By Joseph Menn
SAN FRANCISCO (Reuters) - A $1 trillion estimate of the global cost of hacking cited by President Barack Obama and other top officials is a gross exaggeration, according to a new study commissioned by the company responsible for the earlier approximation.
A preliminary report being released Monday by the Center for Strategic and International Studies and underwritten by Intel Corp's <INTC.O> security software arm McAfee implicitly acknowledges that McAfee's previous figure could be triple the real number.
The original estimate first appeared in a 2009 press release extrapolating from surveys whose authors last year sharply criticized the method. As the White House, intelligence officials and members of Congress pressed for legislation to improve protection from cyber-espionage, they cited it as reason to take action.
Asked if the No. 2 security software vendor would remove the trillion-dollar estimate from its website, McAfee Vice President of Government Relations Tom Gann said that was "a good question" but that he didn't know the answer.
"This study here is newer, it's based on extra rigorous work, and once it's made public, this is clearly the one we're going to focus on," Gann said.
The preliminary report by CSIS, a Washington think tank with expertise in cybercrime and cyber espionage, cites a host of problems in reaching a solid estimate of damage to the global economy, including the methodology biases that keep many surveys from being representative and the inability of many companies to know what was been stolen from them.
More subtle issues include the fact that customers who shun one company after a breach might spend just as much elsewhere. The greatest losses might be in abandoned innovation and high-paying jobs after digital technology is stolen and imitated elsewhere. But it can take years to replicate such products, and the receiving companies could actually lose as well if they come to rely on theft and cut back on their own research, CSIS said.
With so many caveats, the group was understandably hesitant to embrace any one new number. In fact, it put out several within the 17-page draft report.
Near the beginning, the authors say that annual U.S. losses "may reach $100 billion." Later on, they say U.S. losses might have a "lower limit" of $20 billion to $25 billion and a high end of $140 billion.
They also say that global losses are "probably" in the "range" of $400 billion, a fraction of a percentage point of global income. Further on, they say global losses are "probably" in the "range" of $300 billion.
Perhaps more surprisingly, an embargoed version of McAfee's press release about the study once again exaggerates the underlying findings, if not as badly as McAfee's 2009 release did.
It says CSIS "posits a $100 billion annual loss to the U.S. economy" when the study actually puts that figure near the top of a wide range.
And the release says "the researchers estimate the range for cybercrime loss to the global economy is between $100 billion and $500 billion."
The $100-to-$500 billion range appears only once in the CSIS report, in this context:
"A very crude extrapolation would be to take this ($20 billion to $140 billion) range for the U.S., which accounts for a little more than a fifth of global economic activity, and come up with a range of $100 billion to $500 billion for global losses.
"This is almost certainly an overestimate," the CSIS team concluded, in part because less developed economies rely less on computer networks and intangible property.
(Editing by Eric Walsh)