Studies that estimate the effects of any particular activity on the economy often shout out headline numbers and then spend a lot of time explaining the methodology used to calculate that figure.
A new report (pdf) from the Center for Strategic and International Studies (CSIS), a Washington think-tank, published in association with the software security firm McAfee, takes a different route. In a study titled “The Economic Impact of Cybercrime and Cyber Espionage,” the authors tentatively suggest a wide variety of numbers and then attempt to contextualize each of them.
One big problem with estimating losses is the number of factors involved. For example, it emerged today that over $300 million was stolen by hackers from a variety of US companies between 2005 and 2012.
But that just tallies up the cash value of the losses. In addition to those, the firms suffer losses to their brand reputation, and expend time and money through investigations, attempted recovery, and systems upgrades. And then there’s the opportunity-cost losses from service disruptions. How do you put a precise number on that?
The CSIS report is blunt: “In an ideal world, aggregating the various factors would be straightforward. This is not possible. In all of the categories of malicious cyber activity, the data is incomplete.”
Other types of losses are still harder to quantify. If a company has its intellectual property stolen, does it count the loss as its expenditure on the research, the market value of the inventions or the income it expects the research to bring in? And what if the product would have eventually failed in the market—how might it account for that? These are tricky questions with no firm answer.
The cost-assessment problem may cut both ways, at least. The report makes the counter-intuitive point that thieving nations may also be harming themselves:
“One possibility is that cyber espionage harms the recipient country, by disincentivizing innovation, and harms the global capacity to innovate, by both lowering the returns for innovators in the victim country (and thus discouraging them) and by reducing the resources and incentives for innovation in the target country. From this perspective, weak cybersecurity does global harm.”
The report is full of paragraphs like that one, conjecturing and considering. Yet that reflects the messy reality of the undertaking.
The authors do provide some real numbers, though—such as estimating an upper limit on the cost of cybercrime and espionage at between 0.5% and 1% of national income in the US. That works out to between $20 billion and $25 billion at the lower limit, and between $70 billion and $140 billion at the upper limit.
This broad range, the authors admit, is only a starting point since “a precise single figure for the cost of cyber crime and cyber espionage is unattainable.” Yet this starting point may be more helpful and more realistic than single figures based on rigid methodologies.