 Hi, good morning. My name's Jim Lewis. Welcome to CSIS and our shiny new building. Well, it's not that new anymore, but it still feels new. We have a really good group today. We're going to go over the report that McAfee is releasing, that all of us worked on, on the cost of cyber crime. It's a global estimate that follows the report we did about a year ago, looking just at the U.S. and coming up with a model to estimate this. So we'll open with Tom Gann of McAfee here in Washington, who will introduce us and make some opening remarks. Thanks. Well, hello. It's a pleasure to see you all bright and early this Monday morning, and we're very excited about this report. We're very excited about our panelists here. What I'd like to do today to briefly tee this off is first to talk a little bit about why McAfee has supported this type of research in the past and this kind of research today. And then I've got the great pleasure of introducing a very distinguished panel. So first, why did we support this study? CSIS has consistently come out as the leading think tank in the world on national security matters. Indeed, the University of Pennsylvania every year puts together a very significant research study evaluating the think tanks throughout the world and thinking about which think tanks truly have distinction in particular areas. CSIS consistently ranks as number one. So what we wanted to do was, again, work with the top think tank in the world that has an understanding of national security matters. And it actually goes beyond that. CSIS has got a strong in-house team of economists, a strong network of economists that they work with on a global basis. And for us, this was essential. This study was all about, first and foremost, focusing in on the true cost of cybercrime and using sophisticated econometrics, using sophisticated statistics to derive valid estimates of the genuine cost of cybercrime and the implications for the global economy and policymakers. 
For us, a study of this kind is all about getting to the truth. It has far less to do with the aggregate numbers. It is all about doing valid academic research to inform the public debate so that policymakers and business people can act with conviction and act based on useful and valid information. Now, in terms of our research team, Jim Lewis is a senior fellow here at CSIS. Many of you here in Washington know him. He has been one of the truly distinguished scholars in the field of cybersecurity and national security for quite some time, having led substantial policy reports informing the president on the future of cybersecurity in their well-received 44th report. He's held distinguished positions in government, both at the State Department and the Commerce Department and also holds a PhD. Paul Rosenzweig has similarly had a distinguished career both in government and also in academia, having served in the administration as a deputy assistant secretary for cybersecurity policy, having published numerous impressive works on cybersecurity and acting today as a professor of law and a lecturer at George Washington University. Now Stuart Baker is an old friend. He had been the assistant secretary of cybersecurity in the Bush 2 administration, had served earlier as the general counsel of the NSA, and has had a long career at Steptoe & Johnson as one of the leading international policy experts and international lawyers with a focus on national security at Steptoe & Johnson. And finally, Scott Montgomery, a colleague of mine, is our Vice President and CTO for public sector. He's had a long career in the technology field, having served in policy roles, having served in technology roles, sales roles, and prior to coming to McAfee, having been the lead architect and visionary for Secure Computing, a very impressive firm doing web technology and firewall technology focused on security. 
So without further ado, I'd like to present Stuart Baker who's going to be here to provide the high level findings and then we'll have a good panel discussion and then we look forward to strong questions and an informed debate from our, you know, wonderful guests. Thank you. Thanks, Tom. Jim and I will try to do this together, but I'll lead it off. I think that means I get to play Gracie Allen to his George Burns. And I'm looking forward to that. So let me just start, I'll just walk through this slide by slide and let Jim provide color commentary. The key findings from this report are that the global cost of cybercrime is, depending on how you extrapolate it, between $375 and $575 billion annually. We settled because our mid-range extrapolation was $445 billion. We have settled on that as if you need a single number, that's a single number. But very broadly, the range could easily be between $375 and $575. We also took a look at the job impact, which was pretty significant in the U.S., 200,000 jobs annually lost as a result of cybercrime, and in Europe, about 150,000. We didn't try to do a global number, in part because in some of these cases, there are jobs gained in black market and other fields that we were not going to be in a position to estimate. And then, probably just as important as we were doing this analysis, we relied heavily in the end on assembling all of the studies that had been done in national markets on the cost of cybercrime. And I think what we found is a remarkable variability in the number, and maybe more importantly, the quality of the national estimates that had been prepared. Many governments just don't do a good job of producing data. And that led us to the conclusion that the overall estimates are probably because of underestimation on the low side. One thing to bear in mind is that the job loss might actually be a shift from high wage jobs to low wage jobs. So that's part of what we found there. 
It's not that this is a net loss to the economy. It's that people move from high income jobs to lower income jobs as a result. Many governments do not produce good data. Many governments don't produce any data. And so that was one of the problems. We found data for about a third of the countries in the world. And in many places, some were startling. Indonesia, Argentina, Korea, big economies didn't really have any good data. So that was a shock. So moving on to the remaining key findings, the cost of cybercrime is going to continue to go up, barring some miracle of cybersecurity innovation and investment. There are going to be more businesses online next year than there are this year, and mobile networks have not yet been fully exploited for cybercrime purposes. And the Internet of Things, the mass deployment of sensors across the globe using operating systems that are known to have flaws and which are almost impossible to patch in many cases once they're deployed. All of those things create new opportunities for cybercrime. So it's hard to believe that there won't be growth in those areas. And the companies that are getting all of this stolen data are gradually going to get better at using it, figuring out how to exploit it effectively. And then we see, and this is an interesting insight, we see the growth of cyber espionage or cyber theft of intellectual property as best seen as a tax on innovation, something that dramatically reduces the return on innovation for people who do research and development. And it's an eating of the global seed corn in many ways. The companies that invest in R&D are not going to get the benefit and therefore are going to invest less in R&D. The companies that get the benefit of stolen IP will never learn to innovate. And eventually when they run out of other people's IP, they too are going to hit a stall. And so it's going to be bad for everyone in the long run. 
