As the U.S. government faces calls for a more consistent cyber incident data tracking process, a new watchdog report shows deep-rooted disparities between how federal agencies report on, analyze, and - at the fundamental level - even define cybercrime.
Though cyber incident reporting has long been hindered by the stigma of being a victim of a cyberattack, a growing number of government officials and cybersecurity professionals have touted its benefits. Deputy Attorney General Lisa O. Monaco last year said that the cooperation of a ransomware victim - a Kansas-based healthcare provider - enabled authorities to recover ransom payments of other previously unknown victims. A Ransomware Task Force report released in May said that increased levels of reporting could help government officials and the private sector interpret whether certain steps are effective (or not) in hindering cybercriminals.
However, a new report by the U.S. Government Accountability Office (GAO) revealed that federal agencies are struggling on the backend to streamline various processes for collecting, disseminating and tracking data across investigations and prosecutions.
“Cybercrime in the United States is increasing, resulting in billions of dollars in losses and threatening public safety,” according to the GAO, which audited 12 federal agencies from May 2022 to June 2023 as directed by a provision in the Better Cybercrime Metrics Act. “However, the United States lacks comprehensive cybercrime data and monitoring, leaving the country less prepared to combat cybercrime.”
The GAO report revealed that federal agencies - including the Department of Justice (DoJ), Secret Service, Department of Homeland Security and more - utilize various mechanisms for tracking cybercrime. For example, five different federal programs identify reported cybercrimes in separate ways, including the FBI’s Internet Crime Complaint Center and its Criminal Justice Information Services’ Uniform Crime Reporting program, the DoJ's Bureau of Justice Statistics, CISA and the Financial Crimes Enforcement Network (FinCEN).
The programs in place for collecting this data vary given the purpose of these agencies; for instance, FinCEN must collect suspicious cases of illicit financial activity as directed through the Bank Secrecy Act, and sometimes this includes a cyber component. However, federal agency officials interviewed by GAO said that the lack of a central repository for cybercrime data - and the variations in how agencies collect the data - is a major challenge in streamlining cybercrime metrics.
Challenges in Cybercrime Metrics
According to a majority of the 12 agencies audited, one big obstacle stems from difficulties in measuring the extent and impact of cybercrime. While some standards exist within agencies for tracking data related to cybercrime, it's hard to capture metrics that nail down the scope. Ransomware attacks on a hospital have an entirely different meaning for victims than attacks involving credit card fraud, both in their impact and how they are resolved, for example.
In another challenge, “IRS officials reported that cybercrime often has downstream effects that are not widely known or clear at the time of the investigation,” according to the GAO report. “For instance, a hacker may steal personal information that is then sold on the dark web. The stolen information may then be used for a host of frauds including romantic, identity, tax, credit card, or benefit fraud. However, these crimes are not always committed by the same group and not always timed near each other. Thus, the effects can last years and take a significant amount of effort by individuals and agencies to resolve.”
Additionally, IRS officials that were interviewed by the GAO said that they had standards in place for tracking data, but they did not look at the impact of countermeasures, such as the number of attacks that were prevented or the amount of sensitive data that was retrieved from the dark web.
Seven out of the 12 agencies agreed that there is no shared definition of cybercrime, posing another obstacle. The classification of cybercrime is so broad - given key differences between attacks that span from phishing to wiper malware - that it is difficult to come up with terminology across the board.
One piece of this issue is that agencies also have varying ways that they distinguish between cybercrime and cyber-enabled crime. While Drug Enforcement Administration (DEA) officials define cybercrime as an incident where individuals attack cyber infrastructure (versus cyber-enabled crime, where individuals use cyber tools to conduct traditional criminal activity), the DoJ’s Computer Crime and Intellectual Property Section, which investigates computer and IP crime, instead describes the term as offenses that impact the confidentiality, availability or integrity of computer systems.
“FBI officials stated that the lack of distinction was a challenge and added that the inability to distinguish between cybercrime and cyber enabled crime hinders efforts to study, measure, or categorize these types of specific crimes,” according to the report.
The Better Cybercrime Metrics Act
While these challenges exist, the good news is that measures are being taken to improve the way the federal government tracks and analyzes cybercrime.
The Better Cybercrime Metrics Act, signed into law in May 2022, aims to help streamline the consistent reporting of cybercrime incidents. Under the law, the official incident-based reporting system used by law enforcement agencies to collect and report crime data (the National Incident Based Reporting System) is required to establish a category for cybercrime reports from federal, state, and local officials. This category is due to be completed in May 2024, according to the report.
One key part of the Better Cybercrime Metrics Act's success is the development by the DoJ and National Academies of a cybercrime taxonomy. Though the development of this taxonomy was due within 90 from the enactment of the act in 2022 (and the report on the details of the taxonomy to Congress due 1 year after that), the DoJ and National Academies had not yet entered into agreement to develop the taxonomy as of April 2023, according to the GAO.
“Provisions of the Better Cybercrime Metrics Act are aimed at addressing some of the existing limitations in how cybercrime data are collected and reported,” according to the GAO. “In particular, the development of a cybercrime taxonomy and category in FBI’s NIBRS system target the lack of a common definition and uniform approach to collecting data on cybercrime. The taxonomy is due to be completed one year after DOJ enters into its agreement with the National Academies of Science, and the establishment of a cybercrime category is due to be completed in May 2024. Thus, while it is too early to tell how effective these efforts will be in addressing existing limitations, we plan to monitor these activities.”