Underreporting is widespread. Many individuals and especially businesses do not report cybercrimes due to concerns about reputation, liability, or perceived lack of enforcement benefit.

Federal cybercrime data collection is fragmented. At least 13 federal agencies hold some responsibility to gather data, using differing definitions and systems, with no centralized integration.

Current classification systems do not reflect modern cybercrime. Indicators like “computer equipment used” are inconsistently applied, and newer threats such as phishing or ransomware are not well categorized.

Cybersecurity incidents and cybercrimes are related but distinct. Not all security breaches are crimes, and not all cybercrimes result from system compromise.

Prepare to integrate the proposed cybercrime taxonomy (Recommendation 3-1) as an attribute or flag in NIBRS. (Recommendation 4-2)

Cybercrime is inherently difficult to define and measure. Incidents can involve multiple actors, jurisdictions, and targets, and frequently use emerging technologies not reflected in standard crime categories.

Encourage more consistent reporting of existing cyber-relevant categories like identity theft and hacking. (Recommendation 4-1.1)

Clarify and strengthen existing NIBRS elements related to cybercrime, such as “computer equipment used” and “cyberspace” location codes. (Recommendation 4-1.2)

Consider including data/systems and digital currency/cryptocurrency as types of property lost. (Recommendation 4-1.3)

Ease the transition of changes to NIBRS by working with the records management system vendor community and providing adequate education and training. (Recommendation 4-1.4)

Refine and increase the use of NCVS supplements related to cybercrime, e.g., identity theft, fraud, and stalking. (Recommendation 4-3)

Explore more frequent administration of the three cybercrime-related supplements to improve timeliness and trend analysis or consider developing a dedicated cybercrime supplement to the NCVS. (Recommendation 4-4)

Consider conducting an establishment survey or additional rounds of the 2006 National Computer Security Survey to understand crime/cybercrime victimization experiences by businesses and organizations. (Recommendation 4-5)

To address these limitations, the report recommends a new taxonomy that classifies cybercrime into six mutually exclusive categories based on the offense target and degree of cyber involvement. The taxonomy is designed to be implementable in current systems as an attribute or flag, not a replacement for existing crime codes. It offers a structured framework to guide data collection and reporting without requiring wholesale redesign. This makes it easier for the nation to get the consistent data it needs to understand cybercrime better.

The structure and assumptions of existing crime statistics systems limit their ability to capture cybercrime. NIBRS and NCVS were designed forphysical, interpersonal, or property crimes, not for offenses involving digital systems, intangible assets, or cross-jurisdictional incidents. Cybercrime challenges standard data elements, such as offense types, victim counts, and location codes, and lacks clear analogues in current classification schemes.

The report outlines specific recommendations for improving cybercrime data within current systems. For NIBRS, these include refining data elements related to computer use and offense location, encouraging use of existing cybercrime categories, and eventually adopting the taxonomy as a new data element. For NCVS, the report advises maintaining a modular supplement strategy, refining content, and considering more frequent administration of cyber-related supplements.

Accurately measuring cybercrime will require coordinated use of multiple data sources, including law enforcement data, victimization surveys, incident reporting systems, and industry data. A centralized governance mechanism is needed to define terms, align data systems, and integrate findings. The report emphasizes the need for a national cybercrime information clearinghouse and recommends that federal agencies work together to coordinate measurement efforts, reduce redundancy, and address long-standing data gaps.