Yeah, I think the issue that we came up with, and this is one of the reasons you got a range of estimates from people is, and it's important to note this builds on our first report, and it actually builds on a prior report we did for McAfee on critical infrastructure. What people take and what they get, and I know this is in the report several times, are not the same thing. So you might steal a billion dollars worth of intellectual property, but you're only able to monetize perhaps 10% of that. And we know from the huge data breaches that hundreds of thousands of people will lose data, but the criminals will only be able to turn a small percentage of that into actual monetary losses. That was interesting in a couple of ways. First, data breaches turn out to be global. I didn't realize that every developed economy has huge data breaches involving tens of thousands, if not hundreds of thousands of people. Second, one of the things that we decided was worth watching is the ability of criminals to monetize what they take. Easy to hack, easy to take information, hard to turn it into money. And so I think what we're looking for is what's the variable when it will be easier to turn stolen information into actual money and get monetary loss from it? So let's start down into the methodology we use to estimate the cost. And here, these are the numbers I gave you at the top of the discussion, 375 to 575, 445 is a rough midpoint. The explanation for that swing is that we discovered that there was a substantial difference between the percentage of GDP that developed countries were losing to cybercrime and the percentage that developing countries were losing to cybercrime. There's a variety of possible explanations for that. But it is a widespread phenomenon. 
And so the question of estimating global costs where you don't have data from every country, that problem requires that you make a decision about how much of an adjustment you're going to make and where you're going to make it. And the midpoint that we arrived at was essentially saying, let's regionalize the data and let's assume that various regions, which often are characterized by similar or roughly similar levels of development, have roughly similar GDP losses. And when we extrapolate the numbers that we had regionally, the 445 is the number we arrive at. And as I said, overestimation is certainly possible, but we think underestimation is much more likely. Victims don't report their losses. Maybe they don't even know they've lost something. This is certainly true with intellectual property, as we said in the report. If somebody steals your bicycle, you know it the next morning. If they steal the plans for the bicycle you plan to build in a year, you may not know that until their bicycle comes online at the same time that yours does. So there's a substantial lag in identifying cybercrime and its costs. And in many cases, the losses are almost impossible to monetize, such as military advantage. It's a little hard to put an exact price on some of those losses. One of the surprises in this report was that for the countries where we were able to interview people, almost all of them reported difficulty in having victims admit to their loss. And so this is just a rough number and it's not in the report, but maybe half of the companies that get hacked don't tell the local police. Where the local police don't have the time to pursue more than 40%, 50% of the cases they get. Routinely, we heard from police forces in European countries and Asian countries that they were overwhelmed by the level of cybercrime. 
They didn't have a good measure on it, but that overwhelming thing is one of the questions we had that said, well, maybe this was an underestimate if police across the world are telling us they can't keep up. What does that say about cybercrime? So in terms of estimating costs, from a jobs point of view, we came up with the 200,000 and 150,000 jobs figure by looking at export driven GDP gains and back calculating to the job implications of losing export jobs, which we thought were the kinds of jobs that R&D tends to drive. And you'll see there the GDP impact that we estimated, particularly in relatively developed countries, about one half to a tenth of a point off of GDP in any given year. Yeah, the part that was interesting was that not surprisingly, richer countries tend to lose more, right? And it could be that because they have more money, that's where cybercriminals focus their efforts, better return on investment. It could be that they're more involved in intangible goods and products that are easy to steal through hacking. But that was the difference here. We were a little surprised at the spread between high-income countries and low-income countries. I think the lowest, the least developed, the losses were on the order of 0.2%, right? Yeah, with the caveat that we went through, that's true, but you'll see in the report, we gave them high, medium, and low confidence about how good we felt about the numbers. And the majority of numbers, maybe a quarter of the numbers we didn't have really high confidence in, and those tended to be the low-income countries. Not entirely. There were some high-income countries. It was really kind of a surprise. You'd ask the national police officials or the intelligence officials, do you have an estimate of the losses, and they would say no. So that was a shock. Well, that takes us to the point that cybercrime data is highly variable. 
And as an example, I think of a developed country that produced a very low number, the number we got out of Japan was on the order of what, 0.02% of GDP, a billion dollars, which just didn't match up with what China was experiencing, the U.S., Germany, Europe as a whole. None of those numbers were anywhere near as low as that. In fact, that was probably one-fiftieth of many of the losses on a GDP basis, which dramatizes, I think, the need for better, more consistent data. And, of course, we've sort of talked about underreporting already and the difficulty of getting governments to adopt good numbers. You know, one of the reasons we keep harping on this is our sense that if governments were producing an accurate estimate of losses, it would have an impact on government policy, as well as the policies of companies that take their cue from government, and the, if governments produce numbers that underestimate the loss, there's a tendency on the part of companies to say, well, it can't be that big a problem. Yeah. So I keep referring to the first report we did, because it did a lot of the spade work for this report. And in that first report, we dealt with the issue of can you value intellectual property? And so one of the things you hear sometimes is, well, we can't put a value on intellectual property. Therefore, we can't come up with an estimate for the loss of cybercrime. And one of the review sessions we had, we had a number of lawyers whose job it is to value intellectual property. And they said, no, this is something we do every day. It's part of a how you value a company. It comes up in mergers and acquisitions. So it is possible to value IP. One of the reasons for the range in estimates is, depending on the assumptions you take, you come up with different numbers. And so talking to these lawyers, talking to some of the M&A people, not the usual community, we tried to pick a middle ground. 
