Research Article

A tale of two cybers - how threat reporting by cybersecurity firms systematically underrepresents threats to civil society


ABSTRACT

Public and academic knowledge of cyber conflict relies heavily on data from commercial threat reporting. There are reasons to be concerned that these data provide a distorted view of cyber threat activity. Commercial cybersecurity firms focus on only a subset of the universe of threats, and they report publicly on only a subset of that subset. High-end threats to high-profile victims are prioritized in commercial reporting, while threats to civil society organizations, which lack the resources to pay for high-end cyber defense, tend to be neglected or entirely bracketed. This selection bias not only hampers scholarship on cybersecurity but also has concerning consequences for democracy. We present and analyze an original dataset of available public reporting by the private sector together with independent research centers. We also present three case studies tracing reporting patterns on a cyber operation targeting civil society. Our findings confirm the neglect of civil society threats, supporting the hypothesis that the commercial interests of firms produce a systematic bias in reporting, which functions as much as advertising as it does as intelligence. The result is a truncated sample of cyber conflict that underrepresents civil society targeting and distorts academic debate as well as public policy.

Acknowledgments

The authors would like to thank Max Smeets, Masashi Crete-Nishita, Irene Poetranto, Adam Casey, and Alexei Abrahams for their insightful comments on earlier drafts of this paper. We also thank the participants of the 2018 “Global Digital Futures” workshop at Columbia University’s School of International and Public Affairs, the team at ETH Zurich’s Center for Security Studies, participants of the 2019 ISA panel on Digital Technologies and Human Rights, and the Ostrom workshop at Indiana University Bloomington for their helpful feedback. Daria Goriacheva provided excellent research assistance for the reliability test. We are grateful for the generous funding from the Carnegie Corporation of New York and the School of International and Public Affairs at Columbia University, the Ford Foundation, the John D. and Catherine T. MacArthur Foundation, the Sigrid Rausing Trust, the Oak Foundation and the Open Society Foundations that helped make this project possible. Finally, we thank AccessNow for providing us with aggregate data, and in particular Daniel Bedoya for his help in preparing this data.

Declaration of interest statement

The authors declare there are no conflicts of interest.

Data availability statement

A copy of the dataset can be accessed here: https://docs.google.com/spreadsheets/d/1FyzBsZ1UvhR2inK_cKItBgSzY7J-lGHDLbrEQKFD08w/edit?usp=sharing

Notes

1. See the next section for more details.

2. For more details and a definition of these threats, please see Online Appendix, Section A1.

3. A definition is included in the Online Appendix, Section A1.

4. For examples of this influence, please see Online Appendix, Section A2.1.

5. These include Citizen Lab, Electronic Frontier Foundation, AccessNow, Human Rights Watch and Amnesty International.

6. See Online Appendix, Section A1, for definitions of these terms.

7. This dual role also allows for a less cynical interpretation of threat reporting as a quasi-academic enterprise, yet with similar results. See Online Appendix, Section A2.2 for more details.

8. There are two such projects: (1) APT Groups and Operations, a sheet consolidating naming schemes and operations; and (2) APTNotes, a repository of commercial reporting.

9. See Online Appendix, Section A2.3 for more details.

10. See Online Appendix, Section A2.4 for a more detailed discussion of these expectations.

11. See Online Appendix, Section A3.3, for further details on the assumed causal mechanism and limitations in the availability of data.

12. See Online Appendix, Section A3.1, for further details on these criteria.

13. A coding guide is available in the Online Appendix, Section A3.4, which also discusses reliability measures and provides a link to our data.

14. See Online Appendix, Section A3.6, for further details.

15. Our qualitative analysis tracks these additional indicators as well.

16. For coding details on attribution, see Online Appendix, Section A3.4.

17. See Online Appendix, Section A3.2 for a discussion of rival theories.

18. Some commercial reports discuss spyware in general (cf. Kaspersky, 2017), but not its targeted use.

19. Public goods are defined by two key properties: they are non-exclusive (Samuelson, 1954) and non-rivalrous (Ostrom & Ostrom, 1977). In other words, no one can be excluded from the benefits of the good, while its consumption by one actor does not reduce its availability to others. Public threat reporting fulfills both criteria: it is freely available online, and reading a report does not reduce its availability to others (Rosenzweig, 2011).

Additional information

Funding

This work was supported by the Carnegie Corporation of New York; Ford Foundation; John D. and Catherine T. MacArthur Foundation; Oak Foundation; Open Society Foundations; Sigrid Rausing Trust.

Notes on contributors

Lennart Maschmeyer

Lennart Maschmeyer is a Senior Researcher at the Center for Security Studies, ETH Zurich.

Ronald J. Deibert

Ronald J. Deibert is a Professor of Political Science, and Director of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto.

Jon R. Lindsay

Jon R. Lindsay is an Assistant Professor of Digital Media and Global Affairs at the Munk School of Global Affairs and Public Policy, University of Toronto.