At $400 Billion a Year, Cybercrime Is No Longer an 'Acceptable' Cost

A new report has placed a number on the global cost of cybercrime: around $400 billion. The Center for Strategic and International Studies, in collaboration with McAfee, launched their report today, in which they collate data from countries across the world in an effort to figure out quite how lucrative cybercrime is. (Hat tip to Net Security for bringing the findings to our attention.)

The $400 billion figure is a mid-point between their low estimate of $375 billion and high estimate of $575 billion in losses from cybercrimes, including the theft of personal information and intellectual property. In a live-streamed panel announcing the report, CSIS’s Stewart Baker and James Lewis admitted they could have overestimated, but felt they were more likely to have underestimated.

And as Baker pointed out, with more businesses going online and a greater shift to mobile platforms and the Internet of Things (which has already become known as difficult to secure), the number is only likely to grow by next year. “All of those things create new opportunities for cybercrime, so it’s hard to believe there won’t be growth in those areas,” he said.

In fact, perhaps more interesting that the end number the researchers came up with is the difficulty they had in making any estimate at all. They put together a map of the cost of cybercrime for different countries around the world (presented here as percentage of GDP) but colour-coded it depending on how confident they were in the numbers. Only a handful of countries were marked highly on the confidence scale, with the majority—especially in Europe—on the low end.

That’s because a lot of countries don’t have particularly good data on cybercrime (or in some cases, any). Part of that could be down to a reluctance on the part of businesses to report their losses or even an inability for them to recognise they're victims.

That results in underestimations at a national level, which Baker pointed out can feed back into a loop that only exacerbates the problem. “If governments produce numbers that underestimate the loss, there’s a tendency on the part of companies to say it can’t be that much of a problem,” he said.

Calculating the “loss” incurred through cybercrime, even if data is available, is a tricky one. The researchers pointed out that what cyberthieves take and what they actually make from it aren’t the same—it’s one thing to steal a piece of intellectual property, for example, but another to monetise it.

If someone steals something that cost you $50 million to develop, Baker explained, it won’t cost you that much in losses if the thief never brings to market a product that hurts your business. That said, he warned that cybercriminals will only move forward in figuring out how to sell on or use stolen IP. “They are going to learn it and they are going to get better at it,” he said.

The researchers also looked at straight-up financial crime (e.g. stealing credit card details), the “opportunity” lost by resources being expended to deal with cybercrime rather than, say, to invest in research and development, and market manipulation such as insider trading.

In general, developed countries seem to have a greater loss than developing countries. The estimate for the US is at 0.64 percent of GDP and in a couple of European countries it goes over one percent. (Baker and Lewis considered Japan, which reported just 0.02 percent, to be an anomaly, probably due to inaccurate data.)

Countries in Africa that had data available reported lower figures, such as 0.14 percent in South Africa and only 0.08 percent in Nigeria. Lewis explained that this wasn’t surprising, and could be partly down to the fact that developed countries generally have more cyber assets to lose, and/or that cybercriminals are attracted to them more for the same reason.

From their data, they also extrapolated how losses incurred by cybercrime could affect the job market, suggesting that 200,000 American jobs and 150,000 European jobs could be lost due to cybercrime. They came to that conclusion by looking at the effect a loss in GDP has on employment—which even they admit is perhaps a bit of a stretch, because workers in affected industries could have jobs elsewhere.

In the end, the exact figures are less important than the fact that they’re considerable, and set to grow. Speaking at the conference, Thomas Gann, vice president of government relations at McAfee, asked where the tipping point is at which cybercrime is no longer considered an “acceptable” loss—just a risk you have to deal with if you’re working on the web? According to this report, it’s probably about now.

If governments and businesses don’t start taking the threat more seriously, the report paints a rather bleak picture for the future. “We do not see a credible scenario in which cybercrime losses diminish,” the writers conclude. “The outlook for the world is increased losses and slower growth.”