Can cyber security investment get the UK out of recession?

Contributor:  Calum Jeffray
Posted:  07/05/2012  12:00:00 AM EDT
Tags:   cyber

Is it possible to accurately measure the cost that the UK is paying as a result of hacking, data theft, corporate espionage, and other cyber offences? Defence IQ’s Calum Jeffray explores this question in the wake of a report published by the University of Cambridge looking at the cost of cyber crime to the UK economy.

During an industry conference last month, Neira Jones, Head of Payment Security at Barclaycard, posed the question, “Can cyber security contribute to getting the UK out of this recession?”

Jones argued that if we didn’t spend the amount that we currently do on recovering losses from data breaches and other cyber crime, the saving would be so huge that our economy would no longer be in recession. Although you may dispute her logic, it raises the question: is it possible to accurately measure the cost that the UK is paying as a result of hacking, data theft, corporate espionage, and other offences that come under the umbrella of ‘cyber crime’?

The problem comes down to which set of statistics you believe.

In February 2011 Detica, a division of BAE Systems, made the headlines when it claimed that cyber crime cost the UK economy a remarkable £27 billion every year. It estimated the cost of IP theft at just over £9 billion and espionage at over £7 billion a year. Having been commissioned by the UK Cabinet Office, the report has since benefited from the “according to government statistics” tagline and is widely quoted in the media.

While the methodology used in the report was questioned by those within the cyber security field, and widely criticised for an apparent “talking-up” of the cyber crime issue and exaggeration of certain data, it did bring into focus what many had long suspected: that in the face of growing investment in cyber defence, increasingly complex cyber crimes were on the rise and supplying criminal networks with ever-larger dividends.

At the time, barely anyone had heard of Anonymous, Sony’s systems were considered impenetrable, and Duqu could have been mistaken for a character from Star Wars. With wave after wave of high-profile security breaches it’s no surprise that 2011 subsequently became known as ‘the year of the hack’.

Fast forward to today, and things don’t seem to have improved much. As Jones stated during her presentation: “Cyber breaches are now a statistical certainty. It is no longer a question of if you are hacked, but when”. The first six months of 2012 have seen 35% more data breaches than in the same period in 2011. There has also been a 10% rise in identity theft since 2010.

On the international scale, high-profile (and suspected to be state-sponsored) cyber attacks on government, military, and industry systems have become a mundane occurrence. Out of all the threats to our national security, cyber is now seen as one of the biggest attack vectors by the UK government.

With cyber attacks on the rise, the cost to the economy inevitably rises too.

Yet the main culprit of the rise in data breaches is poor knowledge of the simple technical solutions that are available. IT experts continue to allege that the vast majority of data breaches could have been prevented by keeping anti-virus software up-to-date, not inadvertently giving away personal data, and not using ‘password’ as a password. More investment is needed to put in place policies that will educate the population, while making sure that cyber defences keep up with the ever more complex malware devised by cyber criminals.

And yet a report led by Cambridge University published last month claims differently.

The conclusion of ‘Measuring the cost of cybercrime’, this time commissioned by the UK MoD and produced by an international panel of computer scientists, is that the cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself. It argues society should spend less on anti-virus software and more on policing the internet and tracking down the “small number of gangs” that it claims are often behind the majority of cyber crimes.

Lead author Ross Anderson, Professor of Security Engineering at the University of Cambridge’s Computer Laboratory, explains:

“Some police forces believe the problem is too large to tackle. In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software. Cybercrooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime.”

The report finds that each year the UK spends $1 billion on efforts to protect against or clean up after a threat, including $170 million on anti-virus. By contrast, just $15 million is spent on law enforcement.

However, the report purposefully avoids calculating a total cost of cyber crime to the UK economy, citing the international nature of the offence (making it difficult to count the cost to the UK economy alone), fluid definitions of ‘cyber crime’, and the number of different factors that could potentially influence this figure.

Instead it points to the idea that the “cost” of cyber security could be more complex than first thought, distinguishing between the “direct”, “indirect” and “defence” costs of different areas of cyber crime. Dr Richard Clayton, expert in the econometrics of cybercrime in Cambridge’s Computer Laboratory, explains the reasoning behind these distinctions:

“Take credit card fraud. Direct loss is clearly the monetary loss suffered by the victim. However, the victim might then lose trust in online banking and make fewer electronic transactions, pushing up the indirect costs for the bank because it now needs to maintain cheque clearing facilities, and this cost is passed on to society. Meanwhile, defence costs are incurred through recuperation efforts and the increased security services purchased by the victim. The cost to society is the sum of all of these.”

If the report is to be believed and a relatively small number of perpetrators are indeed responsible for the majority of cyber attacks, then investing in further policing would be a cost-effective way of reducing all these costs, even if it doesn’t get the whole of the UK economy out of recession.
