Virus Damage a Controversial Science

Philbert Shih, theWHIR.com

March 12, 2004 — (WEB HOST INDUSTRY REVIEW) — Many observers consider the recent MyDoom virus to be the worst of all time, surpassing last year’s Sobig and MS Blaster viruses. But while MyDoom was certainly successful in wreaking havoc on the Internet, it had another effect, raising the question of how we can accurately measure and compare the impact of major viruses and other digital attacks.

Mi2g (mi2g.net), a UK-based digital risk firm, has attempted to do just that, calculating the impact of viruses in terms of economic damage. This is intended to illustrate how “damage is visible from an economic perspective,” says DK Matai, mi2g’s executive chairman. He says bandwidth overflow or emails deleted by an overzealous spam filter are just two virus effects that have a negative economic component associated with them. One extension of the economic cost, for example, is the man-hours required to deal with such occurrences.

In the case of the MyDoom virus, mi2g estimated over $43.9 billion in economic damage in 215 countries after just two weeks. The United States accounted for $12.2 to $15 billion of that number. Large numbers certainly raise eyebrows. Publications such as CNN, Time, and the New York Times have cited mi2g findings in the past and the attention has prompted observers and critics to question how exactly the firm derives its numbers.

Matai says mi2g employs SIPS (Security Intelligence Products and Systems), an engine that collects and reports on overt hacking activity around the world, to produce its estimates of digital damage. The database in the SIPS engine, maintained since 1995, holds information on over 8,500 hacker groups, keeping records of 380,000 hacking events in addition to other viruses and vulnerabilities as they occur. Updates to the database occur on a daily basis.

The data stored in SIPS is compiled from a wide range of sources. In the first group are “personal relationships” mi2g has with top executives around the world. In addition, mi2g compiles data from its monitoring of hacker bulletin boards, hacker activity and its anonymous communications channels with hacker groups. Matai adds that his organization also works very closely with a range of government intelligence agencies and organizations to investigate specific areas of concern, such as criminal syndicates. Finally, SIPS collects data from various open sources such as anti-virus companies. All of the data that the firm receives from its sources are verified to ensure their accuracy, mi2g says.

EVEDA (Economic Valuation Engine for Damage Analysis) is the component of the SIPS engine that the firm uses to calculate economic damage. EVEDA, according to mi2g, is an econometric model that estimates economic damage caused by digital attacks based on “a unique set of algorithms” that the company’s SIPS team has developed in conjunction with economists and risk analysts. When it comes to a specific virus like MyDoom, mi2g aggregates the data it has collected from its various sources and plugs them into EVEDA, which then produces the numbers.

Several economic parameters, weighted to the size of organizations, are factored in where applicable and are used to extrapolate the economic damage metric. These include help desk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, recovery cost, software upgrades and others. Matai adds that the algorithm is not static and “continues to modify itself depending on what we have learned from previous outbreaks.”

Mi2g’s estimates have sparked debate across the industry and in some cases, stern criticism. Rob Rosenberger, a well-known virus expert, is the editor of Vmyths, a Web site dedicated to eradicating what it describes as “computer virus hysteria.” Rosenberger has been outspoken about mi2g, accusing the firm of publishing numbers that are inaccurate and designed to attract publicity. “Firms like mi2g make wild guesstimates because they know it will result in valuable free publicity,” he says. Rosenberger also criticizes mi2g for not revealing details of its methodology, suggesting that without such information, people are forced to take them on blind faith. “They refuse to explain how they obtain micro-economic data… [and] they even refuse to identify the extrapolation model they use,” he explains.

Chris Belthoff, a senior security analyst at Sophos, is also curious about mi2g’s methodology. “We don’t see how they are able to come up with such numbers and would love to be shown the methods by which they are reached,” he says. Belthoff also questions the utility of such numbers. He doesn’t see how the average company would find these numbers of much use. “What does $44 billion mean to a typical small or medium-sized business?” he asks. And while not denying that there is a real cost resulting from virus infections, he says “it is very difficult and often misleading to make estimates.”

Matai disagrees. He believes that estimates can be very useful. “One of the things that these economic damage numbers are meant to do is give a sense of perspective on how big the problem associated with a particular type of malware [virus] is.” In fact, mi2g would be the first to say that its economic damage calculations are not exact, but guesstimates. “These numbers, by and large, we say are not accurate… they are estimates.”

Critics who dismiss mi2g question the company’s methodology as well as its motives, suggesting that the numerous press releases and large damage estimates are designed merely to attract publicity and help sell its research reports and other digital risk products. In response, mi2g has tempered its own numbers with an element of caution while detailing certain elements of how it produces its metrics.

Estimating virus damage is an inexact science at best. But Matai says mi2g’s calculations can be used to gauge the overall and relative damage caused by viruses and digital attacks, helping us develop a somewhat clearer picture of a murky reality.