Primer on the Costs of Cyber Espionage
Introduction
Cyber espionage is the use of cyber tools and techniques to gather intelligence or steal sensitive information from targeted entities. This form of espionage poses significant risks to national security, economic stability and corporate integrity. Given the complex and often hidden nature of cyber espionage activities, accurately measuring their costs presents a significant challenge. Traditional accounting methods and mental models of espionage may fall short in capturing the full impact of cyber espionage and recovery from these incidents, particularly those costs related to intangible assets such as brand reputation and competitive advantage. Measurement methodologies today may not be effective in capturing the full range of costs in years to come as actors adapt and tactics like supply chain attacks post costs to an ever-wider range of third parties as part of cyber espionage targeting a particular organization. Accurately measuring the costs associated with cyber espionage is thus an evolving problem space with direct implications for policy.
This primer aims to provide a brief overview of the issues involved in measuring the cost of cyber espionage and categories of those costs addressing the spectrum of espionage activities.
Espionage vs. Cyber Espionage
In traditional espionage, operatives target data they know to be valuable and protected. These operators have a clear objective, constrained by limited resources. In contrast, cyber espionage operates without prior knowledge of the information’s value. The true worth often emerges only after a breach, revealing adversaries' interests and priorities in hindsight.
Cyber espionage complements traditional methods but offers broader opportunities despite being resource intensive. Like mining unknown ore, the value of data is often discovered post-capture. This approach capitalizes on the vast amounts of digital data available, with advanced processing tools enabling faster analysis and extraction of intelligence. The lower barriers to entry in the digital space democratize espionage, allowing more actors to engage, unlike the resource-heavy requirements of traditional espionage.
Targets of Cyber Espionage
The range of potential cyber espionage targets is expanding, as adversaries are being trained to view potential targets differently because the opportunity to reach such a large number. Academia and small to medium-sized enterprises, often overlooked, could benefit from policies that support their innovative contributions. In the academic sector, there is an urgent need for basic cybersecurity measures in research projects. However, a significant challenge lies in quantifying the costs and damage, as well as understanding which targets are being selected. There is still a lack of reliable data on espionage, and improved data collection is necessary to address these issues effectively.
Measuring the secondary and longer-term effects of espionage remains difficult, especially where quantifiable metrics are unavailable. Furthermore, the human cost, such as the psychological impact of espionage, is often ignored. Assessing the cost of cyber espionage is complex, as the purpose of such activities is to gain information, not inflict immediate damage. Consequently, understanding the full impact requires better methods for evaluating both direct and indirect harm.
Measuring Costs Associated with Cyber Espionage
Direct Costs
Expenses related to cyber espionage include several key areas. Incident response and mitigation costs cover identifying, containing, and resolving the breach, often involving cybersecurity experts. System and data recovery costs arise from restoring compromised systems and retrieving lost or corrupted information. Legal and regulatory compliance expenses include legal fees, potential fines, and the cost of meeting reporting requirements. These financial burdens illustrate the wide-ranging impact of cyber espionage incidents on organizations.
Indirect Costs
Reputation damage from cyber espionage leads to long-term financial losses due to diminished trust from customers, partners, and stakeholders. Operational disruptions result in business interruptions and reduced productivity, adding to the costs. Intellectual property loss involves financial hits from the theft of trade secrets, patents, and proprietary information. The recovery from these incidents often requires significant resources and time. Loss of trust can also hinder future business opportunities. Combined, these factors contribute to a substantial and enduring financial impact on the organization.
Strategic Costs
Cyber espionage can cause a competitive disadvantage by exposing sensitive business information, weakening market position. National security risks arise from the potential compromise of military plans and intelligence operations. Broader economic impacts include weakened industries, reduced innovation, and decreased foreign investment. These consequences collectively undermine both corporate and national interests. Addressing these risks requires significant investment in cybersecurity and strategic protection.
Challenges in Measuring these Costs
Attributing the source and intent of cyber espionage is difficult, making it challenging to accurately assess specific costs. Limited access to detailed data on cyber incidents and their financial impacts further complicates cost estimation. Additionally, the constantly evolving nature of cyber threats requires adaptable measurement methodologies to maintain accuracy. Intangible costs, such as loss of trust and competitive disadvantage, are difficult to quantify and often rely on subjective judgment. These factors together create significant challenges in developing reliable cost assessments for cyber espionage. The need for better data and flexible methodologies is clear in addressing these complexities. Ultimately, understanding the full scope of cyber espionage costs requires a comprehensive approach that accounts for both financial and non-financial impacts.
