In a world where governments ape the behaviour of cybercriminals, cost estimates risk missing the point.

Cybercrime cost the global economy a staggering-sounding $445 billion in economic losses in 2013, a McAfee-sponsored report from the Center for Strategic and International Studies (CSIS) has estimated, yet another depressing and quotable benchmark telling us that things aren’t going well.

Despite the imposing numbers, the CSIS analysis is basically a re-hash of what it came up with less than a year ago, when it offered a cybercrime loss figure around the $400 billion mark. That raises the immediate issue of why McAfee paid the organisation to reheat more or less the same numbers and arguments as last year, but we digress.

What the report does ram home is that if cybercrime has some deeper significance that elevates its importance above other types of crime then it is a phenomenon whose precise meaning still eludes us. If it is so important and expensive then why do only a handful of countries in the developed world seem to produce statistics that come even close to a reliable estimate of incidents? 

The CSIS figures suggest that China has the biggest problem with losses at around 0.63 percent of GDP, almost identical to the US’s 0.64, but from an economy with low levels of reporting. The UK appears to do well with a number of 0.16 percent of GDP but again it’s not clear whether these crimes are being accurately recorded.

This all means that cybercrime is now 0.8 percent of the global economy, which compares to the illegal drug industry’s 0.9 percent, 1.5 percent for theft (US), 0.89 percent for piracy, and a 1.0 percent effect for US car crashes (which aren't usually a crime but give a scale to these negatives). Bad things cost us all and cybercrime is just another one of those bad things. According to the CSIS, the world will put up with cybercrime as long as it doesn’t get beyond 2 percent of GDP.

The CSIS is thoughtful enough to ask whether the effects of cybercrime can really be measured in terms of money, and the answer is surely no. Of course cybercrime costs money but so surely do all sorts of crime and few of them generate the same sorts of headlines. Many are seen as almost inevitable, a side-effect of globalisation that turns commerce into a market opportunity, demand into supply.

Perhaps cybercrime is just another crime we need to get used to.

In the view of the CSIS, the hidden financial burden is on businesses, which find patents and innovation under attack on a scale that has the potential to undermine whole economies in the long run. This is having political consequences (e.g. the stand-off between the US and China) where one side has become convinced that it is under attack at a fundamental economic level that forces it to retaliate.

This is the odd quality of cybercrime that nobody can quite get a handle on - it is not just the handiwork of criminals but of legitimate states and governments too, which increasingly see it as a tool to undermine the economy and system of their rivals. Cybercrime is derided by governments the world over as an evil of our times, and yet many now wield the very same as a strategic weapon as well as a defence.

Presumably the CSIS will produce another report in a year and the estimate for cybercrime will have gone up a bit, perhaps nearer the $500 billion mark. But money still won’t be the issue even though every analysis seems to need a number to make itself real. Cybercrime is a far more potent destabilising force that can't simply be written into an accounts ledger as a way of giving it substance. It is not a problem that can be measured in simple dollar terms.