There was an important point in last week’s report on foreign economic collection and industrial espionage that I did not have a chance to get to in my original post: there are no reliable estimates of how much cyber espionage actually costs the U.S. economy. As the report notes, estimates from the academic literature on the losses "range so widely as to be meaningless"—from $2 billion to $400 billion or more a year.
There are many reasons why the data is so bad. Companies don’t know they are being hacked so they don’t report it, or they do know it’s happening and they still don’t report it because they are afraid of getting sued or damaging their reputation. Much of the data on cyber crime comes from surveys, with the victims self-reporting how much damage they thought was done. Damage might mean the cost of developing the stolen information or loss of future revenues and profits. And these same surveys are often conducted by security firms that benefit from hacking being seen as a widespread and serious problem.
In the context of Sino-U.S. relations, there is also the question of how much technology is already lost through legitimate technology transfer, indigenous innovation and other policies designed to force technology transfer, and China’s failure to protect intellectual property rights. Is the damage from cyber espionage significantly more than what is already occurring? Is the technology G.E. reportedly lost in attacks coming from China-based hackers worth more or less than the technology involved in its avionics joint venture with a Chinese state-owned enterprise?
The lack of reliable data makes it very difficult to design good policy. It is hard to justify costly investments in better security when nobody knows what the losses really are. Moreover, the lack of data also makes it hard for the general public to have any sense of how serious the problem is and to knowledgeably participate in debates over cyber policy. As Dan Geer, chief information security officer of In-Q-Tel, puts it: "unless and until we devise a scorekeeping mechanism that apprises spectators of the state of play on the field, security will remain the province of 'The Few'." This is not good for democracy, and it also means, to use Geer’s phrase, that "security expertise so outstrips supply that the charlatan fraction is rising."
Geer goes on to quote Lord Kelvin:
When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the state of Science.
That may be the most important take-home from the Office of the National Counterintelligence Executive report. Not only do we have to increase awareness of the threat, but we also have to begin to think about how to measure it.