Editor's note: This article was updated with comments from Sen. Brian Schatz's office and NIST.
It’s the kind of figure that can make your jaw drop, the kind that forces lawmakers and public officials to get off their duffs and do something, that drives home the way cyber insecurity is ravaging small businesspeople across the nation.
House and Senate lawmakers have cited it in bills that would redirect federal resources and are awaiting action on their chambers’ floors. Top executive branch officials have cited it in official testimony to Congress.
But it’s completely erroneous, not based on any existing study, according to an exhaustive Nextgov search.
The statistic, typically attributed to the National Cyber Security Alliance, is that 60 percent of small businesses that suffer a cyberattack will go out of business within six months.
It appears in a House bill that won unanimous support from that chamber’s Science Committee this week, cited as evidence the federal government must devote more resources to helping small businesses shore up their cybersecurity. It’s also in a companion Senate bill that sailed through the Commerce Committee in April.
Both bills require the government’s cyber standards agency, the National Institute of Standards and Technology, to devote more of its limited resources to creating cybersecurity guidance for small businesses.
Federal Trade Commissioner Maureen Ohlhausen cited the figure in testimony before the House Small Business Committee in March, as did Charles Romine, director of NIST’s Information Technology Laboratory.
Sen. Jeanne Shaheen, D-N.H., ranking member on the Senate Small Business Committee, cited the figure in a letter to Amazon asking the internet commerce giant what it was doing to improve cybersecurity for its third-party sellers.
In each case, the figure was attributed, at best, to a now-removed NCSA infographic that included the statistic credited to the antivirus firm Symantec but did not link to any study. Ohlhausen’s testimony cited a Denver Post article that credited NCSA.
To be clear, there is no public study that has determined how many small businesses are forced to shut their doors following a cyberattack. In fact, there is very little information about the economic impact of data breaches and other cyber incidents on small businesses generally.
The federal agency most likely to gather such data, the Bureau of Justice Statistics, published its most recent study on the effects of cyber crime on businesses of all sizes in 2005. Private companies, such as Verizon, that publish extensive reports on cyber crime tend to focus on larger businesses.
In the absence of hard data, the legislators who allocate federal resources to help small businesses combat cyber crime and the executive branch agencies that manage those resources are left to rely on anecdote, outrage and the general sense of national panic surrounding cybersecurity—and on one horrifying statistic with no basis in fact.
“It’s very common to say, 'If you can’t measure it, you can’t manage it,'” Jacob Olcott, a former top cyber staffer on the Senate Commerce and House Homeland Security committees, told Nextgov. “This is a perfect example of how we’re failing at measuring cybersecurity, and that’s why we’re struggling to manage it.”
A Statistic’s Murky Origin
While there’s no definitive evidence for how the erroneous statistic ended up in an NCSA infographic, the likeliest explanation leads back to a September 2011 Business Insider article by Ramon Ray, the “marketing and technology evangelist” for Smallbiztechnology.com, a media and events company.
Ray’s article begins by crediting Symantec with a statistic that 40 percent of targeted cyberattacks are aimed at small and medium-sized businesses. (If “targeted attacks” means spear-phishing, the correct figure, per Symantec data, would have been 50 percent in 2011.) The article closes with what appears to be the first instance of the erroneous 60 percent figure, with no citation.
One month later, in October 2011, NCSA issued a press release about an NCSA- and Symantec-sponsored survey conducted by Zogby International that highlighted small business owners’ “false sense of cybersecurity” and linked back to Ray’s Business Insider article in a general background section.
When Nextgov first queried NCSA about the figure in March, an alliance spokeswoman spoke with staff who believed the figure came from a 2012 Symantec-sponsored study. Symantec said it had not provided the figure and that it was not based on Symantec research, but pointed to the Business Insider article as a likely source of the confusion.
Ray told Nextgov he believes the figure was provided by a cybersecurity expert he interviewed for the story but cannot recall the expert’s name more than five years later.
NCSA Executive Director Michael Kaiser told Nextgov in a statement the statistic was not based on NCSA research and its original source cannot be confirmed.
“This third-party data has not actively been used for multiple years, but we discovered that it was still referenced in an old infographic on the NCSA website,” Kaiser said. “It has been taken down and we recommend that media, policymakers, small businesses and others not use that statistic and rely upon information that is current and relevant. Our team is working to proactively limit this stat’s further sharing and usage.”
A Dearth of Data
The statistic’s continued prevalence, despite limited (and, it turns out, erroneous) evidence of its validity, points to numerous problems, cyber analysts and former congressional staffers tell Nextgov.
