Calculating the Costs of Cyber Crime
On Monday, Security Fix looked at figures published by the Justice Department suggesting that the FBI had between 3 and 6 percent of its field agents dedicated to fighting cyber crime. On the surface, that number may seem low for an area the FBI rates as its No. 3 priority, behind only counter-terrorism and counter-espionage activities.
Is that ratio appropriate? The only real way to know is to try to figure out how costly the cyber crime problem is in the first place. After all, how can we judge the proper level of resources to throw at a problem if we don't have a good idea of just how bad cyber crime is?
The problem, it seems, is that nobody really has any clue about how much cyber crime is costing U.S. businesses and consumers each year. The best guesses so far have been just that, and have ranged all over the map. Valerie McNevin, a former Bush administration official, once famously stated that the cyber crime problem had ballooned to a $105 billion a year problem. McNevin's comments were recently echoed by an executive at anti-virus maker McAfee, but most of the security experts I've seen asked about this statement have dismissed it, saying that estimate is far too high.
So what does the government say? If we want to know how much cyber crime costs U.S. businesses annually, we can consult an FBI survey released in 2006, which estimated that companies collectively spend about $67 billion dealing with viruses, spyware, data theft and other computer-related crimes. That study dealt with responses from 2005, so the same analysis conducted today would almost certainly produce a higher figure.
But what of the cost to consumers? The Federal Trade Commission says identity theft is a crime that affects 10 million U.S. consumers each year, at a cost of about $50 billion. (A more inclusive and accurate term for this type of crime is "identity fraud," which encompasses not only new and existing account fraud but also credit and debit card fraud, phishing, and theft of data from computer intrusions.)
So how much of that $50 billion is related to cyber crime? That also is not a simple question to answer. But in an interview I had last week with Shawn Henry, assistant director of the FBI's Cyber Division, Henry said he believes that "the majority of identity theft now results from computer intrusions," noting the "sheer volume" of consumer data being stolen by invasive computer programs, such as keystroke loggers.
If we assume for the moment that Henry's statement is reasonably accurate, that means that at least $26 billion in consumer identity fraud is the result of cyber crime. All of a sudden, McNevin's $105 billion cyber crime estimate doesn't seem so far off the mark.
But wait a minute. Aren't there any statistics about fraud that America's banks themselves have to report to the government? Yes, and no.
All financial institutions have to file "suspicious activity reports" -- or SARs -- that cover stock transactions, money deposits, withdrawals and transfers that bank officials and security regulators suspect may be related to fraud or money laundering activities. The banks and brokerages file these reports with regulators by the truckload every year, and there are literally mountains of these reports at the Financial Crimes Enforcement Network's (FinCEN) Web site for anyone who wants to pore over them.
The biggest shortcoming of the SARs process is that at the end of the day the filings don't say how much money is involved. Even when these individual reports are described in the aggregate, there are no monetary figures attached. What's more, there appear to be a great number of inconsistencies in the way banks classify and report the same suspicious transactions.
Chris Hoofnagle, senior fellow with the Berkeley Center for Law and Technology, believes that the United States could get a better handle on cyber crime and identity fraud if banks were required to disclose more fraud data, such as the volume of money involved in the crimes (including fraudulent transactions where the consumer/business was ultimately made whole or where anti-fraud measures foiled the attempted theft of funds).
In an article written for the forthcoming Fall issue of the Harvard Journal of Law & Technology, Hoofnagle says such a requirement would not only give Congress and the public a better sense of the resources needed to combat this type of crime, but also could create a secondary market where banks compete on ways to better protect consumers.
"Currently we don't know the scope of the problem," Hoofnagle writes. "We do know that it is a big problem and that the losses are estimated in the tens of billions. Without reporting, we cannot tell whether the market is addressing the problem. Reporting will elucidate the scope of the problem and its trends, and as explained below, create a real market for identity theft prevention."
Hoofnagle also takes aim at the claim that consumers don't bear the costs of identity theft, which conventional wisdom says is usually assumed mostly by lending institutions and merchants. "Consumers ultimately pay for the crime through lost time, inconvenience, higher financial services fees, and sometimes through out-of-pocket costs. There is another, largely unknown way in which we all pay for identity theft that causes the market not to correct the problem: lending institutions write their losses off against corporate income taxes."
Chuck Wade, a financial industry security expert and co-founder of Interisle Consulting Group, which consults for some of the world's largest financial institutions, said a lack of oversight, transparency and fraud reporting -- particularly in the securities industry -- is precisely the type of environment that led to the current sub-prime mortgage fiasco.
"The question is when does (fraud) become big enough to affect the financial status of the banking industry?" Wade said. "In the case of mortgage-backed securities, obviously things changed in the marketplace such that exposures previously hidden became visible. Identity fraud and cyber crime may or may not be the same kind of thing: right now, it's there and it's managed, and doesn't appear to be a huge problem, but it could very easily become a big problem."
As the current sub-prime meltdown shows, a crisis of confidence in one sector of the financial industry can have huge ripple effects on all other areas of the market. This is in large part, Wade said, because the bank stocks themselves are a proxy for the success of the credit card industry and the measure of consumer debt. Back in the 1960s, he said, the financial industry represented about 5 percent of U.S. gross domestic product. Today, the industry's share of GDP is closer to 30 percent.
"When it comes to [disclosing fraud rates], the financial industry would say these disclosures don't affect our standing because of course we'll take care of our customers: If we find a customer who's been defrauded, we'll make them whole," Wade said. "The flip side of that is that the purloining of financial data has become a major industry in its own right, and so we now have this growing level of exposure that really wasn't there before. And before the recent [debt] market meltdown, nobody really understood how the market was being impacted by mortgage-backed securities. In the same way, nobody really knows now how much financial institutions are impacted by this new type of fraud that steals information at a wholesale level."
September 27, 2007; 11:25 AM ET