The White House (Council of Economic Advisors) released a 62 page report today detailing the cost of malicious cyber activity in the U.S. in 2016. The White House says that the cost was between $57 Billion and $109 Billion for that one year. That’s billion with a B. The report is available here.
The report says that damages from cyber attacks and cyber thefts may spill over to economically linked firms from the original target, magnifying the damage. In English, this means that if Target is hacked and their sales go down, it affects their entire supply chain.
They say that companies are not comprehending the costs external to their organizations (like to you and me) and as a result, they are under-investing in cybersecurity. That is because, due to the nature of the laws, the company that gets hacked doesn’t really bear most of the costs. For example, after the Target breach – way after – they settled the consumer class action lawsuit for about $30 million. If there were 50 million victims, that means each victim gets about 60 cents. For a company the size of Target, that $30 million payout may be considered a cost of doing business.
If we look at the law that goes into effect in May in the European Union, the fine from the regulators alone, worst case, might be $2.8 billion (4% of revenue of $70 billion). Compare that to $30 million for that one lawsuit or $250 million overall. We don’t know what the regulators are going to do, but they are making noises about making examples of people. If Target or other companies faced a risk of a $2.8 billion fine, the economics of cyber security change quickly.
The report also says that attacks against critical infrastructure (such as power or energy) could be highly damaging to the economy.
Rick Perry, former governor of the big oil producing state of Texas and now Secretary of Energy says that the DoE plans to create an office of cybersecurity, energy security and emergency response.
Given the impact to the country in the case of hackers creating massive power outages or energy distribution failures and the cost to the businesses in Perry’s home state, it makes sense that he is doing that. How they plan to fund that is unclear. There is $96 million for it in President Trump’s proposed 2019 budget, but people are saying that budget is dead on arrival at The Hill. So, Perry can create the office, but, for now, the only way to staff it would be to steal people from other parts of the agency. Given that the agency has a $30 billion annual budget, it is possible that there could be some waste there that Perry could clean up to create funding for this idea. Maybe.
Of the report’s 62 pages, a little over two pages (45-47) are devoted to thoughts about possible ideas regarding improving cyber security.
While the report doesn’t say so, maybe the White House will propose some legislation or regulation reqarding improving cyber security sometime in the future, but for now this report is merely meant to put some specifics on what we already know – that malicious cyber activity is costing us a fortune.
Information for this post came from the White House web site.