New Report Suggests the Cost of Cybercrime is Nearly Unknowable

In this era of Big Data, it seems we can measure almost everything—just not the financial and other losses from the criminal use of computers and networks.

A new report basically says figuring out the cost of cybercrime and espionage is nearly impossible. It says U.S. losses might be as low as $20 billion or as high as $140 billion. “A very crude extrapolation would be to take this ($20 billion to $140 billion) range for the U.S., which accounts for a little more than a fifth of global economic activity, and come up with a range of $100 billion to $500 billion for global losses,” says the report, by the security company McAfee and a Washington think-tank, the Center for Strategic and International Studies. But that range is essentially a wild guess.

Still, these numbers are down considerably from the upper estimate of a $1 trillion global impact cited by President Obama in a 2009 cybersecurity speech. (The $1 trillion figure was later attributed to a press release about an earlier report by McAfee. So much for White House speechwriters.)  

Why is estimating damages so hard? Because it’s hard to detect attacks in the first place (see “Preparing for Cyberwar Without a Map”), the attacks come in myriad guises (see “Moore’s Outlaws”), companies are reluctant to disclose what’s happened to them, it’s difficult to value thefts that don’t involve stealing money, and surveys can be inaccurate.

The report asserts that the theft of intellectual property may be the most worrisome—and that more studies are on the way on this point. But even the people searching for better data say they won’t insist on getting it. There can be downsides to companies disclosing how they were attacked and what was stolen, said James Lewis, director of the technology and public policy at CSIS. “I’d rather have a company retain value than be damaged because I got better data,” he said.

So don’t expect much more clarity in the future.