Many sources report that cybercrime costs the global economy trillions of dollars per year. It is the top Google search result and it is quoted on Wikipedia. But I am not able to track down how the number was computed, or find criticism of these numbers.

This would be insanely high if true: the world GDP is only 100 trillion / year, and the software industry is only around 1 trillion / year (according to a quick Google search). Does the software industry really produce less value than the cost of cybercrime? This is not impossible, but that is an extraordinary claim that requires strong evidence.

Why I care about this: LLMs might help with cybercrime, and it might be tempting for regulators to ban the creation or deployment of new LLMs that are projected to cause cybercrime damages above e.g. 10 billion / year. But if cybercrime is over a trillion dollars per year, just a 1% increase in cyberattacker productivity would be over 10 billion / year. Does this logic imply that meaningful improvements to software should be banned because they likely create billions in expected damages?

Either the trillions-of-dollars numbers are fake, or this has some weird implications for LLMs and software regulation in general.


3 Answers

faul_sname


Looking at the eSentire / Cybersecurity Ventures 2022 Cybercrime Report that appears to be the source of the numbers Google is using, I see the following claims:

  • $8T in estimated unspecified cybercrime costs ("The global annual cost of cybercrime is predicted to reach $8 trillion annually in 2023" with no citation of who is doing the estimation)
  • $20B in ransomware attacks in 2021 (source: a Cybersecurity Ventures report)
  • $30B in "Cryptocrime" which is e.g. cryptocurrency scams / rug pulls (source: another Cybersecurity Ventures report)

It appears to me that the report is intended to enable the collection of business email addresses as the top of a sales funnel, as evidenced by the fact that you need to provide your name, company name, role, and a business email address to download the report. As such, I wouldn't take any of their numbers particularly seriously - I doubt they do.

As a sanity check, $8T / year in cybercrime costs is an average annual cost of $1,000 per person. This is not even remotely plausible.

LucaRighetti


I had looked into this for a previous research project.  For what it's worth, I don't think there are any perfect sources, but my own BOTECs led me to believe the number people are usually after is $10B-$100B ~$30B-$300B:

  • FBI IC3 (2023): Headline figures that it receives $5-10B/yr of reported losses across the globe. If you assume this mostly only covers US victims (say 4X because the US is 25% of world GDP) and some go unreported (say 2X by dollar value), then you get something like $50B-$100B/yr globally
  • [New via JamieRV's comment] The “2007 GAO report (GAO-07-705) cites a 2005 FBI survey putting the cost of computer crime in the US at $67bn.”  If you again multiply by 4X for US GDP and 2X for underreporting you get ~$540B/yr globally -- although I've looked into this less
  • Anderson et al. (2019): Suggest maybe "6% of us [UK citizens] are victims of a scam with an average take of $200". If in the UK there are 67M people that totals $800M. If the UK is 2.3% of world GDP that's maybe ~$30B/yr globally. It seems plausible that mostly captures consumer, not business crime.
  • Chainalysis (2023): Estimate illegal crypto transactions amount to $5B-$20B/yr (it fluctuated a lot during the pandemic). If you assume maybe a ~third of cybercrime is done via crypto [as is the case for romance scams], then that gives you $15B-$60B/yr globally

I agree the eSentire >$3T number should be trusted very little. It doesn't have any public methodology and got criticised soon after the original estimates came out in 2015 as part of companies trying to 'one up' each other:

In early 2015 Inga Beale, CEO at the British insurer Lloyd’s, claimed that cybercrime was costing businesses globally up to $400 billion a year. Several months later Juniper Research released a report which said cybercrime will cost businesses over $2 trillion by 2019. Microsoft CEO Satya Nadella stated $3 trillion of market value was destroyed in 2015 due to cybercrime….

The other 'trillion dollar' source that sometimes gets cited is McGuire (2018), who puts it at $1.5T.  They do give a methodology of where this comes from, but...

  • $800B/yr is from illegal online markets, which is unclear to me where it comes from or if it should even be counted as 'cybercrime' in the way people normally mean
  • $500B/yr is corporate espionage -- when, for reference, the NBR commission estimated that all US IP theft costs $225B – $600B/yr
  • $150B/yr is from stolen data, which comes from the author assuming {personal data is worth $200} * {600M records per year get stolen}  -- when for reference the UNODC (2010) put identity theft at $1B/yr

This is great, thank you very much!

Dagon


There are (at least) two different meanings of "costing" in large-scale economic impact thinking.  The narrow meaning is "actual amount spent on this topic".  The more common (because it's a bigger number) meaning is "how much bigger would the economy be in the counterfactual world that doesn't have this feature".

