On Wednesday, the Australian Cyber Security Centre (ACSC) released its inaugural report on the cyber threat level facing Australia.
The analysis concludes that “the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow”. When it comes to calculating the price of cybercrime, the report refers to a contentious 2013 figure from Symantec that estimated a total cost of $1 billion for that year.
The ACSC forecasts a menacing future for businesses in which they will be targeted by more adversaries, who are more skilled and better equipped to perpetrate more destructive attacks. Media headlines have focused on this aspect of the report to varying degrees of sensationalism.
But when looked at in a broader context, the numbers in the report don’t tell such a shocking story.
Much publicity has been given to the dramatic increase in cyber incidents as cited in the report. Indeed, this number more than tripled between 2011 and 2014.
On the face of it, this is an alarming rate of growth, but the data also indicates another trend: the percentage increase in cyber attacks has actually fallen year-on-year.
Whilst 2012 saw 119% more cyber attacks than the previous year, this rate dropped dramatically in each subsequent year. In 2013, cyber attacks increased by 37% and in 2014, by just 20%.
The report does not draw attention to this trend or discuss the potential reasons behind it.
But the data would yield greater insights if it were accompanied by a critical understanding of how cyberspace has developed in the same period.
Neither depicting statistics on cyber attacks in absolute terms (i.e. 1,131 reported incidents in 2014) nor as a year-on-year percentage (i.e. 20% more reported incidents in 2014 than 2013) are ideal ways of measuring changes in the threat level.
Advocating a different approach, the Global Commission on Internet Governance (GCIG) released a report earlier this month arguing that cyberspace is actually “far safer than commonly thought”. Author Eric Jardine argues that cybercrime statistics should be expressed as a proportion of the growing size of the internet. This method would reflect the increase in potential targets and attackers that accompany this growth.
To put it another way, if a school has five bullying cases one year and 10 the next, this is less shocking if we also learn that the school’s population has doubled.
We can measure the increase in Australian organisations with online presences crudely by charting the growth of ‘.au’ domain names. In January 2011 there were 1,945,387 ‘.au’ domain names registered. By 24 July 2015, this had grown to more than 3 million, up nearly 55% from 2011.
This increase in the ‘population’ of cyber-vulnerable Australian organisations can be understood as an increase in the number of potential targets for cyber attackers.
Another method of measuring the size of the internet is to consider how many individuals are using it.
Australian internet users represent only 0.73% of the world’s online population, while according to the ACSC report, many potential sources of cyber threats come from groups outside of Australia, whether foreign state adversaries, transnational criminal group and hacktivists. Measuring the increase in global internet users—rather than just Australian users—will provide a better reading of the cyber threat level facing the country.
Between 2011 and 2014, the number of individuals with access to the internet grew from 2,272,463,038 in 2011 to approximately 3,174,000 today – an increase of approximately 39%.
In this rudimentary way, we can clearly illustrate two ways in which the internet has expanded: there has been an increase in the number of Australian organisations with online presences as well as in the number of individuals with access to the internet worldwide.
In this environment, an increase in the level of cyber attacks should be expected; loosely speaking, the proverbial school population has doubled.
This reality is not reflected by the ACSC’s conclusion that the cyber threat level in Australia is “unrelenting” in its rise.
This risks fostering a climate that is dismissive of Eric Jardine’s proposal that cyberspace is safer than we believe. A high cyber threat level should not be taken for granted; we need impartial analysis of risks and their associated costs.
Over the coming weeks, the ACSC report will generate more discussion on the level of cyber threats facing Australia. The numbers under consideration tell multiple stories, and we need an open debate to ensure that these are evaluated in turn.
Harriet Ellis is the International Security Fellow for Young Australians in International Affairs.
Image credit: Perspecsys Photos (Flickr: Creative Commons)