Anyone who keeps up with current events knows that both the economic costs of trying to secure our systems and the economic impact of failure to secure them are growing. Most people don’t realize the current cost and rate of growth.
Here’s how to think about it. Imagine if all the economic activity devoted to guarding against hackers and all the economic activity resulting from their activity–let’s call this the global hackonomy–was attributed to a single imaginary country–let’s call it Hackistan, then Hackistan’s economy–estimated at $2-3 trillion in 2015 would have made it one of the ten largest economies in the world. And if projections for 2021 are accurate, Hackistan will move into fifth place, behind the United States, the European Union, China, and Japan.
The Hackistanian hackonomy includes the value of goods and services bought and sold in the fast-growing black, gray and white markets for hacking tools, techniques, and services; the value of money and other financial assets stolen by hackers; the money exchanged for information stolen by hackers; the ransom demanded and paid for decrypting files or ceasing Denial of Service (DoS) attacks; the money spent on products and services intended to protect individuals and organizations against hackers.
The contribution of any economic sector to GDP is the monetary value of the goods and services in that sector. It doesn’t matter whether they are the result of creating something of value or are the result of repairing or replacing something of value that has been destroyed. So the economy of Hackistan includes all the exchanges of value between hackers and the outside economy and all the costs of recovering from damages caused by hacking.
Hackistan’s economy is growing far faster than the rest of the world’s economy. High returns make hacking profitable for criminals and criminal organizations and valuable to nation-states that benefit from both the costs that must be borne by their adversaries and the value of the money and information that they can steal. So elite talent around the world is drawn to developing hacking tools and techniques. And as regions without sufficiently many economic opportunities attach to the internet, the best opportunities for some of their most talented citizens is developing hacking tools, or using the tools that have already been developed.
Hackers who develop new techniques don’t have to resort to shadowy markets to make money. There are overlapping markets–white, gray, and black–where hackers can make money. The market includes companies like Google and Microsoft that pay hefty rewards to hackers who discover ways to bypass the security they’ve tried to build into their products. Google’s “bug bounty” program, for example, paid out nearly $3M in 2017. It includes companies like HackerOne, and BugCrowd that run vulnerability disclosure and bounty programs. It includes Zerodium a company that publishes a price list with payments up to $1.5 million dollars for “zero-day” exploits. (A zero-day is a previously unknown ways of compromising computer systems.) Zerodium makes money by using the information that it’s gained to help protect its customers. It may also sell the reported exploits to the NSA and other government entities. Exodus Intel is another company in the market for zero day exploits.
The NSA is in the market, as revealed by Edward Snowden and later
HackingTeam is an Italian company that sells hacking technologies for use by worldwide law enforcement and intelligence communities. HackingTeam was itself hacked in 2016 and its list of customers revealed.
Bad as things are they are likely to get worse. A lot of hacking is labor-intensive work. While some of the work is the development of novel techniques, most of it is pattern recognition and application and adaptation of existing techniques based on the patterns that have been found. It’s demanding work but can be automated using Machine Learning techniques. Smarter hacking tools can help less skilled hackers carry out attacks that today only the best hackers–the ones employed by nation-states can carry out. The result is that the impact of hacking will grow even faster.
Cyberkinetic systems are computer controlled systems with energetic physical consequences. If someone hacks into an information system they can change ownership of an information asset–including money. But if someone hacks into a cyberkinetic system they can destroy property or injure or even kill people.
The use of AI to help hack systems gives a wider range of actors the ability to hack cyberkinetic systems. And since most such systems are in the West, it threatens the Western economic and political order.