We Need Better Cybercrime Data

Eileen Decker, Mieke Eoyang
Wednesday, April 15, 2020, 8:00 AM

The Cyber Solarium Commission report recommends Congress create a Bureau of Cyber Statistics. But the commission’s recommendation does not explicitly call for a major category of data that we need to understand.

Banner reading "CYBERSPACE" hanging from a rafter, 2011. (Flickr/Nicolas Nova, https://flic.kr/p/axX8Dy; CC BY-NC 2.0, https://creativecommons.org/licenses/by-nc/2.0/)

Published by The Lawfare Institute
in Cooperation With

Cybercrime represents one of the fastest growing types of crime in the U.S., resulting in millions of victims and hundreds of millions of dollars in economic damages.

This new reality should come as no surprise. As the recently released Cyber Solarium Commission report observes:

The digital connectivity that has brought economic growth, technological dominance, and an improved quality of life to nearly every American has also created a strategic dilemma. The more digital connections people make and data they exchange, the more opportunities adversaries have to destroy private lives, disrupt critical infrastructure, and damage our economic and democratic institutions.

The report notes that to create policies to better deal with cyberattacks, policymakers and analysts need greater insights into the severity and scope of these attacks. To that end, the commission recommends Congress create a Bureau of Cyber Statistics within the Department of Commerce to collect and provide statistical data on cybersecurity and the cyber ecosystem. The specific types of data to be collected are not identified, but the stated objective of the collection process is to define the national cyber risk, help the insurance industry to create more accurate risk models, and help the government craft more effective cybersecurity policies and programs. Their thinking is commendable: Better data will drive better policy.

But the commission’s recommendation does not explicitly call for a major category of data that we need to understand in order to adequately respond to the rising number of cyberattacks: cybercrime data. In addition to collecting private-sector data, we need a comprehensive system to track and measure criminal activity in cyberspace.

Without better cybercrime information, law enforcement lacks one of its most effective crime-fighting tools: good data. Unlike traditional crime-reporting mechanisms, there are few crime-reporting options for cybercrime victims. Local law enforcement often feel ill equipped to handle such cases, unable to identify the jurisdiction in which the crime occurred and lacking the resources for cyber investigations. Cybercrime can be self-reported to the FBI’s Internet Crime Complaint Center (IC3), which gathers data for statistical purposes. However, the FBI acknowledges that this system severely undercounts the amount of criminality. The bureau estimates that it receives reports for only approximately one in 10 cybercrime incidents. An analysis of public opinion data about the frequency of cybercrime suggests that the FBI’s undercount is off by a factor of 100. These insufficient reporting systems leave victims without recourse for reporting incidents of cybercrime, and leave law enforcement in the dark about the magnitude of the problem. Simply put, you cannot stop what you do not count.

In the non-cyber context, good data has led to needed reforms in policing and crime reduction. For example, national crime statistics prompted the shift to community policing, one of the most fundamental changes in America’s modern approach to crime.

Comprehensive crime data isn’t just important to policymaking and forecasting. It also plays a role in the day-to-day work of police departments.

For example, the CompStat system uses crime data to inform street-level policing, specifically focusing on murder, robbery, rape, aggravated assault, burglary, theft, vehicle theft and arson. These common street crimes, classified as Part I crimes by law enforcement, were first identified by the International Association of Chiefs of Police in 1929 as the most serious, frequent and pervasive crimes that warranted counting. Now, decades later, these same crimes form the foundation for the CompStat evaluation process. CompStat’s system of consistent and verifiable crime data collection and analysis professionalized police work, making it more effective. CompStat is now an important accountability tool, compelling police departments to take direct responsibility for their crime problems.

Deploying data through CompStat has proved to be effective where it matters most: in reducing crime. In an evaluation of national crime trends between 1990 and 2016 aimed at identifying the various factors that contributed to the decline in crime, New York University’s Brennan Center for Justice found that CompStat systems, while not the only factor, contributed a 5 to 15 percent decrease in reported crime.

Unfortunately, we do not know if these decreases are just masking a crime shift from the streets to the internet. While bank robberies have declined since the mid-1990s, cybercrime has increased dramatically. Elder fraud, extortion, sextortion, identity theft, ransomware and other online cybercriminal conduct are not systematically tracked but are now far too common. Yet, we have no idea how common they are due to our failure to effectively count these crimes, leaving too many cybercriminals acting with impunity. According to an analysis of U.S. government data, only three in 1,000 reported cybercrimes result in arrest.

Further, many observers suggest cybercrime is rising during the novel coronavirus outbreak, including targeting of hospitals, testing labs, and a teleworking and vulnerable public. Data about changes in the frequency and nature of cybercrime is critical to protecting the public during this time of crisis.

To correct this situation, policymakers need to take a number of concrete steps. First, the U.S. needs to include more cybercrime categories in the National Incident-Based Reporting System (NIBRS), the U.S.’s national crime-reporting tool. Congress should mandate collecting data on cybercrime as it previously did with hate crimes and human trafficking. Finally, the U.S. needs to fund this effort and provide local police departments, especially smaller ones, with grants and financial resources to build reporting capacities.

To be sure, obtaining accurate cybercrime statistics poses unique challenges including the risk of double counting when a crime is reported by multiple jurisdictions; the difficulty associated with defining specific cybercrimes, particularly when jurisdictions have differing definitions or none at all; the years-long investigations involved with attributing cybercrime to nation-state actors; and the prevalence of global espionage. But without a unified commitment to addressing this exploding crime trend, we will not solve these challenges. It’s not just us, the National Academy of Sciences has also recommended the nation overhaul its crime reports.

The Cyber Solarium Commission was correct in determining that the U.S. lacks clarity about the nature and scope of cyberattacks, without which policymakers cannot develop “nuanced and effective policy responses.” Failing to focus on cybercrime from the call for metrics means we will continue to fly blind when it comes to cybercrime enforcement efforts. If we don’t know how or where the crime is occurring, we cannot make decisions on how to resource or equip law enforcement to address it. Cybercrime victims deserve better.

Eileen Decker is a former U.S. attorney, a lecturer at the University of Southern California, and the president of the Los Angeles Police Commission.
Mieke Eoyang is the vice president for the National Security Program at Third Way and a former professional staff member of the House Permanent Select Committee on Intelligence.

Subscribe to Lawfare