Trillion-Dollar Cybercrime Number Pulled Out of Thin Cyberspace

Monday, August 06, 2012
It is a big, scary number—$1,000,000,000,000 (one trillion dollars)—that politicians, including President Obama, military leaders and anti-virus software companies allege is the annual cost of cybercrime. And it is a number that is very likely wrong, yet the fact that it is such a large, frightening amount of money is the reason this bit of misinformation simply will not die. In fact, at present, Congress is considering legislation—the Cybersecurity Act of 2012—whose supporters have cited the number in support of its passage.
 
The trillion-dollar estimate originated in a 2009 press release from McAfee Inc., a leading maker of computer security software, that accompanied a company-sponsored report on cybercrime by academics at Purdue University: “Unsecured Economies: Protecting Vital Information.” The report surveyed more than 1,000 senior IT decision makers at companies around the world and found that cybercrime had cost them an average of $4.6 million worth of intellectual property in 2008, but the report did not include the trillion-dollar number. Instead, a group of technology, marketing, and sales officials at McAfee took the numbers from the report and extrapolated them to reach that amount, a practice sharply criticized by several of the contributors to the report.
 
Professor Eugene Spafford, a key contributor to the report, said: “I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large.” Augusto Paes de Barros, a Brazilian security consultant, blogged a week after the press release that, “I could not find any data in that report that could lead into that number. … I’d like to see how they found this number.” Another contributor to the report, Ross Anderson, professor of security engineering at the University of Cambridge, complained that he was unaware of the $1 trillion estimate before it was announced: “I would have objected at the time had I known about it,” he says. “The intellectual quality of this [$1 trillion number] is below abysmal.”
 
McAfee is not alone in creatively estimating the value of cybercrime, as rivals Symantec and Norton have published similar reports. As companies whose bottom lines depend on increasing sales of their security software, they clearly have a vested interest in stoking fears of cybercrime. Despite the objections of the report writers, McAfee has continued to tout the trillion-dollar estimate, as recently as 2011.
 
Although the companies deny that self-interest plays a role in their efforts, a paper by Microsoft computer scientists Dinei Florêncio and Cormac Herley sharply criticized these sorts of reports. “Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings,” they wrote. “We are not alone in this judgment. Most research teams who have looked at the survey data on cyber-crime have reached similarly negative conclusions.”
 
As Julie Ryan, professor of engineering management and systems engineering at George Washington University and co-author of “The Use, Misuse, and Abuse of Statistics in Information Security Research,” put it, “From what I’ve seen of the big commercial surveys, they all suffer from major weaknesses, which means the data is worthless, scientifically worthless. But it’s very valuable from a marketing perspective.”
 
While no one doubts that cybercrime is a big problem that costs a lot of money, the lack of reliable data is more than unsettling, especially since Congress seems intent on passing legislation based on “facts” that are not true.
- Matt Bewig
 
Does Cybercrime Really Cost $1 Trillion? (by Peter Maass and Megha Rajagopalan, Pro Publica)
The Cybercrime Wave That Wasn’t (by Dinei Florêncio and Cormac Herley, New York Times op-ed)
Sex, Lies and Cybercrime Surveys (by Dinei Florêncio and Cormac Herley, Microsoft Research) (pdf)
 

  
