It was recently revealed that DarkSide raked in $90 million worth of Bitcoin — including $4.4 million in ransom from the Colonial Pipeline operator — from its cyberattacks stretching back to October 2020. The ransoms paid to DarkSide and similar organizations, however, do not capture the total economic cost of cyberattacks. Targeted firms acting in their individual interests may not fully account for the economic costs that spill over to consumers and to other firms. The result is underinvestment in cybersecurity from the private sector as a whole. While the Biden administration’s “private sector decision” remark helped define its Colonial Pipeline response, the federal government has an important role in closing this cybersecurity investment gap and limiting the future cost of cyberattacks.
Cyberattacks are perpetrated by numerous types of actors and stretch far beyond ransomware attacks such as the attack on the Colonial Pipeline. In fact, ransomware is on average a less costly form of cyberattack. While ransomware attacks on large firms tend to make headlines, according to one report, 70 percent of such attacks are directed at small- and medium-sized firms with fewer than 1,000 employees, and 90 percent of the losses against these firms are uninsured. The widespread nature of cyberattacks, their pervasiveness across industry and firm type, the varying components that make up the total cost, and the prevalence of underreporting all contribute to the difficulty in estimating the overall economic impact of these incidents, though some studies do exist.
In 2018, the Council of Economic Advisers (CEA) published a report evaluating the total costs associated with malicious cyberactivity by measuring the stock-price reaction of publicly traded firms to news of cyberattacks that had been made public. After taking into account firms’ underreporting of cyberattacks, spillover effects to other firms, and private costs incurred alongside the costs to publicly traded firms, the CEA estimated that the total cost posed by malicious cyberactivity to the U.S. economy in 2016 was as high as $109 billion (roughly 0.6 percent of 2016 GDP). These estimated costs are very likely to have increased since 2016.
According to annual studies by Accenture and the Ponemon Institute based on extensive surveys of firms and cybersecurity experts, between 2016 and 2018, the average total cost incurred by firms due to malicious cyber activity increased by 58 percent in the United States. Assuming that the total cost to the U.S. economy increased at the same rate as the average cost faced by those surveyed firms, the total cost of cyberattacks in 2018 would be as high as $172 billion (roughly 0.8 percent of 2018 GDP). This assumption likely serves as a lower-bound estimate, however, as the average number of cyberattacks faced by firms globally increased over this period, making it more than likely that the frequency of attacks against U.S. firms also increased. Since 2018 — the last year the study was conducted — the number of cyberattacks, the average cost of cyberattacks, and the total economic costs are likely to have risen even further.
These estimates account for costs incurred beyond just the target of the attack because, as mentioned above, the costs often spill over to additional firms, to consumers, and to workers. The CEA documented how the costs of cyberattacks on one firm spill over to economically similar firms or firms linked through supply chains. Cyberattacks on one target also expose other firms to costs, as they reveal vulnerabilities in cybersecurity and technology that are shared across multiple firms and industries. In the presence of these externalities, firms may “rationally” underinvest in cybersecurity, resulting in an investment gap between the necessary level of cybersecurity and the total costs incurred from cyberattacks. Further inhibiting private cybersecurity investment is the underdevelopment of the cyber insurance market relative to the scope of the cyber threat, especially as the underreporting of cyberattacks and their costs may limit both supply and demand for cyber insurance. If insurers evaluated the cybersecurity measures at individual firms through the underwriting process, it could incentivize those firms to invest more in cybersecurity to lower their premiums.
The threat of cyberattacks to critical infrastructure further underscores the role of cybersecurity as a common good. The Colonial Pipeline attack illustrates the heightened economic and security risks associated with cyberattacks directed at critical infrastructure. Seventeen states declared a state of emergency in response to the reduced supply and increased consumer stockpiling of gasoline driven by the pipeline shutdown. According to data reported by the Energy Information Administration, the average price of gasoline in the affected regions increased by 6.1 percent between the week of May 3 and the week of May 17, double the 3.1 percent increase in regions not directly affected by the pipeline shutdown. Under the assumptions that this regional price divergence is driven solely by the cyberattack, that the price effect persists for two weeks, and that the quantity demanded is perfectly inelastic, this implies an additional $5 million in fuel costs faced by consumers in the affected regions.
The rising costs of cyberattacks, the associated negative externalities, and the particular interest in protecting critical infrastructure present the federal government with an important role in enhancing cybersecurity. In 2018, the Trump administration issued for the first time in 15 years a National Cyber Strategy. The strategy outlined a number of priorities that could help close the private cybersecurity investment gap. These priorities include incentivizing cybersecurity investments, improving cyberattack reporting, and expanding and equipping a highly skilled cybersecurity workforce. Additionally, the CEA identified information sharing and transparency, cybersecurity standards, and investment in cybersecurity research and development as important areas for federal policy to address.
The Biden administration should build on the Trump administration’s strategy to confront the rising security and economic threat of cyberattacks. Although the ransom decision itself might be a “private sector decision,” cybersecurity is a common good that requires prioritization by the federal government.