Conclusion
It's crucial to distinguish between costs incurred by the private sector and those affecting national security, as quantifying private sector costs is often more straightforward. Cyberattacks have become more sophisticated, lowering costs but leading to more intricate and less severe outcomes. Discussions on espionage costs should also include moral considerations, especially from the viewpoints of the private sector, intelligence agencies, and third parties. The acceptable level of investment in cybersecurity varies among stakeholders. The real challenge for analysts is balancing these diverse stakeholder perspectives while understanding the broader systemic impacts of espionage and cybersecurity failures.
Measuring the costs of cyber espionage is a complex but important task. Employing a combination of quantitative and qualitative methods, researchers can gain a more comprehensive understanding of the financial, operational and strategic impacts of cyber espionage while acknowledging any systematic differences between conventional espionage and that taking place in or through cyberspace. This knowledge is important for developing robust cybersecurity strategies, informing policy decisions and ultimately mitigating the risks associated with cyber espionage.
Additional References
Anderson, R., Barton, C., Böhme, R., Clayton, R., Ganán, C., Grasso, T., Levi, M., Moore, T. and Vasek, M., 2019, June. Measuring the changing cost of cybercrime. In The 18th Annual Workshop on the Economics of Information Security (WEIS 2019).
Akoto, W., 2024. Who spies on whom? Unravelling the puzzle of state-sponsored cyber economic espionage. Journal of Peace Research.
Applegate, S., 2015. Cyber conflict: Disruption and exploitation in the digital age. In Current and emerging trends in cyber operations: policy, strategy and practice (pp. 19-36). London: Palgrave Macmillan UK.
Bell, R., Bennett, J.E., Boles, J.R., Goodoien, D.M., Irving, J.W., Kuhlman, P.B. and White, A.K., 2010. Estimating the Economic Costs of Espionage.
Borrett, M., Carter, R. and Wespi, A., 2014. How is cyber threat evolving and what do organisations need to consider?. Journal of business continuity & emergency planning, 7(2), pp.163-171.
Bressler, M.S. and Bressler, L., 2014. Protecting your company's intellectual property assets from cyber-espionage. J. Legal Ethical & Regul. Isses, 17, p.1.
Buchan, R. and Navarrete, I., 2021. Cyber espionage and international law. In Research Handbook on International Law and Cyberspace (pp. 231-252). Edward Elgar Publishing.
Craig, R. and Hess, J., 2015. Predictive threat analysis of american espionage. American Intelligence Journal, 32(1), pp.94-106.
Fischer, L., Uslar, M., Morrill, D., Döring, M. and Haesen, E., 2018. Study on the evaluation of risks of cyber-incidents and on costs of preventing cyber-incidents in the energy sector. European Commission: Berlin, Germany, 6, p.41.
Gilli, A. and Gilli, M., 2018. Why China has not caught up yet: military-technological superiority and the limits of imitation, reverse engineering, and cyber espionage. International Security, 43(3), pp.141-189.
Godefrey, L., 2022. Shape or Deter? Managing Cyber-Espionage Threats to National Security Interests. https://www. cia. gov/resources/csi/studies-in-intelligence/• Articles from 1955 through 2004 can be found at, 66(1), p.1.
Lin, H., 2016. Attribution of malicious cyber incidents: From soup to nuts. Journal of International Affairs, 70(1), pp.75-137.
Lindsay, J.R., 2017. Cyber espionage. The Oxford Handbook of Cyber Security.
Mészáros, A.Á. and Kelemen-Erdős, A., 2023. Industrial espionage from a human factor perspective. Journal of International Studies (2071-8330), 16(3).
Nowrasteh, A., 2021. Espionage, Espionage-Related Crimes, and Immigration: A Risk Analysis, 1990-2019.
Perera, S., Jin, X., Maurushat, A. and Opoku, D.G.J., 2022, March. Factors affecting reputational damage to organisations due to cyberattacks. In Informatics (Vol. 9, No. 1, p. 28). MDPI.
Tsagourias, N. and Farrell, M., 2020. Cyber attribution: technical and legal approaches and challenges. European journal of international law, 31(3), pp.941-967.