Probably not £27 billion a year. That, however, is the claim of the Cabinet Office & Detica in a recent report evaluating the cost of cyber crime in the UK. That would be more than the cost of drugs, estimated in 2004 at £15.4 billion a year in the UK. So what are the real costs?
Before repeating the £27bn claim, note that it is an estimate of the cost of cyber crime. It does not provide a breakdown of known cyber crimes, which would be far more informative.
Law-enforcement authorities can assess the actual cost of cyber crime. Cyber criminals violate laws, and the police keep records of the cases they deal with. In Germany, for instance, the police reported that the actual cost of cyber crime was €61.5 million in 2010. The UK, unfortunately, does not publish such fine-grained statistics.
Cyber crime can be split into two categories: the crimes facilitated by the modern use of information technologies, and the crimes targeting information technology. The UK estimate includes intellectual property theft and fiscal fraud, and falls therefore squarely within the first category. But child pornography and cyber stalking are strangely left out. An approach that estimates the cost of cyber crime in its wider interpretation should therefore include the socio-economic cost of online child pornography and cyber stalking in order to be coherent. Such an estimate is as difficult to make as extrapolating the cost of intellectual property theft and espionage.
The evaluation of the costs of intellectual property theft and espionage is largely based on two factors: first the investment in R&D by sector, and secondly that sector’s turnover. Even if a criminal got his hands on a company’s most recent and most valuable proprietary information, that doesn’t mean that the company in question would lose its entire R&D investment. The thief needs to be able to re-sell the material first, and even in the case of a competitor implementing the stolen R&D, the company would still have some return on investment. But admittedly the actual loss is hard to pin down.
A first question that can be answered is how many cases have been processed by law enforcement agencies that relate to the wider interpretation of cyber crime. The statistics of crime are available from the Criminal Justice Statistics in England and Wales. It is then possible to link each cyber crime category of the Cabinet Office & Detica report with a specific breach of law.
If you're interested in more detail ...
We cannot know how many of these cases really involved the use of a computer, or how much the court assessed the damage to be in each case. But law enforcement agencies can. In any case, it is interesting to note that blackmailing trumps intellectual property theft, or that customer data loss is almost irrelevant (2 cases).
Needless to say: having a better taxonomy for data gathering by law enforcement agencies would be desirable. From a legal standpoint, ‘espionage’ may be merged with ‘intellectual property theft’, and ‘online theft from businesses’ with ‘online fraud’.
Bearing in mind that cyber crime in its wider interpretation is incomplete and only extrapolations of figures can be provided, how much of the cost of cyber crime in its narrow interpretation can then be assessed?
Let’s focus for a moment on online fraud (and identity theft and online theft from businesses), scareware and customer data loss. According to Financial Fraud UK, and summing up online banking fraud (£46.6 million), phone banking fraud (£12.7 million) and e-commerce fraud (£135.1 million), this makes a total of £194.4 million. Scareware is a fake program that tricks the user into believing he has been infected by a virus and consequently needs to buy a (fake) anti-virus solution. No legal complaints have concerned it and no other figures are available apart from those in the Cabinet Office & Detica report. The figure of £30 million damage is to be contrasted with the worldwide market of scareware, estimated at £114 million. The UK would therefore represent 26% of this market for an online population representing less than 2% of the global online population. Why the discrepancy?
And regarding consumer data loss: all 3 legal cases in 2010 where the Computer Misuse Act 1990 was invoked concerned a breach of confidentiality, and no data were deleted. Thus the cost of consumer data loss reported to the police would be zero.
Finally, the report raises the issue of two other gaps that need to be explained. The first is straightforward: the Police e-Crime Unit’s annual budget is said to be £2.3 million (footnote 39). That seems to contradict the statement by Charlie McMurdie, the head of that unit, during the RUSI Cyber Security Conference 2011, that the budget was £504 million over four years. Where’s the mistake?
The other gap concerns policy itself: if £27 billion is an accurate figure, none of these budgets would be adequate to deal with the threat. But if the magnitude of the damage is comparable to what’s happening in Germany — in the ballpark of £200 million — the Police e-Crime Unit’s budget, whatever the figure, suddenly seems a lot more appropriate.
So — if the £27 billion figure is right, then the government should perhaps put their money where their mouth is. But if our back-of-the-envelope calculations are onto something, then they had better put their mouth where their money is.
The author is an MPhil/PhD student in the Department of War Studies at King’s College London.