But it is possible to value IP, and that's discussed at length in the first report. The other thing we did, building on the work in the first report, is we came up with a predictive model. It's really basic, and it just basically says, if this country suffered the same level of loss as what every other country like it seems to suffer, what would the number be? And that's actually the high estimate that you saw there, that the predictive model said this is how much they would lose. And in many cases, we found countries that were reporting very low losses when the predictive model said if they were like everyone else in the world, the losses would be much higher. And so either they have a miraculous cyber defense capability, which we found doubtful, or they're under reporting. You know, one of the things that we did to sort of validate our assumptions about this was to look at the losses for other kinds of activities such as narcotics trade, software piracy, maritime piracy. Things where the global economy functions, we recognize that these losses are bad things, but we have learned to live with them as something that is more or less under control. And many of those losses from those things down to shoplifting and pilferage fall into a range that's in the neighborhood of one half to one and a half percent of the economic activity. So let's just talk about how we broke down the cost of cyber crime. This is a little more conceptual. We didn't build up our estimates, but we did look for all of these elements to be included in the national estimates that we relied on. Innovation cannibalism, loss of IP, this is a major category and very difficult to actually put a good number on. Although I think when we finally started actually calculating what the impact of cyber theft might be, it looked as though it might be reducing the return on research and investment by as much as 50 percent. It's a very significant hit. 
In addition to that, we looked at financial crime, which is easier to measure if you can get people to tell you about it. That is to say losses in actual dollars. Confidential business data market manipulation, this is a sophisticated form of financial crime, I suppose. And it ranges from targeting your merger and acquisition counterparts to find out what their best offer is and to hold them to that offer to trying to find out who is engaged in merger negotiations so you can bet on their stock. All of that happens and it's often quite difficult to identify the crime. In fact, if you identify the insider trading, you're likely to be able to punish the actors. If you can't tell it happened, then the crime is successful and the cost does not get measured. Opportunity cost, things that you could have done online with information technology that people are simply afraid to do. Reluctant to put information in the cloud, reluctant to use the internet of things, reluctant to get the best out of mobile technology precisely because of legitimate fears of exploitation. And then finally what you could call recovery cost, which is what does it cost you after you've suffered an intrusion? What do you spend on your incident response, on upgrading all of your security, on providing a variety of credit monitoring to the victims of the cybercrime, etc., etc. So those are the elements that we looked at as legitimate cybercrime costs. Yeah, and we were helped in doing this with some good work that other people had done. Ross Anderson at Cambridge did a review of cybercrime costs in the UK. He looked at a smaller category of losses than we did, so his numbers were different. But we threw more things in, including recovery cost, opportunity cost. The Ponemon Institute has done a good survey of recovery costs around the world. That was kind of interesting because what we could find in what the Ponemon survey said is that the recovery costs are highest in the US. 
And we couldn't explain that, but maybe because there are just so many lawyers here, I don't know. So you found a range of recovery costs that was different. One of the things we tried to measure, it looked like from our first study and our second study, is that the loss from the theft of intellectual property is increasing. There's usually a lag, so you steal the plans, it takes you a few years to build the things. It used to appear to take somewhere between 7 and 10 years to exploit stolen IP on average. And now it appears to be less, maybe 6 to 8 years to exploit the stolen IP. So that was one of the reasons we said this is a conservative number, costs will grow in the future. Finally on opportunity costs, and we have really good data as one of the appendices on spending on cybersecurity and what people are spending on. And so a good way to think about opportunity cost is these are resources that people could have used for something else. There's just the fear of doing things on the net, but you're spending hundreds of millions as a nation or even billions of dollars on defense because of this heightened risk that you could otherwise spend on more productive activities. So that was one of the better parts of the research, I think, is that the recovery costs had a... One of the differences between our first report and this report is we assigned a higher share to recovery costs and opportunity costs than we did in the first report. And then let's close out the presentation with the future of cyber crime, which not surprisingly we assessed it as a growth business with more and more people coming online, especially in developing countries with new infrastructures to exploit. Our assumption is that even if losses stabilize in developed countries, they will continue to grow in developing countries as their online populations grow. And more likely losses are not going to stabilize in developed countries, they're going to continue to grow. 
So we see a lot of opportunity if you're looking for a future business line, cyber crime certainly looks as though it's going to continue to pay off, and we're going to have continued losses. Yeah, that about sums it up. Yeah. So with that, Tom, do you want to take over? Thank you. Probably helps to turn on the microphone, right? So, nice job on the report, nice job on the analysis. I want to take a few minutes to talk a bit about the implications of the report from our point of view. You know, reading through the report and the depth and the complexity of it, I think some really important implications come out. The first thing is the degree to which this is an extremely dynamic challenge. You know, one of the really interesting questions is at what point does a tipping point truly occur where cyber crime transforms itself from something that is an acceptable loss, something that is really the cost of doing business on a day-to-day basis to something that is transformative to a challenge that tips to the point where the world changes and the response changes. That's an interesting theme that I think we'll talk more about in our panel. In terms of our big takeaways where we sit at McAfee, the first one is on the need for enhanced investment in public-private partnerships. It's clear that there's a challenge in terms of getting good data. One way to address that data challenge is to enhance the partnership between the private sector and governments worldwide to report on cyber crimes, cyber attacks when they occur, to work together to truly analyze how those attacks were propagated and what can be done about them. Following on that, to enhance public-private partnerships there is the need to improve real-time information sharing, leveraging technology and other capabilities to enhance the kind of information sharing that can occur in real-time. 
