How a Fake Cyber Statistic Raced Through Washington


A frequently cited statistic about the danger small businesses face from cyberattacks has no basis in fact.

Editor's note: This article was updated with comments from Sen. Brian Schatz's office and NIST.

It’s the kind of figure that can make your jaw drop, the kind that forces lawmakers and public officials to get off their duffs and do something, that drives home the way cyber insecurity is ravaging small businesspeople across the nation.

House and Senate lawmakers have cited it in bills that would redirect federal resources and are awaiting action on their chambers’ floors. Top executive branch officials have cited it in official testimony to Congress.

But it’s completely erroneous, not based on any existing study, according to an exhaustive Nextgov search.


The statistic, typically attributed to the National Cyber Security Alliance, is that 60 percent of small businesses that suffer a cyberattack will go out of business within six months.

It appears in a House bill that won unanimous support from that chamber’s Science Committee this week, cited as evidence the federal government must devote more resources to helping small businesses shore up their cybersecurity. It’s also in a companion Senate bill that sailed through the Commerce Committee in April.

Both bills require the government’s cyber standards agency, the National Institute of Standards and Technology, to devote more of its limited resources to creating cybersecurity guidance for small businesses.

Federal Trade Commissioner Maureen Ohlhausen cited the figure in testimony before the House Small Business Committee in March, as did Charles Romine, director of NIST’s Information Technology Laboratory.

Sen. Jeanne Shaheen, D-N.H., ranking member on the Senate Small Business Committee, cited the figure in a letter to Amazon asking the internet commerce giant what it was doing to improve cybersecurity for its third-party sellers.

In each case, the figure was attributed, at best, to a now-removed NCSA infographic that included the statistic credited to the antivirus firm Symantec but did not link to any study. Ohlhausen’s testimony cited a Denver Post article that credited NCSA.

To be clear, there is no public study that has determined how many small businesses are forced to shut their doors following a cyberattack. In fact, there is very little information about the economic impact of data breaches and other cyber incidents on small businesses generally.

The federal agency most likely to gather such data, the Bureau of Justice Statistics, published its most recent study on the effects of cyber crime on businesses of all sizes in 2005. Private companies, such as Verizon, that publish extensive reports on cyber crime tend to focus on larger businesses.

In the absence of hard data, the legislators who allocate federal resources to help small businesses combat cyber crime and the executive branch agencies that manage those resources are left to rely on anecdote, outrage and the general sense of national panic surrounding cybersecurity—and on one horrifying statistic with no basis in fact.

“It’s very common to say, 'If you can’t measure it, you can’t manage it,'” Jacob Olcott, a former top cyber staffer on the Senate Commerce and House Homeland Security committees, told Nextgov. “This is a perfect example of how we’re failing at measuring cybersecurity, and that’s why we’re struggling to manage it.”

A Statistic’s Murky Origin

While there’s no definitive evidence for how the erroneous statistic ended up in an NCSA infographic, the likeliest explanation leads back to a September 2011 Business Insider article by Ramon Ray, the “marketing and technology evangelist” for Smallbiztechnology.com, a media and events company.

Ray’s article begins by crediting Symantec with a statistic that 40 percent of targeted cyberattacks are aimed at small and medium-sized businesses. (If “targeted attacks” means spear-phishing, the correct figure, per Symantec data, would have been 50 percent in 2011.) The article closes with what appears to be the first instance of the erroneous 60 percent figure, with no citation.

One month later, in October 2011, NCSA issued a press release about an NCSA- and Symantec-sponsored survey conducted by Zogby International that highlighted small business owners’ “false sense of cybersecurity” and linked back to Ray’s Business Insider article in a general background section.

When Nextgov first queried NCSA about the figure in March, an alliance spokeswoman spoke with staff who believed the figure came from a 2012 Symantec-sponsored study. Symantec said it had not provided the figure and that it was not based on Symantec research, but pointed to the Business Insider article as a likely source of the confusion.

Ray told Nextgov he believes the figure was provided by a cybersecurity expert he interviewed for the story but cannot recall the expert’s name more than five years later.

NCSA Executive Director Michael Kaiser told Nextgov in a statement the statistic was not based on NCSA research and its original source cannot be confirmed.

“This third-party data has not actively been used for multiple years, but we discovered that it was still referenced in an old infographic on the NCSA website,” Kaiser said. “It has been taken down and we recommend that media, policymakers, small businesses and others not use that statistic and rely upon information that is current and relevant. Our team is working to proactively limit this stat’s further sharing and usage.”

A Dearth of Data

The statistic’s continued prevalence, despite limited (and, it turns out, erroneous) evidence of its validity, points to numerous problems, cyber analysts and former congressional staffers tell Nextgov.

