1

Introduction: Cybercrime Measurement, the Panel, and Its Charge

Cybercrime poses serious threats and financial costs to individuals and businesses in the United States and worldwide. Reports of data breaches and ransomware attacks on governments and businesses have become common, as have incidents against individuals including identity theft and online stalking and harassment. Concern over cybercrime has increased as the internet has become a ubiquitous part of modern life. However, comprehensive, consistent, and reliable data and metrics on cybercrime still do not exist—a paucity of vital information that undoubtedly results from the exceedingly decentralized nature of relevant data collection at the national level. The U.S. Government Accountability Office (2023; USGAO) identified at least 13 federal agencies with some stake in collecting cybercrime-related data, which the USGAO grouped into three mechanisms governing the extent and nature of the data collection:¹

• Agencies primarily tasked with the identification of cybercrime activity include the twin pillars of the U.S. national crime statistics apparatus, the Federal Bureau of Investigation’s (FBI’s) Uniform Crime Reporting (UCR) Program and the Bureau of Justice Statistics (BJS) (primarily through the National Crime Victimization Survey [NCVS] and its supplements), both within the U.S. Department of Justice (USDOJ). Other agencies sharing this identification function include the Cybersecurity & Infrastructure Security Agency in

___________________

¹ The U.S. Government Accountability Office (2023) report was mandated by the same Better Cybercrime Metrics Act that occasioned this panel’s consensus study; see Appendix A.

• the U.S. Department of Homeland Security, the Financial Crimes Enforcement Network in the U.S. Department of the Treasury, and the FBI’s Internet Crime Complaint Center (IC3).
• Seven agencies collect data related to cybercrime during investigation of crime: the FBI (through its field offices); the Bureau of Alcohol, Tobacco, Firearms, and Explosives; and the Drug Enforcement Administration of the USDOJ, as well as the U.S. Secret Service and Homeland Security Investigations of the U.S. Department of Homeland Security, the Internal Revenue Service Criminal Investigation branch of the U.S. Department of the Treasury, and the U.S. Postal Inspection Service.
• Finally, the USDOJ as a whole is responsible for collecting and tracking certain relevant information related to cybercrime during the prosecution of cases.

The USGAO’s overview of this data-collection terrain suggested wide variety in the manner and extent to which agencies collect or report data on cybercrime—and in the very capability of agencies’ case management systems to categorize crimes as cyber-related or to track or identify cybercrime at all. Importantly, the USGAO review identified several fundamental challenges to cybercrime data collection. First, agencies lack a common, consistent definition of cybercrime, which necessarily complicates comparison across agencies. Second, the agencies act in isolation on their individual parts of the broader cybercrime problem; information is not collected or integrated by a single entity. Third, agencies consistently emphasized that cybercrime is almost certainly underreported—for a variety of reasons, the most blunt (as expressed in a USGAO interview with agency staff) being that victims necessarily “lack an incentive” to report cybercrime incidents “if it is not entirely clear who can do anything about it” (U.S. Government Accountability Office, 2023, p. 25).

Against this backdrop, two laws enacted in spring 2022 required the addition of cybercrime content in U.S. national crime statistics. In March 2022, provisions in the Violence Against Women Act (VAWA) Reauthorization Act of 2022 directed the FBI to “design and create [a] category for offenses that constitute cybercrimes against individuals” in the FBI UCR Program, which aggregates returns of offenses reported to state, local, tribal, and territorial (SLTT) law enforcement agencies. The VAWA Reauthorization Act language also required the FBI to “classify each type of cybercrime against individuals that is an offense under Federal or State law” as a reportable offense in the National Incident-Based Reporting System (NIBRS), the UCR Program’s flagship database

(P.L. 117-103).² Two months later, the Better Cybercrime Metrics Act (BCMA; P.L. 117-116)³ echoed the call for the FBI to “establish a category in the [NIBRS] for the collection of cybercrime and cyber-enabled crime reports” but also required that the BJS “include questions related to cybercrime victimization in the National Crime Victimization Survey [NCVS],” the household survey that serves as the dual major component of current U.S. national crime statistics through its ability to shed light on the extent of crime that is not reported to law enforcement. The BCMA further required that the FBI’s revisions to the NIBRS expand the system’s scope to cover “cybercrime and cyber-enabled crime faced by individuals and businesses” rather than just individuals—and it further required the FBI to commission this study to provide a basis for the revisions.