Cyber attacks can occur in seconds, can occur in minutes, though it may take months or even years for an attacked organization to understand that they were attacked. So doing innovations on information sharing, leveraging best practices and technology we believe can make a difference to improving reporting and improving responses. Thirdly and finally, I think a clear implication is that organizations both in the private sector and the public sector need to look at best practices on how they secure themselves. What we tend to find and I think what the research tends to show is that organizations that think about security in a holistic way, developing a high-level strategy, putting in place the people, processes and technologies necessary to defend themselves end-to-end, generally protect themselves the best. And organizations on the contrary that don't put cybersecurity at a sufficiently high level in the organization, don't invest in the right people, processes and strategies are the ones that tend to suffer the greatest losses. Now, I think so often with these reports, much of the value comes in a deeper discussion from a distinguished panel, which is something that we'll do right now. And I've got the great privilege of asking some questions. You know, firstly, I'd like to ask Jim Lewis, a lot has been made about the question of the aggregate numbers and the question of the job losses. You know, can you shed some additional light on the methodology used to derive those estimates? Sure. And Stuart, jump in when you get a chance. We started out by looking for open-source data on losses at a national level. And we found data for, I think it was 58 countries of mixed quality, but we said, what do people say they're actually losing? And in most cases, we found a couple estimates, a high estimate and a low estimate, or in some cases, a ridiculously low estimate and a ridiculously high estimate. We just took that as a start. 
We then looked for confirming data to see how likely is it that the number we got at a national level was accurate. And that was a surprise in that the number of incidents on a global basis is, just if you totaled up the anecdotes we found, you would be in the billions of dollars. We then came up with the data we found and with the work in the first report to develop a predictive model so we could say, here's the number we found. Here's the number that would be predicted by the model. How close are they? And what was the fourth step? I think we then... We talked to a bunch of experts. We interviewed actually officials in about, I think it was 18 countries and said to them, what do you think the losses are? What's your estimate? How do you do this? And got a range of answers. So we got a lot of help from foreign partners, mainly in Europe and in Asia. And using all those things and putting them together, we came up with the number. Can I ask a question? Oh, absolutely. About the methodology, because it's interesting and this is... Tom, can you hit your button? Yeah. And this is actually, I asked you this outside. Last year, a congressionally chartered commission, the Commission on the Theft of American Intellectual Property, put the annual IP-only losses, so just one of your six categories, at something like 300 billion in America. And obviously, if that's the case, then 455 globally for everything is too low. So I was wondering what distinguishes the way you estimated it from that and how do you account for the difference? It's kind of a natural question. Okay. I guess I'm stuck. Stuart, this one's for you. So some of it is building off our first report, which we were fairly comfortable with the theory that losses in the U.S. were about 100 billion. Again, a range, because this is a model. So we said U.S. losses are somewhere between 90 billion, 120 billion. And again, we picked a middle figure as the most likely. 
I think that the context of if you look at other huge global transnational crimes, other transnational crimes, 300 billion would be excessive. The real difference, I think, is both the assumptions going in and the difference between what is taken and what is actually monetized. So you've had a number of people, including General Alexander and others, say this is the greatest transfer of wealth in human history. And if you're counting the value of what's taken, that's a true statement. So a company might spend a billion dollars on R&D. If you count the actual losses, though, it tends to be smaller, because a billion dollars of R&D taken by someone doesn't translate into a billion dollars of gain. They have to be able to monetize it. And so I think that's the main difference is that, and this was actually Stuart's line, you know, if you lose a $500 bicycle, the thief may only resell it for 50 bucks on the black market. That same thing happens for cyber crime. And if somebody can steal all of your IP, you spent $50 million developing that IP, you could legitimately say it's worth $50 million. But if the guy who stole it never brings to market a product that actually hurts you, then you haven't lost anything like the $50 million. You know, one of the really interesting issues in the study of economics for sure is the question of tipping points. You know, how do things change and what are the implications for that? I mean, it's clear from this study that the ability to make use of stolen intellectual property today seems rather limited. Will that be true in the future as countries and organizations become better technically, become more capable from a manufacturing point of view? You know, Jim or Stuart, what's your point of view? Yeah, we think that they are going to get better at doing this. It's not surprising. They've got a flood of data now and they're just sort of, in many cases, just picking through it, trying to figure out how to deal with it. 
But as with any IT innovation, people learn how to use it more effectively over time. And so, you know, there are just questions. If you steal a whole bunch of IP from somebody, how do you get it to people who can use it? And are those folks set up to do it? And as they begin to see value in it, the people who get it are going to start having specialized teams, whose job is just to research information in the language of the victim company. And you'll learn tools like, do you create a database, a sort of mini WikiLeaks, and make it searchable? How do you make it searchable? Who does the searching? All of those are things that cyber thieves have to learn in the context of stealing IP, and they are going to learn it and they're going to get better at it. Tom, there's also no disincentive. As we saw after Operation Aurora in 2010, the largest intellectual property theft in history. Exabytes and exabytes of data being exfiltrated from some of the largest companies in the world, both high tech, heavy industry, etc. Only two of those companies, Google and Adobe, admitted that the theft had occurred at all, although 50 had literally exabytes of data exfiltrated from them. So on the front end, we're not going to admit that we had a problem from these companies as the report notes. Then on the back end, there's a lack of disincentive with respect to literally millions of lines of code in many of the examples being available to the cyber criminals without there being any repercussion for using them. Scott, you work with many organizations around the world on protecting themselves. Given the implications of the report, what are best practices that you see that organizations are engaging in to protect themselves? I thought a lot about this after reading this report, and one of the things that struck me is in the first half of the 20th century, am I the only guy here in that echo? Is it bad? Is it really bad? Go? Okay. 
