
Tag Archives: cyber risk

Is Your Website Secure?

In the wake of several high-profile cyber security scandals and the widespread Heartbleed security bug, website security is more important than ever. Without a concerted effort to safeguard your business’ website, you risk losing money due to relentless cyber attacks.

Because hackers are constantly searching for new website vulnerabilities and engineering new viruses, website security should be a round-the-clock concern—the threat will never ebb. The consequences of weakening your stance on website security, even for a second, can be disastrous: loss of revenue, damage to credibility, legal liability and broken customer trust.

Web servers, which host the data and other content available to your customers on the Internet, are the most targeted and attacked components of a company’s network. Some specific security threats to Web servers include the following:

  • Cyber criminals may exploit software bugs in the Web server.
  • Attackers can disable a network by flooding it with information.
  • Hackers may secretly read or modify sensitive information on the Web server.
  • Criminals could gain unauthorized access to resources elsewhere in your business’ network following a successful attack on the Web server.

To avoid similar threats to your website’s security, follow the steps listed below:

  1. Develop and implement a data breach response plan.
  2. Ensure that the Web server operating systems and applications meet your organization’s security requirements.
  3. Publish only appropriate information.
  4. Prevent unauthorized access or modification on your site.
  5. Protect and monitor Web security at all times.

Rely on ABEX for expert, timely guidance on cyber security.

 

 

© 2014 Zywave, Inc.


Facebook Bullying Grounds for Dismissal

A postal clerk in Canada was dismissed from her job in May after her employer discovered Facebook posts she had written that were described as contemptuous, undermining managerial authority, and so harmful to her managers that they needed to take time off work to seek medical care and ease their emotional distress.

The employee stated that she had believed her posts were private and that her toxic work environment was the reason she needed to vent on Facebook. The arbitrator of the case ruled that due to the content of the posts and the effect they had on her managers, the termination of the employee was justified.

This case brought to life an interesting dynamic of the modern workplace: Because of social media, workplace relationships, and sometimes workplace bullying, don’t solely occur at work anymore. After work, employees can still log on to social media sites and harass co-workers or managers, or post hostile things about them.

At a minimum, workplace bullying affects safety, productivity, trust and the workplace culture. Being bullied not only puts a huge emotional strain on someone, but in turn could put a financial strain on the company due to unhappy or less-productive employees.

There has been an increase in court cases pertaining to social media and its influence on the workplace, and the number is projected to get higher. This case demonstrates how an employee can be justly terminated for posting offensive content—more serious than just a normal negative critique—about his or her company, manager or co-workers on social media sites.

 

 

© 2014 Zywave, Inc. All rights reserved.

 


Simple Steps to Cyber Security

Recent Internet bugs and vulnerabilities have had a widespread impact, compromising the security of computers as well as personal information you may enter online.

Although you can’t stop criminals from attempting a cyber attack, you can take several steps to reduce your risk of having your personal information stolen, misused or deleted. Start by using strong passwords, avoiding malware and viruses, and protecting yourself against scams and security breaches.

Password security

  • Do not use the same password for multiple accounts, especially important accounts such as online banking or an online store with your credit card on file.
  • Passwords should not be a word found in the dictionary or a combination easily guessed by a friend; be creative and mix up letters, numbers and symbols to make a strong password.
  • Passwords should be periodically changed, especially in the wake of the Heartbleed bug that left much encrypted information vulnerable to exploitation.

Malware

  • Don’t click on links or download attachments in unsolicited emails.
  • Don’t download anything from sites you don’t trust.
  • Don’t enter personal information on a website if you clicked on a link; instead, type the URL into the address bar to make sure you go to the site you want.
  • Scan all external devices, such as USB flash drives, for viruses and malicious software (malware) before using.
  • Install antivirus security software.

Scams and other security breaches

  • Never email personal information on an unsecured Wi-Fi network; the network can be hacked and the information accessed by unauthorized users.
  • Don’t disclose private information unless necessary, and always verify the source if asked to input sensitive information into a website or email.
  • Before entering credit card numbers or other payment information when shopping online, double-check that you’re on the website you think you are and check the URL for “https,” which is a general indication that the page is encrypted for your security. Some browsers also display a “lock” icon to indicate that a website is secure.

 

© 2014 Zywave, Inc. All rights reserved.

 


Cybercrime and espionage costs $445 billion annually

Source: WashingtonPost

A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income.