The article linked from Wikipedia says

The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, reputational harm, legal costs, and potentially, regulatory fines.

Which puts it in the second category - most of these costs are NOT direct expenses, but indirect and foregone value.   That doesn't make it wrong, exactly, just not comparable to "real" measures (which GDP and GPP aren't either, but they're more defensible).

It's extremely unclear whether LLM adoption and increasing capabilities will shift the equilibrium between attack and defense on these fronts.  Actually, it's almost certain that it will shift it, but it's uncertain how much and in what direction, on what timeframes.

It's further unclear whether legislation can slow the attacks more than it hinders defense.

Mostly, it's not a useful estimate or model for reasoning about decisions.

24 comments

As @faul_sname notes, the $8T number (or $9.5T from one source cited in that Wikipedia article) isn't plausible. At least, not without some very generous definitions of "cybercrime," "is," "costing," and "trillions."

By which I mean: if you squint really hard, and count all the money and time everyone everywhere is spending on all (digital and non-digital) cybercrime prevention and countermeasures, and try to estimate all the extra things people could do to generate value if they didn't have to worry about cybercrime, then sure, maybe you could get numbers up to a few trillion. 

But that's a bit like saying the cost of other crime includes all spending on the criminal and civil justice system, all spending on private security and surveillance by individuals and businesses, the entire salary of every cashier (since they wouldn't be needed if people would just count up their own purchases and leave payment), and every time someone doesn't do something because they don't want to go out wandering by themselves at 3am. Not actually a useful metric for deciding where it's worthwhile to increase or decrease resource allocations or to make regulatory decisions.

gwern

But that's a bit like saying the cost of other crime includes all spending on the criminal and civil justice system, all spending on private security and surveillance by individuals and businesses, the entire salary of every cashier (since they wouldn't be needed if people would just count up their own purchases and leave payment), and every time someone doesn't do something because they don't want to go out wandering by themselves at 3am. Not actually a useful metric for deciding where it's worthwhile to increase or decrease resource allocations or to make regulatory decisions.

That sounds obviously correct and in fact a useful metric which is how you ought to be deciding how much to invest in policing: including the negative externalities and the nice high-trust-society things we could have if there was less crime. Why would you not include those?

But reducing crime by increasing policing won't get you "nice high-trust-society things"! That's almost cargo-cult behavior: the low crime is a symptom of the high trust.

At some point, you're worldbuilding an alternate society (of dubious plausibility) instead of considering the practical effects of a particular policy. You would ignore comparisons to such a world when making policy decisions for the same reason you'd ignore Cato's suggestion of razing Carthage: it's not really related to the matter you're considering.

In one sense, you're right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.

In practice, it's really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.


The other problem is you can't assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, can both make similar cost and benefit claims, but clearly the effects are not additive; your estimate defines a max, not a sum. This is always strictly the case, but if you use a narrower analysis then you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.

I'd also add that a high fraction of these costs won't be increased if you improve cyber crime productivity (by e.g. 10%). As in, maybe a high fraction of the costs are due to the possibility of very low effort cyber crime (analogous to the cashier case).

And Fabien's original motivation was more closely related to this.

The point is that if the majority of the "cost of crime" is actually the cost of preventing potential crime, then it's not obvious at all that more crime prevention will help.

Sure, sometimes it's better to shift from private prevention (behavior change) to collective prevention (policing) at the margin, but not always.

I don't know the answer to how much cybercrime is really costing, but I think your economic analysis is not accurately tracking "what GDP means".

Arms-length financial transactions of "money points for services or goods" operate on the basis of scarcity, monopoly pricing power, and other power concerns that are locally legible inside of bilateral exchanges between reasonable agents.

GDP does not track the "reserve price" of consumers of computational services, where conditional on a computing service hypothetically being monopolistically priced, the person would hypothetically pay a LOT for that service.

Various surveys and a bit of logic suggest that people would hypothetically pay thousands or in many cases even tens of thousands of dollars for access to the internet even though the real cost is much much less.

By contrast, GDP just measures the "true scarcity... and lawful evil induced scarcity" part of the economy (mushed together and swirled around, so the DMCA makes hacking printer ink cartridges full of producer-added malware illegal, rather than subsidizing such heroic hacking work, as would occur under benevolent governance, and so on).

Linus Torvalds is probably owed a "debt of gratitude", by Earth, on the order of many billions, and possibly trillions, but he gave away Linux and has never been paid anything like that amount, and so the value he created and gave away does not show up in GDP. (Not just him, there's a whole constellation of rarely sung heroes and moderately happy dudes who were part of a hobbyist ecosystem that created the modern digital world between 1970 and 2010 and gave it away for free).

