How difficult is it to quantify the effects of cyber criminal activity?

Quantifying financial losses from cyber attacks is one of our major problems. Really, you're still doing "guesstimates." Sometimes you'll see tens of thousands, and hundreds of thousands of dollars lost in an attack, and that's mostly the cost of clean-up and investigation. But the real costs are the soft costs--lost business opportunities. If you're conducting e-business and you're counting on $600,000 an hour in revenue, like Amazon, and your service is disrupted by a denial of service attack, you can start with the figure $600,000 for every hour that you're down. If you're Cisco and you're making $7 million a day online, and you're down for a day, you've lost $7 million. That's where you start. . . .

There were estimates that the "Love Bug" virus did damage in the billions and billions of dollars. That scale leaves most people saying, "That's beyond any kind of comprehension."

Right. It staggers the imagination, and there's a tendency to disbelieve that four lines of code literally cost $80 million, or $10 billion in damages. But if you think about it in terms of a 24/7 global corporation, a Fortune 500 corporation, there's a little meter inside it, ticking all the time. . . . A Fortune 500 corporation was hit by the "Melissa" virus when it came out, and their own internal tabulation was that they lost $10 million. When you ask them how they lost it, it was lost productivity, lost network operation time. All of this is factored into their budgets. They have a dollar sign attached to each minute of network time, and when you disrupt that minute of network time, you cost that much money. And every serious corporation values their information. This trade secret is worth X amount of money. If that trade secret is compromised online, or through some kind of hacking, insider or outsider, then that much money is lost.



Chief Executive Officer & Co-Founder of iDefense, a private agency specializing in information intelligence.

The cost of the "Love Letter" virus, which affected everyone . . . ranges between $4 billion and $10 billion. That's the equivalent of a complete obliteration of a major American city. And that was one individual from thousands of miles away.


Chief of Information Security, Microsoft Corporation

When I'm talking to people in this information security industry, I get a much darker, more frightening perspective than I get from you. Is that because you're out on the West Coast, or because you're not in that specific line? . . . What is the reality here?

I'm probably a bit more pragmatic than some of these folks are . . . even going back to the denial of service attacks back in February. Some of the reports of that allege that billions of dollars' worth of business was lost. Well, if that were the case for a five-hour downtime, it would show that that company is making trillions of dollars a year, and it's not realistic. But when you separate through that and look at . . . those of us who work in this business day to day, yes, there are challenges that we have; there are patches that we need to worry about. But we're able to run the business successfully. We're able to do our jobs. It's no worse, in some cases, than a bad winter snowstorm that keeps you from getting in the work for a day or two. In this case, it's electronic.