In the first half of the 20th century, you would take your cash to the bank, and you could point to it. It's in that vault right over there, $100. Well, there's no notionality of location, and I think this is something that 21st century companies have failed to recognize. Well, where is this asset? It's behind our firewall. Well, that's a ludicrous notion. If you've enabled the asset to be seen from the internet, there is no behind, and there is no network. It's simply an asset that's available on the network. So what I'd like to see companies doing and what we advocate at Intel is to be more data-centric. There is an absolute value to each piece of data within the organization. And to date, only the adversaries and cybercriminals have done a good job of creating the valuation for that, because they pick their targets very carefully, don't they? So I'd like to see us become a little bit more data-centric, and I'd like to see us look to... The attackers need to find one way in. And in the case of the retail breach, it wasn't the point of sale register. It was the HVAC system, which enabled them to go in and move laterally. Does that mean you should spend millions of dollars on HVAC protection? No. What it means is we need to properly identify the risks and make expenditures according to those risks. And we're doing a poorer job of that than the adversaries are. Paul, you've had the great privilege of working in government, thinking about how organizations should protect themselves. What are sort of stories of successes or stories of challenges that you saw in your tenure in government? I want to hear the successes. The biggest success was working for Stuart, so there you go. Government is a difficult participant in this debate. It is insufficiently nimble and overly hierarchical in a domain that is extremely distributed and dynamic. 
I think that government's best successes come when it sticks to the things that it does best, serve as a conduit for information sharing, perhaps as a purveyor of information that it is uniquely in the possession of through classified means and methods. But it does have some competitive advantage in that it is capable of acting in ways that some private sector actors are not presently permitted to, at least not in the United States. Of course, overseas some of those barriers seem to disappear. Where it, I think, gets into difficulty in some of the failures, the modes that I would say, is when it tries to see itself as the decider, the regulator, the setter of standards. It does that poorly and slowly. I'm a big fan of the NIST cybersecurity framework. I think the people who were set to that task did a great job. I think that it sets a kind of bare minimum standard that doesn't really address a lot of the advanced threats that we see today. So in the context of what you've been talking about here and what the report says, I think that one of the really important roles that we might consider for government is to increase and enhance its ability to collect and disseminate accurate data about cyber crime. You know, even reports like this are at best based on estimates, surveys, and the like. And what we know from traditional kinetic crime is that you address what you measure and that we invest more resources in things that we start to measure better, whether it's murders in Washington D.C. or sexual assaults on campuses or whatever. And to date, we have done very, very little as a government in either incentivizing, or dare I say, even requiring reporting of breaches that have adverse effects. It is the case that most companies won't admit it. They're not obliged to and there's plenty of incentives for them not to. 
Beyond that, I would think that government's best role would be to kind of get out of the way of the private sector in terms of actual activity in developing new tools to combat cyber crime because I don't think that they are quite nimble enough to do that on a really consistent basis. Does that kind of answer your question? Tom, I'd like to pull that thread a little bit and echo that we spent a good portion of the 2000s in government in particular, but also the private sector working on compliance reports, whether it was FISMA or whether it was HIPAA or whether it was PCI for the credit card companies. But there's no correlation between that printed report and an information security posture. Your organization's security posture has very little to do with that printed report moments after it's printed. And I think one of the things that's going on, particularly in government, where government is actually taking a lead position, is at Homeland Security in its continuous diagnostics and mitigation program, where they're saying the fact that you measured a month ago is not relevant to your security posture now. You need to be aware and basing your decisions risk by risk as they occur, not when you decide to measure. And I think that's one area where government's actually setting a bar that's a good bar to set. The other thing I think that's interesting is the government, in this case the state of California with its SB 1386 bill, did a fairly good job of saying we're going to force people who want to do business in California to report these particular things as it relates to the privacy of consumers who are breached. But there is no corresponding legislation or bills, even in progress today, where companies are forced to disclose this, and in particular public companies. And this is something where I think government could say, wait a minute, what's good for the goose is good for the gander. So if I could just jump in on the government role. 
I spent two hours recently at a dinner with some of the smartest people in this area talking about the government role. We covered a lot of the topics that you all have covered here. And at the end I said, you know, I feel as though I was sitting in a meeting of the chief of police and his aides talking about some massive new wave of street crime. And the question was, well, could we share information about the crimes that are being reported to other people to tell them what kind of body armor they should buy when they go out on the street? Or maybe we should actually ticket them if they don't have the right kind of body armor and they haven't got up to date body armor. And I said, Jesus, you know, the role of government is to find the criminals and make them pay. And we have not done enough of that for a variety of diplomatic and other reasons. This is one of the reasons I welcome the indictments that the government has brought because it shows that that spirit of finding the bad guys and making them pay isn't dead and the government hasn't given up on some creativity in finding ways to bring the pain. You know, I think Paul used to suggest that this had something to do with my Scots-Irish heritage. But I don't think the government spends enough time on that question. How do we find people and then how do we persuade them that they should choose a different line of work? Well, the other thing that is apparent is that we've got some very distinguished members of the audience. You know, and we've got about 10, 15 minutes to go. I'd like to reserve time now to receive questions from the audience. A young lady in white. Hi. I'm Dr. Donna Wells. I'm an expert in the Russian language Internet. Can you talk a little bit more about the confidential business data market manipulation variable? How often does this happen and how did you come up with the figures? Thank you. This is one of the places where we've had a few countries say they were beginning to investigate this. 
