A collaborative partnership…in 2013, CSIS (Center for Security and Internal Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years.
Spoiler alert: Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program…offered his best guess that ‘the upper limit (of the costs-losses attributed to cyber – economic espionage) might be somewhere under one percent of the U.S. GDP (gross domestic product)’.
- Lewis also states, and I paraphrase…‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.
$140 billion annually, 508,000 jobs…I have no specific – objective evidence to challenge these figures, and certainly do not question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena.
I am suggesting there may be some predictable factors…insofar as arriving at the $140 billion annual loss figure especially…
- one of which lies in determining which assets and/or adverse impacts to include, and
- the second is the methodology for determining their near term and long term value in terms of costs and losses companies will experience with respect to market space, competitive advantages, sustainability, etc.
Routinely, (intangible) asset loss – impact valuations attributed to cyber-economic espionage…irrespective of their accuracy or objectivity, produce…
- dollar values characterized in broad ranges on the plus – minus side.
Lewis claims, and I agree…describing value loss – impact estimates with such broad range estimates is reflective of multiple difficulties, among them being, as readers know, victim companies may…
- be reluctant to reveal, and therefore inclined to conceal their losses,
- not know precisely which-what assets were targeted, stolen, compromised, or misappropriated.
Intellectual property (and other forms of intangible assets) are challenging to value with consistency and objectivity…so, when values are presumably calculated and assigned to stolen, misappropriated, and/or otherwise compromised intangible assets, i.e., intellectual and structural capital particularly…
- those figures, in my judgment, may be somewhat subjective and/or embedded with a particular bias or even agenda that in turn may influence high or low valuations.
For example, it’s relatively common to see open source media and the abundance of ‘talking heads’ to…merely regurgitate (cherry picked) extraordinarily high dollar volume losses (impacts) to the U.S. economy, attributed to cyber – economic espionage, often ranging between $100 and $500+ billion annually that may suit their agenda, should there be one.
But, Lewis wisely, yet provocatively, casts such wide ranging estimates of losses attributed to…cyber – economic espionage in other contexts, starting with…
- World Bank reports which state global GDP stood at about $70 trillion for the year 2011.
- thus, a $400 billion loss representing the high end range of probable losses caused by cyber crime and cyber (economic) espionage is a fraction of a percent of that global GDP figure.
This, Lewis says, prompts additional questions, questions which I have variously examined since the early 1990s…for example…
- can the recipients and/or ultimate beneficiary (end user) of the targeted-acquired intangible assets expect to maximize their benefit and use?
- another question focuses on the damage to victim companies relative to the cumulative effect of cybercrime and cyber espionage, i.e., market space position, sector competitive advantages, reputation risk, etc.
Guesstimates…having thoroughly studied many, what I respectfully refer to as ‘guesstimated’ economic espionage and stolen/infringed intellectual property (IP) reports and studies…
- I genuinely believe Dr. Lewis’ findings to be as flawless, encompassing, and accurate as can be reasonably expected in the multi-faceted and ambiguous arena from which to acquire reliable and replicable data points.
- for example, quite interestingly, the CSIS – McAfee report translates these asset loss estimates as representing perhaps as many as 508,000 U.S. jobs.
Conventional surveys to assess – assign dollar value to losses…some IP and intangible asset theft – loss estimates rely on surveys, which Lewis quite correctly points out, generally provide imprecise values, unless the survey itself has been carefully constructed and managed.
Too, a common challenge, insofar as achieving credence to cyber-security-economic espionage survey findings…Dr. Lewis also points out, is that (survey) respondents are inclined to engage in self-selection…
- obviously, when this occurs, it introduces a potential source of distortion to the results.
- so, being mindful of these and other data collection challenges to this already sensitive topic for companies,
- Lewis suggests loss estimates be based on assumptions about scale and effect.
- changing those assumptions, Lewis argues, will likely deliver quite different results in terms of loss values.
CSIS – McAfee Assessment model…as a demonstration of Lewis’ intent to be as objective and encompassing as possible insofar as valuing losses attributed to cyber and economic espionage, CSIS secured the expertise of prominent economists, intellectual property experts, security researchers, and even incorporated, what could appear at first blush irrelevant analogies to bring clarity to the figures they were reporting, e.g., comparative statistics for car crashes, product piracy, pilferage, crime stats, and drug usage which collectively were integrated, for comparison purposes, to serve as frameworks to draw upon in devising their assessment (valuation) model. By incorporating these analogies in the design of their assessment model, Dr. Lewis, CSIS, and McAfee were essentially suggesting, should my interpretation be correct, it’s problematic to rely exclusively on conventional methodologies, particularly time honored surveys, to identify dollar values to losses attributed to cyber-economic espionage because…
- companies that (publicly) reveal losses attributed to cyber – economic espionage are frequently unable to distinguish, with the necessary precision, the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed.
