More eye-watering figures for cybercrime

For sheer hyperbole, few subjects stretch disbelief further than cybercrime statistics. Nobody can actually measure it, but everybody knows it’s huge almost beyond imagining.
Take last week’s report, The Cost of Cybercrime, produced by Detica in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office. It estimates the cost to the UK economy at £27 billion a year, and growing.
The estimate was reported widely and largely uncritically by the Financial Times, The Times, The Guardian, Metro, The Independent and the Daily Mirror. “This is a bit like terrorism,” Baroness Neville-Jones, the Minister of State for Security, was quoted as saying. “The more you know, the more scary it looks.”
Detica is a consultancy owned by BAE Systems that lists cyber security among its areas of expertise, a fact that will surprise nobody familiar with cybercrime statistics. Almost without exception, such statistics are produced by companies that stand to gain by making the problem look big, and growing.
Take the anti-virus vendor McAfee, which in 2007 estimated the cost of cybercrime in the US at $105 billion. This figure wasn’t new: it had ricocheted around the internet for years. It wasn’t true, either.
Where did Detica’s £27 billion figure come from? Cybercrime is made up of many strands, from the banal – people with improbable names soliciting bank details in order to send you the odd million pounds they happen to have stumbled across – to the super-sophisticated disruption of Iran’s nuclear programme using a poisoned memory-stick.
But the two biggest figures in the Detica report (see bar chart, below) are those relating to the theft of intellectual property (IP) and industrial espionage in the UK: £9.2 billion on the first, £7.6 billion on the second. So let’s look at the source of these figures.

(Source: The Cost of Cybercrime, Detica/Cabinet Office)

For IP theft, the report admits there are no robust estimates for actual levels. It further admits that such thefts are not widely reported. So maybe there aren’t any? At the other extreme, it posits that every bit of IP that is worth stealing is in fact stolen, and then concludes that the truth lies somewhere between the two.
So how much is stolen? The report remarks: “The proportion of IP actually stolen cannot at present be measured with any degree of confidence”. So the assumption is made that the amounts stolen are proportional to their value to the thieves. It then produces estimates, industry by industry, of the amounts stolen rather like a magician producing rabbits out of a hat. No actual examples are cited. We are expected to believe that the theft of IP costs £9.2 billion a year without a single case of such theft being advanced. This is closer to guesswork than analysis.
What about the £7.6 billion on espionage? Here the methods are equally haphazard. “It is very hard to determine what proportion of industrial espionage is due to cybercrime,” the report acknowledges. So it calculates how much there is by measuring the rewards that might accrue to a cybercriminal if he (or she) were to gain access to, say, secret tendering information, or to the advance plans for mergers and acquisitions. But this amounts to measuring motive, not crime. Again no examples are given.
“Our assessments are necessarily based on assumptions and informed judgements rather than specific examples of cybercrime, or from data of a classified or commercially sensitive origin” the report says. The examples it does give are of cyber-terrorism (the Iran attack), malware, bank fraud, and denial-of-service attacks aimed at websites targeted by hackers – none, bar bank fraud, actually the subject of the report.
The report does not cost cyber-terrorism, internet grooming, cyber-bullying, pornography, counterfeit goods, or the losses to business from illegal file-sharing. For identity theft, it says that only one in 15 incidents is reported and the total cost is £1.7 billion a year, while online scams, it says, cost individuals £1.4 billion.
Owen Bowcott of The Guardian was the only reporter to raise an eyebrow. He reported: “The size of the cybercrime estimate has surprised some experts. The UK Payments Administration, the banks’ centralised clearing system, said that levels of online fraud and ‘card-not-present’ fraud had been falling due to improved security. The banks are expected to record smaller losses of around £50 million for online banking fraud and £230 million in card-not-present frauds this year.”
Professor Bernard Silverman, Chief Scientific Adviser to the Home Office, told a meeting at the Foundation for Science and Technology last year that better methods needed to be devised for measuring cybercrime, but to judge by this report little progress has so far been made. Detica warned that the real figure “could be higher” than its £27 billion a year. Or lower, I’d hazard.
Finally it is far from clear, even if cybercrime goes on at the levels assumed in the Detica report, that the overall losses to the economy or the consumer are as great as it claims: one company’s lost IP is another company’s enhanced products. True, it may be a company overseas. But we might be stealing theirs at the same time as they are stealing ours. The actual cost is, at present, unknowable.