eWhite House Watch - Full Article

Synopsis of the CEA Report: The Cost of Malicious Cyber Activity to the U.S. Economy

By: Frank X. Wukovits

March 21st, 2018



This past month, the Council of Economic Advisers (CEA) released a reportThe Cost of Malicious Cyber Activity to the U.S. Economy. The report identifies and articulates the impact recent cybercriminal behavior has had on the United States economy and identifies several issues impeding sufficient cybersecurity measures. The report details distinct forms of malicious cyber activity and highlights the sectors of the economy that are most vulnerable to such activity. However, the CEA notes that the vernacular used to describe cybersecurity concepts and issues in the report are not uniform and may differ from other reports published in the cybersecurity community. In general, malicious cyber activities involve cybersecurity incidents, which are described as explicit or implied security policy violations. Private and public entities experience various forms of cybersecurity incidents, which essentially intend to compromise an entity’s confidentiality, integrity, and/or availability (CIA).


Specifically, the report finds that cybersecurity incidents are both increasing and evolving, with an estimation that malicious cyber activity cost the United States economy between approximately $57 billion and $109 billion in 2016. The extent of losses is not always quite clear due to the delayed damages that arise after incidents, such as identity theft or credit card fraud occurring sometime after the initial databreach. To make matters worse, the harm incurred as the result of malicious of cyber activity may become contagious; once the initial target falls victim to malicious cyber activity, economically linked entities are now vulnerable to exposure and similar malicious activity.



As an example, the report cites a supply chain attack on Home Depot that took place in 2014. A supply chain attack occurs when sophisticated hackers target small and medium-sized companies acting as third-parties, usually vendors, dealing in business with larger corporations, such as Home Depot. In this instance, the entities gained access to Home Depot’s payment records through the use of a third-party vendor’s login credentials. Thereafter, the entities were able to infect the network with malware and access the corporation’s point-of-sale devices. The databreach occurred between April and September 2014. In total, 56 million credit cards and 53 million email addresses were accessed and compromised. Since the databreach, Home Depot has lost approximately $300 million as the result of the data breach.



The report identifies and distinguishes two distinct forms of successful attempts of security policy violations: cyberattacks and data breaches. Specifically, cyberattacks intend to impair networks or manipulate data; data breaches involve unauthorized access and disclosure of confidential information to an entity that would not otherwise have access to the information.  The report identifies several groups that benefit from compromising both private and public CIA. These groups include nation-states, corporate competitors, company insiders, hacktivists, opportunists, and organized criminal groups.



Nation-states, with main actors such as Russia, China, and North Korea, engage in sophisticated, targeted attacks motivated by political, economic, and military goals. These nation-states carry out cyberattacks and typically target personal identifiable information (PII) in order to spy on individuals from other nation-states. PII includes but is not limited to names, addresses, social security numbers, private conversations, credit card information, and health information. The report finds that nation-states also target critical infrastructure corporations and organizations in order to steal intellectual property, trade secrets, and customer information to serve as a means of political retaliation.



The report cites a particular databreach in 2014 as an example in which a nation-state, North Korea, targeted an entertainment corporation, Sony Pictures Entertainment (SPE). SPE suffered approximately $41 million as the result of a databreach, which included “over 100 terabytes of confidential information, including employees’ social security numbers and health records, private emails, and unreleased films.” Damages were attributed to costs related to investigations and remediation. The FBI confirmed that the North Korean regime committed the breach, which later claimed that its attack was intended to “stop immediately showing the movie of terrorism which can break the regional peace and cause the War.”



Corporate competitors engage in malicious cyber activity in order to gain access to rivals’ proprietary intellectual property, such as financial, strategic, and workforce-related information.  Likewise, company insiders have also been identified as one of the largest group of individuals responsible for targeting corporations. For example, former employees are common culprits when corporations are targeted for malicious cyber activity intending theft of PII, appropriation of IP, or financial gain.



The report cites a case where a German-based company, SolarWorld AG, and its United States subsidiaries as the targets and victims of intellectual property theft by Chinese nationals. In 2014, federal prosecutors charged Chinese nationals with espionage, trade secret theft, and computer fraud for breaching the United States subsidiaries’ networks during 13 cybersecurity incidents over the course of 8 years. In short, Chinese competitors were able to gain access to the companies’ information, including manufacturing, production, financial, and even legal strategies. As a direct result, SolarWorld AG lost 35% of its market value on the German DAX. By May 2017, SolarWorld AG filed for insolvency, and its United States subsidiaries were then placed for sale in order to cover SolarWorld’s AG’s debt obligations.