THE PANEL AND ITS CHARGE

As requested in the BCMA and sponsored by the FBI, the National Academies of Sciences, Engineering, and Medicine’s (National Academies’) Committee on National Statistics, Committee on Law and Justice, and Computer Science and Telecommunications Board convened this ad hoc consensus study panel (see Box 1-1).

The panel met in formal closed sessions five times over the course of the study and conducted additional deliberations in several virtual meetings. To inform its deliberations, the panel held several public sessions, at which invited experts shared their perspectives on cybercrime and current measurement and classification efforts. In the first public session, the panel heard from the study’s sponsors at the FBI. During the second public session, the panel heard perspectives on conceptualizing cybercrime definitions, typologies, and taxonomies; perspectives on the measurement of identity theft; and perspectives from other models, such as the Canadian model for cybercrime data collection and the Cyber Classification Compendium. The panel also gathered insights from federal and state-level law enforcement and other federal agency efforts to capture cybercrime data, including the Cybersecurity & Infrastructure Security Agency, the IC3, the Federal Trade Commission, and the Michigan Cyber Command Center, and learned about the current collection of cybercrime-related data in the NIBRS and NCVS. Finally, the panel heard perspectives from interested constituencies, including the National Cyber-Forensics and Training

___________________

² See 136 Stat. 950 in particular; P.L. 117-103 is the sprawling omnibus appropriations act for fiscal year 2002 into which numerous other bills were folded, including both the VAWA Reauthorization Act and the Cyber Incident Reporting for Critical Infrastructure Act that is a major focus in this study.

³ The full text of both the VAWA Reauthorization Act cybercrime reporting provisions and the BCMA is reprinted in Appendix A.

Alliance, the Association of State Uniform Crime Reporting Programs, the Identity Theft Resource Center, and AARP.

The panel also drew heavily on the work of the predecessor National Academies’ Panel on Modernizing the Nation’s Crime Statistics (hereafter, the MNCS panel), which was jointly sponsored by the BJS and the FBI and faced an even broader mandate than our panel: develop a taxonomy of all crime and advise on its implementation for improving U.S. crime statistics. The MNCS panel’s first report (National Academies, 2016a) provided a detailed classification of crime for statistical purposes, expressly to include new and emerging crime types that had not been factored into U.S. crime statistics to date. With respect to cybercrime (and as we discuss in more detail in Chapter 3), the MNCS panel delineated some computer-specific offenses as a subcategory of crimes involving property but—more generally—called for the use of a cybercrime-involvement attribute flag to be coded alongside a base offense (e.g., extortion or fraud) to indicate “whether the use of computer data or computer systems was an integral part of the modus operandi of the offense” (National Academies, 2016a,

p. 136). This approach would permit, for example, examination of cyberharassment and cyberbullying as instances of the base offense of harassment plus the cybercrime-involvement flag, rather than as separate offense categories. In that first report, the MNCS panel noted that cybercrime is a “sufficiently broad and diverse concept that it could warrant a fully-realized three- or four-level hierarchical classification on its own” (National Academies, 2016a, p. 153) but argued for its simple, flexible approach rather than trying to craft a specific subcategory for every new cybercrime-related variant. In its second report (National Academies, 2018), the MNCS panel turned to issues of implementation, including the fit of the expansive recommended taxonomy with extant crime statistics data-collection systems and the perennial challenge of collecting data on offenses against both individuals and businesses—themes of clear and direct import to our own panel’s task of improving cybercrime measurement. Both MNCS panel reports developed the theme that crime is too broad and varied a topic to be covered well by any single data-collection system and instead envisioned a national crime statistics system-of-systems, in which the traditional report-to-law-enforcement (i.e., NIBRS) and survey research (i.e., NCVS) approaches would be supplemented by new administrative-record-type data resources. As described in this report, we believe that the same approach applies with equal force to the broad terrain of cybercrime.

INTERPRETING THE CHARGE: THE CHALLENGES OF CLASSIFYING AND MEASURING CYBERCRIME

To carry out the statement of task, we were guided by several central precepts that underlie our approach to the study.