- intellectual property – intangible asset losses are admittedly difficult to quantify with consensus, and when they are, the assessment – valuation is likely to reflect subjective guesstimates absent factoring numerous dependent variables which are invariably in play.
- the self-selection process associated with most conventional (time honored) survey methodologies frequently produces some distortion to the findings.
CSIS model includes six classifications of cyber – economic espionage…
Insofar as actually commencing this much needed project, CSIS classified malicious cyber – economic espionage activities into six areas, i.e., wherein there…
- was a loss of intellectual property.
- was an actual crime committed, i.e., a violation of federal law.
- was a loss of sensitive – proprietary business information.
- were opportunity costs involved, including business and/or service disruptions that adversely affected consumer/customer expectations and trust, particularly those related to the victim company’s online activities.
- would be additional costs incurred by the victim company relative to securing their IT networks and incorporating greater resilience measures to provide quicker and fuller recovery when future attacks occur.
- damages manifested – materialized as reputational risks to the victim company.
Each of the above should be examined through a lens of reverence…in that there is little question the inclusion of these and other factors, collectively help victim companies arrive at a more comprehensive and current appreciation for the losses, costs, and overall impacts caused by acts of cyber – economic espionage.
Economic (industrial) espionage is often euphemistically referred to as the world’s second oldest profession…behind, of course, prostitution. Readers do recognize that an as yet unknown percentage of malicious cyber activity evolves as economic espionage and is an obvious by-product of the continually evolving IT and Internet arenas.
But still, as both cyber and economic espionage are irreversibly embedded in global business cultures…there remains a percentage of policymakers, c-suites, and management teams who find it a challenging phenomenon to understand and recognize insofar as articulating, with strategic clarity, precisely what either are and their relevance to their company – business, notwithstanding risk prevention, mitigation, and management.
Strategies to address these increasingly critical concerns through the lens of…economic, competitive advantage, and business sustainability, any one of which, when they materialize, can produce substantial, if not utterly debilitating adverse effects to a company.
Respectfully, all emerges from…well grounded – objective research to aid business leadership to frame and execute near term and strategic decisions, actions, and responses that fit their business and its respective culture!
Components of malicious cyber activity…as conveyed in the CSIS – McAfee report, Lewis, quite appropriately asks…
- what should be counted insofar as arriving at better loss estimates attributed to cybercrime and cyber (economic) espionage?
Interestingly, in an effort to address this question, Lewis categorizes malicious cyber activity into the following components, i.e., the…
- loss of intangible assets, i.e., intellectual property and sensitive – proprietary business intangible assets, i.e., intellectual and structural capital primarily, and
- opportunity costs linked to service and employment disruptions, and reduced trust in online services and activities.
- additional costs to secure company supply chain networks and insurance.
- resilience to – recovering from cyber attacks, i.e., developing/executing business continuity and resilience procedures to fully encompass reputational risk materialization and damages.
What’s the harm…if Dr. Lewis is correct in assuming, through the analogies he describes in the Report, some of which appear…
tantamount to inferring there are “tolerated costs” within the realm of cyber crime and cyber espionage
which manifest as a ‘ceiling’ of sorts, for estimating losses.
Should the above be reasonably correct, and I believe it is, it further suggests that, at most, cybercrime and cyber espionage cost less than 1% of GDP…
- for the U.S. then, in the context of its GDP,
- Lewis’ best guess is that losses (caused by cyber crime and cyber espionage) may reach $100 billion annually.
To provide context for this estimate…Lewis points out that annual expenditures on research and development in the US are $400 billion annually, and $100 billion in stolen/misappropriated intellectual properties he offers, does not translate to…
- dollar for dollar gain to the recipients and/or ultimate beneficiaries, i.e., the economic, competitive advantage adversaries!
Michael D. Moberly, St. Louis, August 17, 2014. The ‘Business Intangible Asset Blog’ since May 2006, 650+ posts, ‘where intangible assets, business, and effective solutions converge’.