
Seizing AI’s Trillion Dollar Cyber Opportunity

By Matt Mittelsteadt, Cato Institute

 

Perhaps the biggest near-term AI opportunity is reducing cybercrime costs. With serious attacks unfolding almost daily, digital insecurity’s economic weight has truly grown out of control. Per the European Commission, global cybercrime costs in 2020 were estimated at 6.5 trillion euros (around $7.65 trillion). Since then, costs have only spiraled. In 2025, Cybersecurity Ventures estimates annual costs will hit $10 trillion, a showstopping 9 percent of global GDP. As Bloomberg notes, global cybercrime is now the world’s third-largest economy. This is truly an unrivaled crisis.

Thankfully, it is also an unrivaled opportunity. Given the problem’s sheer scale, any technology, process, or policy that shaves off just a sliver of these cyber costs has percentage point growth potential. Reduce cyber threats, and abundance will follow.

To seize the opportunity, our single best hope is AI. There’s no question human engineers have failed to contain this cost crisis. As threats rapidly proliferate, human labor has remained profoundly limited. Thankfully, a truly promising set of AI technologies is emerging to not only manage the challenge but also significantly reduce total costs. If we play our cards right—and make prudent policy choices—substantial economic possibilities are ours to seize.

The Software Translation Opportunity

Putting promise into perspective, let’s focus on one “big rock” AI cyber opportunity: translating software from one programming language to another.

Today, 70 percent of all software vulnerabilities are associated with a particularly nasty class of defect called “memory safety vulnerabilities.” Exploited correctly, these bugs can allow criminals to alter data, command systems, and wreak all manner of cyber havoc. They can also be costly. In 2014, just one memory safety bug was responsible for undermining the encryption of essentially all major internet services. This forced an estimated $500 million in maintenance and millions more in theft and damage.

Thankfully, these costly insecurities have a simple root cause: legacy programming languages. In any software coded in older languages like C, memory safety vulnerabilities are endemic and unavoidable. In software coded in modern “memory safe” languages like Rust, they are all but extinct. To solve this supermajority of cyber issues, all that’s needed is to rip and replace old code.

Despite this cyber silver bullet existing for years, human limitations and the problem’s sheer scale have stalled action. Today, there are billions of unsafe lines of code across billions more programs. What’s more, code translation often takes years, is incredibly costly, and depends on a vanishingly small labor pool. Human-led action has failed to meet the moment, and our incredible cyber costs are the result.

The only solution is automation, and thankfully, near-term AI is poised to tackle this implementation challenge. Earlier this year, Morgan Stanley put into use a partial AI solution. To ease translation, the firm developed a system that takes in old code and outputs “crosswalk” instructions to guide rapid recoding. In just six months, the firm reports savings of 280,000 developer hours—roughly the equivalent of 140 full-time employees. Already, AI is catalyzing accelerated action.

For success across the global economy, however, action needs to be more than fast. It must be effortless. As AI can already write code and even autonomously complete real-world software engineering tasks, it’s likely that AI will soon be able to autonomously manage code translation. Indeed, moonshots such as DARPA’s project TRACTOR, aiming to update all software written in the unsafe C language, and countless private sector efforts are blazing ahead on this challenge. Cheap, scalable, easy-to-use automated solutions may soon be within grasp.

The point of this memory safety rabbit hole is to show that decisive AI action on the cyber cost problem is indeed possible. In 2019, Android made the strategic decision to prioritize such memory-safe development and in just three years, the costliest vulnerabilities, those classified as “severe,” dropped by more than half. With the coming AI automation, such fantastic results could soon be enjoyed by developers in all nations, of all skill levels, and without Android’s resources. It’s no jump of imagination to assume that if code translation can slash the count of severe bugs in half and mitigate 70 percent of all software vulnerabilities, wild cost savings will follow.

Seizing AI Abundance

The immense potential of software translation is far from the only near-term AI opportunity. Already, studies have proven AI can automate vulnerability detection—that is, AI can discover serious security issues without human involvement. Soon, software could be proactively secured even before it ships. Likewise, advances in AI task completion suggest software patches could soon be automated. In a few years, software fixes could be generated and shipped just moments after insecurities are discovered. Beyond, we find countless other possibilities in advanced cyber intelligence, threat detection, real-time response, and more.

As with all things, the road to success will run through ever-rocky policy. To develop these tools, moonshot public sector investments already underway by agencies like DARPA could indeed help hasten development. That said, there is significantly more opportunity in the lavish trillions that industry is pouring into AI development. To reap these benefits, policymakers must continue to ensure that private sector engineers have the free hands required to innovate, build, and continuously improve these technologies.

A perhaps more critical effort will be enabling the rapid domestic and global diffusion of mature cyber AI tech. These costs can only be reduced if this technology is used widely. To ensure domestic diffusion, policymakers must avoid unharmonized regulations that could snarl rapid deployment in a needless web of compliance, uncertainty, and checklists. For global diffusion, Washington must avoid any trade policies or export controls that seek to limit the trade of cyber-defensive AI systems. Finally, to keep usage costs low, we must continue enabling essential open-source development.

As policymakers actively formulate AI policy frameworks, defending this cyber opportunity must be central. To reiterate: just a fractional cyber cost reduction represents a trillion-dollar possibility. With the right choices, emerging AI could slash costs and unleash untold abundance. Let’s get this right.

 


Matthew Mittelsteadt is a technology policy research fellow at the Cato Institute.