Attacks on businesses and consumers are a blight on the economy, with criminals foreign and domestic using the Internet to steal identities, intellectual property, trade secrets and just about anything else they can get their hands on.
A new economic model developed at a prominent D.C. think tank puts the cost to the U.S. economy as high as $100 billion annually, with a corresponding loss of as many as half a million jobs.
The report, released by the Center for Strategic and International Studies (CSIS) and written by James Lewis and Stewart Baker, two old hands in the Washington cybersecurity policy discussion, offers a quantitative approach based on data from the Commerce Department and on analogous losses from car crashes, piracy and other losses and crimes.
Cybercrime: The Cost of Doing Business?
The authors explain: "One way to think about the costs of malicious cyber activity is that people bear the cost of car crashes as a tradeoff for the convenience of automobiles; similarly they may bear the cost of cybercrime and espionage as a tradeoff for the benefits to business of information technology."
But what is the price of all that nefarious activity?
The report, sponsored by security software vendor McAfee, eschews survey data, which the authors say is flawed because respondents "self-select," and businesses often either conceal or do not realize the full extent of the losses from a cyber attack.
"We believe the CSIS report is the first to use actual economic modeling to build out the figures for the losses attributable to malicious cyber activity," Mike Fey, executive vice president and CTO at McAfee, said in a statement.
"As policymakers, business leaders and others struggle to get their arms around why cybersecurity matters, they need solid information on which to base their actions."
Lawmakers Divided Over Government's Role
And cybersecurity is the subject of a long-running policy debate in Congress, with lawmakers divided over what role the government should play in setting and enforcing security standards for critical infrastructure operators in the private sector.
The CSIS report evaluated malicious cyber activity in a variety of forms, including crime, intellectual property loss, reputational damage and the cost of bolstering network security and recovery after an attack. The authors also considered the opportunity costs associated with downtime and lost trust, as well as the loss of sensitive business information.
Through an analysis of Commerce Department data on exports and job losses, the authors estimated that cyber espionage could rob the economy of as many as 508,000 jobs. Though he described that figure as a "high-end estimate," co-author Lewis suggested that the real impact could be more severe.
"As with other estimates in the report, however, the raw numbers might tell just part of the story," he said. "If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging."
The authors are planning to produce a second report that will focus on the less tangible impacts of malicious cyber activity, attempting to quantify the impact on the pace of innovation and the flow of trade.
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.