Similarly, organized criminal groups are motivated by financial gain. For instance, the organized crime members appropriate PII during databreaches and then sell the stolen PII on the dark web for profit. Likewise, these groups have also targeted both private and public entities’ during cyberattacks involving the use of ransomware. In contrast to these groups, hacktivists and opportunists are motivated by other values and goals when they engage in malicious cyber activity. Hacktitvists, motivated by ideological values and political agendas, target high-profile targets, corporations, and organizations. Unlike hacktivists, opportunists are typically “amateur hackers” motivated by the “desire for notoriety” and target organizations with common and easily identifiable cybersecurity flaws.



The report notes that when these groups carryout malicious cybersecurity activities, the extent of the immediate observable costs vary. Based on statistics involving 254 companies documented in 2017, the note provides the following estimates as the immediately observable costs suffered during a cybersecurity incidents:

Information Loss – 43%

Business Disruption – 33%

Revenue Losses – 21%

Equipment Damages – 3%



However, the report emphasizes that these are not the total costs or effects suffered during a cybersecurity incident. For example, a firm that suffers a data breach involving the appropriation of PII can be extremely destructive for a firm that is structured and organized for storing and synthesizing large quantities of PII. The report uses the Equifax data breach as a prime example of data breach, PII appropriation, and damages suffered by both the corporation and consumers. In addition, the report notes that a corporation’s trust and reputation are severely damaged during these cybersecurity incidents.



Based on findings and literature by economists and academics, the report identifies cybersecurity as a common good. Therefore, the report also finds that cybersecurity bears a cost to the overall economy through negative externalities imposed on corporate partners, employees, and the public. In fact, the FBI’s Internet Crime Complaint Center provides private individuals with the ability to report malicious criminal activity. The report finds that in 2016, the FBI received approximately 300,000 complaints of cybersecurity incidents, with approximate costs amounting to a total of $1.3 billion. However, the report notes that only 15% of malicious cyber activity is detected and reported each year. Therefore, the report concludes that costs are significantly greater than originally calculated.



In terms of economics, the report finds that stock prices react significantly negative upon the public’s notification of a malicious cyber security incident. Specifically, based on the news of 290 malicious cybersecurity incidents experienced by 186 publicly traded United States firms between January 2000 and January 2017, the report finds that firms lost on average approximately 8% of their market value over the course of a week following the news of a cybersecurity incident. However, the report documents that among the 290 incidents in its data set, only 131 incidents were reported between January 2000 and January 2014, and 159 incidents were reported between January 2014 and January 2017. Based on a survey of 46 different global stock exchanges, the report finds that approximately 53% of the exchanges experienced cybersecurity incidents.



The report documents security incidents and breaches in each sector of the US economy. Specifically, the report finds that sectors such as finance, healthcare, education, and accommodations suffered the greatest and most disproportionate number of breaches in the United States. The report notes that this is most likely that result of the attractiveness of these sectors to malicious cybersecurity entities because they sectors involve massive quantities of valuable PII and IP.



Statistically, the report defines large companies as companies with more than 1,000 employees. Out of a total of 42,068 documented cybersecurity incidents and 1,935 data breaches, the report finds that large companies suffered the most number of incidents, and small companies suffered the most number of breaches. The report speculates that the reason why smaller companies suffered greater data breaches than larger companies is because smaller companies are less equipped financially, strategically, and legally to combat cybersecurity intrusions.



The report concludes that in order to combat the malicious cybersecurity activity, both the private sector and the government need to cooperate in detecting malicious activity and developing solutions to cybersecurity incidents. The United States government is playing a large role in approaching threats of malicious cybersecurity activity. For example, this year the Defense Advanced Research Projects Agency (DARPA) has allocated approximately 10% of its research budget towards cybersecurity research and technology. However, the report emphasizes that the private sector is best situated to find and affirm legitimate cybersecurity measures against malicious cybersecurity. The report, citing sources such as Thomson Reuters, highlights that the number of cyberattacks and databreaches have been increasingly reported due to increases in the number of firms experiencing cybersecurity incidents; investors starting to investigate to such incidents; and improvements in advanced technology used in detecting breaches. The report, citing data gathered by Morgan Stanley, stands by a prediction that spending on cybersecurity measures will reach upwards of $128 billion in 2020, which is more than double the amount of $56 million spent in 2015.



Leave a Reply