Dr. James Lewis…Director and Senior Fellow, Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), very appropriately states, along with other jewels of wisdom, in his July, 2013 report titled, ‘The Economic Impact of Cyber Crime and Cyber Espionage’… https://www.csis.org/analysis/economic-impact-cybercrime-and-cyber-espionage
- there is ‘a wide range of estimates of annual losses, from a few billion dollars to hundreds of billions’.
Lewis’ statement, standing alone, is not particularly noteworthy… but, the distinctive way Lewis reframes the wide range of perspectives on this matter, first, by identifying the various alternative lens in which the impact of economic and cyber espionage can be viewed, ala comparisons and analogies, is significant.
The range of estimates and guesstimates, Lewis argues…reflects several under-reported and misunderstood realities, i.e., victimized companies may…
- be inclined to conceal their losses, i.e., they deem it not to be in their interest, reputationally embarrassing, to ‘go public’…
- not be immediately operational familiar with what – the precise proprietary intangibles assets have actually been comprised, misappropriated, or infringed, etc.
Granted, intellectual property (and other forms of proprietary intangible assets), for some…present challenges insofar as objectively calculating – assigning a ‘dollar value’ to a loss. In my judgment, such valuations, perhaps first and foremost…
- convey an absence of operational familiarity with business intangible assets, and
- the economic fact that 80+% of most company’s value, sources of revenue, and competitiveness, today, lie in – emerge directly from intangible assets, and
- frequently resemble concoctions of subjective guesstimates, which perhaps are aligned with particular (pre-conceived) agendas that translate as broad ranges of lost (asset) value.
Some IP and proprietary intangible asset loss estimates for companies (attributed to) cyber – economic espionage…appear to emulate previous surveys and research findings, which Lewis, again, suggests…
- generally provide imprecise loss valuations, that is, unless the survey itself has been carefully constructed, managed, and absent a product – service marketing agenda.
Dr. Lewis also point out, and I agree…a common challenge, insofar achieving due credence to cyber-economic espionage survey findings, is that (survey) respondents may be inclined to…
- ‘self-select’ the assets which are alleged to have been compromised, misappropriated, and/or infringed.
Obviously, when ‘self selection is introduced to calculating asset losses…it manifests as a probable source of distortion to the calculations. So, being mindful of these and other data collection – calculation challenges (biases) to this already very sensitive topic for companies, is not wholly uncommon, Lewis suggests. In other words, loss calculations should not be based on assumptions about scale and effect! Changing these assumptions, we all argue, will deliver quite different results in terms of loss valuations.
Components of malicious cyber activity…
In CSIS’ ‘The Economic Impact of Cyber Crime and Cyber Espionage’ report…Lewis starts by asking readers, as posed in this blog on numerous occasions…
- what assets should be included in the loss calculation, and how should they be counted insofar as arriving at more accurate and defensible loss estimates caused by cybercrime and cyber economic espionage?
Interestingly, Lewis categorizes malicious cyber – economic espionage activity into five components, i.e., the…
- loss of proprietary, revenue generating, and competitive advantage proprietary intangible assets and intellectual properties.
- loss of particularly ‘sensitive’ business information, and
- opportunity costs linked to – associated with…
- service and employment disruptions, and
- reduced trust in online services and activities.
- requiring additional outlays, necessary to secure company and supply chain networks and recover from cyber attacks, i.e., developing/executing business continuity and resilience procedures, and
- reputational risk insurance due to the materialization and damage to victimized companies.
Collectively, these components, Lewis claims, and I agree again…the cost of cybercrime and cyber espionage to the U.S. and global economies can correctly characterized in the hundreds of billions of dollars annually.
But, Lewis wisely and provocatively, casts such wide ranging estimates – guesstimates in other contexts…starting with a report published by the World Bank which characterizes losses attributed to cyber-economic espionage in global GDP contexts, i.e., about $70 trillion for the calendar year 2011. Thus, a $400 billion loss representing the high end range of probable losses caused by cyber crime and cyber espionage is a fraction of a percent of that global GDP figure.
Loss calculations cast in GDP contexts, Lewis believes, prompts additional questions...e.g.
- an initial question is, can the recipients and/or ultimate beneficiary (end user) of the misappropriated proprietary intangible assets and IP expect to fully maximize the benefits?
- a second question focuses on the damage to victim companies relative to the cumulative effect of cybercrime and cyber espionage, i.e., market space position, sector competitive advantages, reputation risk, etc.
So, what’s the harm…if Lewis’ perspectives, which he conveys in the CSIS Report, are correct, and my experiences suggest they indeed are, some are tantamount to…
- inferring there are ‘tolerated costs’ for some companies, relative to cyber and economic espionage,
- which essentially manifest as ‘ceilings’ for (calculating) estimating losses.
Collectively, this suggests that, at most…cyber – economic espionage losses-costs to U.S. companies, are less than 1% of U.S. annual GDP (gross domestic product). Thus, in the context of U.S.’s GDP, Lewis’ best guess is that losses (caused by cyber – economic espionage) may reach $100 billion annually.
To provide further context for this estimate…Lewis points out that annual expenditures on private sector, government, and university R&D in the US stands in the range of $400 billion annually…
- thus, the value of misappropriated, infringed, or otherwise compromised proprietary intangible assets and intellectual properties does not translate to dollar for dollar gains to the recipients and/or end users, i.e., the economic, competitive advantage adversaries.
Michael D. Moberly [email protected] St. Louis August 8, 2014 the ‘Business Intangible Asset Blog’ since May 2006, 650+ posts, ‘where intangible assets, business, and effective solutions converge’.
I invite you to explore other relevant blog posts, videos, books, and position papers at https://kpstrat.com/blog
As always, readers comments are welcome.