Cybercrime costs the UK £27bn a year

Cybercrime is costing the UK £27bn a year, according to the government, which has pledged to work with businesses to combat the problem.

Home Office minister Baroness Neville-Jones has presented a report that says cybercrime costs the UK £27bn a year. Photo credit: Home Office

The total figure covers £21bn from losses suffered by businesses, £3.1bn by citizens and £2.2bn by government, the Office of Cyber Security and Information Assurance (Ocsia) said in a report summary published on Thursday. It did not account for the other £700m.

The report, produced by Ocsia and BAE Systems security subsidiary Detica, marks the first time the government has made a public estimate of cybercrime costs. At a press launch event, security minister Baroness Pauline Neville-Jones emphasised that while the figures are an estimate, they still give an indication of the scale of economic loss suffered by the UK.

"It's a bit like terrorism — the more you know, the more frightening it looks," Neville-Jones said at the Home Office event. "It's not that the situation has changed; it's that you know more about it. Clearly we are not the only country by a long chalk that is suffering losses."

The report's authors looked at data in the public domain and talked to cybersecurity, business, law enforcement, and public- and private-sector organisations.

The areas they examined include intellectual property (IP) theft (excluding the music industry), espionage, fiscal fraud, extortion, online theft, online fraud, identity theft, data loss and scareware. The report found that out of the £27bn costs each year, £9.2bn was due to IP theft and over £7.6bn was due to industrial espionage.

It's a bit like terrorism — the more you know, the more frightening it looks. It's not that the situation has changed; it's that you know more about it.

– Baroness Neville-Jones, security minister

The government plans to work more closely with businesses on countering the problem, said Neville-Jones. On Monday, ministers held a meeting at 10 Downing Street with companies including Barclays, HSBC, British Airways, BAE Systems, Tesco, Symantec and GlaxoSmithKline, she told ZDNet UK.

The parties met with a view to setting up a forum to deal with cyber issues. "We hope to form a partnership that's strategic and operational," Neville-Jones said.

The Centre for the Protection of Critical National Infrastructure (CPNI) will be involved in the forum, as will other bodies that advise on and co-ordinate response to cyberattacks. "CPNI is part of this, but we need something bigger and real time," she told ZDNet UK.

After setting up the forum, the next stage will be to form a working party to identify strategy and decide how to implement it. The working party is expected to report at the end of summer 2011.

Company attacks

At present, a large proportion of companies are ignorant about the scale of attacks on their systems, according to the security minister.

"In the first instance, you have to have technical competence in your systems," Neville-Jones told the press conference. "Many companies in the country don't know what the normal functioning of their systems looks like.

"They need to be upgrading their skills, they need to be constantly vigilant, and they need situational awareness. Big companies need to have sufficient knowledge of what their systems are doing," she said.

Both the government and business must tighten up security to avoid risks and must have the capabilities to disrupt attacks, she told ZDNet UK. The government's cyberattack and defence capability lies in the hands of the Cyber Security Operations Centre, based in Cheltenham.

"I think [the best response] is going to be through much better defences and disruption — by screwing up their network. Much as the intruder can screw up the company network, the reverse can happen," Neville-Jones said. "If you look at terrorism; if we relied [solely] on prosecution, we would have lots of incidents. We have to rely on disrupting the activity while in course."

In the Strategic Defence and Security Review in October, the government recognised cyberattacks as 'top-tier' threats to the UK, and pledged £650m to combating them. On Wednesday, the Home Office said that £63m would go towards cybercrime law enforcement.

In our work, we see a range of perpetrators, from state-sponsored attacks to organised criminal gangs to spotty teenagers in bedrooms.

– Martin Sutherland, Detica

Companies have historically been reticent about admitting to cyberattacks, making it difficult to come up with precise cybercrime figures, Detica's managing director Martin Sutherland told the press event.

In its research for the report, Detica did not make any differentiation between state-sponsored IP theft, corporate IP theft (such as employees selling company secrets) and IP infringement (such as people using peer-to-peer networks to share unauthorised copies of movies). It did not make a distinction because, from a security standpoint, the type of perpetrator makes no difference to the risks of successful attacks, Sutherland said.

"In our work, we see a range of perpetrators, from state-sponsored attacks to organised criminal gangs to spotty teenagers in bedrooms," Sutherland told ZDNet UK. "There is a whole range of actors. What matters is the impact on the economy."