(must have spent it on insecure software…)
Dark Reading: Insecure Software Costs US $180B per Year, according to David Rice in his book, Geekonomics. [Me: I wonder how he came up with that?]
Here’s the nut graph from the Dark Reading article:
He estimates that the actual cost of insecure software to
the U.S. is at least $180 billion per year, although he acknowledges
that such numbers are "soft." He based his estimates on other numbers
– including a recent General Accounting Office report that says the
U.S. cybercrime market is around $117 billion — as well as other
reports, such as estimates of worldwide phishing operations of $350
billion per year.
Here’s the pertinent part of his book (p. 37):
In the case of software, the National Institute of Standards and Technology (NIST) the cost of inadequate software testing cost the United States roughly $60 billion, which is just under 1% of GDP. This cost does not account for other social costs associated with software usage such as cyber crime and related identity theft, however. A 2007 report by the Government Account [sic] Office (GAO) estimated cyber crime costs the U.S. economy approximately $117 billion a year.
Given that $117 and $60 make $177 ~ $180 billion, I am going to assume these are the sources the DR article (and other parts of the book) reference:
- The NIST study in 2002, which was actually done under contract by RTI: Economic Impacts of Inadequate Infrastructure for Software Testing.
- The $117 billion estimate, which actually comes from an article written about the GAO report in E-commerce Times: Cybercrime Costs US Economy at Least $117B Each Year. The GAO report itself is available as well: Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats.
Though I’ve been known to employ my own back-of-the-envelope estimates on occasion, I have a number of reservations about the approach employed by Geekonomics:
- The RTI study employed interview techniques and included all faults, not just security-related ones. In addition, the estimate was actually a range from a "feasible" $23 billion to the $60 billion identified in the book.
- The GAO report is all secondary research; it simply aggregates the information from other studies. The $117 billion amount was derived from 3 of the identified reports totaled together. One main source for the $117 billion ($67.2 billion) was the 2005 FBI Computer Crime Survey. This survey includes, for example, losses associated with laptop/PDA theft that were not caused by "insecure" software.
- The second largest report cited by the GAO is an identity theft report that cites $49.3 billion in losses. Unfortunately, the full report costs $2500 so I could only work with press reports. In any case, to source identity theft of all types back to insecure software is a huge leap. In at least one account (the "consumer version") only 2% of the incidents are Internet-related.
- Btw, I believe all of these numbers (certainly most of them) are for the U.S. only.
I don’t know if this number is too high or too low, but I do know that this estimate doesn’t get us any closer to knowing the true cost of insecure software.
Great post. You’ve hit upon what I anticipated to be the most frustrating part of writing (and reading) Geekonomics and something I’ve been clear about both in the Dark Reading article as well as in other venues: the numbers about the real cost of insecure software are soft. As such, I spend little effort defending this number.
It is an area I knew, deep down, that would be most controversial and most distracting aspect of the book. Unfortunately so. As I state in Geekonomics, “The real cost of something is not always measured in money. The real cost of something is what you have to give up in order to get it.”
Insecure software communicates an unmistakable message of disorder into cyber space: no one is in control of software. Not manufacturers. Not consumers. And certainly not governments. Lack of order imposes a cost. So the real cost is not a dollar amount; it is in the threat to national and economic security. Vulnerabilities in software are being exploited, and rampantly so. To focus primarily on the dollar amount, is helpful, but misses the point. That said, I put the number out knowing the possibility for distraction and you are being more than reasonable to challenge the number’s accuracy.
Somewhere in the muddle of hype and deflation are the “real” numbers. From my conversations with journalists and industry experts, the cost of insecure software is somewhere above $100 billion (US only); this much we know (or at least this number was felt to be “about right.”). So $180 billion is not unreasonable, but it is a reach to state this number, or any number on the subject, with any level of confidence. Talking about, and getting reliable numbers on insecure software is like talking about sexually transmitted diseases: we can see the effects but very few actually admit to, or are even aware of, their contribution to the problem. Similar to the stigma associated with sexually transmitted diseases, there is also a bevy of circumstances in the software market that cloud both the collection and reporting of numbers. This is a shame. And the reality. The greater upset perhaps is not so much that $180B may be soft, but that we have no idea by how much.
But there is a glimmer of hope that only appeared after Geekonomics went to print. The Department of Justice received a report from RAND Corporation last year from an in-depth study on cyber crime across 8,000 companies. This report is not public, but should be made public by DOJ early in 2008. This is good news. RAND promised that the participating companies would get sanitized data about their individual industries outside of what was in the public report (which was the incentive RAND used to promote participation in the first place). This potentially means that anonymity, and the subsequent freedom from stigmatization, might indeed provide more reliable numbers, if only from a limited subset. But given that a 2003/2004 CIO report (just prior to the time period of collection for the RAND data) showed that only 12 percent of surveyed companies (approx. 5,000) had a reliable way of quantifying their losses due to exploitation, hope might need plenty of salt.
Your analysis is a welcome addition to the discussion. Thanks so much.
I have been asking the people at RAND for the last year asking about the availability of NCSS data. From what I read at the site, this study has the potential to be one of the best we have, but I share your fears concerning the lack of real loss numbers.
http://www.ojp.gov/bjs/survey/ncss/faq.htm
says that:
“a restricted-use data file will be made available for research purposes only. It will be carefully scrubbed of all identifying information so that the individual companies’ identities and responses will be protected.”
Hopefully, they won’t be jerks about defining “research”. Maybe I still have some letterhead from grad school…
Runaway Numbers
Freedom to Tinker has an excellent post on journalistic skepticism. I agree wholeheartedly that numbers can take on a life of their own — it concerns me even more because it is a real downside of estimates and measurements, of which I am a huge advoca…