Global cyber-crime likely costs nations more than $400 billion annually, with American losses counting for about one-quarter of the total, according to a new study.
Examples of the problem are easy to come by. Two banks in the Persian Gulf lost $45 million in a few hours. A British company reported losing $1.3 billion from one cyber-attack. India’s computer emergency response team reported 308,371 websites hacked from 2011 to 2013.
But the authors of the report by the Center for Strategic and International Studies acknowledge that the data they gathered was incomplete – simply because many countries don’t track cyber-crime, and companies often don’t report it.
To arrive at their estimate, the authors collected data from 51 nations that monitor the problem, then combined that with CSIS survey information of businesses and other organizations in countries that do not.
The results suggest that cyber-crime is taking a significant bite out of the cyber-economy, and that the impact varies by region.
“Studies estimate that the Internet economy annually generates between $2 trillion and $3 trillion, a share of the global economy that is expected to grow rapidly,” the report states. “If our estimates are right, cybercrime extracts between 15 percent and 20 percent of the value created by the Internet.”
Criminal damage from hackers falls into three main categories: theft of intellectual property, financial crime, and theft of confidential business. Total estimated losses ranged between $375 billion and $575 billion annually.
“Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow,” according to the report.
High-income countries lost perhaps as much as 0.9 percent of gross domestic product on average. For developing economies less connected to the Internet, and where intellectual property plays a smaller part in the economy, economic losses were about 0.2 percent of GDP, the study found.
“The disparities we found are explained in part by the fact that the best hackers prefer to target richer countries,” wrote James Lewis and Stewart Baker, the co-authors of the report, which was funded by McAfee, a security company.
While that disparity may just reflect better record keeping, it might also suggest actual global losses are higher than estimated. Companies often underreport damages after they get hacked.
To address the problem, the study recommends better technology and stronger defenses. For example:
- Agreeing on and applying standards and best practices.
- International agreement on law enforcement and state behavior that includes restraints on cyber-crime, as well as working through organizations like the World Trade Organization.
- Governments doing a better job accounting for cyber-crime losses and companies doing a better job assessing their own risk.
“These are well within the realm of the possible if people decide to treat cybercrime seriously and take action against it,” the report states.
Unless such action is taken, the authors warn that cyber-crime can be expected to grow.
“Absent these changes ... we do not see a credible scenario in which cybercrime losses diminish,” the authors write. “The outlook for the world is increased losses and slower growth.”