By Michael Sentonas.
Extracting value from the computers of unsuspecting companies and government agencies is a big business for criminals, and the scope of the loss to the victim ranges from reputational damage, loss of customer trust, financial penalties, cost of remediation and repair, to greater competition arising from the stolen information.
Over the last 12 months, there has been a change in the complexity and sophistication of advanced malware threats affecting business and government operations. One particularly sinister example recently identified in 600,000 samples carries a ‘wiper module’, designed to steal information and wipe the computer and its network – a devastating event for any business or government. While the victims are busy rebuilding their systems, they are distracted from investigating the security breach and identifying the stolen information.
In Australia, the top four types of data lost include customer personal information, network and online application passwords, financial data such as customer credit card details, and budgets and supplier information – all of which are of interest to cyber-criminals and are merely the first sign of loss to the organisation. (McAfee’s State of Privacy Awareness in Australian Organisations, April 2013)
Any attempt to measure the true cost of cyber-crime must consider many facets, not just the direct dollar losses sustained by victims, and it is this greater impact that is investigated in this article.
The Components Of Malicious Cyber Activity
In determining the components of malicious cyber activity, we start by asking what we should count in estimating losses from cybercrime and cyber espionage. We can break malicious cyber activity into six parts:
- the loss of intellectual property and business confidential information
- cybercrime, which costs the world hundreds of millions of dollars every year
- the loss of sensitive business information
- opportunity costs, including service and employment disruptions, and reduced trust for online activities
- the additional cost of securing networks, insurance, and recovery from cyber attacks
- reputational damage to the hacked company.
Crime Pays, But How Well?
Cyber crimes against the customers of banks and other financial institutions probably cost many hundreds of millions of dollars every year. Cyber theft of intellectual property and business-confidential information probably costs developed economies billions of dollars; how many billions is an open question. These losses could just be the cost of doing business, or they could be a major new risk for companies and nations as these illicit acquisitions damage global economic competitiveness and undermine technological advantage.
The cost of malicious cyber activity involves more than the technical damage to the asset or intellectual property. There are opportunity costs, damage to brand and reputation, consumer losses from fraud, the opportunity costs of service disruptions and of ‘cleaning up’ after cyber incidents, and the cost of increased spending on cybersecurity. Each of these categories must be approached carefully, but in combination they help us gauge the cost to societies.
Data collection is complicated by definitional difficulties. Should cybercrime, for example, include all crimes committed using cyber means, or only those crimes that could not have been committed without cyber tools, leaving out crimes that would otherwise have been committed via traditional criminal means? One way to think about this is to ask: if there were no internet, would this crime have occurred?
Two important caveats shape this comprehensive view. First, we will try to estimate net loss, which is particularly important for estimating the effect of a temporary disruption of service. A store knocked offline for a day may lose $10,000, but if customers wait or go to another store, the net loss to the economy is much smaller. Second, we will try to use market values rather than a value assigned by the victim. A company may spend a billion dollars on research, but it is the expected return on this research that determines its worth, not the expenditure. This approach raises several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of continuous losses in cyberspace. This question of the effect and consequences of the loss is more important than any actual number, and it is one we continue to investigate.
Intellectual Property Losses
The most important area for loss is in the theft of intellectual property and business-confidential information – economic espionage. However, it is difficult to precisely estimate the losses. This is, in part, because cyber spying is not a zero-sum game. Stolen information is not really gone. Spies can take a company’s product plans, its research results, and its customer lists today, and the company will still have them tomorrow. The company may not even know that it has lost control over that information, and in certain scenarios it could be held liable for information it does not know is being used outside its infrastructure.