To begin with, despite widespread government and public concern about the threats of cyberattacks such as data breaches, distributed denial-of-service attacks and ransomware, there’s a dearth of hard information about the prevalence of these attacks because companies are not required to disclose most incidents unless they cross particular thresholds that vary from state to state. Companies are also often unaware their data has been breached.

Cybersecurity firms such as Verizon and Symantec that do publish findings base those reports on their customer bases, which is only a sample of the larger population and often veers toward larger companies. Those cyber firms also have a financial incentive to make the threat appear as ominous as they legitimately can.

“There are authoritative sources for the number of airplane crashes in the world and there’s just not the same thing in cybersecurity,” said Olcott, the former congressional staffer who’s now a vice president at the cybersecurity ratings firm BitSight.

“We have to get a lot better about using quantitative data when we talk about cybersecurity policy,” Olcott said. “When we’re talking about adopting a new regulatory framework or something like that, we should try to understand current cybersecurity performance and measure it over time before jumping to a conclusion about what to adopt or not to adopt.”

‘Not Hugely Important’

A staffer for the House Science Committee, which approved the bill citing the statistic in a voice vote Tuesday, said the committee would remove the stat from the final version but said it was not “hugely important” to the overall purpose of the bill.

Committee staffers noted other statistics cited in the bill and during the markup about the broader threat of cyberattacks and the importance of small business to the U.S. economy have not been disputed and that a national cybersecurity commission that delivered its findings at the close of the Obama administration urged the next administration to devote more resources to improving small business cybersecurity.

The staffers also pointed to anecdotal evidence of the cybersecurity challenges facing small businesses, including a multigenerational heating and air conditioning business owned by the family of bill sponsor Rep. Daniel Webster, R-Fla. Webster described a ransomware attack that struck his family business during Tuesday’s markup.

“Just because the number may or may not be correct, the need still exists,” one staffer said. “If you remove that stat, that doesn’t mean small business doesn’t need a little extra help.”

Michael Inacay, communications director for Sen. Brian Schatz, D-Hawaii, who sponsored the Senate version of the bill, said “that specific statistic, which has been cited by multiple sources, will be removed from the bill, but the fact remains that small businesses are a major target for cyberattacks.”

Fewer People, Less Expertise

The size and expertise of congressional staffs who write and vet legislation have also steadily diminished over time as have the staffs of congressional services such as the Government Accountability Office and the Congressional Research Service designed to provide Congress with authoritative data.

“Basically, [congressional staffers] have less expertise available to them, are more reliant on what other people tell them and it’s much easier for erroneous information to get into the political system,” said Daniel Schuman, a former House and Senate staffer who also worked for the Congressional Research Service and is now policy director for Demand Progress, a left-leaning internet rights and open government organization.

As a result, incorrect, slanted or poorly vetted information frequently creeps into bills, Schuman said, though bills typically become much better vetted if and when they reach their chamber’s floors or conference committees and are evaluated by the Congressional Budget Office.

Schuman also differentiated between poorly vetted information emerging from Congress and from executive branch agencies such as the FTC and NIST, which both included the erroneous figure in testimony to the House Small Business Committee in March.

“If you’re looking at a rulemaking or testimony to Congress, they do have the resources and they should be able to track down any claim or assertion to where it came from,” he said.

An FTC spokeswoman said in a statement the agency “relied on respected sources for the data in question, but if the sources we relied on no longer want us to use that information, we will respect their wishes.”

A NIST spokesperson said the agency would remove the erroneous quote from any agency documents or publications.

"Our intent is always to use verified information from reputable organizations," the spokesperson said.

A Problem Ill-Defined

Finally, the general anxiety about cybersecurity has coupled with a broad discomfort with technology to make cybersecurity a field prone to loose, squishy definitions and poor understanding, said Peter Singer, a longtime cyber researcher and senior fellow at the New America think tank.

Singer pointed to language citing the erroneous statistic in the House version of the NIST bill (that “60 percent of small businesses that suffer a cyberattack are out of business within six months”) as evidence of this squishiness. “Suffering” a “cyberattack” could refer to “everything from a Russian influence operation to a tweet storm” from a hacked Twitter account, he said.

As a result, people with genuine knowledge of the field would have little information to understand the importance of the statistic even if it were valid, he said.

“It’s a relatively young field with technical terms that are not universally agreed, but there are a lot of people who are uncomfortable with pretty much anything in this space,” Singer said. “Then, you add in a fair dose of politics, profit, hucksterism and hype and you have not a great recipe for understanding.”