On a deeper level, the inability to measure or encourage the "post-scarcity" or "public goods" part of the human "economy" (if you can even call it an "economy" when it doesn't run on bilateral arms-length self-interested deals) is part of why such goods are underproduced by default, in general, and have been underproduced for all of human history.

Within this frame, it seems very plausible that the computational consumer surplus that cybercriminals attack is worth huge amounts of money to protect, even though it was acquired very cheaply from people like Linus.

Presumably humans are not yet in "private scarcity-based equilibrium" with the economics of computation processes?

In the long run it might be reasonable to expect the "a la carte computer security situation" (where every technical system becomes a game of whack-a-mole fighting many very specific ways to ruin everything in the computational commons) to devolve until most uses of most computer processes have almost no consumer surplus, because the costs of paying for a la carte help with computer security almost perfectly balances against the consumer surplus from using "essentially free compute".

This would not happen if good computer security practices arise that can somehow preserve the existing (and probably massive) consumer surplus around computers such that "using the internet and computers in general in a safe way is very cheap because computer security itself is easy to get right and spread around as a public good with nearly no marginal cost".

Like... hypothetically the government could make baseline "secure and super valuable" computing systems.

But it doesn't.

A private ad-based surveillance and propaganda corporation "solved search and created lots of billionaires" NOT the library of congress.

The NSA tries to make sure that most consumer hardware and software is insecure so that the <0.5% of consumer buyers that happen to be mobsters or terrorists can be spied on, rather than putting out open source defensive software for everyone.

People like Aaron Swartz and Moxie did, mostly for free, the things that a benevolent government would do if a benevolent government existed.

But no actively benevolent governments exist.

In Anathem, Neal Stephenson (who is very smart, in a very fun way) posits a giant science inquisition that prevents technological advancement (leading to AGI or nukes or bioweapons or what have you) and lets humanity "experience the current tech scale" for thousands of years with instabilities factored out and only locally stable cultural loops retained...

...in that world it is just taken for granted that 99.999% of the internet is full of auto-generated lies called "bogons" that are put out by computer security companies so as to force consumers to pay monthly subscriptions for expensive bogon filtering software that make their handheld jeejaws only really good for talking with close personal friends or business associates. It is just normal to them, for the internet to exist and be worthless, like it is normal to us for lies in ads and on the news to be the default.

Anathem's future contains no wikipedia, because wikipedia is like linux: insanely valuable, yet not scarce, with very few dollars directed to it in ways that ensures (1) it isn't hacked from the outside and (2) the leadership doesn't ruin it for personal or ideological profit from the inside.

Anathem offers us a bleak "impossible possible future" but not the bleakest.

Things probably won't happen that way because that exact way of stabilizing human civilization is unlikely, but Anathem honestly grapples with the broader issue where information services are (1) insanely valuable and (2) also nearly impossible for the market to properly price.

very few dollars directed to it in ways that ensures … the leadership doesn't ruin it for personal or ideological profit from the inside.

Could you elaborate on how you think dollars could be directed to prevent this? As of this writing, Godot is the latest project to do this, but much the same has happened to your examples, Wikipedia and Linux (Edit: and since you mentioned their founders, Reddit and Signal). And they're not unusual; this is typical of every major open source project. And it's not just the new "digital" projects this occurs in: in public libraries, librarians use their position in the same way.

I think it would require *not just throwing money* at it, but also *actually designing sensible political institutions* to help aggregate and focus people's voluntary interest in creating valuable public goods that they (as well as everyone) can enjoy, after they are created.

For example, I would happily give Wikipedia $100 if I could have them switch to Inclusionism and end the rule of the "Deletionist" faction.

((Among other things, I think that anyone who ever runs for any elected political office, and anyone nominated or appointed by an elected official should be deemed Automatically Politically Notable on Wikipedia.

They should be allowed by Wikipedia (in a way that follows a named policy) to ADD material to their own article (to bulk it up from a stub or from non-existence), or to have at least ~25% of the text be written by themselves if the article is big, but not DELETE from their article.

Move their shit about themselves to the bottom, or into appendices, alongside the appendix of "their opinions about Star Wars (according to star wars autists)" and the appendix on "their likely percentage of neanderthal genes (according to racists)", and flag what they write about themselves as possibly interested writing by a possibly interested party, or whatever... but don't DELETE it.))

Now... clearly I cannot currently donate $100 to cause this to happen, but what if a "meta non-profit" existed that I could donate $100 to for three months (to pool with others making a similar demand), and then get the $100 back at the end of the three months if Wikipedia's rulers say no to our offer?

