May 2, 2006
On behalf of the U.S. Departments of Justice and Homeland Security, the RAND Corporation is fielding the first national survey to measure the impact of cybercrime on American businesses. The DOJ/DHS National Computer Security Survey (NCSS), announced by the U.S. Department of Justice (see www.ojp.usdoj.gov/bjs/pub/press/ncsspr.htm), is scheduled for completion by the end of 2006.
The survey will produce industry-level statistics on the number and consequences of cyber attacks, frauds and thefts of information among the 5.3 million businesses in the United States.
RAND will collect information from businesses across 36 industry sectors – including critical infrastructure – about the nature and extent of computer security incidents; the monetary costs and other consequences of these occurrences; incident details, such as types of offenders and reporting to authorities; and computer security measures that various firms use.
Participation in the survey is voluntary, and data will be combined on the industry level so that no firms can be identified. Participating businesses will be offered information that will allow them to benchmark themselves against the rest of their industry sector.
The survey has been endorsed by a wide range of groups, including Business Executives for National Security, the Business Software Alliance, the CERT Coordination Center, the Cyber Security Industry Alliance, the Food and Agriculture Information Sharing and Analysis Center, the Information Technology – Information Sharing and Analysis Center, InfraGard, the Manufacturers Alliance, the National Alliance for Health Information Technology, the National Association of Manufacturers, the National Federation of Independent Businesses, the National Telecommunications and Information Administration, the President's Council of Advisors on Science and Technology, the Real Estate Round Table, the Risk and Insurance Management Society, the Small Business Group and Entrepreneurship Council, and the U.S. Chamber of Commerce.
Currently no national baseline measure exists on the extent of cybercrime. The survey results will enable the Departments of Justice and Homeland Security, along with private industry, to make more informed decisions and develop policies that identify vulnerabilities and effectively target cyber security resources.
Cyber threats are a national issue that can be adequately addressed only through cooperation among private firms and government agencies at all levels. The President's National Strategy for Securing Cyberspace calls for the Department of Justice to collect more information about victims of cybercrime, track changes over time, and help businesses counter this critical threat.
Nearly 75 percent of businesses responding to a Department of Justice pilot survey said they had been victimized by cybercrime during 2001. Computer virus infections were the most common form of attack (64 percent), followed by denial of service incidents (25 percent) and vandalism or sabotage (19 percent). Among the companies that detected a computer virus, less than 6 percent said they notified a law enforcement agency.
The RAND research team is led by Lois Davis and Robert Anderson. The survey is being conducted by the Safety and Justice Program within RAND's Infrastructure, Safety and Environment (ISE) Division.
The mission of ISE, a division of the RAND Corporation, is to improve development, operation, use and protection of society's essential built and natural assets; and to enhance the related social assets of safety and security of individuals in transit and in their workplaces and communities. The Safety and Justice Program research addresses many aspects of public safety – including violence, policing, corrections, substance abuse and public integrity.