Cyberattacks cost the United States between $57 billion and $109 billion in 2016, a White House report said Friday, warning of a “spillover” effect for the broader economy if the situation worsens.
A report by the White House Council of Economic Advisers sought to quantify what it called “malicious cyber activity directed at private and public entities” including denial of service attacks, data breaches and theft of intellectual property, and sensitive financial and strategic information.
It warned of malicious activity by “nation-states” and specifically cited Russia, China, Iran, and North Korea.
The report noted particular concern over attacks on so-called critical infrastructure, such as highways, power grids, communications systems, dams, and food production facilities which could lead to important spillover impacts beyond the target victims.
“If a firm owns a critical infrastructure asset, an attack against this firm could cause major disruption throughout the economy,” the report said.
It added that concerns were high around cyberattacks against the financial and energy sectors.
“These sectors are internally interconnected and interdependent with other sectors as well as robustly connected to the internet, and are thus at a highest risk for a devastating cyberattack that would ripple through the entire economy,” it said.
The report offered little in the way of new recommendations on improving cybersecurity, but noted that the situation is hurt by “insufficient data” as well as “underinvestment” in defensive systems by the private sector.
It said Russia, China, North Korea and other nation-states “often engage in sophisticated, targeted attacks,” with a specific emphasis on industrial espionage.
“If they have funding needs, they may conduct ransom attacks and electronic thefts of funds,” the report said.
But threats were also seen from “hacktivists,” or politically motivated groups, as well as criminal organizations, corporate competitors, company insiders and “opportunists.”
“The field of cybersecurity is plagued by insufficient data, largely because firms face a strong disincentive to report negative news,” the report said.
“Cyber protection could be greatly improved if data on past data breaches and cyberattacks were more readily shared across firms.”