More than 1% GDP drop estimated per week of Internet blackout
    
   
  London, UK - 22 July 2005, 15:00 GMT - According to independent 
    research carried out at the Swiss Federal Institute of Technology (ETH) Zurich 
    the potential threat of a massive Distributed Denial of Service attack on 
    critical Internet elements that affect an entire national economy can no longer 
    be ignored. In a national scenario presented by ETH, if the whole of Switzerland 
    is affected by an Internet blackout lasting one week, the economic damage 
    to the Swiss economy with an annual GDP of CHF 482 billion is worked out to 
    be CHF 5.83 billion, ie, 1.2% of GDP. The level of industrialisation of Switzerland 
    is similar in profile to that of most G8 and OECD member countries. 48% of 
    all 3.59 million jobs in Switzerland are IT intensive. 
    
    The economic damage model for large scale Internet attacks developed in the 
    context of the DDoSVax project independently by Thomas Duebendorfer, Prof 
    Bernhard Plattner and Arno Wagner at ETH in Zurich has arrived at a similar 
    economic damage calculation approach to the mi2g Intelligence Unit's 
    Economic Valuation Engine for Damage Analysis (EVEDA). Prof Plattner is the 
    Head of the Communication Systems Research Group. Although mi2g's EVEDA 
    is proprietary, it is interesting to note that an 'open source' approach has 
    come up with a similar systems analysis. The ETH economic damage model can 
    be used to transparently estimate economic damage in a qualitative and quantitative 
    way.
    
    The problem that ETH has identified is that companies relying on the Internet 
    may be faced by large-scale attacks such as uncontrolled massive malware spreading 
    and massive distributed Denial-of-Service (DDoS) attacks. Many companies are 
    not aware how Internet-dependent their business is and how much financial 
    damage they would suffer when the Internet is "down". Today's economic 
    damage models - other than the one developed by mi2g - typically ignore 
    damage by Internet attacks. Reliability and availability of the Internet and 
    its services can be drastically reduced within minutes. Such interruptions 
    can last for hours or even days.
    
    "The over 1% damage to GDP of a developed country such as Switzerland 
    for every one week of Internet blackout is a reflection of how reliant modern 
    business and society have become on Internet technologies. It is very interesting 
    for us to observe that ETH has independently arrived at a similar approach 
    to ourselves in developing economic damage models for large scale Internet 
    attacks," said DK Matai, Executive Chairman, mi2g. "We 
    are pleased to announce our intention to collaborate with ETH Zurich to develop 
    more refined economic damage models for Internet attacks and their lingering 
    commercial fallout in the years ahead."
    
    In a commercial sample scenario presented by ETH, when an Internet Service 
    Provider with an annual revenue of CHF 2.81 billion is hit by a massive attack 
    causing 24 hours of Internet outage, the total economic loss is projected 
    to be CHF 32.99 million or 1.2% of annual revenue. The breakdown is as follows:
    
    1. Downtime Loss = Degraded Productivity + Loss of Revenue = CHF 292,000
    2. Disaster Recovery = CHF 5.2 million
    3. Liability = CHF 15 million
    4. Customer Loss = CHF 12.5 million
    
    "Many people underestimate the real damages 
    from cyber-attacks mostly due to the fact that they are either not reported 
    or not expressed transparently in monetary units," said 
    Thomas Duebendorfer, CISSP, Computer Engineering and Networks Laboratory, 
    Swiss Federal Institute of Technology (ETH). "We 
    think that mi2g's approach of comprehensively collecting cyber-attack incident 
    data and publishing current damage estimates is very helpful in making people 
    aware of the inherent risks when relying more and more on the Internet for 
    business."
    
    What infrastructures and services are typically affected in a DDoS attack? 
    
    
    According to ETH, commercial Internet servers (eg eBay, Yahoo, Microsoft, 
    SCO); Network core services (eg DNS, routers); and corporate and consumer 
    computers and their users (worm and virus infections; misused directly or 
    backdoors installed) can all be affected. In the near future smaller backbone 
    attacks could take place, ie, massive flooding attacks. Such attacks usually 
    also cause collateral damage by causing high packet loss or even virtually 
    detaching certain networks from the Internet.
    
    Who is attacking? 
    
    Mostly single persons or small groups of hackers, acting for fun and to prove 
    technical excellence, as well as saboteurs with criminal motives, appear to be 
    behind such attacks. The resources needed for an attack are modest: a Personal 
    Computer with development software is low cost; Internet connectivity through 
    an Internet café is also low cost; technical know-how, most of which can be 
    found on the Internet, is easy to acquire; and many poorly secured computers 
    hooked up to the Internet are easy to turn into zombies.
    
    The assumption behind the ETH economic damage model is that Internet availability 
    and reliability can be drastically reduced within minutes by large-scale Internet 
    attacks. Consequently, many companies may suffer direct and indirect financial 
    damage. The core questions are: Who suffers what financial damage? And when 
    does that damage occur? The approach and goals of ETH include developing a 
    system model (based on systems engineering); categorization of financial damage; 
    qualifying damage over time; quantifying economic damage; and assuring the 
    applicability of the model and its methodology through scenarios.
    
    ETH's economic damage model calculates total financial damage as the sum of 
    the costs for:
    
    1. Downtime Loss (as the sum of Productivity Loss and Revenue Loss)
    2. Disaster Recovery
    3. Liability
    4. Customer Loss
    
    Productivity Loss - employees have to use less efficient ways to fulfil their 
    duties.
    
    Revenue Loss - certain tasks have to be postponed; lost transactions by 
    customers that cannot access a service due to the company's inability to 
    fulfil customer requests.
    
    Disaster Recovery - cost of time that employees spend on recovery from an 
    incident.
    
    Liability - compensation payments for not being able to fulfil a service 
    level agreement (SLA).
    
    Customer Loss - lost revenue due to dissatisfied customers quitting a service; 
    and opportunity costs of potential customers lost.
    
    ETH's qualitative analysis demonstrates that economic damage usually does 
    not follow the same course over time as the technical problems do. Economic 
    damage can still grow when technical problems have been resolved and the attack 
    has been stopped. Three time intervals are considered: during the attack; 
    shortly after the attack has been stopped; and a much longer time after the 
    incident, such as weeks and months. Temporal overlap of different damage types 
    is possible.
    
    Economic damage is calculated by the mi2g Intelligence 
    Unit's EVEDA algorithm on the basis of helpdesk support costs, overtime payments, 
    contingency outsourcing, loss of business, bandwidth clogging, productivity 
    erosion, management time reallocation, cost of recovery and software upgrades. 
    When available, Intellectual Property Rights (IPR) violations as well as customer 
    and supplier liability costs have also been included in the estimates.
  
   [ENDS]
    
    
    mi2g is at the leading edge of building secure on-line banking, broking 
    and trading architectures. The principal applications of our technology are:
    
    1. D2-Banking; 
    2. Digital Risk Management; and 
    3. Bespoke Security Architecture.
    
    mi2g pioneers enterprise-wide security practices and technology to 
    save time and cut cost. We enhance comparative advantage within financial 
    services and government agencies. Our real time intelligence is deployed worldwide 
    for contingency capability, executive decision making and strategic threat 
    assessment.
    