McAfee voices regret over $1trn cybercrime claims
CTO says he wishes the vendor never put a dollar figure on global losses sustained from cybercrime
McAfee's chief technology officer has expressed regret at the security vendor's widely discredited move to put a value of $1trn on annual losses caused by global cybercrime.
The Intel-owned security vendor first cited the $1trn figure in a press release accompanying its 2009 report entitled Unsecured Economies: Protecting Vital Information (the report itself did not refer to it). Although widely panned by academics and the media, the figure – often mentioned in conjunction with it outstripping global losses from drug trafficking – has since been bandied about by prominent politicians and bureaucrats, including most notably President Obama.
Last month, that figure was slashed by two-thirds in McAfee-backed research conducted by the Center for Strategic and International Studies (CSIS). The report stated that losses from cybercrime were probably "in the range" of $300m, amounting to four tenths of one per cent of global GDP and half the $600bn figure pinned on global losses sustained from drug trafficking.
But talking to The Australian Financial Review, McAfee chief technology officer Mike Fey said he regretted McAfee's attempts to quantify the market, admitting that even recent, more cautious, estimates were "hard for me to swallow".
"I wish we had never put a dollar figure on it," Fey was quoted as saying. "[It is] very scary to just latch onto the number."
"People take that half-a-trillion number, and say 'that's what it's worth'. What they forget is organisations are spending a very large amount of money to [deter] attacks today – so there's an additive number that has to go on top of that. It would be like saying car crashes kill three people a year in this particular city, so how much should we invest in stop lights. It's flawed."
Fey said it was tough to put a dollar figure on cybercrime losses. Cumulative losses would ignore data breaches that firms failed to disclose to the public, for instance. Companies that do try to quantify what a data breach could cost them may not own up for fear of having to pay out to those affected, he added.
The CSIS noted that estimates for annual losses from cybercrime range from a few billion to hundreds of billions of dollars, which it said reflects difficulties in measuring the market.
"Companies conceal their losses and some are not aware of what has been taken. Intellectual property is hard to value," it said. "Some estimates relied on surveys, which provide very imprecise results unless carefully constructed. One common problem with cybersecurity surveys is those who answer the questions 'self-select', introducing a possible source of distortion into the results.
"Given the data collection problems, loss estimates are based on assumptions about scale and effect – change the assumption and you get very different results. These problems leave many estimates open to question."