Theft of personal data, loss of intellectual property and opportunity costs stemming from these and other cybercrimes in 2016 may have cost the global economy 0.8 percent — or as much as $600 billion — according to a report released Wednesday.
The growing spread of computer connectivity, easy availability of malware and the ability to monetize stolen information is leading to an explosion in cybercrime, according to the report, titled Economic Impact of Cybercrime. It was prepared by the Center for Strategic and International Studies, a Washington think tank, and McAfee, a computer security firm.
“Cybercrime remains far too easy, since many technology users fail to take the most basic protective measures, and many technology products lack adequate defenses, while cybercriminals use both simple and advanced technology to identify targets, automate software creation and delivery, and monetization of what they steal,” the report says.
Cybercrime is only a portion of the vast criminal activity that takes place on the internet, the report says, noting that its definition focuses on “criminals gaining illicit access to a victim’s computer or network.”
The report named Russia, North Korea and Iran as the top perpetrators of cybercrime, while China largely focuses on cyber espionage. Russia in particular is brazen and leads overall in cybercrime, “reflecting the skill of its hacker community and its disdain for western law enforcement,” the report says.
The assessment includes the following crimes in calculating the annual damages: the loss of intellectual property and business information, online fraud that leads to the loss of personally identifiable information, financial manipulation using stolen business information relating to mergers and other performance measures of companies, opportunity costs of business disruption from a cyberattack like ransomware, costs of covering such losses including cyber insurance costs, and the reputational damage and potential loss of stock value.
Watch: Intelligence Officials Aware of Russian Activity Aimed at 2018 Elections
With the help of modeling techniques used in economic research when data is incomplete, CSIS and McAfee said they estimated that in 2016 cybercrime may have cost between $445 billion and $600 billion, or about 0.8 percent of the world’s economy. That compares with a cost of 0.62 percent of global GDP in 2014, according to the report, which marks the third time CSIS and McAfee have teamed up to assess cybercrime’s impact.
The report’s estimate of loss is conservative and doesn’t count the real cost of damages inflicted by cybercrime, said London-based Raj Samani, the chief scientist at McAfee. “It’s an unknown, unknown,” Samani said, referring to the difficulty of estimating true costs.
If, for example, a U.K.-based telecom company loses 100,000 customers and incurs $85 million in costs because of a cyberattack, it is hard to say what else the company could have done with the money, Samani said. “Would they have spent to hire 5,000 more people, or invested in a new area to make more money? What we do know is the money did not go back into the U.K. economy.”
The cost estimates were drawn from publicly available loss data from 50 countries and were supplemented with interviews with cybersecurity officials from all the G-7 countries: Canada, France, Germany, Italy, Japan, the United Kingdom and the United States, the report said.
As computer technology and connectivity spread, so does cybercrime.
“Cybercrime operates at scale,” the report says. “The amount of malicious activity on the internet is staggering,” it says, citing data from an unnamed internet service provider that sees 80 billion malicious scans a day because of “automated efforts by cybercriminals to identify vulnerable targets.” Estimates of the amount of malware released range from 300,000 to a million viruses every day, according to the report. “Most of these are automated scripts that search the web for vulnerable devices and networks,” while “phishing remains the most popular and easiest way to commit cybercrime,” with anywhere between 1.2 million and 14 million attempts in 2016 to lure potential victims to click on a trap door in their email.
The costs of cybercrime varied by region, with North America, Europe, Central Asia, East Asia and the Pacific leading, followed by South Asia, Latin America and the Middle East, the report says.
Banks remain the favorite target for the skilled cybercriminal, forcing financial institutions to spend three times as much on cybersecurity as nonfinancial firms.
Russia and North Korea hack banks specifically to steal money, as both countries labor under economic sanctions imposed by the rest of the world. Pyongyang also turned to cryptocurrency theft from South Korean exchanges, using the anonymity offered by Bitcoin to circumvent sanctions, the report says.
The Russian government and organized crime groups work together on cybercrime, and Moscow “provides a sanctuary for the most advanced cybercriminals, whose attention focuses on the financial sector,” the report says. “The best cybercriminals in the world live in Russia, and, as long as they do not travel to countries where they could be arrested, they are largely immune from prosecution.”
The report says one of the hackers who broke into Yahoo in 2013 and stole information on as many as 3 billion users did so at the behest of Russian intelligence, and then handed over the information to the Russian government.
In March 2017, the Justice Department charged four Russians and a Canadian for the attack.