On February 16, 2018, the Council of Economic Advisers (CEA) published a report detailing the economic impact of “malicious cyber activity” on the U.S. economy. The report estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 alone. However, the report prefaces its findings by noting that “[t]he total cost of malicious cyber activity directed at U.S. entities is difficult to estimate because … many data breaches go undetected, and even when they are detected, they are mostly unreported, or the final cost is unknown.” The report also notes that the cyber-related losses extend well beyond the initial attack or data breach and may include spillover effects to economically linked firms, an increase in cybersecurity defense measures, and “a drag on economic growth” created by the underlying cyber threats.

The CEA defines malicious cyber activity as “an activity, other than one authorized by or in accordance with U.S. law, that seeks to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or the information resident thereon.” The report groups cyber threat actors into six groups: nation-states, corporate competitors, hacktivists, organized criminal groups, opportunists and corporate insiders.

The report identifies public-sector programs that can assist businesses in enhancing their cybersecurity, such as the Department of Homeland Security’s Automated Indicator Sharing program, which Thompson Hine previously analyzed in the context of electric energy infrastructure. However, the CEA found that “[w]hile government can help address some elements of cyber protection issues, the most direct actions in cybersecurity are in the hands of the private sector. Private firms are ultimately in the best position to figure out the most appropriate sector- and firm-specific cybersecurity practices.” The report identifies cybersecurity technologies that may enhance network defenses: security intelligence systems, block-chain technology and authentication procedures. The report also lauds industry-led cyber threat information sharing forums, and identifies the cyber insurance market as an area of “quick growth.”

The CEA, an agency within the Executive Office of the President, is responsible for, inter alia, providing the president objective economic advice on the formulation of both domestic and international economic policy, and for issuing studies and recommendations with respect to matters of federal economic policy and legislation as the president may request.