The notion that cybercrime exceeds drug trade is a myth

Published 27 March 2009

The number of $1 trillion — as in “cybercrime now generates $1 trillion a year for cybercriminals” — appears to be a myth, even if it is repeated by IT security and communication companies.

It appears that the assertion that cybercrime now brings in more money to criminals than the drug trade is a myth. A leading security researcher has unpicked the origins of the notion that revenues from cybercrime exceed those from the global drug trade, a notion repeated by a senior security officer at AT&T before Congress last week.

Ed Amoroso, senior vice president and chief security officer of AT&T, told a Congressional Committee on 20 March that cybercrime was a $1 trillion a year business. The assertion was made not only in Amoroso’s responses to questions, but also in written testimony. His testimony was made at a hearing of the Senate Commerce, Science, and Transportation Committee. The end of paragraph 5 of the written submission states:

Last year the FBI announced that revenues from cyber-crime, for the first time ever, exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping more than $1 trillion annually in illicit profits.

As Richard Stiennon points out, the quoted figure would make cybercrime bigger than the entire IT industry. The top 10 Fortune 50 firms turned over $2 trillion last year. Put another way, revenues from cybercrime would exceed those of AT&T itself ($119 billion in 2008) by a factor of around eight.

Estimates of the drug trade peg annual revenues at about $400 billion. There is no figure on this from the FBI, much less a figure comparing cybercrime and drug trade revenues. Stiennon, chief research analyst at IT-Harvest, guesses that cybercrime profits might be worth about $1 billion a year, which seems much more plausible.

John Leyden writes that it would be mind-blowing to think that cybercrime revenues exceed the GDP of Saudi Arabia ($555 billion in 2007), with all its oil income. How, then, could this notion have taken hold? Stiennon offers an explanation. The idea that cybercrime revenue trumps that of the drug trade was first mentioned by Valerie McNiven, a consultant to the U.S. Treasury Department, in November 2005. The figure cited at the time was the still-implausible $105 billion, Stiennon reports.

The same figure, mentioned by a lawyer to a Reuters stringer and thereafter repeated by the PR departments of security firms, reappeared in a September 2007 speech by the chief executive of McAfee, David DeWalt.

Eighteen months later the number has grown so that the figure cited is $1 trillion but, as Stiennon points out, the form of language is virtually identical. Earlier this week security firm Finjan published a press release (“Finjan confirms cybercrime revenues exceeding drug trafficking”) supporting the myth, most recently relayed by Amoroso before Congress.

Leyden asked Finjan whether it wanted to rethink what it said. Not a bit of it, the security firm responded. “In our Q1 2009 report on cybercrime, for example, we revealed that one single rogueware network is raking in $10,800 a day, or $39.42 million a year,” it said. “If you extrapolate those figures across the many thousands of cybercrime operations that exist on the Internet at any given time, the results easily reach a trillion dollars.”

You can read more about the ongoing debate about the volume of cybercrime revenues in Stiennon’s posting on the ThreatChaos blog.