And we had one country say, one other problem. It was fun for me because it was like being a reporter in that people wouldn't say very much on the record. And if you're willing to go off the record, they would say a lot more. So we had one country say they had some evidence that this had occurred, right? It wasn't one of the ones you'd expect. The way people are trying to measure it is by using the data they use now for insight, pardon me, the search techniques they have for insider trading. The programs that look for patterns that would suggest insider trading. You could do the same thing to find this kind of stock market manipulation. But it is very difficult. We put it in there because it's again one of the categories that we thought might lead to an underestimate. People have not found a lot of data. There are these few anecdotes of people manipulating stock prices. But it's the area where if you were going to do this again, which we don't want to, you would hopefully be able to find better data. But the other half of that manipulation of the information to find out what your counterpart is prepared to settle for is now due to this routine. And investment banks that work on these things expect that they're going to be targeted. And their lawyers are going to be targeted. And their clients are going to be targeted. All in a very well-developed effort to help often state-owned enterprises get the best deal possible. Really good data on the effect on M&A. Not so good data on stock market manipulation, but a number of countries raised it as an area of concern. The lady in green. Hi, Amber Korn. I'm with Federal Times. I was wondering if you can speak specifically to any cost to the federal government. Were any of those figures broken down in your report or maybe in your expert opinions and views? Maybe you can tell us a little bit about any U.S. government specific costs and outlook. No, we didn't do that. We tried to do it for the complete economy. 
And in some cases we thought about looking at the military effect on military cost. So you could imagine a process where you'd say the U.S. spent X on this fighter aircraft. They lost the IP for that fighter aircraft. They had to spend some amount of money to repair the damage from that loss. There was also a much more difficult to measure cost in the sense of a foreign opponent now had better capabilities. And that was the part where we decided you just couldn't really come up with a good number. So I think I didn't try to look at the whole economy because measuring military advantages is so difficult. We put that one aside. I would say though that in that particular example that James is mentioning, it does speak very well to the trend that the CSIS guys found where there was an acceleration of the ability to utilize stolen IP from the eight to ten year window into a much sooner window. And that particular example for sure. For what it's worth, I'd say that there are three ways to kind of think about this that are useful. One is the one that Jim alluded to, the Defense Science Board issued a report in 2013. It was classified, which means that it appeared in the Washington Post only a couple weeks later. That listed, I think the total number was 82 different technologies and weapons systems that had been compromised in one way or another. So that's a significant loss. It's difficult to put a number on it. The second way to think about it is how much the U.S. government is spending on its own internal cybersecurity, which has gone through the roof, it's I think on the order of 50 billion this year. So let's just call that opportunity cost or recovery cost. 38 billion for DOD and then there's the DHS and the other. And then the third way to think about it is simply that if you go out and look, you can find, last I looked there was something on the order of 80 data breaches of U.S. government systems in the last five years or four years. 
And in the private industry, we monetize those at between $1 and $3 per record lost. So a nice rough estimate of that kind of cost would be $3 times the number of records, summed over 80 breaches in five years. I haven't done the figures, but it's a lot of money. But it's not existential money either. Thank you. And first of all, thanks to McAfee and CSIS for doing this. This sounds like a great report. I can't wait to read it. I want to return to the point that Stuart was making a minute ago and I'm of Irish heritage, so maybe that's why we agree so much. Some of the estimates I've seen indicate that law enforcement maybe gets one or two percent of cyber criminals. And one of the things that frustrates people on my board, they're talking about all the time, is the amount of money corporations spend on old security, hiring guards to stand in bank vaults, you know, when only an idiot would now walk in with a gun, you know, try to steal $500 out of the till when you can go in a room and steal hundreds of millions through cyber crime. I'm wondering, have you guys done any comparison with respect to the amount of money we are losing with respect to cyber crime and the amount of money that law enforcement is spending to get at that much larger amount of crime? My suspicion is that the ratios aren't what they ought to be. And I don't know if you guys have done any analysis on this or if you can locate one, but I think that's an interesting public policy question. That was one of the things that we thought was a good conclusion out of the report, is that people underestimate risk and therefore they don't spend enough on this. And so from, as I said I think in the opening, police forces around the world told us they simply couldn't keep up. One of the G20 economies told us that they were overwhelmed by the amount of cyber crime. Another one told us they could only look at maybe 10% of the crimes that they knew about. And that just happened repeatedly. 
So, you know, you would say this is an opportunity cost. We'd rather be spending the money on something else than policing. But it looks like this is a place where countries could do more to improve the ability to catch criminals, right? So that was one of the reasons we were concerned this might be an underestimate. One of the reasons we thought it's useful for people to do a better job of measuring risk. You know, if you were a police department and you didn't track how many muggings there were, you wouldn't be doing as good a job in stopping them. And that's kind of where we are on cyber crime. Yeah, and I guess one thing that we didn't follow through on that actually would be entirely appropriate in that regard is our estimate is that the global loss from cyber crime is roughly equivalent to the global cost of narcotics trade. There is no cybersecurity enforcement agency out there breaking down doors and intercepting communications around the world to catch cyber criminals. But I have not asked the question, what is the global narcotics enforcement budget and compared it to the global cybersecurity or at least cyber criminal enforcement budget? But I would guess it's 100 to 1 out of whack. And this kind of report eventually is going to lead people to say, well, why are we spending all our money over here when we're losing as much over here? Well, so we're pretty close to the top of the hour. How about, say, two more questions and then we'll call it a day. This gentleman here in the blue. Good morning. I'm Tom Ryzen from U.S. News and World Report. I got a question about companies have been talking a lot about their information sharing and their efforts to combat these breaches, but do you think companies employ enough cybersecurity specialists with technical skills like coding to combat hackers? Colleges turn out a lot of specialists on cybersecurity, but some of them study more policy and law than they do coding and programming. And that's what hackers do. 
