Analysts Can’t Calculate True Cost of Cybercrime, Espionage

Costs incurred by cybercrime and espionage have recently been estimated at a range between $6 billion and $1 trillion,according to a study done by the Center for Strategic and International Studies.

The center, along with network security firm McAfee Inc., is looking to close the gap between the two numbers to gain a more precise understanding of the economic losses incurred in cyberspace.

“Where we came out is that reasonably an upper limit might be somewhere under 1 percent of GDP. That’s a best guess,” James A. Lewis, director and senior fellow at CSIS’s technology and public policy program, said July 22 in a panel discussion in Washington, D.C.

There is limited data on cybercrime and that has proven to be a major hindrance in coming up with a better range. “It’s a problem,” he added.

One issue is that workers and companies may recognize that there have been breaches in their security systems, but they don’t know and can’t figure out what was taken.

There is risk in doing business in cyberspace. “Perhaps companies are underestimating the risk,” said Lewis.

There is also the question of whether crime and espionage are growing within cyberspace, or if the public is simply more aware that it’s happening. The answer, according to Phyllis Schneck, vice president and chief technology officer with the global public sector division of McAfee, is both.

“The awareness is obviously something that you sense and something that we hear about. The presence of malware is far more prevalent than we might know about through normal means,” she added. “So when you look at, ‘is it increasing?’ Yes it’s increasing but we’re also increasing our awareness of what’s happening.”

The more technology advances, the more avenues are created for cybercrime and espionage. The lack of data, methodology and legal standards make it difficult to defend against criminals.

“This is open season for the bad guys. We have created an Internet that… sends bad things to good people with a high quality service,” said Schneck.

“The more information we can put together, the more data points you have, the better understanding you have of the actual threat and how to address” it, she added.

However, companies are reluctant to share network data “on good faith.” There is no liability protection for a firm that wants to disclose information. In doing so, it could put its integrity and clients at risk.

More information is needed to more successfully handle the threat of cybercrime and espionage. “There is a lot of noise and a lot of chaos and a lot of buzzwords, but we really need to get through what does this mean, and what does it mean for network resilience,” said Schneck.

Topics: C4ISR, Cybersecurity