ABSTRACT

Public and academic knowledge of cyber conflict relies heavily on data from commercial threat reporting. There are reasons to be concerned that these data provide a distorted view of cyber threat activity. Commercial cybersecurity firms only focus on a subset of the universe of threats, and they only report publicly on a subset of the subset. High end threats to high-profile victims are prioritized in commercial reporting while threats to civil society organizations, which lack the resources to pay for high-end cyber defense, tend to be neglected or entirely bracketed. This selection bias not only hampers scholarship on cybersecurity but also has concerning consequences for democracy. We present and analyze an original dataset of available public reporting by the private sector together with independent research centers. We also present three case studies tracing reporting patterns on a cyber operation targeting civil society. Our findings confirm the neglect of civil society threats, supporting the hypothesis that commercial interests of firms will produce a systematic bias in reporting, which functions as much as advertising as intelligence. The result is a truncated sample of cyber conflict that underrepresents civil society targeting and distorts academic debate as well as public policy.

摘要

关于网络冲突的公共和学术知识在很大程度上依赖于商业威胁报告中的数据。有理由担心这些数据提供了对网络威胁活动的扭曲看法。商业网络安全公司仅关注威胁的子集，并且仅公开报告子集的子集。商业报告将对高知名度受害者的高端威胁放在优先位置，而对缺乏资源来支付高端网络防御费用的民间社会组织的威胁则往往被忽略或完全消除。这种选择偏见不仅阻碍了关于网络安全的学术研究，而且还对民主产生了影响。我们提出并分析了私营部门以及独立研究中心提供的可用公共报告的原始数据集。我们还提供了三个案例研究，这些案例研究追踪了针对民间社会的网络运营的报告模式。我们的发现证实了对公民社会威胁的忽视，支持了以下假设：企业的商业利益将在报告中产生系统性的偏见，其作用与广告一样，与情报一样。结果是截断了网络冲突样本，该样本不足以代表民间社会的目标，并扭曲了学术辩论和公共政策。