CYBERSECURITY
Need for National Information Clearinghouse for Cybercrime Data, Categorization of Cybercrimes: Report
There is an acute need for the U.S. to address its lack of overall governance and coordination of cybercrime statistics. A new report recommends that relevant federal agencies create or designate a national information clearinghouse to draw information from multiple sources of cybercrime data and establish connections to assist in criminal investigations.
There is an acute need for the U.S. to address its lack of overall governance and coordination of cybercrime statistics, according to a new report from the National Academies of Sciences, Engineering, and Medicine. The report, requested by Congress in the 2022 Better Cybercrime Metrics Act, recommends that relevant federal agencies create or designate a national information clearinghouse to draw information from multiple sources of cybercrime data and establish connections to assist in criminal investigations.
Cybercrimes encompass a wide range of illegal cyber-dependent or cyber-enabled actions against individuals, businesses, and government entities, including identity theft, online stalking, phishing, hacking and sale or release of stolen content, denial of service attacks, ransomware, destructive malware, and computer-related acts of terrorism.
Cybercrime poses serious threats and financial costs to individuals, businesses, and government agencies both in the U.S. and abroad, and incidents have become increasingly common in recent years. However, it has proved difficult to gain a full understanding of why cybercrime is on the rise. The current national crime statistics system has limited coverage of cybercrimes, and existing data measurement efforts aimed at tracking such crimes are fragmented, the report says.
According to the report, at least 13 federal agencies collect cybercrime data, but the agencies lack shared, consistent definitions of cybercrimes, and they act in relative isolation in this area. Efforts are also hampered by challenges such as underreporting, the rapidly evolving nature and use of technology, and the variable scope and nature of incidents. In particular, determining the boundaries of cybercrime incidents is problematic, as the crimes can have ripple effects on thousands or millions of individuals at a time, raising questions over whether the affected data holder should be counted as the sole victim of the crime.
“Getting a full accounting on cybercrimes is challenging due to its nature, and there is no single solution that will provide a complete picture of cybercrime — but measurement improvements are certainly possible, and we view this report’s recommendations as a solid set of steps forward,” said Hal Stern, chair of the committee that wrote the report, and distinguished professor of statistics at the University of California, Irvine. “We will have to continue adapting the ways we categorize and track cybercrimes to keep up with changes in technology and the ways we as a society use technology.”
As requested by the Better Cybercrime Metrics Act, the report sets out a taxonomy defining major categories of cybercrimes to provide a clear structure to aid in the development of shared statistical measures. The report does not call for an overhaul of the National Incident-Based Reporting System, the crime data collection program administered by the FBI, but rather recommends that the FBI adopt this taxonomy to build on the foundation laid over a decade ago when cybercrime began to emerge as a prominent category of crime. In the future, the taxonomy should be amended to account for trends in reported data as well as emerging technologies such as artificial intelligence and quantum computing, which could create the need to define new offenses.
The report suggests both short-term and long-term improvements to cybercrime coverage in the National Crime Victimization Survey, the household survey conducted by the Bureau of Justice Statistics that provides insights on crime regardless of whether incidents are reported to local law enforcement. These include building upon and repeating the content of survey supplements that cover cybercrimes such as identity theft and cyberstalking.
The report also emphasizes that beyond improving governmental statistical measures and coordination, efforts to improve cybercrime measurements must also rely on the continuing — and ideally, increased — participation of businesses and organizations in reporting cybercrime incidents. This has been historically complicated, due to companies’ reluctance to appear vulnerable, liability issues, and a range of other factors. For example, financial institutions that fall victim to a data breach frequently weigh the need to inform affected clients against the perception of culpability for ineffective defense.
The study — undertaken by the Committee on Cybercrime Classification and Measurement — was sponsored by the Federal Bureau of Investigation. The National Academies of Sciences, Engineering, and Medicine are private, nonprofit institutions that provide independent, objective analysis and advice to the nation to solve complex problems and inform public policy decisions related to science, engineering, and medicine. They operate under an 1863 congressional charter to the National Academy of Sciences, signed by President Lincoln.