The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm.

“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.

The report, funded by the security firm McAfee, which is part of Intel Security, represents one of the first efforts to analyze the costs, drawing on a variety of data.

“Cybercrime costs are big, and they’re growing,” said Stewart A. Baker, a former Department of Homeland Security policy official and a co-author of the report. “The more that governments understand what those costs are, the more likely they are to bring their laws and policies into line with preventing those sorts of losses.”

According to the report, the most advanced economies suffered the greatest losses. The United States, Germany and China together accounted for about $200 billion of the total in 2013. Much of that was due to theft of intellectual property by foreign governments.

Though the report does not break out a figure for that, or name countries behind such theft, the U.S. government has publicly named China as the major perpetrator of cyber economic espionage against the United States.

The Chinese government has accused the United States of being one of the biggest perpetrators of cyber-espionage, but the U.S. government has always objected that it does not steal intellectual property and hand it to its own industries to give them a competitive advantage.

CSIS estimated that the United States lost about $100 billion. Germany was second with $60 billion, and China followed with $45 billion.

In both the United States and China, the losses represent about 0.6 percent of their economies, while Germany’s loss is 1.6 percent.

Japan, the world’s fourth largest economy, reported losses of $1 billion, which researchers said was extremely low and not credible.

Valuing intellectual property is an art form, based on estimating future revenues the intellectual property will produce or the value the market places on it, the report said. Putting a price tag on it is difficult but not impossible, it said.

Intellectual-property theft lessens companies’ abilities to gain a full return on their inventions, and so they turn to other activities to make a profit, the report states. That depresses overall global rates of innovation, it said.

The report stated that countries appear to tolerate cybercrime losses as long as they stay at less than 2 percent of their national income. If losses rise above 2 percent, “we assume it would prompt much stronger calls for action as companies and societies find the burden unacceptable,” it said.

The report breaks the harm into three categories, without giving figures. The largest, it said, is intellectual property theft. The second is financial crime, or the theft of credit card and other types of data largely by criminal rings. The third is theft of confidential business information to gain an advantage in commercial negotiations or business deals.

CSIS used several methods to arrive at a range of estimates, from $375 billion to as much as $575 billion. Researchers looked for published data from governments around the world. They interviewed officials in 17 major countries. And they came up with a predictive model based on a CSIS report last year that estimated the cost of cybercrime to the U.S. economy. Their figures also included the cost of recovering from cyberattacks.

The main assumption they used was that the cost of cybercrime is a constant share of national income — at least in countries with similar levels of development.

In less developed countries, that cost is about 0.2 percent of gross domestic product, and in advanced economies it is almost 1 percent.

In 2009, McAfee issued a news release that pegged global economic losses at more than $1 trillion. The figure was cited by the White House and then-National Security Agency director Gen. Keith B. Alexander. But this year’s CSIS report concluded that it was unlikely that cybercrime cost more than $600 billion, which is the cost of the global drug trade.

The researchers said cybercrime and economic espionage require a response on par with global efforts to reduce drug trafficking. Besides better cybersecurity technologies, they said, governments need to devote resources to building defenses and to commit to observing existing international commitments to protect intellectual property.

 


eBay Urges Password Changes After Breach

Source: KrebsOnSecurity

eBay is asking users to pick new passwords following a data breach earlier this year that exposed the personal information of an untold number of the auction giant’s 145 million customers.

In a blog post published this morning, eBay said it had “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.”

Assisted by federal investigators, eBay determined that the intrusion happened in late February and early March, after a “small number of employee log-in credentials” that allowed attackers access to eBay’s corporate network were compromised. The company said the information compromised included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. eBay also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users.

The company said it will begin pushing out emails today asking customers to change their passwords. eBay has not said what type of encryption it used to protect customer passwords, but if previous breaches are any indication, the attackers are probably hard at work trying to crack them.

If you’re an eBay user, don’t wait for the email; change your password now, and make it a good one. Most importantly, don’t re-use your eBay or PayPal password elsewhere. If you did that prior to today, it’s a good idea to change that password to something unique at the other sites that shared it. And be extra wary of phishing emails that spoof eBay and PayPal and ask you to click on some link or download some security tool; attackers are likely to capitalize on this incident to spread malware and to hijack accounts.

eBay and PayPal users who haven’t already done so should consider using the PayPal Security Key, a two-factor authentication solution that can be used to add additional security on both sites.

 

