https://www.nationalreview.com/2021/06/the-rising-economic-cost-of-cyberattacks/?utm_source=recirc-desktop&utm_
The Biden administration should build on the Trump administration’s strategy to confront the increasing security and economic threat of cyberattacks.
It was recently revealed that DarkSide raked in $90 million worth of Bitcoin — including $4.4 million in ransom from the Colonial Pipeline operator — from its cyberattacks stretching back to October 2020. The ransoms paid to DarkSide and similar organizations, however, do not capture the total economic cost of cyberattacks. Targeted firms acting in their individual interests may not fully account for the economic costs that spill over to consumers and to other firms. The result is underinvestment in cybersecurity from the private sector as a whole. While the Biden administration’s “private sector decision” remark helped define its Colonial Pipeline response, the federal government has an important role in closing this cybersecurity investment gap and limiting the future cost of cyberattacks.
Cyberattacks are perpetrated by numerous types of actors and stretch far beyond ransomware attacks such as the attack on the Colonial Pipeline. In fact, ransomware is on average a less costly form of cyberattack. While ransomware attacks on large firms tend to make headlines, according to one report, 70 percent of such attacks are directed at small- and medium-sized firms with fewer than 1,000 employees, with 90 percent of the losses against these firms uninsured. The widespread nature of cyberattacks, their pervasiveness across industry and firm type, the varying components that make up the total cost, and the prevalence of underreporting all contribute to the difficulty in estimating the overall economic impact of these incidents, though some studies do exist.
In 2018, the Council of Economic Advisers (CEA) published a report evaluating the total costs associated with malicious cyberactivity by measuring the stock-price reaction of publicly traded firms to news of cyberattacks that had been made public. After taking into account firms’ underreporting of cyberattacks, spillover effects to other firms, and private costs incurred alongside the costs to publicly traded firms, the CEA estimated that the total cost posed by malicious cyberactivity to the U.S. economy in 2016 was as high as $109 billion (roughly 0.6 percent of 2016 GDP). These estimated costs are very likely to have increased since 2016.
According to annual studies by Accenture and the Ponemon Institute based on extensive surveys of firms and cybersecurity experts, between 2016 and 2018, the average total cost incurred by firms due to malicious cyberactivity increased by 58 percent in the United States. Assuming that the total cost to the U.S. economy increased at the same rate as the average cost faced by those surveyed firms, the total cost of cyberattacks in 2018 would be as high as $172 billion (roughly 0.8 percent of 2018 GDP). This assumption likely yields a lower-bound estimate, however, as the average number of cyberattacks faced by firms globally increased over this period, making it more than likely that the frequency of attacks against U.S. firms also increased. Since 2018 — the last year the study was conducted — the number of cyberattacks, the average cost of cyberattacks, and the total economic costs are likely to have risen even further.