At a recent session presented by the American Enterprise Institute, NSA Director and Commander of the US Cyber Command General Keith Alexander called cybercrime “the greatest transfer of wealth in history.”
Is this true?
Numbers relating to cybercrime — and to cybersecurity in particular — are notoriously suspect. My experiences as a cybersecurity professional have brought me into contact with numbers relating to the value of economic cybercrime that vary as much as almost an order of magnitude. Numbers relating to the value of intellectual property may be even harder to pin down; General Alexander notes that “Symantec placed the cost of IP theft to the United States companies around $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally under remediation.”
Whether we accept these numbers to be accurate or not, they’re probably directionally useful, and they may even understate the problem.
- Geopolitics. First, the theft of intellectual property is more than a crime. Thinking about a 2011 report of the U.S. National Counterintelligence Executive, we realize that the theft of intellectual property from U.S. firms conforms to the policies, doctrine, plans, operational concepts and capabilities of foreign state actors, or, in other words, the governments of other countries. This theft represents their belief that taking this intellectual property shifts the geostrategic balance of power toward those who possess it, and away from those who lose it. These countries are attempting to shift the global balance in their favor, and they see the economic, scientific and technological content of the intellectual property they steal to be at least as valuable as traditional measures of military power. Indeed, it may become more valuable and more important in the future.
- Existential Threats. Second, the companies that lose their vital intellectual property, developed sometimes at great expense and representing irreplaceable investments in R&D, may lose everything. They may lose time-to-market, market share, reputation and even their own market relevance, particularly if their intellectual property is exploited by a foreign competitor equipped with the backing of a foreign government and possibly unbound by the need to protect a product’s reputation for quality. Such theft of intellectual property can force a company out of business. With enough theft of intellectual property, an entire economic or industrial sector can be savaged and possibly destroyed. It’s more than a crime; it can be an existential threat to a company or to an industry.
- Critical Infrastructures. Finally, the threat to our cybersecurity extends to our critical infrastructures, regulated by the government to reflect the public’s interest, but owned and operated primarily by the private sector. Again, our nation’s security — and our geo-strategic interests — are affected by what happens in cyberspace where both the public and private sector operate.
This view may be alarmist to some extent, and it’s generally useful to take the long view in analyzing historical trends. General Alexander is correct, however, in pointing out that speed in cyberspace makes for a difficult long-term analysis of events. Our adversaries are not awaiting the passage of legislation to develop their policies, elaborate their doctrine, refine their tradecraft and build the capabilities they need to meet their objectives. While we need to build strategies that are well considered, there is frequently a need to act quickly to deter threats. When it comes to today’s cybersecurity challenges, we may not have the luxury of time we often afford ourselves.