? If so, the financials change, at least in the U.S. Since the ChoicePoint data breach that occurred in California in 2005, virtually every state has passed a "data breach" law that includes notification requirements and sometimes requires credit monitoring for impacted customers.

I've been peripherally involved with a couple of largish data breaches. Here are my observations on where the money got spent. There is going to usually be some scrambling for remediation activities involving some security consultants who will literally get on the next plane to come to you and work around the clock. Those kinds of guys are pretty expensive and you are in no position to negotiate, think about a billable rate of something like $300 an hour (or more) per person. There may later be an audit, to demonstrate to your board and your customers that you have remediated your problem. Because of the volume of phone calls, you probably won't have the call center capacity to handle it, so you'll want to contract with a call center to handle your overflow. There will be a startup fee and it will end up costing something like $5 to $10 per call. You may be required by law to notify your customers by snail mail, which involves printing letters and mailing them -- that will be about $0.50 to $1 per affected customer. Again, unless you happen to have that function in house, you are contracting on very short notice for someone. Many companies that suffer a breach will choose to engage a credit monitoring service for all of their customers for a year or two. This is highly negotiable, when you are dealing in volumes of hundreds of thousands or millions, but if you are trying to throw together a budget to deal with your breach, you start with the retail cost of these services, which is about $15 a month per person. Then, the lawsuits come. Most companies are going to end up outsourcing the legal defense to a specialty law firm. The cost here is somewhat unknowable in advance. Are you in a business where your customers have a choice about where they get their service? How many cancelled immediately on announcement of the problem? How many are going to cancel later? What about loss of reputation?
And, did you have to run any print or TV commercials assuring the public that you don't have a problem?

In a nutshell, the costs that are pretty well defined up front: security consultants, auditors, call center, letters, credit monitoring service. Call center, letters, and credit monitoring scale with the size of your data breach: more customers involved, the higher the cost. The costs that may be harder to define: legal fees, loss of business, loss of reputation, TV and print ads.
posted by kovacs at 4:00 AM on March 28, 2013 [1 favorite]

The costs cited are usually high because they look at the worst case scenario. They don't just factor in the cost of the two schlubs working 36 hours straight to get the machines back up and running. They calculate the cost of calling in Andersen Consulting to completely replicate the data from scratch, because they don't know what it will take to fix the problem.

Think of it this way: if you throw a rock through my window, I am going to ask you for the price of replacing that window, and if you are charged with a crime, that's what the charge will say: causing $1000 worth of damage. It makes no difference whether I call a contractor and write a check for $1000, or if I replace it myself with a spare window I keep in the garage.

It's sort of like retail versus wholesale. Liability is usually priced at retail.

Incidentally, it's the same way the values quoted in news stories about drug seizures are almost all vastly inflated.

The reason for that is that they break it down to street value. A kilo of cocaine costs $1000 from the distributor, but 1000 1 gram baggies would sell for $20 a piece on the street. So that's $20,000 worth of drugs. Made up numbers, I'm sure.
posted by gjc at 4:35 AM on March 28, 2013

Remember first that there's costs and then there's "sales we could have billed for but didn't." They're often lumped together because of shoddy journalism.

I recall a cell phone exec trying to tell me that, in '96, cloned phones cost the company $1 million a day, as if the company had a giant pile of money down at the bank, and gremlins were hoovering it up.

Totally not true.

What he was saying was that, if all of those cloned phones were in the hands of actual paying customers, their calls could have billed to the tune of $1 million a day.

I'm convinced that, of these stories of hackers causing untold damage, half of them are bending the truth, just like that exec, and journalists aren't calling them on it.
posted by Cool Papa Bell at 5:49 AM on March 28, 2013

Hackers are like ancient steppe horsemen attacking the Roman Empire. Behind your city walls, you're pretty safe. Sure, they'll burn your fields and create a little havoc, but you'll survive. Eventually they'll realize they can't storm the city, run out of food and move on. Even the occasional successful raid is put down pretty quickly because even if they take a city, they can't hold it.

The real cost associated with those nomads from Mongolia isn't the damage they do in an individual attack, it's the unbelievable cost of putting up those city walls and keeping standing armies around as defense.

Defense is *incredibly* expensive. Much more expensive than offense. A few fast horsemen could lay waste to gigantic armies that were foolish enough to spread out enough to protect a large landscape or to stay put in the open and try to fight a pitched battle. Even today, putting together a missile defense system costs billions of dollars, compared to the unguided $50,000 rockets that are coming at you from rebels across the border.

A few punks with commonly available software can harry the forces of PayPal, Inc for approximately no cost. Meanwhile, it costs PayPal an absolute boatload of resources putting together an effective security plan. Millions and millions of dollars. And everyone with an internet presence needs defense. Every bank. Every college. Every grade school. Every private website. Everyone. Add all that up and it's easily measured in the billions of dollars.
posted by pjaust at 6:31 AM on March 28, 2013 [2 favorites]

gjc: "The reason for that is that they break it down to street value. A kilo of cocaine costs $1000 from the distributor, but 1000 1 gram baggies would sell for $20 a piece on the street. So that's $20,000 worth of drugs. Made up numbers, I'm sure."

No, you're not understanding. They claim that the drugs have a street value around 10 times what it actually would sell for on the street, even in the smallest possible volumes. Same thing with the person I referred to. I have direct knowledge of what was involved in responding to that incident.
posted by wierdo at 6:55 PM on March 28, 2013