The pooling process, itself, could be optimized. Set up a ranked ballot over all the options with "max payment" only to "my favorite option" and then do monetary stepdowns as one moves down the ballot until you hit the natural zero.

There is some non-trivial math lurking here, in the nooks and crannies, but I know a handful of mathematicians I could probably tempt into consulting on these early challenges, and I know enough to be able to verify their proofs, even if I might not be able to generate the right proofs and theorems myself.

If someone wants to start this non-profit with me, I'd probably be willing serve in exchange for a permanent seat on the board of directors, and I'd be willing to serve as the initial Chief Operating Officer for very little money (and for only a handshake agreement from the rest of the board that I'll get back pay contingent on success after we raise money to financially stabilize things).

The really hard part is finding a good CEO. Such roles require a very stable genius (possibly with a short tenure, and a strong succession planning game), because they kinda drive people crazy by default, from what I've seen.

I don't think "letting outsiders who don't understand why the processes within Wikipedia work the way they do spend money to buy policy outcomes" would improve anything about how Wikipedia runs.

If you take a decision about whether running for any elected political office should give someone notability in Wikipedia, there aren't any rulers who decide whether or not to adopt that policy; it's a democratic process where different people at Wikipedia voice their opinion about what's good for Wikipedia.

Most people on Wikipedia would not like that, because there are plenty of people who run for elected offices like a small town council where there are no trustworthy secondary sources for information about those people. Articles about them are thus not possible to police for being correct the way that's possible with other Wikipedia articles, and it's going to be hard to engage with those articles, and false claims are not going to be effectively removed.

While I'm more inclusionist than the average person at Wikipedia, it's worth noting that Wikipedia is a resource of high quality and that's an achievement of the current system.

Quora used to be full of quality, similarly to how StackExchange has answers of high quality. StackExchange has a firm policy of quality standards while Quora doesn't. StackExchange managed to keep high quality levels while Quora didn't.

People frequently complain about StackExchange being elitist and not friendly to people who don't put effort into asking questions, but the result is that they kept a high-quality level.

It might be that you can either get a constantly self-reinforcing sense of higher standards or a constantly self-reinforcing sense of lower standards.

Meme about the experience of using StackExchange: link.

I'm with Shankar and that meme: Stack Exchange used to be good, but isn't any more.

Regarding Wikipedia, I've had similar thoughts, but they caused me to imagine how to deeply restructure Wikipedia so that it can collect and synthesize primary sources.

Perhaps it could contain a system for "internal primary sources" where people register as such, and start offering archived testimony (which could then be cited in "purely secondary articles") similarly to the way random people hired by the NYT are trusted to offer archived testimony suitable for inclusion in current Wikipedia stuff?

This is the future. It runs on the Internet. Shall this future be democratic and flat, or full of silos and tribalism?

The thing I object to, Christian, is that "outsiders" are the people Wikipedia should properly be trying to serve but Wikipedia (like most public institutions eventually seem to do?) seems to have become insular and weird and uninterested in changing their mission to fulfill social duties that are currently being neglected by most institutions.

Wikipedia seems, to me, from the outside, as someone who they presumably are nominally "hoping to serve by summarizing all the world's trustworthy knowledge", to not actually be very good at governance, or vetting people who can or can't lock pages, or allocating power wisely, or choosing good operating policies.

Some of it I understand. "Fandom" used to be called "Wikia" and was (maybe still is?) run by Jimbo as a terrible and ugly "for profit, ad infested" system of wikis.

He naturally would have wanted wikipedia to have a narrow mandate so that "the rest of the psychic energy" could accumulate in his for-profit monstrosity, I think? But I don't think it served the world for this breakup and division into subfields to occur.

And, indeed, I think it would be good for Wikipedia to import all the articles across all of Fandom that it can legally import as "part of RETVRNING to inclusionism" <3

Wikipedia seems, to me, from the outside, as someone who they presumably are nominally "hoping to serve by summarizing all the world's trustworthy knowledge", to not actually be very good at governance, or vetting people who can or can't lock pages, or allocating power wisely, or choosing good operating policies.

Given that by your own standards there are no big institutions that are "very good at governance" or "allocate power wisely", is it any surprise that this is true for Wikipedia?

Even if Wikipedia's institutions could be improved, just letting people who don't understand the way the gears inside Wikipedia work buy policy changes isn't going to lead to either good governance or wise decision making.

He naturally would have wanted wikipedia to have a narrow mandate so that "the rest of the psychic energy" could accumulate in his for-profit monstrosity, I think? But I don't think it served the world for this breakup and division into subfields to occur.

