The vast majority of reports published by the cyber-security industry focus on high-end economic espionage and state-sponsored hacking topics, ignoring threats to civil society and creating a distorted view of the actual cyber threat landscape that later influences policy-makers and academic work.
In an article published in the Journal of Information Technology & Politics, a team of academics made up of some of today’s biggest names in cyber-security and internet research fields analyzed 700 cyber-security reports published over the last decade, between 2009 and 2019.
“The reports we collected were derived from two types of sources: first, commercial threat intelligence vendors (629 reports), and second, independent research centers (71 reports),” academics said.
In addition, the team also examined helpline data from AccessNow, a digital rights advocacy group, in order to understand the true digital threats, as reported by the end-users themselves.
The research team — made up by eminent names in the cyber-security field such as Lennart Maschmeyer, Ronald J. Deibert, and Jon R. Lindsay — found that only 82 of the 629 commercial reports (13%) discussed a targeted threat to civil society.
Of these 82, only 22 reports placed a threat to civil society at the center of their investigations, with the rest 607 commercial reports focusing on cybercrime gangs and nation-state actors (APT groups).
In contrast, most of the reports produced by independent research centers were focused on the threats to civil society.
Cyber-security reports are driven by profits
Maschmeyer, Deibert, and Lindsay believe this is because cyber-security firms are driven by their bottom lines, and the reports they put out serve “as much as advertising as [threat] intelligence.”
“Commercial reporting is driven by specific business interests that determine what gets reported, and what does not,” the research trio said.
Cyber-security firms — chasing large enterprise customers and government contracts — primarily focus on investigating cybercrime, economic espionage, and critical infrastructure sabotage, but ignore threats to individual, minorities, or the civil society as a whole.
“High end threats to high-profile victims are prioritized in commercial reporting while threats to civil society organizations, which lack the resources to pay for high-end cyber defense, tend to be neglected or entirely bracketed,” the research team said.
“This situation constitutes a market failure that leaves those most in need of accurate information about threats – vulnerable civil society actors – least well-informed,” they added.
Since commercial cyber-security firms are behind most of today’s cyber-security reports, the research trio says this current state of affairs produces “a systematic bias in reporting” that is likely to “impact perception among both policy-makers and researchers” and end up affecting government policies, national state defense strategies, and academic work in the long run.
Best example: 2016 US Presidential Election
The best example of this theory, which researchers published back in June, is the 2016 US Presidential Election.
US cyber-security agencies expected nation-state entities to hack campaigns, which it happened, but most of the actual damage was done through social media influence campaigns aimed at the civil society.
“This Russian influence campaign focusing on individuals and civil society caught most scholars and policy-makers off guard; it did not correspond to prevailing threat models focusing on critical infrastructure disruption and large-scale digital espionage,” Maschmeyer, Deibert, and Lindsay said.