According to the Department of Homeland Security, Cybercrime Is a Bigger Threat Than Terrorism

An article in Forbes the other day reports on US Secretary of Homeland Security Janet Napolitano’s comments that ‘cybercrime represents the “greatest threat and actual activity that we have seen aimed at the west and at the United States” in addition to “or other than Al Qaeda and Al Qaeda-related groups.”’ From Forbes:

Addressing an audience of business leaders and government officials, Secretary of Homeland Security Janet Napolitano said cybercrime represents the “greatest threat and actual activity that we have seen aimed at the west and at the United States” in addition to “or other than Al Qaeda and Al Qaeda-related groups.”

Napolitano cited a study commissioned by Symantec that put the total worldwide cost of cybercrime at $388 billion—higher than the global market for heroin, cocaine and marijuana combined. “I think those numbers are conservative numbers based on the things that come into DHS,” Napolitano said. “Cybercrime is already outstripping traditional narcotics.”

I went to Symantec’s report because $388 billion is a lot of money—nearly $200 per Internet user per year. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency). The loss of time per user is calculated the same way.

This overstates the impact of cybercrime. According to this report by Microsoft Research, cybercrime’s impact is overstated because the statistical extrapolations are incorrect and rest on respondents who skew the data.

For example, suppose we had 10 victims. 9 of these victims lose $10 each, while the last one is rich and powerful, part of the elite 1% (i.e., it’s not me). This guy (or girl) loses $100,000. That’s an average loss of about $10,000 per victim. However, this does not reflect reality: if you are a victim of cybercrime, the odds of you losing that much are 1/10, and it depends on how much money you even have to lose. Studies that estimate cybercrime this way therefore represent the losses disproportionately (and skew them upwards), and the truth is we don’t know how much money cybercrime costs us. These studies would do better to give us either the median loss or the loss as a percentage of the victim’s income.
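The skew described above, worked through as an added example (not from the original post or the cited reports): it applies the "victims x average cost" formula to the ten constructed losses from the paragraph and to an assumed population of 1,000,000 victims, then re-runs the estimate with each respondent left out to show how much the headline total hinges on one person.

```python
from statistics import mean, median

# Constructed sample from the paragraph above: nine victims lose $10,
# one loses $100,000.
SAMPLE_LOSSES = [10] * 9 + [100_000]

# Assumption for illustration only: number of victims in the population.
ASSUMED_VICTIMS = 1_000_000


def extrapolate(losses, victims):
    """Survey-style estimate: victims x average loss per victim."""
    return victims * mean(losses)


def top_respondent_share(losses):
    """Fraction of the sampled losses contributed by the largest single loss."""
    return max(losses) / sum(losses)


def leave_one_out(losses, victims):
    """Re-run the extrapolation with each respondent dropped in turn.

    Returns (lowest, highest) estimate; a wide gap means the headline
    figure hinges on whether one person happened to be sampled.
    """
    estimates = [
        extrapolate(losses[:i] + losses[i + 1:], victims)
        for i in range(len(losses))
    ]
    return min(estimates), max(estimates)


def summarize(losses, victims):
    low, high = leave_one_out(losses, victims)
    return {
        "mean_loss": mean(losses),
        "median_loss": median(losses),
        "headline_total": extrapolate(losses, victims),
        "top_share": top_respondent_share(losses),
        "total_without_top": low,
        "total_without_a_small_loss": high,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOSSES, ASSUMED_VICTIMS).items():
        print(f"{key:>28}: {value:,.4f}")
```

Dropping the single large loss moves the extrapolated total from about $10 billion to $10 million, while the median loss stays at $10 either way.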

But that’s beside the point.

If our leaders truly believed that cybercrime was a bigger threat than terrorism, or bigger than the narcotics market, we would see more resources poured into it. How much money does the US spend on fighting cybercrime as opposed to, say, sending troops to Afghanistan or Yemen?

In my own life, my money is spent where my priorities lie. My biggest expense is housing. Number 2 is travel. Number 3 is charitable giving. Another resource is time—I spend the majority of my time at work. Number 2 is with my wife doing something-or-other. Number 3 is… browsing the web or watching Game of Thrones or something. The point is that it’s easy to see what I consider the most important because it’s where my time and money go.

Compare the budgets of the Department of Defense and the FBI. And within the FBI, look at the budgets for cybercrime vs. drug enforcement. Which is more important?

One reason is that there just isn’t the expertise out there for the FBI to recruit. But on the other hand, there has to be serious political will to make these changes, and this is driven by the public (that’s ham-and-eggers like you and me). The public understands why terrorism and drugs are problems. They do not yet understand why cybercrime is so serious and therefore do not pressure elected officials to take action. We in the Security industry understand this, but we are few (and we suck at lobbying).

Perhaps one day that will change.

By Terry Zink, Program Manager
