It is almost getting to the point where we are numb from the headlines regarding cyber attacks. Unfortunately, as the saying goes, “bad news sells.” In the past several days, between actual events like the attacks on Network Solutions, Ubunto Forums and Apple’s Developer portal, and a spate of reports on the increasing frequency and sophistication of cyber attacks as bad guys become more entrepreneurial, have highlighted remarks from various quarters that cyber attacks are now the biggest threat to global economic vitality.

A question that is top of mind is, “How much is this costing us?” In an attempt to put some numbers around the impact of cybercrime, security giant McAfee announced that it has sponsored a first-of-its-kind report quantifying the economic impact of cybercrime.  It enlisted researchers well-equipped to handle a very complex analysis by giving the task to one of the world’s preeminent international policy institutions for defense and security, the Center for Strategic and International Studies (CSIS). 

The mission was to build an economic model and methodology to accurately estimate the losses from cyber crime on the U.S. economy and by extension the global economy as well. The result is a sobering report, “Estimating the Cost of Cybercrime and Cyber Espionage.”  It posits a $100 billion annual loss to the U.S. economy and as many as 508,000 U.S. jobs lost as a result of malicious cyber activity.

Developing a good methodology and model

This was a non-trivial exercise. CSIS enlisted economists, intellectual property experts and security researchers to develop the report.  The researchers estimate the range for cybercrime loss to the global economy is between $100 billion and $500 billion. As McAfee notes, “They used real-world analogies like figures for car crashes, piracy, pilferage, and crime and drugs to build out the model.


Source: Estimating the Cost of Cybercrime and Cyber Espionage

CSIS noted the difficulty of relying on methods such as surveys because companies that reveal their cyber losses often cannot estimate what has been taken, considering that intellectual property losses are difficult to quantify and the self-selection process of surveys can distort the results.

For purposes of the research, CSIS classified malicious cyber activity into six areas:

1. The loss of intellectual property
2. Cybercrime
3. The loss of sensitive business information, including possible stock market manipulation
4. Opportunity costs, including service disruptions and reduced trust for online activities
5. The additional cost of securing networks, insurance and recovery from cyber attacks
6. Reputational damage to the hacked company

Mike Fey, executive vice president and chief technology officer at McAfee, commented on the report, “We believe the CSIS report is the first to use actual economic modeling to build out the figures for the losses attributable to malicious cyber activity…Other estimates have been bandied about for years, but no one has put any rigor behind the effort. As policymakers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions.” 

The categorization used in the report is important. It highlights what in business terms would be termed the “fully-loaded costs” of malicious cyber activities. These go beyond the loss of financial assets or intellectual property to include: opportunity costs, damage to brand and reputation, consumer losses from fraud, the opportunity costs of service disruptions, “cleaning up” after cyber incidents and the cost of increased spending on cybersecurity. 

“This report also connects malicious cyber activity with job loss,” said James Lewis, director and senior fellow, Technology and Public Policy Program at CSIS, and a co-author of the report. “Using figures from the Commerce Department on the ratio of exports to U.S. jobs, we arrived at a high-end estimate of 508,000 U.S. jobs potentially lost from cyber espionage. As with other estimates in the report, however, the raw numbers might tell just part of the story. The effect of the net loss of jobs could be small, but if a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effect could be wide ranging.”

The research and development of the analysis tools is actually the first report CSIS is undertaking on the subject. A second report, which is underway, will look at the ramifications of cyber security losses on the pace of innovation, the flow of trade and the social costs associated with crime and job loss. In fact, Lewis and co-author Stewart Baker of Steptoe & Johnson LLP, and distinguished visiting fellow at CSIS, believe the second report maybe more insightful, as “the larger effect may be more important than any actual number.”  

We all like having reliable and actionable insights. Knowledge is power and a powerful ingredient in calls for action that get results. This exercise is one to root for because it will establish a framework for policy makers as they deliberate, but one can only also root that the numbers are not so large as to themselves act as a drag on the markets.