Do you think there's enough of that training out there? Training, yes. Trained professionals, absolutely not. So there are absolutely the right number of venues and training programs available for a good cadre. What there aren't, there's not enough butter to go over the bread, is what it boils down to. There simply aren't enough people who know what they're doing available to either government or the private sector. And there also, it's very, very difficult. Across both public and private sector, we seem far more enamored with buying tools and going after the new shiny pebble far more than training our workforce in order to combat the adversary with the tools that we have. I would posit that most organizations would find themselves a lot better off if they simply utilized what they have today well. But I would say that there hasn't been a time in the recent past where there's been more visibility, more awareness, more communication. I would say that because practitioners have found themselves on the wrong side of bad math, that they're doing a much better job, particularly FSISAC, in sharing information with one another because a win in the community benefits everybody. So if I could just add to that. I think about the cybersecurity people I've been most impressed with inside companies. One of them started her career as a nurse. One as a cop. Another as a lawyer. And what was unique about them was their ability to continue to learn and to think about the problem anew. And I remember a guy I was talking to who was an undergrad at Brown who said to me and sort of summed it up. He said, you know, in this field, you're either self-taught or you aren't any good. And I wouldn't focus so much on their background as on whether there are enough people who are willing to stay self-taught for their entire careers. Tom, we have the room for a little bit more if you want to try and squeeze in a couple more questions. Sure. Absolutely. The fellow in the front. 
I think it's home. Yeah, Eric Fisher with the Congressional Research Service. I was wondering to what extent did your estimates of GDP include the underground economy or could they at all? And if and whether or not that's the case, were there any which if any countries actually had a positive impact on GDP or might have if you could have included the underground economy? No, we use the IMF and World Bank GDP figures so it just took them to get a level point. It's clear that a few countries, but a very small number of countries, get a net benefit from this. But it's smaller than you might think because it turns out everyone including our favorite suspects are losing money as a result of this. So that was again one of the things we found: a global problem. Everybody's losing. Some places the net loss is smaller but we looked, we just for consistency's sake stuck with mainly IMF figures. Yes, the young lady in the front. Yes, it works. Claire Davann, NISO's group. Yeah, I was wondering exact same question as you were mentioning. So the one or two percent cyber criminals that we are able to catch basically are the most mostly state actors or I don't know private sector? And yeah, that was my question. Thanks. I'd love to answer that if you don't want to, but... No, I'll answer it. I'll answer it and then we can all chime in because that's a good one. We don't catch most cyber criminals and we don't catch the most successful ones and so that's the heart of the problem. And the ones we do catch, I think it's kind of Darwinian. They tend to operate in countries that observe the rule of law or where it's not in their national interest to hack and so they are largely private actors, right? But we're not catching the top of the league. That's one of the reasons, again, we thought this was a growth industry is so far there is impunity for the best cyber criminals. I would say it depends on who you ask and when you ask them. 
Certainly there's no difference in the net results of these companies. There's absolutely no difference in the net result. It's only in the motivation of the individual. So I would posit that the results that these guys found are pretty staggering and I think that regardless of the motivation this is something that is absolutely addressable from a pure risk management standpoint whether your risk is from a flag or a guy looking for a bag of money. I do think, though, that the motivation matters because that goes to Stuart's deterrence point. People who are profit-motivated criminals are much more readily deterred by what we would consider to be traditional criminal sanctions and the answer to that if you think that's the nature of the problem is better cooperation, better information sharing across the globe, make the Council of Europe global, get people to go. The problem is that a lot of the criminality is, if not state sponsored, then state-motivated, state-tolerated, state-permitted and then you have to actually start thinking of this not in terms of the narrow cybercrime but rather a large-scale diplomatic initiative that involves economic, financial, diplomatic, law enforcement, intelligence, tools of a wide variety of things and so I mean to put it bluntly I can say this probably because I'm the guest here but you're not going to deter Chinese intellectual property theft simply through an indictment of five guys. It has to actually happen at a higher level if the U.S. government has to undertake a large-scale policy decision that it wants to deter and then undertake more significant actions to do that at the government-to-government level. Paul, I think that was, so I totally agree. It's chicken and egg. If your house is wide open and you put something in the larder and someone comes along and takes it, without any form of disincentive, regardless of whether they're a criminal or sent by the next town over, your larder is going to be raided again. 
So my point is from the economic impact standpoint, we have to observe this purely as a risk management issue until the many years go by before there's any form of hardened policy and you said 100 to 1 with respect to traditional criminal narcotics spending versus cyber, I think that's probably worse than that, right? So my point is not to say that the motivation isn't important, but until the community has gotten its arms around risk management, you've got bigger fish to fry. Yes, the lady in the third row. Hello. Pamela Passman from the Center for Responsible Enterprise and Trade, create.org. Thank you to McAfee for investing in this kind of research. And I look forward to reading the report, but I wanted to go back to some of the issues around intellectual property theft. I think we all appreciate cybercrime is just one way that IP theft occurs, but you've talked about your different cost factors, and if you can just enlighten us a little bit more on what percentage of your cost you think is related to IP theft and your number related to IP theft, you talked about it being the value that the criminal receives from the IP theft, which seems to me to undervalue it quite a bit. If there's a billion dollars of R&D investment, wouldn't you be looking at what that owner of the IP could have valued from that one billion dollar investment? Thank you. We talked about this issue a lot in the first report, where we tried to establish some of the basic methodologies for this. And what more would you want to... What was the first part of the question? I'm sorry, I forgot now. Oh, yeah. And what we found it was interesting is that it varies from country to country, and some of that is it depends how IP intensive the economy is, it depends how developed the economy is. So you can have a country... It wasn't... Normally we could use wealth income to predict losses. 
