How the economics of cybersecurity favor attackers and what defenders can do to change the dynamic

Cyber attacks are wreaking havoc on American businesses. In 2023, the Internet Crime Complaint Center (IC3), an FBI-run clearinghouse, received reports of 850,000 crimes, leading to over $13 billion in losses. As eye-watering as that statistic is, IC3 acknowledges that many internet crimes are unreported, meaning the total cost of cybercrime is significantly higher. More troublingly, state-sponsored threat actors are burrowed into our critical infrastructure—the systems and services that are essential for society to function. For example, the Intelligence Community and technology firms have found that Volt Typhoon, a Chinese state-linked threat actor, has infiltrated communications, energy, transportation, and water systems and that another Beijing-backed threat group, Salt Typhoon, has hacked into telecommunications networks. In the event of a future armed conflict, cyber attacks could be used by these actors to cripple our critical infrastructure, preventing or delaying the United States from mounting a response.
Why have cyber threats remained so persistent? It is because the economics in cyberspace tend to favor the attackers. This is for two reasons. First, it’s easy and cheap to perpetrate attacks. Our underlying technology infrastructure, including the systems of many critical infrastructure operators, is filled with vulnerabilities that attackers can cheaply exploit. Second, when attackers exploit these vulnerabilities, they are rarely punished, particularly relative to other crimes. In fact, while over 18% of property crimes and 46% of violent crimes are “cleared,” meaning that the perpetrator is arrested and charged, less than 1% of cybercrimes were estimated to have been cleared in 2018.
Cyber policymakers should focus on both hardening our cyber infrastructure, so that it is more expensive for cyber criminals to wage attacks, and on imposing costs on cyber criminals. We propose three strategies to achieve each of these two objectives.