Cybercrime as a Tax on the Internet Economy

I was reading this 2014 McAfee report on the economic impact of cybercrime, and came across this interesting quote on how security is a tax on the Internet economy:

Another way to look at the opportunity cost of cybercrime is to see it as a share of the Internet economy. Studies estimate that the Internet economy annually generates between $2 trillion and $3 trillion, a share of the global economy that is expected to grow rapidly. If our estimates are right, cybercrime extracts between 15% and 20% of the value created by the Internet, a heavy tax on the potential for economic growth and job creation and a share of revenue that is significantly larger than any other transnational criminal activity.

Of course you can argue with the numbers, and there’s good reason to believe that the actual costs of cybercrime are much lower. And, of course, those costs are largely indirect costs. It’s not that cybercriminals are getting away with all that value; it’s largely spent on security products and services from companies like McAfee (and my own IBM Security).

In Liars and Outliers I talk about security as a tax on the honest.

Posted on September 1, 2016 at 9:49 AM • 32 Comments


Gweihir September 1, 2016 11:19 AM

In a sense, most crime is a “tax” on freedom. Freedom is essential, but it does allow people to misbehave. If it gets out of hand, a regulation mechanism (law enforcement) is employed to reduce the tax to acceptable levels. (Incidentally, that is the only legitimate reason why to have laws and law enforcement, their self-glorification as “protectors” is just propaganda. They are and have to be mostly reactive and the “protection” value of that is pretty low.)

Of course the irony here is that while law enforcement advocated increasing their power and reach (which removes and reduces freedoms) to deal with the problem, this does usually not reduce crime and usually does not get more criminals caught. Hence calling for surveillance, backdoors, etc. does not make anybody more secure, but it makes anybody less free at great cost to everybody.

albert September 1, 2016 12:57 PM

Well put. I might add that the largely unbridled lust for profit ensures that there will never be proper attention to Computer Security. This is throw-the-dice capitalism, where security is probability-driven, much like occupational safety issues. Unfortunately, many companies have screwed themselves by ignoring such issues. However, most still exist, and ‘recover’, usually with taxpayers’ help. Perhaps if more were totally screwed, the others would pay a little more attention…
. .. . .. — ….

Dot your Ps and Cross your Qs September 1, 2016 3:02 PM

Tax is a nice emotionally-freighted word for the authoritarian bureaucrats you deal with, but in terms of standard microeconomics NSA/FBI/DHS are undermining Internet security, creating vulnerabilities to state or private predation as an externality. Remediation requires costly security. That means NSA is Dioxin, the Internet is Love Canal, and IBM security is a for-profit EPA. And Comey is an insane quack who won’t let your kid go to school unless she’s up to date on her therapeutic Dioxin shots.

retusty September 1, 2016 3:26 PM

Cybercrime is a “tax” on e-commerce in the same way that Al Capone “sold insurance.” Describing it as such is a grossly inadequate euphemism — what we’re seeing is connivance in the victimization of a sector of the population in exchange for a position of dominance in SIGINT. Bringing that 15-20% value down would be relatively simple: stop introducing backdoors in hardware (e.g. routers), roll out ubiquitous client-to-client encryption, stop subverting encryption standards, roll out legislation that holds companies financially accountable when they fail to patch their vulnerabilities, upgrade old protocols (e.g. POP3 and SMTP) to more security and privacy-conscious alternatives (e.g., protocols that don’t default to clear text would be a great start).

Oh, and stop losing your 0-days to Russian hackers.

John September 1, 2016 6:36 PM

@ retusty

Cybercrime is a “tax” on e-commerce in the same way that Al Capone “sold insurance.”

Insurance industry itself is a tax on the economy. They are rent-seekers down to its core definition. In order to insure, it must first hoard capital and push regulations thru, thus satisfying the “rent” and “seek” dogma.

tyr September 2, 2016 1:15 AM

What I find interesting from a historical perspective
is that the current systems of “law” enforcement were
created for capitalism to protect the rich man from
the poor. This creeping Crimism was forged in an era
of scarcity and hasn’t a clue as to how to deal with
an era of abundance in which science and technology
has remade the conditions of the world to the point
people no longer keep dogs as an emergency backup
food supply. It becomes even more interesting when
arguments against the slightest possibility of any
change are touted as unthinkable for reasoning of
300 or 400 years ago.

Estimates of the impacts are likewise suspect since
the losses quoted are so far out of whack with any
sanity as to make the whole idea of ‘cybercrime’
debates look like an inmate debate in Bedlam. Do
things happen that are pointers to necessary change ?
Yes but handing out stiff prison sentences to young
people for being curious or hounding them to death
for being intelligent doesn’t serve any section of
society a good result.

In the meantime technology marches on leaving the
outworn and useless world behind with nothing to
show for it but a bunch of antiquated notions in
the lawbooks used to attempt to keep the future
from occurring.