In IP theft it didn't work so well, so you could have a high income country from mineral extraction that did not lose as much as a high income country that was IP intensive. So what we found is a pretty broad global variation driven by the role of IP intensive industries in the economy. And that's one reason why less developed economies lose considerably less than more developed economies. And the one thing I would add to that is yes, if somebody steals a billion dollars worth of IP from you, you've lost the billion dollars IP sort of, but you still have it. You can still develop products based on that IP, and the question is, did it give you as much of a competitive advantage as you expected? If the cyber criminals are unable to commercialize the products that compete with yours, you may have gotten much of the benefit from that research and development as you expected, even though they stole everything. So it's a hard estimate to arrive at, but we just didn't feel that you could just say, this is how much I spent on IP and they stole it all, so that's the value of it. The fellow in the very back. Thank you. I'm not sent from the Chinese embassy, but I will speak totally as an international professional. I would like to say that the report is very interesting. However, I have two questions. First is concerning the definition or the scope of the cybercrime you mentioned. It seems that this report is only concerning the so-called cyber theft. However, cybercrime is an internationally used term, which covers a larger range of issues. Maybe some issues are more important than cyber theft, so I want your clarification. The second question is concerning the famous examples mentioned by Baker, Mr. Baker. You say that the stealing of a bicycle is a crime, agreed. The stealing of the design of the bicycle is a crime, I also agree. However, it seems to be some different understanding on whether the following categories will be crimes or not. 
First, the stealing of the design of a bicycle for a company may be left cut. The second, the stealing of the bicycle design by some national intelligence. The third is the stealing of the bicycle design by a government to benefit the whole industry of that country. So in the last three categories, I wonder about your point and ideas about whether there are crimes or not. Because according to international conventions and most legal professionals, the crime is defined under actions, not by the purpose. Thank you very much. The first bit. So in the course of doing this research, one of the things we came across was there is no agreed international definition of what includes cybercrime, and that's one of the reasons you get differences in national estimates. In fact, there are a number of countries that only count crimes that would occur if the Internet wasn't there. Other people count crimes that would have occurred in the real world, welfare fraud, but now are taking place on the Internet. So one of the recommendations in the report is we need to have, as we do for drugs or for any other sort of crime, we need to have a better definition. The former head of the WTO pointed out that we have not adjusted our trade statistics to take into account the shift from physical to intangible, that intangible trade is now more valuable, and we need to rethink how we count trade, and in the same way we need to rethink how we count cybercrime. So a common definition would be good. That sounds like a job for the OECD or the UN or one of these multinational bodies, and then a better definition that takes into account intangible value. Some of the issues, and this leads into your second question, some of the things we didn't count is because there is no good way to measure the intangible loss, right? And we could have come up with a model that would have been what we would call a bold model, and we just didn't feel comfortable doing that. So I don't... 
I would say the way we tried to think about cybercrime losses is from the point of view of the victim. That is to say, one, did somebody break in and steal your stuff? And it doesn't really matter who broke in and stole your stuff. You've still suffered the break-in. Where it does matter and where the adjustment might come into play is that if someone broke into your company to steal information so that they could write a report to a government about the direction of technological thinking in a particular field, and that's all that happens, that some bureaucrat someplace is smarter, you're not going to feel substantial losses from that. And this is why the theft of intellectual property is so hard to value. We tried to, or at least I would say, because this is more theoretical than operational in the report, we did draw a distinction between thefts that have an impact on a company in terms of its ability to win and maintain markets using its intellectual property and theft of intellectual property that simply has a generally educational impact on some government somewhere. Can I just add one point, which is I'm unfamiliar with Chinese criminal law so I can't speak to it, but in common law countries, motivation and intent are absolutely a critical distinguisher. That's why we recognize things like self-defense as a defense. It's why we have different grades of criminality based upon whether it's an intentional offense or a negligent offense, and that's also why we accept justifications and mitigation of some criminal activity. So I can't really speak to it in China, having only been there a couple of times, but at least in the United States and the other common law countries, we definitely grade and reflect on criminality based upon the ultimate purpose and expectation of what the use case was going to be. It doesn't determine all of the punishment, but it's clearly a relevant factor in assessing what the crime is and its significance. All right. 
Well, I think that we're at about a quarter past. Let's do one final question and then we can call it a day. Yes, the fellow right there. So just a quick question. You can talk about the report. Is there a report? And if so, where do we get it? It's online now. And so we'll, I thought we were going to hand out something. It is online and we will send you, give me your card if you want to get sent the link. If not, check the CSIS website. I thought it went up at 8:30, but I'll double check. Okay. Give the web address then. Stand by. Yeah. Just Google it. It'll take a while. Well, very fine. I think this was an informed discussion and I'd like to thank our panel for the fine work that you've done. And likewise, thank you to the audience. I think we had a really good range of questions. And so without further ado, let's close this session and get on with the day.