Cybercrime knocks almost a percentage point off global GDP growth, according to a study published last month by the Center for Strategic and International Studies (CSIS), a bipartisan think-tank with a strong reputation in international affairs and global security issues. In a world struggling with a weak recovery from the last recession and dogged by talk of “secular stagnation,” this is a serious cost. We believe that both cybercrime and efforts to combat it will continue to escalate — with implications for individual firms, economic sectors, national economies, and global markets.
A Paradigm Shift in Cybersecurity
Until recently, cybersecurity was often based on a basically passive approach: build a wall, wait for an attack to occur, and then fight it off.
More and more cybersecurity companies — including firms like Symantec (SYMC), Juniper Networks (JNPR) and FireEye (FEYE) — are moving beyond the passive protection regime. The starting point for security is now becoming an assumption that the network is already compromised, and an active hunt for malicious “exploits” already present but undetected. One analyst estimates that hackers are active in corporate systems for an average of 210 days before they are detected. Symantec analysts have been quoted as saying that traditional passive cybersecurity is “dead.”
As this paradigm shift continues, it seems likely that both private companies and governments will become more aware of the extent to which their networks have been hacked. That means that their calculus of the damage being done by cybercrime is likely to shift. What was once an irritating but tolerable threat — a “cost of doing business” — may begin to seem a lot less tolerable as more of the “hidden iceberg” of cybercrime begins to come to light.
The increasingly clear revelation of the cost of cybercrime and cyber-espionage presents a compelling case for investment in cybersecurity firms — both those who provide services to the government, and those who work to protect private firms.
The Real Cost of Cybercrime
Calculating the economic impact of cybercrime is extremely difficult because reported data are incomplete. Some countries have robust systems in place to collect data on cybercrime incidents; others have weak reporting or none at all. Some firms — especially in the financial sector — have regulatory obligations to report fraud and security breaches; others can choose to keep such attacks private. And as we noted, many companies are simply unaware that they’ve been attacked, since the intrusions usually go undetected.
Finally, it’s complex and difficult to estimate the value destroyed by hackers who steal intellectual property or proprietary business information, or who make companies build up cybersecurity rather than invest in productive research and development.
In spite of those limitations, CSIS was able to use a combination of public data and its own estimates to look at the global cost of cybercrime in GDP terms.
Theft of Intellectual Property: The Number One Cybercrime Cost
If we look at cybercrime’s economic effects from the top down, we see that the number one effect comes from the theft of IP (intellectual property). That effect starts at the firm and ripples out through the national and global economies.
Fundamentally, cybercrime acts as a damper on economic activity in a variety of ways.
Cybercrime Depresses the Rewards of R&D
Any company that invests in research and development does so in the hope of future returns — and the IP created by research is the ticket to those returns. It can give its creators a head start in the market. The purpose of IP protection — copyrights, patents — is to secure those benefits and make it worthwhile for companies to do the R&D. IP protection encourages innovation by “locking in” a period of enhanced profits.
Without those profits as a lure, companies tend not to be as willing to spend on R&D. Without R&D investment, in the long term, a company’s growth suffers, and a national R&D deficit means an entire national economy suffers. That means low growth, low job creation, and general stagnation.
But cybercrime is an especially egregious example of IP protections being violated. It means that companies’ R&D expenditures don’t reap the rewards they could, and it acts as a drag on company growth. For the country as a whole, IP theft adds up to a drag on national growth. IP theft means that innovators will get smaller-than-expected revenues, and face competing products earlier than they thought.
Until they know what’s being stolen, though, companies won’t be able to identify the source of their losses. As CSIS observes, “The man whose bicycle is stolen knows exactly what he has lost the next morning. The factory owner whose bicycle plans are stolen doesn’t know he’s lost anything until his competitor’s bicycle reaches the market.”
As companies become more aware of intrusions that are resulting in the theft of IP and other proprietary data, they’ll likely increase the resources they commit to fighting them. And as national governments become more aware, they will reassess the damage that cybercrime does to their own economies — damage to trade balances, national income, and employment. Then, they too will increase the resources and regulations devoted to combating it.
Confidential Information, Market Manipulation
Besides stealing IP, hackers can also gain access to confidential information businesses have about their customers and about their own operations and strategy. The Target breach last Christmas falls in this category. Such data is not always easily monetized by the criminals who steal it, but they’re getting more capable in that regard, and the cybercrime ecosystem is developing middlemen who specialize in buying data from thieves and monetizing it. Stock market manipulation is another potential growth sector for criminals, who could leverage confidential business information about performance or potential mergers with little risk of being caught. Again, as companies become more aware of the presence of hackers in their networks, and more capable of evaluating the potential damage of their activities, they’ll be more eager to deploy resources to counter the threat.
Industrial Internet: More Targets
We noted in our article above on the industrial internet that we believe this sector — the “internet of things” focused on industrial efficiency rather than on consumer-facing applications — is poised for dramatic expansion. Of course, that expansion will provide exponential growth for cybercrime targets, both in terms of data theft and potential cyber-espionage and terrorism. The growth of the industrial internet will also bring huge opportunities to cybersecurity firms.
Who Are the Criminals? Gangs and Governments
In May, the Obama administration caused a small international tempest by indicting five Chinese citizens for hacking American corporate networks — and allegedly the five were members of a cyber-unit of the People’s Liberation Army. Administration sources noted that it was the blurred line between private and state actors in China that made the U.S. feel an obligation to respond. These revelations, as well as Wikileaks and the accusations of American fugitive Edward Snowden, show that governments are active in cybercrime at high levels.
And governments are not the only operatives with significant organizational size and capacity who are active cybercriminals. CSIS quotes an unnamed European intelligence officer who claims that there are 20 to 30 cybercrime groups operating from the territories of the former Soviet Union who have “nation-state level capacity.” The realization is beginning to sink in to both state and corporate actors that (1) networks are more compromised than anyone has realized, and (2) the adversary is becoming increasingly organized and well-funded — either working for foreign governments, or approaching them in scale and sophistication.
As government and industry awareness grows that the threat is bigger than has been thought — and therefore that the damages are greater than has been realized — more resources will flow into cybersecurity.
Investment implications: Next-generation cybersecurity firms will benefit from increased private-sector concern about the scope and costs of cybercrime. Defense contractors with strong cybersecurity programs will benefit from policy shifts that occur as government becomes more aware of the economic and political impacts for the U.S. economy and U.S. global interests. The stocks of these companies sell at high valuations — wait for market corrections to get involved.