Definitional Issues: Crime, Cybercrime, Cybersecurity, and the Law

The first guiding precept is a direct extension of the clear focus on the fit of cybercrime and cyber-enabled crime within the existing national crime statistics apparatus, embodied in the VAWA Reauthorization Act, the BCMA, and the panel’s statement of task. Put simply, we cast this study of cybercrime as crime-centric rather than cyber-centric; we interpreted the statement of task as obligating us to consider cybercrime as crime with a cyber/criminal component rather than cyberactivity with a criminal component. The MNCS panel adopted a compound definition of crime as “a class of socially unacceptable behavior that directly harms or threatens harm to others” but also—at root—as “that activity that is both unlawful and subject to certain punishments or sanctions” (National Academies, 2016a, pp. 21, 23). Thus, the offenses defined in its proposed classifications are behavioral in nature, but the definitions almost always include the word “unlawful,”

precisely to distinguish between bad or undesirable behavior and actual crime. This study followed the same approach. We adopted the MNCS panel’s definition of crime as a basis and then defined “cybercrime” as crime in which computers, data, and networks—information and communication technology (ICT)—are central to commission of the offense.⁴ This definition focuses attention on the offending behavior/actions rather than the specific technological mechanics by which the offenses are committed. Consequently, our definition focuses on harmful cyberactivity that is distinctly unlawful rather than merely undesirable; for instance, trolling (i.e., posting deliberately provocative or disruptive content on the internet with the intent of eliciting strong reactions from others) is not in itself a cybercrime, though it can be if it crosses the line into harassment or bullying.

Two important corollaries follow from this precept. Playing out the converse, this study would have been much different if it were cyber-centric in nature, focused on computer and technology use that could be considered crime. Accordingly, in this study, we did not weigh the adequacy of cybercrime content or coverage in federal and state law but rather used existing law as a guidepost to behaviors that are already interpretable as crime or cybercrime. That said, the rate of change in ICT—and the resultant potential for important new cybercrime variants to arise—is such that it will be important to reassess and update our recommended taxonomy over time. Another important corollary relates to which “law” is the standard by which cybercrime is deemed unlawful, which hearkens to a major challenge faced by the MNCS panel in considering matters such as environmental and white-collar crime. Generally speaking—and acknowledging that lines of distinction are not always sharp in crimes involving businesses and organizations—our panel’s emphasis skews heavily toward criminal law and justice rather than civil justice or purely regulatory behaviors. On a practical level, we cannot and do not dwell on higher-level matters such as liability related to cybercrime and cybersecurity. For instance, the shape and extent of privacy legislation at the federal and state levels is an important societal issue but not directly germane to our task; we aimed to define a taxonomy that allows for measurement of when a (criminal) data breach occurs, but it was outside our direct task to weigh in on business or agency data-stewardship responsibilities or purely civil/regulatory sanctions that may arise for data holders when a breach occurs.

Relatedly, we note that cybercrime and cybersecurity (more precisely, cybersecurity incidents or breaches) are strongly related concepts, but they

___________________

⁴ Fully expanded, this means that the panel defines cybercrime as that class of socially unacceptable activity for which ICT is central to the commission of the offense, that directly harms or threatens harm to others and is both unlawful and subject to certain punishment and sanctions.

are not equivalent. Many cybersecurity incidents, being conducted with malicious intent, are cybercrimes, but the association is not automatic. Data breaches or severely disruptive cybersecurity events can happen through simple error (e.g., human or technological/programming error) or as a direct consequence of environmental or physical factors. Hence, while there is strong overlap between the concepts and much to be learned about cybercrime-measurement practices from practices that measure cybersecurity in general, it is essential that the two are not automatically equated.

Ill Fit of Cybercrime with Existing National Crime Statistics Apparatus

A second major precept underlying our panel’s approach to the problem of cybercrime classification and measurement is, again, a direct extension of the VAWA Reauthorization Act, the BCMA, and our statement of task, with their focus on the fit of cybercrime within the existing national crime statistics apparatus (i.e., NIBRS and NCVS). It is a simple point but one that we believe rises to the level of statement as a formal conclusion—it must be acknowledged that cybercrime is inherently difficult to fully square with that apparatus.

Conclusion 1-1: Measurement of cybercrime is challenging—particularly in the context of current U.S. national crime statistics—for a number of reasons, including expected underreporting, the variable scope and nature of incidents, and the changing nature of technology.

