McAfee: '$1 trillion global cyber crime cost was over the top'
McAfee CTO Mike Fey admits to 'flawed' estimate for global cyber crime costs
Mike Fey, global chief technology officer at security software company McAfee, has retracted the company's claims that pinned worldwide losses from cyber crime at more than $1tn, adding that supposedly more conservative (gu)estimates were also "hard for me to swallow".
"I wish we had never put a dollar figure on it," Fey told the Australian Financial Review. "[It is] very scary to just latch onto the number."
"People take that half-a-trillion number, and say 'that's what it's worth'. What they forget is organisations are spending a very large amount of money to defer attacks today - so there's an additive number that has to go on top of that. It would be like saying car crashes kill three people a year in this particular city, so how much should we invest in stop lights. It's flawed."
McAfee, which is now owned by semiconductor giant Intel, claimed in a report in 2009 that the global cost of cybercrime was more than $1tn. This figure has been used by politicians in the US and elsewhere to justify big increases in state cyber security spending and tough new laws.
A more sober recent report from McAfee slashed its estimates by more than two-thirds - to $300bn - but also emphasised that putting an accurate figure on such losses was hard to do.
"It's very difficult to put a dollar figure on it," Fey continued. "When you meet an engineer that has spent a good chunk of his life working on some innovation and it's stolen overnight, you get a good feeling for what [intellectual property] loss means.
"It is the shift in a moment's instance from an innovative company set strategically, to loss. It becomes difficult for that company to invest in innovation."
Fey also criticised companies that largely ignore computer security risks, believing that cyber criminals will not be interested in their company. But he also said that laws requiring companies to publicly report attacks typically penalise those firms that do take cyber crime seriously - and hence can recognise such attacks when they occur - rather than less well-prepared companies that might not even know when they have been hit.