There are many ways to determine the value of intellectual property, but it remains very hard to measure. One is to estimate what it would fetch on the market if offered for sale or for licensing. Companies can value their intellectual property by determining the income streams it produces and what it is expected to produce in the future. Companies can also estimate what it would cost to replace intellectual property as a means of estimating its value, although a reliance on inputs for estimating value can be very misleading. (CRS, The Economic Impact of Cyber-Attacks, April 1, 2004) The actual value of intellectual property can be quite different from the research and development costs incurred in creating it. If a company spends a billion dollars on a product that fails in the market, and then a foreign power or competitor steals the plans, the loss is not a billion dollars but zero – the invention’s market value. http://www.wipo.int/sme/en/documents/value_ip_intangible_assets.htm
However, if the competitor that illegally acquired the intellectual property is unable to develop a competing product, the theft does not create additional risk for the victim. To suffer loss, the acquiring company would have to use the IP in a way that harms the victim, by offering a competing product or by improving their bottom line through reduced R&D costs. http://www.chathamhouse.org/media/comment/view/177189
Making high tech products requires ‘know-how’ as much as blockbuster IP – knowing how to run a manufacturing process, where to buy the cheapest inputs, which customers are most interested, what designs actually move product, etc. If a company that steals ideas from other companies can ask each time it hits a roadblock, “How did the victim get over this barrier?” and then go back and find the answer in the victim’s files, it can quickly acquire the practical know-how to use the stolen IP.
Historically, state sponsored commercial espionage has focussed on areas of great interest to governments, such as military and advanced technologies. More recently, some countries seem to use cyber espionage as a normal part of business. Cyber espionage by nation states to benefit their companies is a kind of state aid to those companies that is cheaper than traditional subsidies. This privatised espionage can be deployed against a much broader swath of companies. One interview with intelligence officials told of a US furniture company being hacked and losing its IP, only to see furniture made from its designs being offered online to wholesalers. There are similar stories involving efforts to use cyber techniques in attempts to acquire breakfast cereal recipes, running shoe designs, automobile part technologies, and soft drink formulas. These are not ‘strategic industries’, but their losses from cyber espionage can still be significant.
The victim company still has access to the intellectual property. It has not lost the ability to make the product; what has in fact happened is that it now faces a new competitor. The risk of this competition is increased if the new foreign competitor has access to other government subsidies that allow it to sell at a lower price or if it is supported in its domestic market by barriers that hamper outside companies from competing. We need, in our assessment of the cost of cyber espionage, to put it in the larger context of national economic and trade policy to understand the possible consequences.
Business Confidential Information
While it may take years for stolen IP to show up in a competing product, there is no delay in monetising stolen confidential business information. Theft of oil exploration data, sensitive business negotiation data, or insider stock trading information can be exploited immediately by the acquirer. The damage to individual companies can be great. Measuring this category of loss is very difficult, since the victim may not know the reason they were underbid, a negotiation went badly, or a contract was lost.
A more insidious form of hacking is the equivalent of insider trading. In this case, the individual extracting non-public information about a future financial transaction is not an insider, but the effect is the same. Insider trading, or its hacking equivalent, may look like a victimless crime, but it reduces social welfare and harms financial markets. An astute hacker may manipulate stock prices or automated trading systems by putting out false news that could affect a price or the market. The effect may be short lived, but a hacker could execute trades planned in advance. In the case of stock manipulation, the cyber crime resembles insider trading, which can be notoriously difficult to detect. The information acquired could be used to make trades on another exchange, complicating enforcement efforts.
Next Steps For Estimation
We have identified important factors for determining the cost of malicious cyber activity. These factors may be quantifiable, but they rest on assumptions about the utility of illicitly acquired IP and the accuracy of reported losses from cybercrime and espionage.
A single, precise figure for the cost of cybercrime is unattainable. However, further analysis will help to reveal a more accurate understanding of the true cost of cybercrime and cyber espionage: whether companies consider cybercrime a tolerable cost of business, and whether a dollar cost for losses is an accurate measure of the effect of cyber espionage and cybercrime or whether it undervalues intangible costs, including international trust and military power.
At the heart of the matter is the effect on trade, technology and competitiveness. While the cost of cybercrime and cyber espionage to the global economy is likely billions of dollars every year, the dollar amount, large as it is likely to be, may not fully reflect damage to the global economy. Cyber espionage and cybercrime may slow the pace of innovation, distort trade, and create social costs from job loss. This larger effect may be more important than any actual number and it is one we will focus on in our follow-up report.
Michael Sentonas is Asia Pacific Chief Technology Officer for McAfee, one of the world’s largest dedicated security technology companies.