The cyber world, still in its relative infancy, presents a unique challenge. Unlike other forms of assets, cyber assets are tantalizingly accessible to wrongdoers in far-flung corners of the globe. This physical distance affords criminals significant protection against apprehension, which lowers their risk. With cyber assets and activities valued in the trillions of dollars, the potential payoff remains staggeringly high.

Recalling the 2017 WannaCry Ransomware Cyber Attack

In 2017, the world experienced the widespread WannaCry ransomware cyber attack, which impacted approximately 200,000 computers in over 150 countries. This attack exploited vulnerabilities in unpatched Microsoft Windows systems, encrypting users’ files and demanding Bitcoin ransoms for decryption. It had severe global consequences, affecting various sectors, including healthcare, finance, and government agencies, with hospitals facing significant disruptions. The economic cost of WannaCry was estimated to be in the billions of pounds, highlighting the urgent need for cybersecurity vigilance and proactive measures in our interconnected digital world.

Beyond Privacy and Security: Unveiling Economic Losses

While discussions about cybercrime often revolve around privacy and security breaches, the economic toll is equally substantial. Regrettably, research and data on this aspect of cybercrime remain limited. Data collection grapples with small sample sizes and other challenges, casting shadows of doubt on accuracy.

A Closer Look: Assessing Cybercrime Losses in the U.S.

In a recent National Institute of Standards and Technology (NIST) report, I examined the losses incurred by the U.S. manufacturing industry due to cybercrime. The analysis drew on an underutilized dataset from the Bureau of Justice Statistics, widely recognized for its statistical reliability. The dataset, from a 2005 survey of 36,000 businesses with 8,079 responses, represents the most extensive sample available for evaluating aggregated U.S. cybercrime losses.

Estimating the Scale: Unveiling Astonishing Figures

Using statistical methods designed to address data uncertainty, I extrapolated both upper and lower bounds. The results were eye-opening: 2016 U.S. manufacturing losses fell between 0.4% and 1.7% of manufacturing value-added, or $8.3 billion to $36.3 billion. Extended to all industries, the losses amounted to 0.9% to 4.1% of total U.S. gross domestic product (GDP), or $167.9 billion to $770.0 billion. Remarkably, even the lower bound surpassed widely cited yet largely unsubstantiated estimates from McAfee.

Hidden Depths: The True Magnitude of Cybercrime Losses

What makes these estimates startling is that, although they exceed commonly cited figures, the assumptions I used to calculate losses substantially depressed the lower bound, which suggests that actual losses may be far higher. My low estimate assumed that businesses that did not respond to the Bureau of Justice Statistics survey experienced no losses. In other words, 77% of the 36,000 surveyed businesses were presumed to have suffered no loss, so the true loss likely surpasses the low estimate.

The Shifting Landscape: A Digital Economy in Flux

Furthermore, the 2005 data from the Bureau of Justice Statistics reflects an era when cybercrime held less prominence, and the digital economy was in its infancy. If this data accurately represents reality—where respondents’ companies’ average losses align with the actual average U.S. losses per company—the losses approach the high estimate of $36.3 billion for manufacturing and $770 billion for all industries. This would signify total cybercrime losses surpassing the GDP of numerous U.S. sectors, including construction, mining, and agriculture. If losses per company have outpaced inflation, which is probable, the figures would be even more substantial.

A Paradigm Shift: Cybercrime vs. Traditional Crime

Many other estimates, including widely cited ones, often lack the technical details of data collection and analysis. Some assume that the ceiling of cybercrime losses should not exceed the cost of car crashes or petty theft in a given year. However, cybercrime stands apart from other property crimes or losses. Traditional property losses necessitate physical presence, limiting the scope of loss or damage. For instance, a burglar must physically enter a home or business to steal property. In contrast, cyber assets remain potentially accessible to would-be criminals across the globe, eliminating the need for physical presence.

The removal of this physical presence barrier reshapes the landscape of criminal activity, making cybercrime more prevalent. As a personal example, my information has been stolen numerous times, while my home has never been burglarized. Finding a cybercriminal requires merely checking my email inbox, but locating a burglar remains a mystery.

The Ongoing Challenge: Staying Ahead of the Curve

My report meticulously describes the methods used, relies on publicly available data, and does not assume that cybercrime losses resemble those of other crime categories. However, since the data I utilized from the Bureau of Justice Statistics dates back to 2005, these estimates likely err on the conservative side. The digital economy, measured in real dollars, burgeoned by 129% between 2005 and 2016, a growth factor not incorporated into the calculations. Moreover, the number of businesses used for estimation decreased in 2016, according to the Census Bureau’s Annual Survey of Entrepreneurs, further lowering the low-end loss estimate.

Economic Implications: Hindered Growth

In recent years, U.S. economic growth has averaged between 2% and 3%, at least before the onset of the COVID-19 pandemic. Although considered robust, my estimates suggest that the economy could have expanded even more rapidly were it not for the scourge of cybercrime. With the U.S. being a prosperous nation and boasting a commonly spoken language—facilitating a larger pool of potential offenders—it stands as a prime target for cybercrime. Underestimating this risk may lead businesses and government entities to underinvest in mitigation strategies, such as IT security expertise, data risk management, or recommended security measures. The result is unnecessary, potentially substantial losses. In cases involving intellectual property, these losses can dampen incentives for research and development investment, further curbing economic growth.

The Urgent Need: A Deeper Understanding of Cybercrime Loss

My report’s implication is that widely accepted estimates of cybercrime loss may significantly underestimate the true extent of these losses. Addressing a problem like cybercrime necessitates understanding the magnitude of the loss, the types of losses incurred, and the contexts in which they arise. Without continued data collection, we remain in the dark about the scale of our losses. However, the evidence strongly indicates that these losses are greater than initially thought.