Cyber-attacks cost the U.S. economy between $57 billion and $109 billion in 2016 and are measured in things like lost revenue, data and intellectual property, court settlements, regulatory penalties and reputational damage, says a new report by the White House Council of Economic Advisors.
The most costly attacks are associated with cyber theft of intellectual property (IP), even though these events are generally among the fewest reported, according to the report, The Cost of Malicious Cyber Activity to the U.S. Economy, which was released on Feb. 16.
“Moreover, security breaches that enable IP theft via cyber may go undetected for years, allowing the periodic pilfering of corporate IP,” says the 62-page report. Case in point, the report points to Germany’s solar power company SolarWorld AG, which was a target of cyber IP theft at the same time it accused Chinese manufacturers of selling into the U.S. market at below fair market value.
The breach of SolarWorld included its operations in the U.S., and ultimately resulted in the loss of 35 percent of its market value after charges against the Chinese manufacturers were reported, and last year the company filed for insolvency and the U.S. operations were put up for sale to cover the parent company’s debt, the report says.
The report says there were five observed incidents of cyber-enabled IP theft in 2016 and five incidents of distributed denial of service attacks, 15 malware attacks, 56 observations of fraud, 14 attacks by nation-state actors, 35 data breach incidents, and 156 incidents listed as other.
Thefts involving IP resulted in a 6.3 percent loss of market value on average for victim firms followed by companies hit with DDoS attacks losing 2.4 percent of their market value on average, the report says.
The finance sector suffered the most cyber-attacks in 2016 followed by healthcare.
Companies that hide the fact that their networks have been breached add to what the Council of Economic Advisors says is a “dark cyber debt,” which they say is “the future, negative valuation impact of a breach that a firm hid from the public.”
The report also says that firms typically invest in cyber security to protect their internal assets, but often ignore the larger impacts a successful cyber breach might have on their customers, suppliers and the economy. This leads to underinvestment in cyber security, which is a “market failure,” it says
“Thus, weak cybersecurity carries not only a cost to the firm itself but also to the broader economy through the negative externalities imposed on the firm’s customers and employees and on its corporate partners,” the report says.
The Council of Economic Advisors recommends penalties and incentives so that firms “internalize the externalities and thereby help raise levels of cybersecurity investment to the socially optimal level.” Mandatory disclosure requirements would be one kind of incentive, they say.
The report also warns of the potential consequences of attacks on critical infrastructures, highlighting the energy grid and financial sector. It notes that there have been no successful cyber-attacks on the U.S. power grid, and instead uses weather-related data and studies to calculate potential costs to the economy from direct and indirect damages to the energy sector.
Citing one study by the insurance firm Lloyd’s and the Univ. of Cambridge, direct damages to the U.S. economy from a successful cyber-attack against the power grid could range between $243 billion to $1 trillion while indirect costs to the insurance industry could run between $21.4 billion and $71.1 billion.
Separately, last week, the Government Accountability Office (GAO) said that that most critical infrastructure sectors in the U.S. have taken steps to implement a four-year old framework for managing cyber security risk and adopting best practices and standards on a voluntary basis. The Cyber Security Framework was published in February 2014 after a year-long public and private effort overseen by the National Institute of Standards and Technology (NIST).
However, the Feb. 15 GAO report said that 12 of the 16 critical infrastructure sectors have implemented guidance for the NIST framework, and highlights four challenges to framework adoption as cited by the Department of Homeland Security, NIST, and other stakeholders. These challenges include limited resources, a lack of knowledge and necessary skills within certain entities, regulatory, industry and other requirements that inhibit adoption, and other priorities that are more pressing than framework adoption.
Accurate assessments of framework adoption are lacking, GAO said, which means there is no “comprehensive understanding of the current adoption level within the critical infrastructure sectors.”