Darlene Storm

$445 billion: Bloated BS or the true cost of cybercrime?

June 09, 2014 12:17 PM EDT

Granted, cybercrime is big business and it’s bad out there as company after company admits to being compromised, but I have a real problem with believing cybercrime cost estimates are more than mere made-up figures. For example, the McAfee-sponsored Center for Strategic and International Studies (CSIS) report estimated that in 2013 “the likely annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion.” That’s a difference of $200 billion as if the dollars are simply Monopoly play-money!New $100 Monopoly-like money

Where do these numbers come from to prove actual dollar-value for cybercrime losses? The report starts by talking about the number of people who had their personal information stolen, listing the following 2013 incidents:  “more than 40 million people in the US, 54 million in Turkey, 20 million in Korea, 16 million in Germany, and more than 20 million in China.” That’s 150 million taken from just those examples, but it seems like a wild leap to accept 800 million individual records stolen to the tune of an estimated $160 billion per year for just personal info stolen.

Furthermore “researchers used real-world analogies like figures for car crashes, piracy, pilferage, and crime and drugs to build out the model.” Although maritime piracy is mentioned, so is counterfeiting/piracy. Well that’s peachy because we know that Hollywood or software companies would never dream of inflating the dollar value from piracy losses. The same goes for a true cost regarding the war on drugs. You see, even the model is questionable. Cybercrime and cyber espionage are huge problems for which we need real solutions. I’m not saying CSIS intentionally tried to mislead anyone about the true cost of cybercrime – heck CSIS even tries to explain why it's so hard to come up with real numbers – but I am saying that I don’t accept those figures as undisputed facts.   

A year ago the first-of-its-kind CSIS study estimated $100 billion to $500 billion as the “general accepted range for cybercrime” in the global economy. For the US, the annual loss was “$100 billion” to the economy and “as many as 508,000 US jobs were potentially lost as a result of cyber espionage and other malicious cyber activity."

According to the recently released study, Net Losses: Estimating the Global Cost of Cybercrime (pdf), CSIS said cybercrime cost as many as 200,000 American jobs with a special section of the report devoted to Intellectual Property theft and innovation cannibalism. IP is hard to put a real dollar amount on and varies greatly from country to country. The integrity of a hacked company is not listed, despite a portion of the report being devoted to the “why” some nations claim to lose more than others. Three of the four largest economies in the world -- the US, China, and Germany -- “lost more than $200 billion to cybercrime.”

When discussing the “theft of financial assets through cyber-intrusions – the second largest direct loss of cybercrime" – CSIS reported:

These crimes are carried out by professional gangs, some with significant organizational abilities. One European intelligence official told us that there are “20 to 30 cybercrime groups” in the former Soviet Union that have “nation-state level” capacity. These groups have repeatedly shown that they can overcome almost any cyberdefense. Financial crime in cyberspace now occurs at industrial scale.

Additionally, the researchers found that unless cybercrime and cyber-espionage cost more than 2% of the gross domestic product, then that malicious activity is considered "acceptable."

The most expensive part of cybercrime is the clean-up. While that does make sense, if some of these companies had security audits before being hacked, then they wouldn’t need to pay for things like forensic experts and credit monitoring for customers afterwards. They wouldn’t need to dream up dollar figures for IP losses either. Of course, anything done after a company is breached contributes to the “cost of cybercrime” when the reality is that hiring that penetration tester should have been done beforehand.

clean up after hackingRegarding an example of clean-up costs, CSIS points toward Italy where “actual hacking losses totaled $875 million, but the recovery, or clean-up costs, reached $8.5 billion. In other words, there can be a tenfold increase between the actual losses directly attributed to hackers and the recovery companies must implement in the aftermath of those attacks.”

What's the true cost of cybercrime?

If we used the loss by high-income countries to extrapolate a global figure, this would give us a global total of $575 billion. Another approach would be to take the total amount for all countries where we could find open source data and use it to extrapolate global costs. This would give us a total global cost of around $375 billion. A third approach would be to aggregate costs as a share of regional incomes to get a global total. This would give us an estimate of $445 billion. None of these approaches are satisfactory, but until reporting and data collection improve, they provide a way to estimate the global cost of cybercrime and cyberespionage.

In short, CSIS found that the cybercrime outlook “is increased losses and slower growth,” with no “credible scenario in which cybercrime losses diminish.”

In closing, remember that back in 2009 McAfee estimated that companies lose over $1 trillion due cybercrime. Then McAfee turned to CSIS for more reasonable estimates…but after $1 trillion in losses, doesn't almost any dollar figure sound more accurate? $445 billion as the cost for global cybercrime may be accurate, but take that figure with a healthy dose of skepticism.