The recent alarming revelations of Russian hacking of 250 US Government agencies, which went undetected by our most sophisticated cybersecurity defenses including the military’s Cyber Command, the National Security Agency, and the Department of Homeland Security, must lead us in the marketing business to reevaluate our thinking about ad fraud.
The scope of online ad fraud has been argued about for years by computer scientists, software engineers, cybersecurity analysts, advertising media specialists, and independent researchers.
On one side we have advertising and marketing trade organizations, agencies, and their security consultants who tell us that ad fraud is a minor problem that is being well-defended and, in fact, is shrinking annually.
On the other side we have independent researchers who tell us that ad fraud is a massive problem (recently estimated at over $60 billion) that is becoming harder to identify and is growing dangerously.
Both sides provide metrics and data that purport to prove their point. Who should we believe?
I would like to argue this proposition from a new point of view -- from the point of view of those of us who are not computer scientists and cannot interpret the impenetrable computer code that underlies cyber theft, and with the added knowledge of the recent shocking revelations about undetected hacking.
Rather than a mathematical or data driven argument, I will present a theoretical argument. Instead of data, I will provide logic.
Let's start with indisputable facts:
- The online advertising marketplace trades over $300 billion annually via computer systems.
- Hackers - in particular state sponsored hackers - have recently been shown to have the ability to penetrate some of the most "secure" systems in the world, undetected.
- Every person, business, or government agency that has ever been hacked had authoritative assurances that it was secure -- until it turned out it wasn't.
- There are a multitude of ways that criminal actors have discovered for extracting money from the adtech ecosystem.
- Gaming the programmatic ecosystem (which transacts about 80% of online ad activity) has been shown to be astoundingly simple.
- There is no international governing authority, and consequently there are no cross-border penalties, for committing online ad fraud.
Now some assertions on my part:
It is folly to believe that hackers who can penetrate systems protected by the US military’s Cyber Command, the National Security Agency, and the Department of Homeland Security without detection could not easily penetrate adtech systems without detection.
There are governments in the world with both very sophisticated technology operations and economies that would massively benefit from the addition of billions of dollars.
Now some logic:
If the Cyber Command, the NSA, and the Department of Homeland Security can be fooled, I don't think it's a stretch to assume that fraud detection software can also be fooled. Consequently, if state sponsored hackers are fiddling the adtech ecosystem, it's likely that ad fraud detection systems aren't seeing it.
It would be amazing if state sponsored cyber criminals didn't view the adtech marketplace as ridiculously easy pickings and even more delicious since there are no consequences for being discovered.
If state sponsored penetration of adtech systems exists, the commercial fraud detection companies should be considered seriously overmatched. And, of course, the bold assertions of trade organizations, agencies or marketers are no more reliable than those of the fraud detection companies they rely on.
While we know that criminals and criminal organizations are active in stealing money from the adtech systems, we don't know if governments are. In light of recent revelations, however, it seems highly likely that state sponsored cyber operations would be powerfully attracted to the tens of billions of dollars that the adtech ecosystem is unwittingly dangling in front of them. If so, ad fraud is probably a lot harder to detect and a lot larger than anyone thinks it is.
Let's boil this down to two simple questions...
If you were a bad guy, and you could easily steal billions of dollars with a tiny possibility of detection and no possibility of consequences even if you were detected, why wouldn't you?
If you are a marketer spending substantially on digital advertising, what reason do you have for believing the metrics you're getting?