
Evidence Suggests That the U.S. Loses Hundreds of Billions to Cybercrime, Possibly as Much as 1 % to 4 % of GDP Annually


Cybercrime puts America’s competitive edge and economic future at risk; however, there is some debate about the extent to which this activity affects the economy. Many have questioned the validity of estimates of cybercrime losses, concluding that “they are so compromised and biased that no faith whatever can be placed in their findings” (Florencio and Herley 2016). NIST AMS 100-32 addresses a number of these issues and challenges by using a large dataset and taking several approaches to increase accuracy and reliability.

The NIST report estimates the 2016 losses to be between $167.9 billion and $770.0 billion, or between 0.9 % and 4.1 % of U.S. GDP, a substantial loss that is based on businesses’ own estimates of their losses. For manufacturing, the loss is between $8.3 billion and $36.3 billion, or between 0.4 % and 1.7 % of manufacturing value added.

The most widely cited estimate of cybercrime losses in the U.S., which is from McAfee (2014), is that cybercrime amounts to 0.64 % of U.S. GDP (i.e., $107.4 billion, which would equate to $119.8 billion in 2016). The low estimate of $167.9 billion (i.e., 0.9 % of GDP), presented in NIST AMS 100-32, is calculated on the assumption that those who did not respond to a Bureau of Justice Statistics survey did not experience any losses. As a result, 77 % of the 36 000 businesses surveyed were presumed to have had no loss. Therefore, the true loss is likely to be higher than the low estimate. Despite resting on an assumption that biases the lower boundary downward, the low estimate is still 40 % higher than the McAfee estimate, which McAfee acknowledges as having a great level of uncertainty. The results from NIST AMS 100-32 suggest that cybercrime losses might be much higher than the generally accepted values.

It is important to note that if the Bureau of Justice Statistics data discussed in the report is representative, that is, if the average losses per company of the respondents equals the actual average U.S. losses per company, then the losses approach the high estimate of $770 billion.

Released May 27, 2020