In 2012, a group of cybersecurity researchers and social scientists studied the impact of cybercrime and its cost to society, concluding that the money spent anticipating an attack is less effective than money spent responding to an attack.
This week, many of the same researchers released an updated paper at the Workshop on the Economics of Information Security (WEIS) conference, in Cambridge, Mass., that looks at direct and indirect damages due to cybercrime, as well as the cost to defend against the crimes. Their conclusion? While people and technology are more interconnected and different platforms have become dominant, the overall impact of cybercrime remains relatively the same.
"One of the lessons of the paper is that, although there's been huge changes — new platforms, some crime types replacing others, etc. — the overall picture is little changed," says Richard Clayton, a co-author of the paper, director of the Cambridge Cybercrime Centre, and a security researcher at the Computer Laboratory at the University of Cambridge. "That's because fixes are not technical but have to do with incentives, economics, criminal justice, sociology, [and] criminology."
The latest research attempting to quantify the costs of cybercrime comes as estimates for the market for cybersecurity products and services continue to grow. Largely unsupported estimates of cumulative annual growth vary from 9% to 18%, and estimates vary from $119 billion in 2019 to more than $300 billion in 2024.
Similarly, the cost of cybercrime has been the subject of much speculation. One firm estimates costs of about $1 trillion annually in 2019, while another estimates a supersized $6 trillion in yearly damages by 2021.
The paper presented at WEIS aims to inject some sanity into all of these estimates, representing the most complete look at the state of cybercrime without relying on data collected by companies that are trying to sell security products, says security expert Bruce Schneier, a lecturer at Harvard University's Kennedy School of Government.
"It is the best data that we have that isn't being driven by some corporate agenda," he says. "To me, that is the key for why this is important. They don't have a dog in the fight. They are just trying to figure it out."
For the most part, the paper underscores the unreliability of current data. Among the best data is that on payment fraud, which has doubled in total volume since 2012 but has decreased as a percentage of the total amount of payments.
The paper finds that only a dozen or so crimes — such as online credit-card fraud, cryptocrime, ad fraud, and telecom fraud — actually result in more than $1 billion in damages. However, new ways of doing business using connected devices have resulted in new pathways for fraud; the world has changed since the original paper, the authors stressed.
"New apps, such as ride hailing, and new technologies, such as cryptocurrencies, create new targets, while old targets, such as medical records, have migrated to cloud services," they wrote. "So larger quantities of personal information are kept online and are open to a variety of attacks."
This leaves the authors with little advice for the average user or small or midsize enterprise (SME), Clayton says.
"It might make sense to replace your Windows machines with Chromebooks because that allows you to eliminate some attack types," he says. "But, generally, the step change in response is needed by law enforcement, not SMEs."
The actual economic problem is that paying for defenses for every person is extremely inefficient. The cost of securing their systems outpaces the damages caused by cybercriminals. Instead, nations should focus on empowering law enforcement to pursue and punish cybercriminals, the authors argued.
"The core problem is that many cybercriminals operate with near-complete impunity," the paper states. "We will not get a real handle on cybercrime until we put an end to impunity."
Yet that remains difficult, Schneier says.
"That is easy to say and hard to do anything about because it is so international," he says. "A lot of the impunity comes from the difficulty of reaching into some country in, say, sub-Saharan Africa and exacting penalties."
In addition, attempts by the United States to hold actors from larger countries accountable have typically failed. In 2018, as part of the Mueller investigation, the US government issued arrest warrants for 12 Russian nationals who allegedly took part in that country's interference in the US elections. To reduce the cost of cybercrime, such actions need to become more common and effective, the paper stated.