Cybercrime cost estimate is 'sales exercise', say experts

Cybercrime experts have questioned a £27bn annual cybercrime cost figure released by the Cabinet Office in a report on Thursday, saying it is little more than a sales exercise for Detica, the company that researched the report.

Professor Peter Sommer of the London School of Economics (LSE) called the report an "unfortunate item of British Aerospace puffery". Detica is owned by BAE Systems, and is involved in intelligence analysis for the UK government. The company also sells data protection and information assurance products.

The £27bn cybercrime cost estimate is "an unfortunate item of puffery", according to LSE's Peter Sommer. Photo credit: LSE Library

Sommer told ZDNet UK that the Office of Cyber Security and Information Assurance (Oscia) should not have allied itself so closely with the report, which put a figure of £21bn annual losses to UK businesses through crimes including intellectual-property theft and espionage. The remaining losses are attributed to consumers and the government.

"It seems rather unfortunate that Oscia, [which has] to make important and careful decisions about spending taxpayers' money, should ally [itself] to a sales promotion exercise by a British Aerospace subsidiary," Sommer said in an email exchange.

Sommer said the UK £27bn loss-figure was based on conjecture, as hard figures for cybercrime damage are not known, as were effects of reputational damage.

"The report is full of fake precision, with elaborate charts claiming to show the relative costs of IP theft and industrial espionage per industry sector," Sommer said. "But we have no means of measuring either in terms of events and no agreement about what to include in losses — how do you calculate a lost business opportunity?"

Detective inspector Charlie McMurdie, who heads the Metropolitan Police Central e-Crime Unit (PCeU), agreed that it was difficult to calculate cybercrime damage.

Quantifying cybercrime

"Cybercrime losses are difficult to quantify," McMurdie told ZDNet UK on Friday. "A lot of issues aren't reported to law enforcement, so it's difficult to say what the cost is."

However, McMurdie said that, given the scale of cybercrime, she "wasn't surprised" at the £27bn figure.

"We are dealing with multi-million pound investigations," she said.

Other cybersecurity experts were more scathing about the report. Richard Clayton, a computer security expert at Cambridge University who has estimated the cost of phishing (PDF), said the basis for calculating the statistics could be wildly inaccurate.

All ridiculous cyberwar and cybercrime estimates are endorsed by people who want to make the issue more important.

– Richard Clayton, Cambridge

"Basically, it's nonsense," Clayton told ZDNet UK. "It seems the report has taken the GDP of the UK and multiplied by some number we don't know whether it's appropriate to multiply by."

Clayton said that, during current economic uncertainty and with a background of swinging UK government cuts across the board, estimates about damage from cyberattacks were one way for government agencies to get funding and for suppliers to get business.

"The fact the UK government has endorsed the report is remarkable," he added. "All ridiculous cyberwar and cybercrime estimates are endorsed by people who want to make the issue more important."

Tyler Moore, a Harvard University cyber-security expert, wrote in a blog post that the £27bn estimate was "meaningless", as the report does not describe the rationale for ascribing the probabilities used to calculate the estimate.

"Unfortunately, much of the total cost is based on questionable calculations that are impossible for outsiders to verify," Moore wrote. "When measurements are made, it is essential that the entire methodology and calculations be transparent, so that the decision makers relying on the calculations are not inadvertently misled."

Mikko Hypponen, chief research officer for security company F-Secure, told ZDNet UK on Friday that he thought the figure was too high. Hypponen said that companies very often have no idea how much intellectual property has been taken, even if they are aware that their systems have been breached.

"Cybercrime is a problem; it causes damage, but the £27bn figure doesn't hold water in my book," Hypponen said. "Mostly, it's pretty obvious when companies have been targeted by espionage, but in many cases they don't know what they've lost."

Hypponen said that losses are always hard to quantify, especially for intellectual property. He gave the example of unauthorised file-sharing and projections of lost sales, adding that "piracy figures can't be real" as the people who downloaded the file may not have gone out and bought the data in other circumstances.

Detica had not responded to a request for comment at the time of writing.