57$ B or greater in costs to the U.S. economy in 2016 because of malicious cyber actors

Information technology creates enormous value for the U.S. economy. However, it also exposes U.S. firms, the government sector, and private individuals to new risks that originate and are often effectuated entirely in cyberspace. Due to the difficulty of identifying and punishing malicious actors, and the ever-greater interconnectedness stemming from the intensified use of the Internet, malicious cyber activity is becoming more and more widespread. Malicious actors range from lone individuals to highly sophisticated nation-states, and they pose a potential threat to all Americans using any information and communications technologies.

Malicious cyber activity imposes considerable costs on the U.S. economy. Some costs are more immediate and include the value of sensitive information and intellectual property stolen by hackers, as well as the loss of revenues, data, and equipment due to disruptive cyberattacks and data breaches. Other costs are longer term, such as the slow rate of adoption of new, productivity-boosting information technologies and the underinvestment in research and development stemming from poor protection against cyber theft. The ongoing costs could escalate considerably in the event of an attack with large-scale consequences—for example, an attack on critical infrastructure sectors that are crucial for the smooth functioning of the U.S. economy.

Cybersecurity is a common good. A firm with weak cybersecurity imposes negative externalities on its customers, employees, and other firms tied to it through partnerships and supply chain relations. In the presence of externalities, firms would rationally underinvest in cybersecurity relative to the socially optimal level. Therefore, it often falls to regulators to devise a series of penalties and incentives to increase the level of investment to the desired level.

The marketplace is responding to the growing level of cyber threats. Firms are increasingly outsourcing cyber protection functions to the blossoming cybersecurity sector. The emergence of the cyber insurance market helps firms share the risk of cybersecurity compromises. However, these positive developments are hampered by firms’ reluctance to share information on past malicious cyber activity directed at them, along with the cyber threats they currently face. This resistance stems from a variety of concerns, such as the fact that investors will respond negatively, causing the stock price to plunge, that the firm will suffer reputational damage and be exposed to lawsuits and regulatory actions, or that the revelation of potential vulnerabilities could lead to additional cybersecurity exposure. Despite the regulatory requirement that material cybersecurity events be reported by publicly traded firms, there is a general agreement that underreporting is pervasive. As a result of this underreporting, the frequencies and costs of various types of malicious cyber activity directed at firms are largely unknown, and this lack of information hampers the ability of all actors to respond effectively and immediately.

In addition, the scarcity of information may be slowing down the development of the cyber insurance market. Further, the use of common technologies among otherwise unrelated firms may impede the development of the cyber insurance market. Common vulnerabilities in these technologies cause cybersecurity risks to be correlated across firms in complicated and little-understood patterns, which makes it difficult for insurance companies to construct properly diversified portfolios of insured firms.

Continued cooperation between the public and private sectors is the key to effectively managing cybersecurity risks. The ongoing efforts by the private sector involve making information technology more secure, providing timely defenses to new threats, and further developing platforms for anonymous information sharing on cybersecurity threats. The government is likewise important in incentivizing cyber protection—for example, by disseminating new cybersecurity standards, sharing best practices, conducting basic research on cybersecurity, protecting critical infrastructures, preparing future employees for the cybersecurity workforce, and enforcing the rule of law in cyberspace.

Read The Year in Review and the Years Ahead