Cyber crime and cyber espionage could leach US$100 billion to US$500 billion from the global economy, notes a new report released July 22.
Sponsored by McAfee, a subsidiary of Intel Corp., loss estimates are based on an economic model and methodology built by the Washington, D.C.-based Center for Strategic and International Studies (CSIS). Calling the report the first of its kind to quantify the economic impact of cyber crime, McAfee notes that CSIS then enlisted economists, intellectual property experts and security researchers to develop the report.
The report, Estimating the Cost of Cybercrime and Cyber Espionage, posits a $100 billion annual loss to the U.S. economy and as many as 508,000 U.S. jobs lost as a result of malicious cyber activity, McAfee notes in a press release.
Read more: Majority of execs say cyber attacks a greater national threat than physical attacks
“The effect of the net loss of jobs could be small, but if a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effect could be wide ranging,” James Lewis, director and senior fellow, Technology and Public Policy Program at CSIS, and a co-author of the report, comments in the press release.
Malicious cyber activity was classified into six areas: loss of intellectual property and business confidential information; cyber crime, which costs the world hundreds of millions of dollars every year; loss of sensitive business information, including possible stock market manipulation; opportunity costs, including service and employment disruptions, and reduced trust for online activities; the additional cost of securing networks, insurance and recovery from cyber attacks; and reputational damage to the hacked company.
“Put these together and the cost of cyber crime and cyber espionage to the global economy is probably measured in the hundreds of billions of dollars,” notes the report. “A $400-billion loss – the high end of the range of probable costs – would be a fraction of a percent of global income. But this begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of cyber crime and cyber espionage.”
Read more: Majority of U.S. Fortune 500 companies say they would face serious harm from a cyber attack
Looking at the global economy as a whole, researchers used real-world analogies to build out the model and come to an cyber crime loss estimate in the range of US$100 billion to US$500 billion, notes the statement from McAfee. The real-word analogies included figures for car crashes (for example, the Center for Disease Control and Prevention estimated the cost of car crashes in the U.S. at $99 billion); piracy (for example, the International Maritime Bureau estimated the annual cost of piracy at $1 billion to $16 billion in 2005); pilferage (for retail companies in the U.S., for example, this falls between 1.5% and 2.0% of annual sales); and crime and drugs (for example, in 2012, the UN Office on Drugs and Crime estimated the cost of all transnational organized crime as $870 billion).
“In an ideal world, aggregating the various factors would be straightforward. This is not possible. In all of the categories of malicious cyber activity, the data is incomplete,” the report adds.
“Other estimates have been bandied about for years, but no one has put any rigor behind the effort. As policymakers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions,” Mike Fey, executive vice president and chief technology officer at McAfee, says in the statement.
“Companies will always have to spend on cyber security, but if we assume that some percentage of the current spending would be unnecessary in a more secure cyber environment, that additional spending counts as part of the total cost,” notes the report. “Determining the ‘risk premium’ for malicious cyber actions faces all the estimation problems in other categories of loss, but one initial reference point would be that companies spend almost $1 billion in 2012 to insure against the risk of social media attacks, privacy breaches, cyber crime and cyber espionage,” it adds. “This relatively low figure may reflect imperfection in the insurance market as much as company perceptions of cyber risk.”
Lewis and co-author Stewart Baker of Steptoe & Johnson LLP, and distinguished visiting fellow at CSIS, note in the report that cyber espionage and cyber crime slow the pace of innovation, distort trade and bring the spate of social costs associated with crime and job loss. Lewis and Baker say the larger effect may be more important than any actual number, and it will be the focus of the next report.
That report, which is under way, will look at the ramifications of cyber security losses on the pace of innovation, the flow of trade and the social costs associated with crime and job loss.