To begin with, despite widespread government and public concern about the threats of cyberattacks such as data breaches, distributed denial-of-service attacks and ransomware, there’s a dearth of hard information about the prevalence of these attacks because companies are not required to disclose most incidents unless they cross particular thresholds that vary from state to state. Companies are also often unaware their data has been breached.
Cybersecurity firms such as Verizon and Symantec that do publish findings base those reports on their customer bases, which is only a sample of the larger population and often veers toward larger companies. Those cyber firms also have a financial incentive to make the threat appear as ominous as they legitimately can.
“There are authoritative sources for the number of airplane crashes in the world and there’s just not the same thing in cybersecurity,” said Olcott, the former congressional staffer who’s now a vice president at the cybersecurity ratings firm BitSight.
“We have to get a lot better about using quantitative data when we talk about cybersecurity policy,” Olcott said. “When we’re talking about adopting a new regulatory framework or something like that, we should try to understand current cybersecurity performance and measure it over time before jumping to a conclusion about what to adopt or not to adopt.”
‘Not Hugely Important’
A staffer for the House Science Committee, which approved the bill citing the statistic in a voice vote Tuesday, said the committee would remove the stat from the final version but said it was not “hugely important” to the overall purpose of the bill.
Committee staffers noted other statistics cited in the bill and during the markup about the broader threat of cyberattacks and the importance of small business to the U.S. economy have not been disputed and that a national cybersecurity commission that delivered its findings at the close of the Obama administration urged the next administration to devote more resources to improving small business cybersecurity.
The staffers also pointed to anecdotal evidence of the cybersecurity challenges facing small businesses, including a multigenerational heating and air conditioning business owned by the family of bill sponsor Rep. Daniel Webster, R-Fla. Webster described a ransomware attack that struck his family business during Tuesday’s markup.
“Just because the number may or may not be correct, the need still exists,” one staffer said. “If you remove that stat, that doesn’t mean small business doesn’t need a little extra help.”
Michael Inacay, communications director for Sen. Brian Schatz, D-Hawaii, who sponsored the Senate version of the bill, said “that specific statistic, which has been cited by multiple sources, will be removed from the bill, but the fact remains that small businesses are a major target for cyberattacks.”
Fewer People, Less Expertise
The size and expertise of congressional staffs who write and vet legislation have also steadily diminished over time, as have the staffs of congressional services such as the Government Accountability Office and the Congressional Research Service, which are designed to provide Congress with authoritative data.
“Basically, [congressional staffers] have less expertise available to them, are more reliant on what other people tell them and it’s much easier for erroneous information to get into the political system,” said Daniel Schuman, a former House and Senate staffer who also worked for the Congressional Research Service and is now policy director for Demand Progress, a left-leaning internet rights and open government organization.
As a result, incorrect, slanted or poorly vetted information frequently creeps into bills, Schuman said, though bills typically become much better vetted if and when they reach their chamber’s floors or conference committees and are evaluated by the Congressional Budget Office.
Schuman also differentiated between poorly vetted information emerging from Congress and from executive branch agencies such as the FTC and NIST, which both included the erroneous figure in testimony to the House Small Business Committee in March.
“If you’re looking at a rulemaking or testimony to Congress, they do have the resources and they should be able to track down any claim or assertion to where it came from,” he said.
An FTC spokeswoman said in a statement the agency “relied on respected sources for the data in question, but if the sources we relied on no longer want us to use that information, we will respect their wishes.”
A NIST spokesperson said the agency would remove the erroneous quote from any agency documents or publications.
"Our intent is always to use verified information from reputable organizations," the spokesperson said.
A Problem Ill-Defined
Finally, the general anxiety about cybersecurity has coupled with a broad discomfort with technology to make cybersecurity a field prone to loose, squishy definitions and poor understanding, said Peter Singer, a longtime cyber researcher and senior fellow at the New America think tank.
Singer pointed to language citing the erroneous statistic in the House version of the NIST bill—that “60 percent of small businesses that suffer a cyberattack are out of business within six months”—as evidence of this squishiness. “Suffering” a “cyberattack” could refer to “everything from a Russian influence operation to a tweet storm” from a hacked Twitter account, he said.
As a result, people with genuine knowledge of the field would have little information to understand the importance of the statistic even if it were valid, he said.
“It’s a relatively young field with technical terms that are not universally agreed, but there are a lot of people who are uncomfortable with pretty much anything in this space,” Singer said. “Then, you add in a fair dose of politics, profit, hucksterism and hype and you have not a great recipe for understanding.”