This cost covers the loss of intellectual property, financial crime against banks and their customers, loss of business information and commercial strategy, the cost of recovering from cybercrime, and the losses incurred from the need to ramp up security and avoid risks.
The report’s authors discussed the report Monday at the Center For Strategic and International studies (CSIS). CSIS senior fellow James Lewis co-authored the report along with Stewart Baker, former assistant secretary of security for policy at the Department of Homeland Security under President George W. Bush.
At Monday’s panel discussion of the report security experts emphasized the need for better data collection on incidents of security breaches, pointing out that law enforcement will only address crime that is measured, as in police departments can only target crimes they are aware of.
In writing the report they evaluated the data received from governments around the world. They had low confidence in the reliability of about one-quarter of the data received and urged governments to be more proactive in measuring cyberattacks.
“If governments produce numbers that underestimate loss, companies say, ‘It can’t be that big a problem,’” said Baker.
James Lewis of CSIS said that in speaking with law enforcement around the globe many said they were overwhelmed by cybercrime and unable to address all reports of such crime. Even so, law enforcement may only receive reports on a fraction of the incidents since it is common for companies not to report cybercrime.
The report also discussed how hard it is to quantify the monetary loss from theft of intellectual property. For example, $1 billion spent in R&D to develop a certain amount of intellectual property does not equal $1 billion lost.
Criminals may only be able to monetize about 10 percent and doing so often takes them six to eight years. Even so, criminal theft of intellectual property is growing more lucrative as criminals get better at monetizing more of the information. Their average time to market is also going down, according to the report’s authors.
Baker said he would like to see the government be more proactive in going after cybercriminals rather than just work on shoring up defenses. He said he welcomed the Justice Department’s recent indictment of five Chinese military hackers but more action is needed.
“The role of government is to find the bad guy and make them pay,” said Baker.