America's Top Cyberwarrior Says Cyberattacks Cost $250 Billion A Year

The U.S.'s leading cyberwarrior says companies are losing hundreds of billions to cyberespionage and cybercrimes, and spending even more trying to prevent them.

But whether there is any cohesive strategy to tackle the problem, and whether the government even has a larger role to play, remains up for debate.

Four-star Gen. Keith Alexander, director of the supersecret National Security Agency and head of the Pentagon's Cyber Command, said the illicit cyberspace activities essentially amounted to the greatest transfer of wealth in history. Alexander warned Congress earlier this year about the dangers to national security from cyber threats.

Speaking Monday to an audience of scholars and industry experts at the American Enterprise Institute, a conservative-leaning Washington think tank, Alexander said U.S. companies lose some $250 billion to intellectual property theft every year, citing figures from Symantec, a leading security software maker. Internationally, $114 billion was lost to cybercrimes, but that number could be as high as $388 billion if the value of time and business opportunities lost is included. McAfee, the computer software and security company, gives an even higher number, saying $1 trillion is spent globally in remediation efforts.

Alexander said 2011 and early 2012 in particular has been a rough time in the fight for cyberspace. But government and companies appear to have been fighting a losing battle for three years now.

McAfee has now identified some 75 million unique pieces of malware in its databases. Botnets send out 89.5 billion pieces of spam email each day, almost a third of all emails that move through the Internet. In 2009, there were only nine cyberattacks on U.S. critical infrastructure; in 2011 there were more than 160.

No surprise then, that analysts in intelligence, business, and technologies call it one of the major challenges of the current information age. President Barack Obama called cyberthreats one of the most serious economic and national security challenges we face, in 2009.

In 2011, the number of cyberattacks increased 44 percent over the previous year, and the amount of malware on the Internet jumped some 60 percent.

Over the past year, numerous leading international and American companies have been successfully targeted by cyberattacks. Google, Booz Allen, Mitsubishi Heavy Industries, Sony, and AT&T were respectively hacked in June, August, September, October and November of 2011. Symantec itself was attacked in January 2012. In April, Nissan, Visa, and MasterCard were hacked.

That list only begins to describe some of the massive challenges facing companies today in digital self-protection. Rodney Joffe, a senior technologist at Neustar Inc. who advises the White House, told Reuters in June that of 168 companies he surveyed from the Fortune 500, 162 had been hacked in the recent past. The FBI estimates that for every company that is aware it has been hacked, 100 others don't know they have been attacked.

Alexander urged the U.S. to take a larger leading role in the current fight against cybercrime. Since America originated much of the technology being used to increase the world's connectivity, we have to be the ones to secure it, said the general.

But who specifically -- government or businesses -- would be doing that securing remains in dispute.

Experts hosted by AEI responded to Alexander's speech by pinpointing U.S. opponents in cyberspace and discussing means to tackle the problem. Michelle Van Cleave of the Homeland Security Policy Institute implicated China's cyberespionage efforts as the biggest threat to U.S. companies and law enforcement, calling the current approach to dealing with such attacks inadequate. Van Cleave reflects a growing voice in U.S. government which seeks to pressure China in particular, seeing it as the leading cyber-antagonist of the U.S.

Yet others have been cautioning against exclusively targeting China, or giving more responsibility to the U.S. government.

Adam Segal, an expert on security issues at the Council on Foreign Relations, said there was no reason to doubt China's claims that highly capable U.S. agencies like the NSA may already have deep access to Chinese government and military systems -- when the U.S. usually claims it is the other way around. Segal said the Chinese government feels victimized by the U.S., which it sees as having a major cyberspace advantage. Reliance on foreign technologies and U.S. companies like Cisco and Oracle, coupled with a new American military presence in cyberspace like the Cyber Command led by Alexander, has fostered a sense of insecurity in China.

Jeff Snyder, vice president of Raytheon, noted that America faces diverse challenges apart from state-based actors, including disgruntled employees and infiltrators foreign and domestic.

Indeed, the nature of cyberattacks means that belligerent parties are almost always difficult to trace. Alexander noted the dynamic created a fundamentally different problem from nuclear deterrent strategies of the past.

Jim Harper, the director of information policy studies at the Cato Institute, a libertarian Washington think tank, was wary of the move to hand over responsibilities for protecting private companies, especially large and wealthy private companies, to the government. Harper argued that corporations themselves have a duty to be responsible for their own security, and a liability should they fail to protect their networks. Asking the government to take on additional burdens would only increase costs to the public.

Harper believes the public does not have an inherent interest to protect the intellectual property of private parties, only to provide the means for those parties to protect themselves.

Experts largely agree that it would take at least another decade, if not longer, to create any kind of meaningful international consensus on cybersecurity norms.

In the meantime, at least according to Alexander, the threat is getting worse. He warned that while the nature of attacks today still remained largely disruptive, trends indicate that they are transitioning to becoming destructive. In other words, cyberattackers are moving not only to block communications between computers, but will soon become capable of destroying computers and the physical infrastructure they control as well.

Other countries, particularly those suspected of being the most active cyberattackers by the U.S., are not expected to cooperate easily. After all, they have plenty of reason to suspect that Pandora's box of destructive cyberattacks may have been opened by the U.S. itself. Analysts strongly consider cyberattacks carried out against Iran in 2010 and 2012 to hinder its nuclear program through computer worms Stuxnet and Flame to have been launched by Israel, likely with U.S. assistance.

In addition, the reliance of U.S. companies, government and military on digital communications makes cyberattacks an especially effective asymmetric weapon of choice for individuals and groups in places like Russia, China, and Iran.

But the future is not all that gloomy, even for those working to avert worst-case scenarios.

Alexander himself noted the astronomical changes and improvements the current information age had already made to people's lives.

In 2000, the Internet population only numbered 360 million; by the first quarter of 2012, it was already 2.3 billion strong. Around the world, 461 million mobile phones were sold in 2011, and there could be more active cell phones than human beings on the planet within the next four years. The power of social networks is also increasing. Facebook is expected to have 1 billion user accounts by August 2012, not all of which are unique, but enough to make it the third-largest country in the world, if accounts translated to population.

Think about all the opportunities that we have, said Alexander, discussing the benefits new communications and computing would have on the future of medicine, education, and scientific growth.