“It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion,” said President Obama in his first major address on cybersecurity, back on May 30, 2009. “In short, America’s economic prosperity in the 21st century will depend on cybersecurity.”
$1 trillion is an impressively large, perfectly round number. The only trouble is, it’s not correct. McAfee, the very organization that came up with the original estimate, announced Monday that the actual and extrapolated losses from online espionage, hacking, and cybercrime probably fall closer to $100 billion–one-tenth of the original figure. That’s less than 1% of the U.S. GDP and in line with other minor costs of doing business, like losses from employee “pilferage.” That’s the cost to both businesses and governments combined, by the way.
One major reason the estimate was revised downward is that previous studies failed to take into account that when hackers “steal” information, they’re actually just copying it. Businesses retain access to their important information, making cybertheft less like regular theft and more like an annoyance.
Wrong though it is, the $1 trillion figure has had an impressive run as a worst-case-scenario scare stat. Senators Joseph Lieberman, I-Conn., and Susan Collins, R-Maine, referenced it in their ultimately unsuccessful effort to pass the Cybersecurity Act of 2012. And Keith Alexander, director of the National Security Agency, last year in a famous soundbite called cybercrime “the greatest transfer of wealth in history.” Drumming up fear around cybersecurity has been a key part of securing support for domestic surveillance programs like PRISM, and
So will the walk back of cyberthefts from high crime to lowly misdemeanor lead to a walk back on privacy invasions as well? It’s not likely. Many of the outlets that covered the new $100 billion figure used the higher ends of the range and didn’t even acknowledge that the new figure is a heck of a lot smaller than it used to be, even insignificant alongside other costs of doing business. Estimating the size of illicit markets is difficult and the few estimates made with weak data points are often repeated over and over–human trafficking is a notorious example. One thing is clear, though: It’s hard to make good policy when you start with bad data.
[Image: Flickr user Jonathan Kos-Read]