Annual U.S. Cybercrime Costs Estimated at $100 Billion
WASHINGTON—The cost of cyberespionage and cybercrime to the U.S. is as much as $100 billion each year, according to a study released Monday that is casting doubt on earlier estimates as much as 10 times higher.
The latest estimate is supported by some U.S. intelligence analysts, said a former U.S. official familiar with the intelligence discussions. That figure is 1% or less of U.S. gross domestic product and, for companies, puts cybertheft losses among a variety of costs incurred in the course of doing business.
The joint study by the nonprofit Center for Strategic and International Studies and the computer-security firm McAfee reflects a major revision of McAfee’s own previous estimate of $1 trillion, which has been cited widely, including by President Barack Obama in a 2009 cybersecurity speech. McAfee is a subsidiary of Intel Corp.
That figure also contrasts sharply with an oft-quoted statement by Gen. Keith Alexander, head of U.S. Cyber Command, who last year said the losses represent “the greatest transfer of wealth in human history.”
This study represented McAfee’s effort to work with the CSIS “to develop the most analytically sound report on the market,” said Tom Gann, McAfee’s vice president for government relations. The company’s previous $1 trillion estimate, he said, had been criticized by economists, and while it “was an honest effort” to extrapolate a figure from surveys, “some of the assumptions were wrong.”
One key reason the study’s estimate is lower than many previous ones is that it takes into account the shifting benefits of cybertheft. “Cyberspying is not a zero-sum game,” the report said. “Stolen information is not really gone.”
If the Chinese steal intellectual property, they might not know what to do with it and the cost of the theft would be limited. Likewise, if one U.S. bank is knocked offline by a cyberattack, customers might just use another U.S. bank.
The wide range of estimates shows how difficult it has been for government and private industry to gauge the net impact of cyberspace mischief. The reluctance of firms to report hacking incidents, much less their costs, is a major barrier.
When the National Intelligence Council tackled that question last year, it ultimately decided not to put a dollar figure on the cost and instead chronicled the rapid escalation of cyberespionage—particularly Chinese—and its sweeping nature, ranging across many sectors from military to energy. China denies allegations of hacking in the U.S.
If the $100 billion estimate is accurate, those losses compare with costs that the American public and businesses often confront. The cost of car crashes for the U.S. in 2010, for instance, was estimated between $99 billion and $168 billion, the study noted.
The study appears to be the first to look at the potential effect on American jobs, citing the loss of as many as 508,000 positions each year. Global losses, it finds, are between $100 billion and $500 billion each year.
To assemble the estimate, the researchers asked 20 top economists about the best modeling techniques that would avoid many of the weaknesses of the survey approach.
“We’re trying to get away from the ‘Magic 8 Ball’ approach to estimation, where you shake the ball until you get the number you want,” said the CSIS’s James Lewis, who co-wrote the study with Stewart Baker, a former top official at the Department of Homeland Security and the National Security Agency.
They broke down cybertheft into six component parts and devised costs for each of those components: intellectual-property loss, direct losses because of cybercrime, the loss of sensitive business information, opportunity costs and reputational impact.
They then used analogies to gauge the scope of the problem and concluded that the costs of cybertheft are in roughly the same range as car crashes and rates of “pilferage” or inventory shrinkage in major companies.
The authors make clear their estimate is an initial attempt to calculate the incalculable. The cost range cited in the study is $25 billion to $100 billion, but there may be additional costs not reflected in this estimate.
Still unknown, for example, are the unseen costs of military cybertheft, said Mr. Lewis. “A lot of the cost overruns in some of our big programs are because they had to rewrite the code after the Chinese got in—and the real damage won’t appear until we see how weapons actually perform,” he said.
Another challenge, said Mr. Gann, is the difficulty of gauging the long-term impact on U.S. competitiveness. McAfee is funding another study by the CSIS to look at that question.
At an event here to unveil the report, Mr. Lewis said, “The cost to society may be greater than the cost to an individual company.”