The cost of cybercrime is frequently used to justify the cost of security products and the implementation of new – and invariably more stringent – cyber laws. But what if those figures are wrong? Could it mean that industry, and government, gets its entire cybersecurity strategy wrong?
Last year, Ross Anderson from Cambridge University led a study that resulted in ‘Measuring the Cost of Cybercrime’. “It was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem,” says the report. In particular, it was responding to a study by Detica “which estimated cybercrime’s annual cost to the UK to be £27bn (about 1.8% of GDP).” But that £27 billion figure pales in the face of a much earlier 2009 estimate from McAfee: that global cybercrime costs the world $1 trillion per year.
This year McAfee has downgraded the threat – it now apparently ‘only’ costs in the region of $300 billion. But that earlier figure has remained like an albatross around McAfee’s neck: it has been used ever since by software vendors to sell products and by governments to justify cybersecurity laws and bigger cybersecurity budgets. It “has been used by politicians and bureaucrats including US President Barack Obama and National Security Agency director Keith Alexander to justify law changes or significant increases in cyber-security spending,” noted the Australian Financial Review (AFR) this weekend.
Now McAfee’s global chief technology officer, Mike Fey, has told AFR that he regrets those early estimates, and that even recent, more conservative estimates were ‘hard for me to swallow.’ “I wish we had never put a dollar figure on it,” Fey said. “[It is] very scary to just latch onto the number.”
The problem is that when excessively large estimates are used it can create consumer distrust and has a counter-productive effect – people don’t buy security products because they simply don’t believe the threat. “This is another case in point of how an estimation that is wildly off the mark can create consumer distrust and further confusion in the market,” comments George Anderson, enterprise product marketing manager at Webroot. “The security industry has often been accused of using FUD (Fear, Uncertainty & Doubt) to scaremonger and that has to stop – we need to cut the FUD, the fear and the frenzied reaction it instigates.”
Ross Anderson’s conclusion had been more extreme – that the effect of this FUD has led to a completely wrong focus on fighting cybercrime. His report gave spam as one example. “The botnet behind a third of the spam sent in 2010 earned its owners around US$2.7m, while worldwide expenditures on spam prevention probably exceeded a billion dollars.” The implication is clear: where is the logic in spending $1 billion to save a probable total of much less than $10 million?
“As for the more direct question of what should be done,” says the report, “our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.”