Annual costs to the global economy of cybercrime range between $375 billion and $575 billion and the cyber threat remains a “growth industry,” according to a new study by the Center for Strategic Studies (CSIS) and cyber security provider McAfee.

These estimates are probably on the “low side” because many governments don’t do a good job producing data, which leads to underestimating the costs of cybercrime, Stewart Baker, a former official with the Department of Homeland Security and one of the authors of the new study, said at a presentation on Monday hosted by CSIS.

James Lewis, director and senior fellow, CSIS Strategic Technologies Program

The report notes that most cybercrimes are not reported and that even when incidents become public, many affected companies don’t come forward. It also says that most nations aren’t making a “serious effort” to estimate their losses from cybercrime.

These costs also impact employment, with annual job losses in the United States estimated to be upward of 200,000, and in Europe up to 150,000, says the study, Net Losses: Estimating the Global Cost of Cybercrime, Economic Impact of Cybercrime II.

James Lewis, a cyber security expert with CSIS and another of the study’s authors, said that the job losses may actually be shifts from high wage to low wage jobs due to cybercrime.

“It’s a net loss to the economy as people move from high income jobs to lower income jobs,” Lewis said. Echoing Baker, Lewis said “many governments don’t produce any data,” with the research showing a lack of data in one-third of the world.

The new study by CSIS and McAfee, which is part of computer chip maker Intel [INTC], follows an earlier report last summer done by the two entities that focused on costs to the U.S. economy. That report put the costs at about $100 billion annually, with the range between $70 billion and $120 billion, CSIS’ Lewis said a year ago (Defense Daily, July 23, 2013).

Baker, who is a partner with the law firm Steptoe & Johnson, LLP, and a visiting fellow at CSIS, said the global costs of cybercrime will continue to increase as more business is done online, adding that mobile devices and the “Internet of things” are also creating new risks.

The barriers to cybercrime are low, says the report, noting that the two most common techniques, social engineering and vulnerability exploitation, are “surprisingly cheap,” and adding, “Criminals know that risk and cost are low while rewards are high.”

Unfortunately for the victims of cybercrimes, defending against cyber theft is a business decision that weighs risks and cost.

“Defenders lack the incentive to do more because they underestimate risk; the incentive for cyber criminals is to do more, as the rate of return is increasing,” the report says. “Absent a change in the incentives equation, the loss from cybercrime will increase.”

The report says the most important cost from cybercrime is the theft of intellectual property and confidential information from businesses, “as this has the most significant economic implications.” These attacks “reduce the return on innovation,” Baker said, and result in the “eating of the global seed corn in many ways.” He added that if companies aren’t going to see the benefits from their research and development (R&D) due to cybercrime, then they will invest less in R&D.

Lockheed Martin [LMT], which has been the target of a number of cyber campaigns over the past 10 years, so far hasn’t had any of its data stolen, Joe Connelly, the company’s chief information security officer, told reporters on Monday at its annual media day.

The company has identified over 43 different cyber campaigns against it by hacker and adversary groups, noting that there were 10 different groups in 2007 focusing on the company, eight of which are still trying to attack it, Connelly said. While Lockheed Martin doesn’t publicly identify the attackers, he said they are nation state adversary groups and the company knows “the attribution of all the different elements.”

Connelly also said Lockheed Martin’s supply chain is an attack vector for adversaries and the company has been addressing this for the past two years, in some cases selling managed cyber security services to some of its larger suppliers while in others bringing smaller companies on to its own network and helping with best practices.