E’ possibile valutare, con un buon livello di affidabilità, il costo del cyber-crime e del cyber-espionage? Ma soprattutto, è possibile valutarne l’impatto economico ovvero l’effetto sulla competitività, la tecnologia ed il commercio? Il CSIS e la McAfee hanno provato a ragionare su tali questioni con un report scritto da James Lewis e Stewart Baker: “The impact of cybercrime and cyber espionage“.
Il documento è un ottimo punto di partenza per un’analisi seria della “minaccia cyber”. In particolare evidenzio un passaggio dedicato al cyber espionage che aiuta a cogliere le connessioni tra spionaggio economico, difesa e sicurezza nazionale. Scrivono i due esperti:
Companies have likely underestimated the risk they face. Some companies believe that the damage from espionage is tolerable, part of the cost of doing business in the world’s fastest growing markets, and that they can “run faster,” to create new technologies and so minimize any loss. There may have been an economic rationale for this, in that for an individual firm, there are near term gains. But illicit technology transfer, even if the technology is dated by US standards, accelerates military modernization. It accelerates improvements in indigenous industrial and technological capabilities, making the recipient better able to absorb stolen technology in the future and produce competitive products.
Companies risk losing not just their strategic advantage, not just intellectual property but also customer lists, their competitive analyses, and sales data.
The dollar value of malicious cyber activity may understate the actual damage if there is a “multiplier effect.” There are proponents of government funded research who argue strenuously, albeit self-interestedly, that a dollar spent on research produces more than a dollar of economic benefit. If this is true, the multiplier effect for cyber espionage could produce more than a dollar of benefit for a foreign competitor. If this is accurate, the lost of $20 billion in intellectual property translates into a much greater benefit for the acquiring nation.
But this is uncertain ground, as the estimation of a multiplier effect remains in dispute in economic literature. Some economists assert that one dollar spent on biomedical research, for example, produces two dollars in benefits. Other estimates by critics of the multiplier effect suggest that one dollar in spending may have a multiplier effect of only 80 cents or even less.
As noted earlier, another difficulty lies in quantifying the dollar cost of damage to national security.
First, there is a link between cyber espionage and the development of cyber attack capabilities. Cyber espionage provides, if nothing else, knowledge of potential targets and training for attackers. Second, there is a link between cyber espionage directed at commercial targets and cyber espionage targeted on military technology. It is often the same actors pursuing a collection plan that targets both military and commercial sources. In the US, for example, a strong case could be made that there has been extensive damage to the US lead in stealth, submarine, missile, and nuclear capabilities. We cannot accurately assess the dollar value of the loss in military technology but we can say that cyber espionage, including commercial espionage, shifts the terms of engagement in favor of foreign competitors.