Though the switch to the NIBRS has expanded the scope of crime coverage—and the reports of the MNCS panel (National Academies, 2016a, 2018) argue convincingly for a still-wider scope—U.S. crime statistics remain heavily geared toward the measurement of so-called street crime, meaning violent and interpersonal crime. Relative to the traditional crime types, cybercrime is difficult to conceptualize in current crime statistics because, depending on the definition and framing of the incident, the “cyber” component of cybercrime offenses could be characterized as the victim, offender, modus operandi, motive, location, or even the weapon used in the offense. The existing national crime statistics apparatus is primarily focused on person-level reporting, with accurate measurement of commercial, institutional, and organizational crime being a long-standing challenge—a difficulty for our work given the extent to which cybercrime is targeted at businesses and organizations.

As a further complication, cybercrime is subject to inherent, expected underreporting to SLTT law enforcement by individuals and businesses alike. Individuals may not report incidents of cybercrime simply because they may not be aware that they are the victim of a cybercrime (e.g., not

knowing of inclusion in a data breach unless notified) or they may not find it natural or helpful to report to law enforcement (e.g., reporting credit card theft to the card issuer to gain immediate relief but not filing a report with local police). Businesses and organizations, meanwhile, may be reluctant to report cybercrime incidents to law enforcement, at least in part due to fear of reputational damage and commensurate competitive disadvantage. In addition, as discussed further in Chapter 2, businesses and organizations may already be obligated to report major cybersecurity incidents (many of which are cybercrimes) to various incident-report teams and cybersecurity entities, and reporting to local authorities may be considered superfluous. As the U.S. Government Accountability Office (2023, p. 25) report bore out, businesses and individuals alike may lack incentive to report cybercrime to relevant authorities due to the perception that local authorities are equipped neither to make restitution for losses nor to apprehend offenders, and thus there is nothing to be gained from filing a report. Furthermore, while some state and large-city law enforcement agencies may have dedicated cybercrime offices or teams that investigate criminal cyberincidents, that is not universally the case. Thus, individuals who do want to report, for example, an experience of computer-based consumer fraud to local law enforcement may be referred to the same support organizations and entities (e.g., Better Business Bureau or AARP) that may in turn suggest notifying local law enforcement—a cycle borne out of basic confusion over which cybercrime incidents should be reported and to whom.

As yet another complication, there are several long-standing challenges in measuring crime in current data-collection systems that may be especially problematic in focusing on cybercrime, several of which are raised in the MNCS panel’s reports. These challenges may make the boundaries and basic parameters of cybercrime incidents difficult to determine or report.

• Cybercrimes that affect systems or networks are quintessential examples of what the MNCS panel described as nondenumerable crimes (National Academies, 2018, p. 32), for which it is difficult to generate a meaningful, accurate incident count or other metrics. Cybercrime attacks can have ripple effects, possibly beginning with one or a small number of target devices but ultimately swelling to affect (if not directly victimize) thousands or millions of downstream individuals. In the panel’s view, it is difficult to say for certain how many offenses or how many victims should be counted to fairly represent a ransomware attack on a hospital, for example: the single machine(s) in which the attack was successful or the number of accounts or machines baited; the number of locked machines or potential users of those specific on-network but locked devices; or the broader pool

