Companies aren’t properly incentivized to protect their networks and we’re all paying the price, the Council of Economic Advisers concludes.
The U.S. economy loses between $57 billion and $109 billion per year to malicious cyber activity, according to an estimate published Friday by the White House Council of Economic Advisers.
That’s between 0.3 and 0.6 percent of the value of all the country’s goods and services, the study states.
That estimate “likely amount[s] to only a small fraction of the cost that the U.S. economy may incur if the United States were to enter a large-scale conflict in cyber space,” such as a major cyberattack on the financial services sector or the energy grid, the report notes.
The total loss figure is based mostly on analyzing the effects of data breaches and other cyber incidents on companies’ stock prices. As a result, the data skews toward larger companies.
The estimate is roughly in line with a Center for Strategic and International Studies estimate that malicious cyber activity cost the U.S. $107 billion in 2013.
The cost of cybercrime is notoriously difficult to measure. To begin with, companies often aren’t required to publicly report data breaches that don’t affect customers’ or employees’ personal information. The effect of breaches that companies do report is also less apparent for companies that are not publicly traded. Finally, companies—especially smaller ones—frequently don’t even know that they’ve been breached.
Beyond the overall price estimate, the Council of Economic Advisers report is largely a compendium of earlier studies. Among the report’s conclusions are that companies aren’t properly incentivized to pay for sufficient cyber protections and poor cyber protections at one company damage the cybersecurity of the broader economy.
Scarce cyber threat data has also impeded the development of the cyber insurance market, the report states. A more mature market for cyber insurance might remedy some misaligned incentives by, for example, requiring policyholders to meet certain minimum cybersecurity standards.
Numerous studies have found that misaligned economic incentives hinder cybersecurity, but government officials have also been wary of imposing new regulations to shift those incentives—both because of the broadly anti-regulatory environment in Washington and because it’s difficult for the government’s sluggish regulatory process to keep up with the speedy evolution of cyber threats.