Cyber Crime Costs Over $1 Trillion Globally?

Sunday, March 06, 2011

Danny Lieberman


A recent post on LinkedIn's Information Security Community caught my attention yesterday with the following teaser for a webinar:

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

The UK government report, summarised on the BBC's website under the headline "UK cyber crime costs UKP 27BN/year", offers a top-level breakdown of the cost of cybercrime to Britain, and it is one of the most dubious reports I have seen in a long list of security-vendor and political hype around the cyber crime story.

Regardless of how badly UK businesses are actually hit by cybercrime, there are several extremely weak points in the work Detica did for the UK government.

a) First – they don't have any empirical data on actual cybercrime events. In the report's own words:

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario- based approach.

Which is a nice way of saying

The UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, there is a great deal of material on fraud of all kinds, and even a discussion of Stuxnet, which is targeted sabotage malware rather than crime and has nothing to do with the UK cyber crime space.

Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program, although it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet has become a wake-up call for politicians to a malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors it covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO or CFO who cannot quantify their potential damage from cyber crime, given a practical threat model and coaching from an expert rather than a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur the costs of management attention, legal work and PR, which can always be leveraged into marketing activities. This is rarely reported in the financial statements as an extraordinary expense, so one may assume that it is treated as part of the cost of doing business.

Tech companies that suffer an IP breach are a different story, and I have written about that at length on this blog. I believe that small to mid-size companies are the hardest hit, contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What makes me confident that the $1 trillion number is questionable is that it just happens to be the same number President Obama and other leaders have used for the cost of IP theft; one could easily blame an Obama staffer for not doing her homework.

A parallel look at the world of software piracy and product counterfeiting shows the same phenomenon: political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind, and the result is number inflation.

I have written before on the problems of guessing and rounding up in the estimates for counterfeiting and for software piracy.

Getting back to cyber crime, and using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage, whether it is having her identity stolen and spending the next six months rebuilding her life, or crashing a mountain bike built with fake parts and being killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly not by hyping the numbers for the damage cyber crime does to big business and government. That does not help the consumer.

Nor, considering the rapid rollout of new and ever sexier consumer devices like the iPad 2, by security awareness campaigns: when one buys an iPhone or iPad, one assumes that the security is built in.

The most practical and cheapest countermeasure to cyber crime (and I deliberately separate civilian crime from terror here) would be education starting in first grade. Just as you were taught how to cross the street, we should be teaching our children open, critical thinking and not to talk to strangers anywhere, not on the street and not on Facebook.

Regarding cyber terror, I have written at length about how the Obama administration is clueless on cyber terror.

One would hope that, in defense of liberty, the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian-sponsored cyber terror than stock answers like installing host-based intrusion detection on DoD PCs.

Cross-posted from Israeli Software

Michael Schultz: Well written, Danny, but I see a slight slant here that should be addressed:

1) Stuxnet was quite effective malware, and the tracking module worked perfectly to create a DNA trail. I reference North Korea for those who understand the inference.

2) The 1 trillion USD may be a bit inflated, but it is not an order of magnitude off. In 2009 Javelin/LexisNexis produced a report showing, with methodology and metrics, that in the USA alone merchants lost $100 billion to fraud. Since the USA represents about 28% of the world market, that translates into $357 billion worldwide, and bringing that forward to 2010 gives about 400 billion USD.

3) ACH transfer fraud is a much more tightly kept secret, but financial industry Risk Management leaders have stated off the record that in 2010 it amounted to $350+ million in the USA, so less than 1 billion USD globally.

4) In the USA, fraud loss can be added to the fees paid by merchants and consumers, but current legislation will pivot that risk to the card issuers (banks). ROW is another matter altogether, with Europe more pro-consumer.

5) Can identity theft/cyberfraud be prevented? The answer is yes, and within reasonable cost as well. A layered approach is what is required rather than a silver-bullet approach. As someone who has worked with the US Senate and Congress to improve cybersecurity, I can tell you that government leadership, regulations and legislation are not the way.

So unless you get business leaders acting like leaders, hackers will get their fair share of some tasty morsels.