While Jimmy Wales might have made decisions in the first decade of Wikipedia's existence that were good for Wikia, Wikipedia's guidelines on inclusion & exclusion are in a constant flux via RfCs and you have people arguing for both sides. Some RfCs get adopted while others are rejected. Jimmy is neither voicing an opinion in most of these discussions nor would he have a way to decide the outcome that goes beyond what anyone who writes well could achieve.

Decisions about those RfCs are made in a democratic and flat way within Wikipedia. Your proposal about making them via people paying money is not moving it towards making them more democratic and flat.

Are you a wikipedian? Is there some way that I could find all the wikipedians and just appeal to them directly and fix the badness more simply? I like fixing things simply when simple fixes can work... :-)

(However, in my experience, most problems like this are caused by conflicts of interest, and it has seemed to me in the past that when pies are getting bigger, people are more receptive to ideas of fair and good justice, whereas when pies are getting smaller people's fallenness becomes more prominent.

I'm not saying Jimbo is still ruining things. For all I know he's not even on the board of directors of Wikipedia anymore. I haven't checked. I'm simply saying that there are clear choices that were made in the deep past that seem to have followed a logic that would naturally help his pocketbook and naturally hurt natural public interests, and these same choices seem to still be echoing all the way up to the present.

I'm an admin at Wikidata and I have engaged some in the German and English Wikipedia.

On https://en.wikipedia.org/wiki/Wikipedia:Requests_for_comment you have a general page that explains how RfCs get made and which also links to the individual categories.

At the moment there is, for example, a discussion about whether "all British National rail stations should be presumed notable as an exception to WP:NTRAINSTATION". If you think of it in terms of deletionism vs. inclusionism, the inclusionist position would be to grant notability to all the British National rail stations while the deletionist policy is to reject automatic notability of those rail stations.

There are constantly small decisions like that, where the border of what's notable and what isn't gets shifted. There are 81 pages worth of archives at Wikipedia_talk:Notability that span a variety of proposals to change notability rules that have been accepted and rejected.

However, in my experience, most problems like this are caused by conflicts of interest

If that's what you believe, you have to understand the interests of the people who currently vote in the decisions about how the lines of notability shift, and not just what interests might have existed twenty years ago.

What I'd prefer is to have someone do data science on all that content, and find the person inside of wikipedia who is least bad, and the most good, according to my preferences and ideals, and then I'd like to donate $50 to have all their votes count twice as much in every vote for a year.

Remember the OP?

The question is "How could a large number of venal idiots attacking The Internet cost more damage than all the GDP of all the people who create and run The Internet via market mechanisms?"

I'm claiming that the core issue is that The Internet is mostly a public good, and there is no known way to turn dollars into "more or better public goods" (not yet anyway) but there are ways to ruin public goods, and then charge for access to an unruined simulacrum of a public good.

All those votes... those are a cost (and one invisible to the market, mostly). And they are only good if they reliably "generate the right answer (as judged from far away by those who wish Wikipedia took its duties as a public goods institution more seriously and coherently)".

Yes, there are a lot of people complaining about quality standards on StackExchange who don't want to engage in the work it takes to write quality questions.

This is not an answer, but I register a guess: the number relies on claims about piracy, which is to say illegal downloads of music, movies, videogames, and so on. The problem is that the conventional numbers for this are utter bunk, because the way it gets calculated by default is they take the number of downloads, multiply it by the retail price, and call that the cost.

This would be how they get the cost of cybercrime to significantly exceed the value of the software industry: they can do something like take the whole value of the cybersecurity industry, better-measured losses like from finance and crypto, and then add bunk numbers for piracy losses from the entertainment industry on top of it.

Why do you think the methodology of calculating piracy damages by taking the number of downloads and multiplying by the retail price is utter bunk?

It assumes the alternative is "everyone buys at retail price" rather than "they just don't buy, the pirates go without, and the sellers make no more money."

I haven't looked at the math used in this case, but if they're using retail price that's actually much less distorted than I'd expect. Historically, the more motivated liars would use statutory damages for each instance. Since statutory damages were set based on assuming intended commercial re-use rather than personal, that overstates the impact by 2-7 OOMs. Even still 

Your last sentence hasn't been finished.

Sorry, that was a fragment I meant to remove. Please disregard.

Because that method rejects everything about prices. People consume more of something the lower the price is, even more so when it is free: consider the meme about all the games that have never been played in people's Steam libraries because they buy them in bundles or on sale days. There are ~zero branches of history where they sell as many units at retail as are pirated.

A better-but-still-generous method would be to do a projection of the increased sales in the future under the lower price curve, and then claim all of that as damages, reasoning that all of this excess supply deprived the company of the opportunity to get those sales in the future.