IT Life

Experts Debate Whether Cybercrime Profits Surpass Drug Trafficking

U.S. Treasury advisor Valerie McNevin's claim about how much cybercriminals are making is sparking push-back from experts who aren't sure it's on the mark.
A statement that cybercrime proceeds amounted to more than $105 billion in 2004, made Nov. 28 during a banking security conference in Riyadh, Saudi Arabia by U.S. Treasury advisor Valerie McNevin, is sparking push-back from experts who aren't sure it's on the mark.

McNevin's claim was reported by Reuters and widely circulated. While no one disputes that the cost of cybercrime can be devastating, several experts are questioning the profit claims.

"This is just total bunk," Richard Stiennon, VP of Threat Research, wrote on on

Stiennon, a former vice president of research for Gartner Inc., has covered security topics extensively, is not alone.

Peter Andrews questioned the statement in published reports on

"Frankly, the figures don't add up," Andrews, site community leader, said on a discussion forum linked to his article. "They make a sensational headline."

Andrews said research shows that spammers who send out 100 million emails and earn $10 for each response to spam are likely to bring in only $10,000. He said the cost to providers, anti-spam service providers and readers is at least 10 times greater.

The definition of Cybercrime in McNevin's claim was broadened from phishing and fraud, to include extortion, piracy, child pornography, corporate espionage and manipulation of stocks. Despite that wider net, Top Layer Networks CEO Peter Rendall said in an interview Thursday that it's tough to pinpoint how much money is lost, and made, through cybercrime.

"I'm not sure where she gets her numbers from," Rendall said. "I think it's a fact that the vast majority of cybercrime goes unreported. So, I think they're astronomical but difficult to determine. Mot of it's coming out of areas where the Internet laws are so lax that you can't do anything about it."

If you take down Internet activity, you cut into company revenue, but the total loss doesn't usually flow into a cyber criminal's hands, he said.

Those who earn their living at cybercrime are earning about $40,000 to $60,000 per attack, Rendall said.

Of course, those targeted pay a steep price.

Reducing piracy alone would give the United States a $125 billion boost, according to a study by the Business Software Alliance.

Rendall said one customer lost more than $3 million in profit after being down one weekend. The cost actually is likely much higher if customer loyalty hasn't been built and potential revenue sources are lost, he said.

Rendall agreed with McNevin that attacks appear to be proliferating while also becoming more powerful and sophisticated. He also agreed with her point that the pace of attacks – both the in way they evolve and in the way attackers elude detection – presents challenges for keeping up.