President Joe Biden on Thursday signed into law a bill that aims to improve how the government tracks, measures, analyzes and prosecutes cybercrime.
The Better Cybercrime Metrics Act, which was first introduced in the Senate in August 2021, will build a system to keep tabs on cybercrime incidents with an end goal of better identifying threats and preventing attacks. The act cracks down on consistency issues around how cybercrime is both reported and tracked: While federal law enforcement agencies must report crime through the FBI per the Uniform Crime Reporting Act of 1988, federal agencies like the FBI and the Secret Service, which often have jurisdiction over cybercrimes, are not consistently reporting these numbers into federal systems, the bill's sponsors have argued. Meanwhile, state and local law enforcement reporting on cybercrime is also limited.
“By strengthening our data collection, anticipating future trends, and giving law enforcement the tools they need, we are taking common sense steps to keep the American people safe online,” said U.S. Rep. Abigail Spanberger (D-Va.), who sponsored the legislation and who is a former CIA case officer and federal agent, in a Thursday statement.
The act will require the official incident-based reporting system used by law enforcement agencies to collect and report crime data (the National Incident Based Reporting System) to establish a category for cybercrime reports from federal, state, and local officials within the next two years.
As part of the act, the Government Accountability Office (GAO) will also look at the effectiveness of current cybercrime mechanisms and specifically any disparities between reporting this type of data and other types of crime data.
The act will also require that cybercrime is incorporated into several existing systems used to track crime. For instance, the Department of Justice (DoJ) will be required to contract with the National Academy of Sciences to develop a taxonomy for categorizing different types of cybercrime impacting businesses and individuals, which can then be used by law enforcement in future tracking metrics. Also, the National Crime Victimization Survey will be required to incorporate questions related to cybercrime in its survey instrument.
Of note, several cybercrime tracking programs do exist, including the FBI’s well-known Internet Crime Complaint Center (IC3) that tracks internet-related crime like business email compromise, phishing attacks and romance scams. However, this act would focus on a more consistent and comprehensive mechanism for collecting and reporting cybercrime across several law enforcement agencies.
The act is also part of a greater effort by the U.S. government to increase transparency around cybersecurity incidents. The Strengthening American Cybersecurity Act of 2022, which passed the Senate in March, for instance, would give critical infrastructure entities a 72-hour reporting deadline to notify the Cybersecurity and Infrastructure Security Agency (CISA) after experiencing a cyberattack. And last year, the U.S. Securities and Exchange Commission (SEC) proposed a set of rules that would require publicly traded companies to disclose security incidents within four days after they have been discovered.
Crane Hassold, director of threat intelligence with Abnormal Security, said that the Better Cybercrime Metrics Act is a "much-needed legislation" for the U.S. government to not only understand cybercrime levels, but also to be able to adjust the level of resources needed to defend against these threats accordingly.
“One of the biggest obstacles the federal government has fighting cybercrime is that it's missing accurate, comprehensive data to understand the overall impact of cyber threats that would allow them to prioritize their efforts accordingly,” he said. “Hopefully, with this bill, it will give federal law enforcement the information it needs to be able to allocate resources to holistically combat and respond to cyber threats.”