Malicious cyber activity could cost the U.S. between $57 billion and $109 billion a year, according to a study from the Council of Economic Advisers.
The study finds that most malicious activity directed toward public and private entities manifests as denial of service attacks. It also says that scarce data and insufficient information sharing impede cybersecurity efforts and slow the development of the cyber insurance market. Firms often share common cyber vulnerabilities, which causes cyber threats to be correlated across them.
The report defines malicious cyber activity as anything that seeks to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, or physical or virtual infrastructure controlled by computers or information systems. It says that cyber threats fall into six broad groups: nation-states, corporate competitors, hacktivists, organized criminal groups, opportunists and company insiders. It quotes Verizon’s 2017 Data Breach Investigations Report, which noted that 75 percent of recent cyber incidents and breaches were caused by outsiders, while 25 percent were performed by internal actors. Overall, 18 percent of threat actors were state-affiliated groups, and 51 percent involved organized criminal groups.
The report goes on to highlight China’s significant role in cyber-enabled IP theft, quoting a 2016 report from FireEye that says China’s cyber threat became “more focused, calculated and still successful at compromising corporate networks.”
An adverse cyber event imposes huge costs on an organization, according to the report, including costs related to loss of IP, reputational damage, loss of strategic information, loss of revenue, cybersecurity fixes, and court settlements and fees, among other factors.
It also estimates the cost of an adverse cyber event to a typical publicly-listed U.S. firm, based on data from Thomson Reuters. It states that, on average, firms lost about 0.8 percent of their market value in the seven days following news of an adverse cyber event. The firms in the report’s sample, on average, lost $498 million per adverse cyber event. Unsurprisingly, the report also finds that a cyber attack of the same magnitude will have more impact on a smaller firm than a larger firm, often causing the smaller company, especially if it has few product lines, to go out of business.
The report found that cyber events that involved IP theft were the most damaging, with firms losing on average 6.32 percent of their market value. DDoS attacks were the next most damaging, with firms losing 2.37 percent of their market value on average. The finance sector, closely followed by manufacturing, government, and healthcare, saw the highest number of security breaches, according to the report.
The study also discusses initiatives from both the private and public sector to tighten up cybersecurity. From the public sector, it highlights the NIST Cybersecurity Framework, and DARPA’s allocation of 10 percent of its research budget ($41.2 million) to cyber sciences. It also cites an estimate from a Morgan Stanley study in 2016, which says that by 2020 cybersecurity will more than double from $56 billion to $128 billion within the private sector.
“Effective public and private-sector efforts to combat this malicious activity would contribute to domestic GDP growth,” the report concludes. “However, the ever-evolving nature and scope of cyber threats suggest that additional and continued efforts are critical, and the cooperation between public and private sectors is key.”