The vast majority of reports published by the cyber-security industry focus on high-end economic spying and state-sponsored hacking topics, ignoring threats to civil society and creating a distorted view of the actual cyber threat landscape that later influences policy-makers and academic work.
In an article published in the Journal of Information Technology & Politics, a team of academics composed of some of today’s biggest names in the cyber-security and internet research fields analysed 700 cyber-security reports published between 2009 and 2019.
“The reports we obtained were drawn from two types of sources: first, providers of commercial threat intelligence (629 reports), and second, independent research centres (71 reports),” the academics said.
The team also analysed helpline data from AccessNow, a digital rights advocacy organisation, to identify the actual digital threats as reported by end-users themselves.
The research team (made up of prominent names in the field of cyber-security such as Lennart Maschmeyer, Ronald J. Deibert, and Jon R. Lindsay) found that only 82 of the 629 commercial reports (13 per cent) addressed a direct threat to civil society.
Of those 82, only 22 reports put a threat to civil society at the forefront of their investigations, with the remaining 607 commercial reports concentrating on cybercrime networks and nation-state actors (APT groups).
By comparison, most of the reports produced by independent research centres concentrated on threats to civil society.
Profits Guide Cyber Security Reports
Maschmeyer, Deibert, and Lindsay claim this is because cyber-security companies are driven by their bottom lines, and the reports they put out serve “as much as ads as information.”
“Commercial reporting is motivated by corporate interests that dictate what is published and what is not published,” said the research trio.
Cyber-security companies, chasing big business clients and government contracts, focus mainly on investigating cybercrime, economic surveillance, and critical infrastructure disruption, but ignore risks to individuals, minorities, or civil society as a whole.
“High-end threats to high-profile victims are prioritised in commercial news, while threats to civil society organisations, lacking the resources to pay for high-end cyber security, appear to be ignored or bridged fully,” the research team said.
“This situation represents a market failure that leaves those most in need of reliable threat information – vulnerable actors in civil society – least well educated,” they added.
Since commercial cyber-security firms are behind much of today’s cyber-security reporting, the research trio says this state of affairs creates “a systemic reporting bias” that is likely to “affect understanding among policymakers and academics” and eventually affect government policies, national defence strategies, and long-term academic study.