Worst-Case Aggregation: $100 billion

In the previous post we saw that the idea of aggregated damages is probably at least 2300 years old. These days we have means of aggregation that Kautilya never dreamed of, from ships to planes to telephones to satellites to the Internet. So what’s the most aggregation we can expect to see for damages on the Internet?

At a conference in May, two researchers attempted to answer that question wiith a paper:

“Worms represent a substantial economic threat to the U.S. computing infrastructure. An important question is how much damage might be caused, as this figure can serve as a guide to evaluating how much to spend on defenses. We construct a parameterized worst-case analysis based on a simple damage model, combined with our understanding of what an attack could accomplish. Although our estimates are at best approximations, we speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely-used services in Microsoft Windows and carrying a highly destructive payload.”

“A Worst-Case Worm,” Nicholas Weaver, Vern Paxson

This $50 billion dollar estimate is actually conservative. The paper was supposed to have three authors, not two; the third author thought a higher estimate should be included.

Also, the estimate given is only for the United States. About half of the Internet is outside the U.S., so it is probably safe to assume that total worldwide damages would be even higher. A simple linear multiple of 2 may not be accurate, since the rest of the world isn’t as closely connected topologically the U.S. is. On the other hand, most of the Internet in the rest of the world is in Europe, Japan, East Asia, Canada, Australia, and New Zealand, all of which are tightly connected within themselves and closely connected to the U.S. The Slammer worm, for example, did not respect national boundaries.

So there is good research to indicate that the fears some Fortune 500 CEOs have of a $100 billion dollar risk are very well founded.