Published by The Lawfare Institute
in Cooperation With
As the United States moved to work from home during the coronavirus pandemic, the criminals took notice and acted. After the pandemic’s onset, the FBI saw an uptick in daily cybercrime reports in April of more than 400 percent compared to typical complaint rates. But the recent surge in ransomware attacks against health care systems, such as the University of Vermont’s Health Network, demonstrates that the impact of ransomware isn’t limited to financial crimes. What was initially dismissed as a digital version of extortion has now turned into a crime of life and death, as Germany has tragically found.
While the incoming Biden administration’s first priority will be dealing with the coronavirus crisis, the administration will also need to pursue the malicious cyber actors who have been taking advantage of the situation. Informed policies and legislation can position and resource the U.S. government and its many partners to stem the cybercrime wave.
For too long cybercrime has been considered a nuisance, a crime too hard to solve, or a rarity. But as the United States’s reliance on technology grows, so does the ability of criminals to exploit it. From 2015 to 2016, the financial impact of ransomware increased by 1,400 percent; and malicious cyber activity is estimated to have cost the U.S. economy anywhere from $57 billion to $109 billion in 2016. Nearly everyone, not just large companies, feels and fears these crimes, as reflected in a 2018 survey finding that 72 percent of respondents worried that hackers would steal their personal, credit card, or financial information, placing this concern highest among a list of 13 crimes. They have reason to fear, with roughly one in four American households reporting that they or someone in their household has been a victim of cybercrime. Despite the prevalence and impact of cybercrime, we found that only 3 in 1,000 cyber incidents reported to the FBI lead to an arrest. The real gap between incidents and arrests is likely even higher, as victims often do not report cybercrimes.
In other words, cybercrime is the most prevalent form of crime with the lowest enforcement rate. To change this, the Biden administration will need to confront several challenges that are unique to cybercrime. First and foremost, criminals tend to be located overseas and in countries that are unwilling or unable to cooperate with the United States, particularly if the criminals have ties to nation-state actors—making extradition and prosecution difficult. Second, America’s state and local law enforcement agencies lack the digital forensic capabilities to analyze digital evidence involved in cybercrime cases. This difficulty is compounded by a lack of staffing: There are nearly 3,000 open investigative and analyst positions in the country. Third, federal agency overlap and a lack of central leadership from the White House has led to inefficient and, at times, incompatible reporting systems.
With the challenges plentiful and widespread, the Biden administration will need a road map to begin overcoming this cyber enforcement gap. This is why we gathered a group of more than 30 experts to develop a comprehensive series of recommendations on what the next administration should do to combat cybercrime. These recommendations fall into three main areas: White House coordination, federal and state law enforcement reforms, and global cybercrime cooperation.
First, with cybercrime involving at least 20 federal departments and agencies, 18,000 state and local law enforcement agencies, and numerous private companies, the White House needs to be involved to cut through bureaucracy, manage partnerships and set an agenda. That is why President-elect Biden must both name a national cyber director (NCD) and provide her with the resources and personnel needed to coordinate across the federal government. To combat cybercrime, the NCD’s first actions should be to work with the intelligence community to improve the U.S. government’s cyber threat intelligence collection and sharing. This should include creating “adversary playbooks,” similar to Palo Alto Network’s playbooks, which would describe how different malicious actors operate, map their operational steps, and catalog their tactics, techniques and procedures. This effort should be coupled with a new National Intelligence Estimate that details the relationship between cybercriminals and nation-states.
The culmination of this intelligence will allow the NCD to play a nonoperational role in planning, organizing and overseeing the strategic disruption of criminal infrastructure. This will include creating a disruption framework, with interagency and private-sector input, within which government agencies can assess and prioritize when a malicious cyber act should be mitigated through traditional law enforcement approaches, through a disruption operation or a combination of both. Indeed, such a framework may have made the separate Microsoft and Cyber Command takedowns of Trickbot more effective. These and other activities will then help inform the creation of a detailed cybercrime addendum to the 2018 National Cyber Strategy, which should guide the federal government’s cyber enforcement efforts.
Second, although federal and local law enforcement agencies have taken steps to combat cybercrime, more pervasive reform is required to ensure these analog cops can pursue digital robbers. At the federal level, policies and reports such as the National Cyber Incident Response Plan, the Justice Department’s Cyber Digital Task Force Report, and the department’s Reporting Framework describe components of federal cybercrime roles and responsibilities. Yet, there is no public framework that delineates how these entities interact and coordinate with each other. While the National Cyber Investigative Joint Task Force coordinates interagency, operational efforts related to cyber investigations, no similar body exists to resolve policy disagreements over cyber enforcement.
