One of the numbers often thrown about when discussing cyber crimes, Internet-based crimes, and the like, is “$1 trillion.” This is most often cited by politicians in both Washington D.C. and Ottawa when promoting their “solutions” to the “cybercrime threat.” Some of these solutions might be good ones, but in the main, they appear to be bumbling attempts to staunch a problem that the politicians don’t really seem to understand nor have realistic expectations towards.
Another number often highlighted in these stumps is “$250 billion,” referring to annual losses from intellectual property thefts. This number is another of the statistics trotted out when campaigning for the latest and greatest attempt to thwart online evildoers.
Where, exactly, do these numbers come from?
McAfee and Symantec
The $1 trillion statistics is courtesy of electronic security firm McAfee, famous for its popular consumer anti-virus software and related tools. The number was given in a 2009 report titled “Unsecured Economies: Protecting Vital Information” (http://www.cerias.purdue.edu/assets/pdf/mfe_unsec_econ_pr_rpt_fnl_online_012109.pdf) published in conjunction with Purdue University. Except the number never appears in the university’s report, only in McAfee’s press release announcing the report’s findings. McAfee, when questioned by ProPublica.org about the number says it was an “extrapolation by the company, based on data from the report.” Purdue researchers and contributors interviewed by ProPublica.org said they’d never seen the trillion dollar number until news stories about the report began to air.
As for the $250 billion number, that comes from McAfee’s rival Symantec. That number appeared in a similar Symantec report, but was from un-cited sources and the company has never clarified where the $250B estimate actually comes from. So the only thing we have to back that number is faith that this company whose business it is to provide security against cyber theft is being truthful when they estimate how much cyber theft is happening. That’s more than a little shaky.
The Real Cost?
So what’s the real cost of cyber-based crimes (hacking, theft, security breaches, etc)? That’s anyone’s guess. Pinning down a real number would not be easy. Think of it this way: if your computer were hacked into right now and all of its information stolen, how much would that information be worth? Some things, like bank account information, you could probably put a realistic dollar figure on. But what about years of family photos? Old credit card information that’s no longer valid? Access to your Facebook and other social networking accounts? Got a figure for those? Next, if the information is stolen but never used, was it really “theft” in the sense that there was no financial loss from its being copied?
Now consider those questions on a much larger, grander, and even more convoluted scale. If information from a large array of servers at IBM is stolen.. how much was it worth in dollars? Sensitive information from military contractors?
The reality is, the figures for actual losses could be much larger or much smaller than the $250B and $1T cited. Most likely, they’re smaller. Information is stolen all the time. Someone overhearing you recite your Health Canada ID at a doctor’s office is technically “stealing” your information since they are privy to something they should not be. If they don’t use it, though, was there a loss?