• of individuals suffering harm from the incident, such as people harmed by the inability to access medicine or treatment due to the ransomware lock. Likewise, a corporate data breach could expose millions of individuals to some chance of harm through identity theft; if all of these incidents are to be reported to law enforcement, the question is whether the resulting spike in local crime statistics would be a local, state, or federal responsibility. Likewise, even the number of suspected offenders in a cyberattack can be difficult to ascertain.
• The NIBRS and NCVS are intended to capture both completed and attempted offenses, although some crime types are logically more prone to having attempted-but-incomplete occurrences go unreported or even unnoticed by potential victims. Cybercrime measurement systems should likewise include both attempts and completions—for instance, the development of malicious software is commonly considered a crime in itself, regardless of whether the code is activated (or effective)—but cybercrime suggests additional complexities. For example, for the sake of tractability, it makes sense to treat a completed denial-of-service attack as a single incident, a barrage of illegitimate traffic that overwhelms a targeted system, yet that underlying single barrage may comprise thousands if not millions of disruptive requests/pings. But drawing a line between an attempted-but-unsuccessful denial-of-service attack and a (noncriminal) high-volume day may be difficult, leave aside measuring potential attacks that are actively blocked or prevented by cybersecurity measures.
• The single point-in-time nature of crime statistics data collection is a challenge for measuring many offense types; at the time that a crime becomes known to local law enforcement, little may be known about the offender, and those answers await further investigation (if they are available at all). This may be particularly vexing in the cybercrime context, where the full extent of actors involved in the perpetration may take weeks or months to determine. This timing issue may affect the determination of what label might apply to a cybercrime; for example, a single ransomware attack or an isolated denial-of-service attempt may be part of a broader Advanced Persistent Threat, a program of coordinated, sustained cyberattacks, and establishing connections between the events may require additional investigative time. It may be difficult to peg specific times related to incidents like the deployment of spyware, performing passive monitoring of the system; the time when the spyware is detected may be known, but it may take time to unravel how long the software was in place.

Finally, the evolving nature of technology results in continually evolving cybercrime types and nomenclature; managing that flux can be difficult when generating crime statistics. Such evolution fundamentally heightens the importance of a mechanism for occasional updating and revision of a cybercrime taxonomy. In Chapter 3, we argue that this rate of change is also a reason for a taxonomy to focus on a relatively small number of behavior-specific (vs. technology-specific) offenses rather than trying to carve out hyper-specific categories for every slight variant. We describe the general nature of federal and state cybercrime law in Appendix C and the specific nature of the NIBRS implementation in Chapter 2 but, in this overview, suffice it to say that the closest fit for some cybercrime offenses as currently defined in the NIBRS bears the name of an outdated communication technology (i.e., wire fraud); even references to computers and network involvement may fail to convey the sweep of computing technology (e.g., smartphones and social media platforms); and reconciling current cybercrime definitions with the capabilities of new and emerging technologies is a major looming problem. A closing precept, and one that shaped the panel’s approach to this study, is that the heightened interest in measuring cybercrime comes at a critical juncture for both major planks of the existing national crime statistics apparatus into which we aim to craft a larger role for cybercrime. Though the FBI’s UCR Program has been in operation since 1929 and the NIBRS has been in development for nearly 40 years, the NIBRS only became the program’s flagship in January 2021, after the official retiring of the predecessor Summary Reporting System. The NIBRS is still in the early stages of near-full-scale implementation and still grappling with the challenge of ensuring that the nation’s more than 18,000 law enforcement agencies comply with the new reporting standard. Meanwhile, the NCVS is presently in the midst of one of the cycles of major revision and reinvention that have been a hallmark of the survey’s quality and success, while contending with the pervasive challenges of survey nonresponse and difficulties in conducting survey interviews. These developments—and corresponding developments in the general arena of cybersecurity reporting described in Chapter 2—all argue for caution regarding the extent of change that is feasible and realizable in these and other systems driving cybercrime measurement. This report focuses on both near-term objectives and longer-term, more aspirational objectives, in the hopes of preventing the perfect from being the enemy of the good.

ORGANIZATION OF THE REPORT

The analysis of cybercrime classification and measurement in this report unfolds in three major pieces. Chapter 2 discusses current data collections that touch on aspects of cybercrime, including the NIBRS and the NCVS.

In these synopses, we place particular attention on the offense code lists used in data-collection efforts. In Chapter 3, we turn to various approaches advanced for classifying cybercrime, both independently and in the context of all crime. We develop a set of principles and desired design features and, based on those, present a recommended taxonomy for cybercrime classification. Finally, Chapter 4 lays out the panel’s recommendations for implementing the cybercrime taxonomy, including opportunities for leveraging existing data-collection efforts and aspirational goals for future cybercrime measurement.

Several appendices provide additional detail. Appendix A reprints both the 2022 cybercrime reporting visions in the VAWA Reauthorization Act and the BCMA. Appendix B is this panel’s main deliverable—the recommended classification of cybercrime for statistical purposes, with definitions and specific inclusions in each category. Appendix C lists cybercrime offenses defined in current systems and law. Appendix D provides biographical sketches of panel members and principal staff.

This page intentionally left blank.