Cybercrime and espionage could be costing the world between $70 billion (£46 billion) and $400 billion a year from a total global economy of $70 trillion, a new estimate by the Center for Stategic and International Studies (CSIS) has calculated.
In the context of the US economy, the damage caused by it is possibly equivalent to 500,000 jobs displaced but in truth the McAfee-sponsored study The Economic Impact of Cybercrime and Cyber Espionage admits that even coming up with these numbers is prone to be defeated by a raft of imponderables.
What the researchers were determined to do was calculate the negative effects using something more substantial than the unsatisfactory surveys often used by security vendors to describe cybercrime, the CSIS said.
First context – what do other negatives cost economies? In the US, for instance, car crashes cost somewhere between $99 billion and $168 billion a year, depending on which official estimate and year is used. Similarly, illegal drug trafficking is a $600 billion global industry.
Set against these vast numbers, the losses from cybercrime look less alarming although in the case of the car industry not all the costs will be losses; fixing cars and buying new ones generates income for other types of business in ways that cybercrime doesn't.
Cybercrime's main unintended economic benefit has been to prime the global security industry, the size of which is a separate topic.
What the CSIS's difficulties in coming up with accurate figures suggest is that the task might be nearly impossible. Direct effects are hard enough to model let alone indirect ones.
A second points is that using selective estimates based on surveys – wheeled out by governments in particular - is almost certainly misleading.
“We believe the CSIS report is the first to use actual economic modelling to build out the figures for the losses attributable to malicious cyber activity,” said Mike Fey, executive vice president and chief technology officer at McAfee.
“Other estimates have been bandied about for years, but no one has put any rigour behind the effort. As policymakers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions.”
Or is conceiving of 'costs' as losses the wrong way to approach the whole issue? The CSIS suggests that we view cybercrime losses in the same way we view losses from other activities, as something tolerated to access the benefits.
The alternative, then, is to worry less about the sums of money involved so much as the scope of the actual effects themselves. Cybercrime's damage is as much psychological as fixed in dollars.
For example, Chinese espionage and intellectual property theft might not generate huge losses for the US economy per se but could still warp relative economic performance in significant ways.
“Using figures from the Commerce Department on the ratio of exports to US jobs, we arrived at a high-end estimate of 508,000 jobs potentially lost from cyber espionage,” said co-author and CSIS director, James Lewis.
“As with other estimates in the report, however, the raw numbers might tell just part of the story. If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging,” he said.
What is clear is that whatever it is costing, cybercrime didn't exist 15 years ago and its rapid rise must be having some effect. A 2012 report from Moscow-based Group-IB found that cybercrime had mushroomed during 2011 into a $12.5 billion industry in terms of its income stream. Russian-speaking countries accounted for around a third of that total.