JG4 September 2, 2016 6:00 AM

reality is a tax on stupidity. @tyr there was some excellent content about the transition from medieval law enforcement, with most of the heavy lifting done by the peasants, to policing at the dawn of the industrial era. I don’t have the links handy, but it is a fascinating topic. Your point about dogs is well taken, but they have some additional utility, like providing warning of two-legged predators and other disturbances in the night. cats provided the anti-mouse utility, as well as fur for mittens and hats. both cats and dogs tend to immunize kids against asthma.

paul September 2, 2016 9:08 AM

There’s another indirect cost that doesn’t even go to the security companies: transactions that people avoid making because they’re worried about the risk. That probably hits new players hardest.

The Grinch September 2, 2016 9:38 AM

And then there’s the “Wendy Oltman Tax”, where 10% of what you read on the internet is some SEO spammer trying to wedge “her” foot in the door of intelligent discussions.

Impossibly Stupid September 2, 2016 11:08 AM

It’s only so large a “tax” because companies gobble up so much data they want to then “secure”. If you don’t like paying so much for security infrastructure, stop needlessly locking up so many things. Not everything on the Internet needs to be monetized and turned into an economy.

Eric Kincaid September 2, 2016 11:44 AM

Malware is clearly a significant drain, and reprehensible. However, it should be noted that without it, our software would be even more of a joke than it already is, and silent actors (e.g. state actors, rather than criminals) would have an even easier job of surveillance and disruption. What is amazing is that the level of criminal hacking has not already driven software to be semi-secure. This is probably because the costs are not borne by the software vendors. Perhaps we need a system where the cost of defense (e.g. anti-malware software expenditures) is paid by software vendors based on their penetration rate?

Alex September 2, 2016 12:21 PM

“hacking threat” cost and cybercrime cost are always inflated, and frequently presented to the public in tandem with the “4 horsemen of the infocalypse” scenarios that are difficult or impossible to argue with.

The number 1, most effective informational weapon in use today, is psychology.

Wmamt, Wmamt September 2, 2016 12:44 PM

Hey speaking of cybercrime, FBI released a factual summary of how Clinton disseminated TS/SAP and agent identities to the world and administered CIA’s clandestine-crime slush fund under diplomatic cover using CIA moles in DoS. A factual summary, you know, like when you say you saw shooters on the grassy knoll and FBI says what you mean is Oswald did it.

Slime Mold with Mustard September 2, 2016 12:57 PM

@ paul

Outstanding observation. I have not ever purchased anything over the internet in my own name. Step One is to search for desired item, and see if it is available “brick and mortar” within 50 miles (retailers are well aware of this). If not, Step Two is to pay less paranoid friends (henceforth – “suckers”) to purchase such things. For a few things, I have gone completely “black”. That is a different topic.

My personal practice has not kept my PID (Personal Identity Information) off the Inter-nut. My medical data was stolen three different times. My Army data was stolen in the OPM hack.

@ Tyr

A few of your comments have this so completely backwards, it is difficult to know where to begin. I will only highlight that:
The overwhelming number of victims of crime are, and have always been, the poor.
In human history, among the first hires (or slaves) were always guards. The idea of guarding the people generally was, and is, a very liberal social program.
Social order certainly benefits the rich: It benefits the lower classes much more.

I really don’t go in for flame wars. It’s just that Critical Theory has been in critical condition since conception.

Grauhut September 2, 2016 4:51 PM

@retusty: “Cybercrime is a “tax” on e-commerce in the same way that Al Capone “sold insurance.” Describing as such is a grossly inadequate euphemism — what we’re seeing is connivance in the victimization of a sector of the population in exchange for a position of dominance in SIGINT.”

Well spoken!

The capabilities of the IC should of course be used to protect the people from cybercrime.

To reclassify these crimes as a tax means they are not willing to do that.

tyr September 2, 2016 5:10 PM


Merely paraphrasing from Adam Smith who was
fortunately unaware of critical theory.
I don’t expect any postmodern thinker to
be able to follow thoughts anathema to
their worldviews.

Mr. Happy September 3, 2016 9:58 AM


Maybe no squid = dead canary. We return you now to your regular Stygian pit of (probably well-justified) paranoid despair. 😉

The Ghost of Richard Rorty September 3, 2016 12:12 PM

The idea that “security is a tax on the honest” misconceptualizes the issue because it begs the question as to why honesty is the default. All crimes are social inventions and as such they represent a moral or social judgement imposed by one group of people on another group of people. Honesty is whatever the powerful say it is. The camouflage of the cuttlefish or the ink of the octopi is dishonest in the same sense that insider trading or identity theft is dishonest–they are behaviors of animals trying to survive in their environments. Honesty is a relational construct, there is nothing essential about it.

Mr. happy September 3, 2016 12:26 PM

Now I’m kinda leaning toward a different explanation, e.g., Bruce deliberately didn’t kick off the regular squid because that’s all part of some sort of online “Stanford Prison Experiment” he’s conducting.

