By Bruce Sussman
Thu | Sep 10, 2020 | 1:02 PM PDT

Most of us in cybersecurity are caught in what you could call the inbox storm—a constant barrage of new "cybersecurity research" calling out emerging threats or presenting a new analysis of a threat actor.

Some of the research is excellent and can act as a form of threat intelligence, helping you become aware of what cybercriminals are focusing on.

But is something missing from these industry reports, webinars, and white papers? Something that could distort your vision of cyber reality and perhaps harm democracy itself?

The answer is yes, according to new research published in the Journal of Information Technology and Politics.

Researchers analyze industry cybersecurity threat reporting

Researchers from the University of Toronto and the Center for Security Studies in Zurich analyzed hundreds of reports published by the cybersecurity industry.

They contend that the angle these reports take creates a hidden risk: it warps how leaders in business, academia, and government understand cyber risk.

"Public and academic knowledge of cyber conflict relies heavily on data from commercial threat reporting. There are reasons to be concerned that these data provide a distorted view of cyber threat activity.

Commercial cybersecurity firms only focus on a subset of the universe of threats, and they only report publicly on a subset of the subset. High-end threats to high-profile victims are prioritized in commercial reporting while threats to civil society organizations, which lack the resources to pay for high-end cyber defense, tend to be neglected or entirely bracketed.

This selection bias not only hampers scholarship on cybersecurity but also has concerning consequences for democracy."

Cybersecurity threat research statistics

For their paper, the researchers analyzed several hundred commercial security reports, and they say what is missing is reporting and analysis on cyber threats to civil society or to democracy:

"...only a small minority, 82 out of the 629 commercial reports analyzed (13%), discuss a targeted threat to civil society. A deeper look at prioritization of the issue within this subset of commercial reporting revealed that only 22 out of these reports (4% of total reporting) place their primary focus on civil society. Meanwhile, 30 reports (5%) place a secondary focus on civil society targeting, with limited analysis, and 30 reports (5%) mention civil society in only passing."

Researchers looked at several case studies, including reports on the Russian-backed threat actor group APT28. They found plenty of reporting on the group's high-profile corporate targets, and a number of reports mentioned APT28's targeting of the band Pussy Riot, which was picked up by the mainstream media.

But very few took the approach of a Trend Micro report, which contained a section about APT28's broad targeting of civil society. This is despite the fact that APT is known to target dissidents and journalists—things rarely mentioned in commercial reporting.

In the case study, they found few mentions of a Tainted Leaks operation by APT28, which hacked and leaked emails and then wove disinformation into otherwise legitimate data.

"The victim, journalist David Satter, is a high-profile Kremlin critic, but a low-profile actor concerning the sector's revenue potential. The operation was part of a larger scale phishing operation against several high-profile targets, including 'a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers, CEOs of energy companies' (Hulcoop et al., 2017)."

The researchers in this case conclude the following:

"...this distorted picture poses a risk for democracy by systematically under-representing the threats to the CSOs [Civil Society Organizations] that are vital for the functioning of democracy. Indeed, it seems increasingly likely that the original cyberwar narrative had things precisely backwards. The information revolution does not portend a new anarchy rife with destructive disruption but rather the encroaching hierarchy of the surveillance state. Cyberspace may create asymmetric advantages, but they are advantages of the strong to monitor and enforce the behavior of the weak. The good news about a lower likelihood of cyberwar is expressly bad news for democratic liberties and human rights.

Moreover, this distorted picture implies a linear relationship between technical sophistication and threat level that does not hold in practice."

What do you think of this analysis? Let us know in the comments below.

To see the complete publication, including case studies, read: A tale of two cybers - how threat reporting by cybersecurity firms systematically underrepresents threats to civil society.
