Many sources report that cybercrime costs the global economy trillions of dollars per year. It is the top Google search result and it is quoted on Wikipedia. But I am not able to track down how the number was computed, or find criticism of these numbers.

This would be insanely high if true: the world GDP is only 100 trillion / year, and the software industry is only around 1 trillion / year (according to a quick Google search). Does the software industry really produce less value than the cost of cybercrime? This is not impossible, but that is an extraordinary claim that requires strong evidence.

Why I care about this: LLMs might help with cybercrime, and it might be tempting for regulators to ban the creation or deployment of new LLMs that are projected to cause cybercrime damages above e.g. 10 billion / year. But if cybercrime is over a trillion dollars per year, just a 1% increase in cyberattacker productivity would be over 10 billion / year. Does this logic imply that meaningful improvements to software should be banned because they likely create billions in expected damages?

Either the trillions-of-dollars numbers are fake, or this has some weird implications for LLMs and software regulation in general.


faul_sname

133

Looking at the eSentire / Cybersecurity Ventures 2022 Cybercrime Report that appears to be the source of the numbers Google is using, I see the following claims:

  • $8T in estimated unspecified cybercrime costs ("The global annual cost of cybercrime is predicted to reach $8 trillion annually in 2023" with no citation of who is doing the estimation)
  • $20B in ransomware attacks in 2021 (source: a Cybersecurity Ventures report)
  • $30B in "Cryptocrime" which is e.g. cryptocurrency scams / rug pulls (source: another Cybersecurity Ventures report)

It appears to me that the report is intended to enable the collection of business email addresses as the top of a sales funnel, as evidenced by the fact that you need to provide your name, company name, role, and a business email address to download the report. As such, I wouldn't take any of their numbers particularly seriously - I doubt they do.

As a sanity check, $8T / year in cybercrime costs works out to an average cost of $1,000 per person per year. This is not even remotely plausible.

2 comments

As @faul_sname notes, the $8T number (or $9.5T from one source cited in that Wikipedia article) isn't plausible. At least, not without some very generous definitions of "cybercrime," "is," "costing," and "trillions."

By which I mean: if you squint really hard, and count all the money and time everyone everywhere is spending on all (digital and non-digital) cybercrime prevention and countermeasures, and try to estimate all the extra things people could do to generate value if they didn't have to worry about cybercrime, then sure, maybe you could get numbers up to a few trillion. 

But that's a bit like saying the cost of other crime includes all spending on the criminal and civil justice system, all spending on private security and surveillance by individuals and businesses, the entire salary of every cashier (since they wouldn't be needed if people would just count up their own purchases and leave payment), and every time someone doesn't do something because they don't want to go out wandering by themselves at 3am. Not actually a useful metric for deciding where it's worthwhile to increase or decrease resource allocations or to make regulatory decisions.