Marcos Malo September 3, 2016 1:04 PM

Maybe better to look at cyber security as a utility that must be paid for, like electricity or trash pick up. Government or private companies might be responsible for infrastructure and service up to the curb, but households are responsible for the wiring in their homes or collecting and putting out the garbage. Likewise, government should be responsible for a security infrastructure, but organizations and individuals are still responsible for the security of their networks and computing devices.

It’s not a perfect analogy, but it’s better than criminal profits as a legitimate tax.

albert September 3, 2016 1:17 PM


I hope the squid hasn’t replaced the canary. Renaming it to ‘canary’ occasionally might be a little too obvious:)

@Bruce, @Moderator(s),

While I enjoy the squid posts, if you guys could just post an ‘empty’ squid post when you don’t have time to find a new squid topic, it would be much appreciated. They help to keep out the rabble from ‘legitimate’ threads.

At least, in theory…

. .. . .. — ….

r September 3, 2016 1:25 PM

@Marcos Malo,

Households are not responsible for wiring up their own home, we have to jump through hoops known as CODES and INSPECTION. That is how security should be ‘required’, right now as I posted in the other thread we have an environment of “general contractors” that is almost entirely devoid of “structural engineers”. Now, even real engineers make mistakes and requirements change as reality rises to perception (from physics, think earthquakes) but if the general contractors were encouraged to act more like responsible structural engineers and given the tools to do so AND used them – things might be considerably better off. Do you want some 20yr old who works at McDonalds rewiring his duplex? I sure as hell don’t.

Marcos Malo September 3, 2016 3:23 PM

So you like my analogy? We’re in a pre-building code period. What are building codes? Codified best practices.

Consider trash services and imagine an overbearing government that “insured cleanliness” for everyone by entering your home to sort and remove the trash. They might also inspect your home for any stray trash that didn’t get thrown in the appropriate waste basket.

r September 3, 2016 3:49 PM


Yeah, but I suspect the reason that the building codes are still being held back is because the financial codes haven’t been codified and united under a single roof yet. 🙂

Impossibly Stupid September 4, 2016 9:48 AM

The main problem I see with the building-code-as-security analogy is that standards for construction are relatively fixed, and old buildings seem to be grandfathered in unless they pose a serious danger. For security, everything is a danger and the “code” needs to be updated frequently.

It’s also complicated by government involvement when best practices are something that get actively sabotaged by agencies like the NSA. Imagine what building codes would look like if the police were allowed to influence them to make their job easier (and how much criminals would love them for it, because it would make their job easier, too).

Anon September 4, 2016 1:07 PM

A big problem with improving security of existing code is everyone is afraid of making breaking changes. That mind-set should be eliminated, with people wanting to use new features being required to update their own products.

If we keep failing to fix fundamentally broken code because it will “break the internet”, then everyone deserves to lose data.

If people are unwilling to update their software after they’ve written V1.0, they have no business writing software.

Bob September 4, 2016 7:43 PM

@ Anon wrote, “If people are unwilling to update their software after they’ve written V1.0, they have no business writing software.”

This is interesting because it is the case in any type of man-made system because no man is perfect because there is always a greater unknown. Thus, experienced system designers have become accustomed to baking in mechanisms where a system’s rigidity is reduced. This is known as backdoors in some circles, and frontdoor in others.

Otter September 5, 2016 5:45 AM

@ Impossibly Stupid “Imagine what building codes would look like if the police were allowed to influence them to make their job easier…”

No need to strain yourself. In many jurisdictions, building codes are available online. Design changes to make your home police-proof, or even burglar-proof. Then try to talk your building inspector into passing them. Or save yourself a lot of trouble, and boast publicly that you can keep the police out physically, or legally.

k15 September 8, 2016 12:02 PM

On the one hand yes, transactions that people avoid making. On the other hand, if they can get you to buy an item, then have you feel unsafe about either using or returning it, they might get you to buy a replacement and boost their economy.

Anon September 9, 2016 9:54 PM

“McAfee” and “security” are mutually exclusive.

Who would trust an application that by design requires total access to the system on which it runs, to provide “protection” from threats chosen by them, in ways that are less than perfect?

It is well-known that all these products can, and are, bypassed by skilled developers of malware/viruses on a daily basis, so why do people use them as if they are infallible?

IMHO they encourage risky behavior, and provide only a false sense of security, whilst providing a “highly trusted” platform to be exploited by the developer of the AV/AM product.

Anon10 September 12, 2016 7:24 AM

The largest component to cybercrime/cybertheft is intellectual property theft. The Microsoft Research link doesn’t say the costs of cybercrime are overestimated, so much as that it’s impossible to estimate with the data that we have. The Anderson paper says the Detica estimate has no obvious foundation. Even if that were true, that still doesn’t tell us whether their estimate is too high or too low, since Anderson doesn’t provide his own estimate of the costs of IP theft. Implying that it might be low because of the example of one product line Windows from one company Microsoft seems a little ridiculous. Even in that case, how many pirated copies of Windows are out there?


Sidebar photo of Bruce Schneier by Joe MacInnis.