An article in Forbes the other day reports on US Secretary of Homeland Security Janet Napolitano’s comments that ‘cybercrime represents the “greatest threat and actual activity that we have seen aimed at the west and at the United States” in addition to “or other than Al Qaeda and Al Qaeda-related groups.”’ From Forbes:

Addressing an audience of business leaders and government officials, Secretary of Homeland SecurityJanet Napolitano said cybercrime represents the “greatest threat and actual activity that we have seen aimed at the west and at the United States” in addition to “or other than Al Qaeda and Al Qaeda-related groups.”

Napolitano cited a study commissioned by Symantec that put the total worldwide cost of cybercrime at $388 billion—higher than the global market for heroin, cocaine and marijuana combined. “I think those numbers are conservative numbers based on the things that come into DHS,” Napolitano said. “Cybercrime is already outstripping traditional narcotics.”

I went to Symantec’s report because $388 billion is a lot of money—nearly $200 per Internet user per year. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency). The loss of time per user is calculated the same way.

This overstates the impact of cybercrime. According to this report by Microsoft Research, the reason why cybercrime’s impact is overstated is because statistical extrapolations are incorrect and based upon people who skew the data.

For example, suppose we had 10 victims. 9 of these victims lose $10 each, while the last one is rich and powerful, part of the elite 1% (i.e., it’s not me). This guy (or girl) loses $100,000. That’s an average loss of about $10,000 per victim. However, this does not reflect reality because if you are a victim of cybercrime, the odds of you losing that much is 1/10, and it depends on how much money you even have to lose. Therefore, studies that estimate cybercrime disproportionately represent the losses (and skew them upwards) and the truth is we don’t know how much money cybercrime costs us. These studies would do better to give us either the median loss, or % loss as a fraction of their income.

But that’s beside the point.

If our leaders truly believed that cybercrime was a bigger threat than terrorism, or bigger than the narcotics market, we would see more resources poured into it. How much money does the US spend on fighting cybercrime as opposed to, say, sending troops to Afghanistan or Yemen?

In my own life, my money is spent where my priorities lie. My biggest expense is housing. Number 2 is travel. Number 3 is charitable giving. Another resource is time—I spend the majority of my time at work. Number 2 is with my wife doing something-or-other. Number 3 is… browsing the web or watching Game of Thrones or something. The point is that it’s easy to see what I consider the most important because it’s where my time and money go.

Compare the budgets of the Department of Defense and the FBI. And within the FBI, look at the budgets for cybercrime vs. drug enforcement. Which is more important?

One reason is that there just isn’t the expertise out there for the FBI to recruit. But on the other hand, there has to be serious political will to make these changes, and this is driven by the public (that’s ham-and-eggers like you and me). The public understands why terrorism and drugs are problems. They do not yet understand why cybercrime is so serious and therefore do not pressure elected officials to take action. We in the Security industry understand this, but we are few (and we suck at lobbying).

Perhaps one day that will change.