WASHINGTON — Here's today's quiz: What poses the greatest threat to America's economy? (a) federal budget deficits; (b) China; (c) trade deficits; (d) ineffective schools; (e) the internet; (f) none of the above.
The correct answer is (e), the internet — the technological wonder of the age.
True, all the other threats are real. Runaway budget deficits could raise interest rates. China could overtake the United States in some high-technology industries. Inadequate schools could mean scarcities of skilled workers. All these developments could slightly slow economic growth or raise unemployment.
By contrast, the internet — if turned against us through hacking and cyberattacks — could conceivably shut down most of the economy. It represents a "potential threat to all Americans using any information and communications technologies" — that is, almost everyone.
We have this warning not from some obscure academic or business group but from the annual report of the White House Council of Economic Advisers, which devotes a whole chapter to the dangers of a hostile internet. It cites one study estimating $1 trillion worth of damage from an attack on "critical infrastructure" — say, the power grid or the payment system.
Even this figure seems far too low. Virtually everything depends on reliable electricity: elevators, lights, computers, refrigerators. The list goes on. A crippled power grid would broadly disrupt everyday activities and routines. The potential damage and disorder to the $20 trillion U.S. economy could be massive and, possibly, incalculable.
What we now know is that the internet has many warlike features. Curiously, the study has no discussion of Russia's meddling in the 2016 election, but the omission reinforces the basic message: Despite the good it does, the internet makes possible destructive behaviors that, only a decade ago, were barely imaginable.
Relying on data from Verizon, the CEA study classifies cyberwarriors into four major groups: (1) nation-states that spy on or disrupt their adversaries; the major players here are China, Russia, North Korea and Iran (the United States should probably be added to this list); (2) criminals engaging in identity theft and "ransomware" — the stealing of data that is promised to be returned upon payment of a given fee; (3) business competitors that steal proprietary technologies and trade secrets; (4) company "insiders," usually disgruntled workers "looking for revenge or financial gain." In addition, there are various freelancers: people with a political agenda or who hack for fun.
According to the Verizon data, about half the "threat actors" are criminals and about a fifth are groups affiliated with nation-states. Interestingly, about a quarter of cyberattacks are caused by insiders.
The CEA study provides many examples of computer breaches. In 2017, Equifax (one of the largest credit bureaus, rating consumers' financial reliability) was successfully hacked, with attackers gaining more than 140 million personal records (names, addresses, Social Security numbers). In 2014, hackers penetrated Home Depot's computers through the network of a supplier, compromising more than 50 million accounts.
For now, the internet's greatest threats are more theoretical than real. The costs can be huge for individual households, companies, government agencies (designs for the F-35 fighter were stolen and allegedly transferred to the Chinese, who incorporated some features in their newest fighter, the J-31). But the collective impact of these individual losses has yet to cause a breakdown of the broader economy through the widespread attacks on critical infrastructure.
Just how much of a burden computer crime now imposes on the United States is hard to know. In its report, the CEA estimated the cost in 2016 as somewhere between $57 billion and $109 billion. Though these are large amounts, they're less than 1 percent of the U.S. economy (gross domestic product). For 2016, the estimates were between 0.3 percent and 0.6 percent of GDP.
Whatever the most realistic figure, says the CEA, it's probably unrealistic. The reason: Many companies don't fully report cyberbreaches. "Underreporting is pervasive," says the CEA. Companies fear their stock prices will decline or that consumers will stay away from their brands or that their vulnerability to computer crime will invite more cyberattacks. And we are compounding our vulnerabilities by making more and more devices dependent on the internet (ex. driverless cars).
This is a treacherous moment. It may be that all the countries that have advanced cyberweapons are reluctant to deploy them fully against critical infrastructure for fear of retaliation. This self-restraint, if that's what it is, bodes well. But will it last?