Estimating cybertheft’s economic impact is often more hyperbolic rhetoric than detailed financial numbers. But a new study released Monday is attempting to bring a more analytical approach to cybersecurity, putting the cost of cyberespionage and cybercrime to the U.S. as high as $140 billion, but as low as $20 billion.
The low end would put the economic damage on par with the simple costs of doing business for many companies, lowering the incentive to enhance cybersecurity. The estimate is a first attempt; the researchers plan to continue the search for better data.
“It will still be a range, but it will be narrower,” said James Lewis, a cybersecurity expert with the Center for Strategic and International Study, which conducted the study with computer-security firm McAfee.
CSIS and McAfee are working to narrow the range by relying less on surveys (often self-selecting) and anecdotes (too random) and more on giving context to existing estimates, developing better data and redefining economic loss — “If you steal $100 in intellectual property, it doesn’t mean your economy gets $100 in benefits,” Lewis said.
The preliminary results suggest an upper limit of between $70 and $140 billion — on par with the $100 billion estimate from some U.S. intelligence analysts — and a lower limit between $20 and $25 billion. Both ends are drastically less dramatic than McAfee’s previous $1 trillion estimate, which President Barack Obama cited in a 2009 speech.
The study’s findings were scaled back from some previous estimates because it tried to take into account the gray area of cybertheft, which Lewis ticked off: What should we count? How do we actually calculate it? How do you measure effect?
Losing proprietary information doesn’t mean it’s being put to use, said Teddy Nemeroff, an associate with the law firm Steptoe & Johnson.
“What happens to the intellectual property once it gets taken?” he said. “Does it go to a competitor? Does the other company have know-how to use the product?”
The report also attempted to determine the number of jobs lost annually to cybertheft, one of the first studies to do so. The Commerce Department estimates $1 billion in exports equals 5,080 jobs. A rough calculation — assuming $100 billion in cyberespionage losses — would mean 508,000 jobs lost this year, a decrease of a third of a percent in employment. While that wouldn’t be the actual net loss (many workers would find other jobs), the main hit would be if the jobs lost came from high-paying sectors, such as manufacturing.
“The effect of cyberespionage may be to move workers from high-paying blue-collar jobs into lower-paying work or unemployment,” the report reads.
The forward-looking report asks as many questions as it answers, essentially painting a road map for a follow-up study in the coming months.
“Going forward, we need to take a deeper look at what makes this thing move,” said Phyllis Schneck, McAfee vice president and chief technology officer.
“Putting a number on the cost of cybercrime and cyberespionage is the headline, but the heart of the matter is the effect on trade, technology and competitiveness,” the report reads. “Answering these questions will help us put the problem in its strategic context.”
There are intangible consequences — lost trust in the Internet, social costs from job losses — that might retard entrepreneurship.
“This larger effect may be more important than any actual number and it is one we will focus on in our final report,” the report reads.
But understanding these effects circles back to the need for better data — no easy task. There’s no good way to get companies to share cybertheft information in a timely fashion. Releasing the data might reveal proprietary information, or private customer data. And there’s no liability protection “for a company that wants to share something in good faith,” Schneck said.
So what can we do to change that? an audience member asked.
“I think that’s a political question,” Lewis said with a laugh.