Therefore, we recommend that the NCD lead a temporary, interagency working group with relevant agencies to develop policies and resolve disputes where interagency coordination and consultation is required. This new Cybercrime Working Group should work to enhance intergovernmental and public information sharing; improve interagency coordination by clearly delineating federal roles and responsibilities; and bolster cybercrime data-collection efforts to better inform policy and assist victims. For example, the group should create a uniform definition for cybercrime that the federal government can use for creating policies and informing data collection efforts, while giving state and local criminal justice partners incentives to adopt a similar definition. This definition could then be enumerated in a National Security Presidential Directive (NSPD)—similar to NSPD 54, which defined “cyberspace.”
We also make several recommendations for how the federal government can strengthen state and local cybercrime capabilities. This includes expanding cybercrime categories in the National Incident-Based Reporting System—the federal system where state and local law enforcement agencies report crime. The government should also spur the uptake of the reporting system: Currently, only half of state and local law enforcement agencies submit data to the NIBRS. And it should ensure that the system is fused with other data systems, like the FBI Internet Crime Complaint Center. Currently, of the 50-plus offenses listed in the NIBRS, only one—hacking/computer invasion—is designated for cybercrime, leading to vast undercounts. With better data, federal and local policymakers can make more informed policy decisions and allocate funds commensurate with the threat.
The federal government can also strengthen the 17 Regional Computer Forensic Labs—FBI labs that conduct digital forensic activities for law enforcement—and expand grant programs, like the Paul Coverdell Forensic Science Improvement Grants, to fill the digital forensic gap at the state and local levels. And as these law enforcement agencies improve their capacities, the government should consider how to expand and incentivize participation on federal task forces, such as the FBI’s Cyber Task Forces and the U.S. Secret Service’s Cyber Fraud Task Force.
Third, cybercriminals are often located overseas yet target victims within the United States. Quite simply, this means we cannot investigate or arrest perpetrators without the cooperation of other governments. Yet the U.S. international engagement architecture is not set up at the level needed, nor operated at the efficiency required, to overcome these challenges. While the United States was the first country to establish an international coordinator for cyber issues, the office has since been downgraded in the State Department, signaling to allies and adversaries alike that cyber diplomacy is not a top U.S. priority. We recommend that the next secretary of state establish an Office of International Cyberspace Policy in the State Department, headed by an ambassador-level position, to coordinate all cyber diplomacy matters, including cybercrime. Both Democrats and Republicans should, however, work to pass legislation that codifies this office, like the Cyber Diplomacy Act of 2019, and adequately resource it to fulfill its mandate. The activities of this office should be guided by a new, global cyber engagement strategy that promotes a free, open, and secure Internet, while pushing for and compelling behavior change in states that are ignoring, abetting, ordering, or conducting cybercrime and/or other forms of malicious cyber activity.
Achieving these goals will require increases in targeted capacity building for countries that may be willing to cooperate with the United States in cybercrime cases but do not have the capabilities to do so and alignment with a new comprehensive framework to monitor and evaluate the effectiveness of this capacity building. Capacity building should involve training foreign law enforcement personnel on the legal and technical means to investigate and prosecute cybercrime, as well as strengthening rule of law and anti-corruption efforts. To this end, the State Department should establish a criterion to select countries to participate in a pilot program for cyber capacity building efforts. But the department should also put in place an assessment, monitoring and evaluation (AM&E) framework to determine the impact of this programming and avoid unintended consequences, such as abuse of law enforcement tools for corrupt purposes. This framework should eventually be included as a component of a broader department-wide AM&E framework and should also provide necessary additional resources for attaches, legal and cyber advisers, and other personnel in foreign missions to help build the capacity of foreign governments to bring cybercriminals to justice. These efforts will require a robust strategy for whether and how the U.S. government will engage in negotiations on cybercrime and cyber norms with countries on the other side of these debates, such as Russia and China. And to overcome the challenges that exist in sharing data in cybercrime cases across borders, the U.S. government must prioritize signing new executive agreements with countries under the CLOUD Act and adopt a number of reforms to make the process for facilitating cross-border data sharing under mutual legal assistance treaties more effective and efficient.
Cybercrime is not the only priority among the myriad challenges confronting the nation’s cybersecurity, but it is the most pervasive and the one felt by nearly all Americans. And the response to the coronavirus will surely, and rightfully so, take precedence over all policy matters. But the Biden administration must deal with a multitude of crises wrought by the pandemic, including the one ravaging cyberspace. With this road map, the country can finally achieve better cybercrime enforcement that deters and punishes criminals and, ultimately, protects the American people.