What is the global cost of cybercrime? According to a study released Monday by the Center for Strategic and International Studies (CSIS) and McAfee, the figure could be as low as $375 billion or as high as $575 billion annually. While both numbers are staggeringly large, the wide gap between those estimates points to a troubling issue in cybersecurity today: a lack of data breach reporting and transparency.
The CSIS/McAfee report itself spends some time detailing how the lack of complete or accurate records about security breaches impacted the creation of the report, noting that most cybercrime is not reported. (For example, the report mentions that when Google was hacked in 2010, 34 other Fortune 500 companies were also impacted, but only one company besides Google admitted to being hacked.) Outside of the United States, the report is missing data from various countries around the world, most conspicuously in the developing world where cybersecurity data is often not collected at all.
The lack of a complete data set coupled with the difficulty of quantifying the economic loss associated with cybercrime makes it easier to understand why the report presents such a wide range in estimated costs. At the presentation of the report at CSIS on Monday, panelist James Andrew Lewis reiterated that “many nations don’t produce good data and some don’t produce any data.”
Although reports like the CSIS/McAfee study have difficulty estimating the extent of economic loss due to cybercrime, the consensus is that most estimates run low because of the lack of transparency. At the presentation, panelist Stewart Baker noted that while “overestimation is possible, underreporting is much more likely.”
BitSight Technologies CTO and cofounder Stephen Boyer also believes that cybercrime is generally underreported. “The math does not add up between public disclosure and what is actually going on,” he explains. “We know that the problem is much worse than is communicated by breach disclosure.”
The lack of security breach data makes it difficult to accurately quantify the costs and risks of cybercrime for analysts, which then impacts businesses’ ability to engage in risk management and customers’ ability to understand the safety of their data. Instead, we are presented with a familiar but vague narrative in cybersecurity research reports: cybercrime is prevalent and escalating, and companies need to do more to educate and protect themselves. In light of this, would a national standard for data breach reporting be a good thing in the fight against cybercrime?
Boyer of BitSight believes so. Boyer compares cybersecurity today to aviation safety at a time when anyone could fly a plane or buy a ticket. Because of plane crashes and safety concerns, “transparency was pushed all through the system.” Today, the National Transportation Safety Board investigates all civil aviation accidents in the United States, in addition to significant accidents in other modes of transportation. Something of this nature has yet to happen in the realm of cybersecurity, Boyer explains.
Companies often fear the economic impact of disclosing data breaches. According to the CSIS/McAfee report, companies who have been hacked have suffered a drop in stock value of one to five percent, although they usually recover within two quarters. Increased transparency could change the culture and lessen the economic impact on any one company which reports. “Over time, the stigma will decrease,” Boyer explains. “As more and more organizations step up…it’s going to change the culture. Over time, it’s going to change outcomes.”
Embarrassment and business culture contribute to a lack of transparency in data breach reporting, according to Boyer. The majority of security breaches are accomplished through less-than-sophisticated methods, and companies don’t like admitting to these kinds of attacks. Additionally, the United States has a business culture where companies don’t disclose breaches and where IT is a “back office function,” Boyer says.
Currently, data breach disclosure is regulated at the state level. According to Pam Greenberg at the National Conference of State Legislatures, Kentucky became the 47th state to pass a security breach law this year, and 19 other states have expanded or amended existing security breach legislation. The differing standards between states make compliance difficult for businesses that operate in multiple states.
“There is a patchwork of regulations,” explains Gautam Hans, the Ron Plesser Fellow at the Center for Democracy and Technology. “Bigger companies end up following the most highly regulated law in notifying their customers. Smaller companies may not be doing that.” Hans believes that greater disclosure would be helpful but wouldn’t prevent data breaches. “We need to have stronger data security in general, and security notification won’t get us there,” Hans explained. “Companies need to put security first.”
While stricter breach disclosure laws obviously wouldn’t end cybercrime (if only it were that easy), more mandated reporting, especially at the national level, could be a step in the right direction. With more complete data and a clearer idea of the true scope of cybercrime, individual companies as well as national cybersecurity experts would be able to learn from the data and take more informed steps to strengthen cybersecurity and prevent future breaches. If the requirements to disclose were stricter, companies might also be motivated to strengthen their security systems for fear of customer dissatisfaction. This could be expensive, but so is allowing cybercrime to continue, as the report shows.
Increased legislation may be a long time away, but until organizations and governments become more transparent about data breaches, we are left with alarming but vague estimates about the extent and cost of cybercrime—an estimated 200,000 U.S. jobs lost annually to cybercrime in addition to over $400 billion lost globally, according to this report.