The cybersecurity firm McAfee took a licking in the blogosphere last year for claiming that cybercrime and spying cost the world’s economies $1 trillion dollars a year. A headline on Forbes.com screamed: "McAfee Explains The Dubious Math Behind Its 'Unscientific' $1 Trillion Data Loss Claim."
James Lewis co-authored the CSIS study
The trillion dollar figure has been bandied about for years, and not just by the cyber industry. President Obama told a White House audience in 2009 that “last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.”
For whatever reason, criticism of the big number came to a head last August, and so in October McAfee began underwriting a study by cybersecurity experts James Lewis and Stewart Baker of the Center for Strategic and International Studies in Washington, D.C.
The study's initial report, “The Economic Impact of Cybercrime and Cyber Espionage,” doesn't blow the trillion dollar estimate out of the water, but it places it on the far side of the range of possible damages from stolen blueprints, paralyzed networks, and hacked bank accounts.
For the U.S., $70 billion to $120 billion a year would be a good “first guess” about the dollar impact, Lewis told an audience at CSIS headquarters (his report places the low range at $24 billion). The U.S. is one of the world’s major cyber targets, which means that the global tally is “likely measured in hundreds of billions of dollars,” according to the report. An accompanying chart puts the global damage at $300 billion to a trillion dollars.
McAfee said it’s glad a more rigorous estimate is now taking shape: “The numbers are the numbers,” said Tom Gann, McAfee’s vice president for government relations. Past studies settled on “screwy numbers” - some naively low and others unrealistically high -- because they were based on simplistic models or extrapolation, Gann said.
“This is the best study of its kind because it uses very sophisticated econometrics modeling that peer-reviewed economists that CSIS worked with gave the thumbs up to,” Gann said.
No matter what method is used, no one is saying that estimating cyber impacts will ever be easy or precise. Lewis said putting a value on cybercrime and espionage reminded him of studying medieval economies back in graduate school. It’s easy to find anecdotes, but a lot harder to find reliable data.
“This is a fairly normal estimation problem in some fields, either intelligence or in economic history,” he said. “The data is either sparse or distorted.”
He and Baker avoided surveying corporations or other cyber targets, as has been done in other studies. CSIS tried that in a previous study, and Lewis said he was unhappy with the results. The problem with surveys is that not everyone responds. Extrapolating from the numbers given by those who do respond can distort estimates.
He and Baker decided to try a modeling technique in which they identified the key factors -- reputation damage, for example -- that add up to the overall costs of cybercrime and espionage. They found reliable numbers in the economic literature or made estimates from other sources. "This is a standard econometric technique," Lewis said by email.
Lewis said it’s easy to assume grave damage from cybercrime and spying: “If you’re not saying electronic Pearl Harbor, then you’re saying the cost of this is worse than the Black Death." He and Baker went into the study asking, “How do I know it’s actually as bad as we say it is?” They found estimates as low as $6 billion and of course the trillion dollar number. “Generally from an economist’s point of view, you’d prefer a narrower range,” Lewis said.
The CSIS range is still large, and Lewis said it will be refined through further study.