2

Treatment of Cybercrime in Current Data Collections

In this chapter, we briefly review how cybercrime and related concepts are measured in existing and developing data systems, with particular eye to the categorization schemes used in those systems.

CYBERCRIME HANDLING IN THE NATIONAL INCIDENT-BASED REPORTING SYSTEM

The Uniform Crime Reporting (UCR) Program is a data series compiled and maintained by the Federal Bureau of Investigation (FBI) based on the voluntary data contributions of thousands of state, local, tribal, and territorial (SLTT) law enforcement agencies.¹ The program began in 1929

___________________

¹ Because it is directly quoted in the Better Cybercrime Metrics Act (see Appendix A) and because it is germane to the panel’s task, an important exception to the UCR Program’s voluntary reporting structure deserves notice. The Uniform Federal Crime Reporting Act of 1988 (P.L. 115-393; 102 Stat. 4468; 34 U.S.C. § 41303) requires “all departments and agencies within the Federal government (including the Department of Defense) which routinely investigate complaints of criminal activity” to report crimes in their jurisdictions as part of the UCR Program, “limited to the reporting of those crimes comprising the Uniform Crime Reports.” However, it would be 27 years (and a concerted effort to get some federal law enforcement agencies, including the FBI itself, to report) before UCR results for federal agencies were reported in the UCR Program’s Crime in the United States report. Even the 2023 “Federal Tables” of Crime in the United States (accessible from the FBI’s Crime Data Explorer at https://cde.ucr.cjis.gov/LATEST/webapp/#/pages/downloads) include submissions from 41 federal agencies (most being Offices of Inspector General, and not including the Bureau of Indian Affairs, which is tabulated separately) and are limited to the major violent and property crimes of the old Summary Reporting System described in this paragraph and in Box 2-1.

after the completion of a standard manual for UCR data collection by the International Association of Chiefs of Police. For decades, the centerpiece of the UCR Program was the Summary Reporting System (SRS), which—as the name implies—required the compilation of summary counts of offenses known (reported) to law enforcement agencies as well as arrest totals for seven major crime types dubbed Part I offenses. These seven Part I offenses (i.e., murder, rape, robbery, aggravated assault, burglary, larceny-theft, and motor vehicle theft) were selected both because of their perceived severity and their supposed consistency in definition across U.S. states; in later years, arson and human trafficking were added to Part I by law. Meanwhile, only arrest counts were collected for several other offenses, dubbed Part II crimes and generally interpreted as less severe offenses. “False personation, pretense, statement, document, representation, claims, evidence, etc.” and “fraudulent use of telegraph, telephone messages”—predecessors of the eventual offenses of identity theft and wire fraud—were both listed as examples of the Part II offense of “embezzlement and fraud” in the original International Association of Chiefs of Police (1929, p. 28) manual that defined the UCR Program.

Part I and Part II SRS offenses, as they stood in 2014, are listed in Box 2-1. The hallmark characteristic of the SRS was its rigid adherence to a Hierarchy Rule—hierarchy in the sense of compression of information rather than rolling up (or down) to different levels of granularity in measurement. Under the SRS Hierarchy Rule, only the most serious offense in a crime incident was to be reported—homicide being the most serious, and continuing in the order listed in Box 2-1. So, for instance, only the homicide would be counted in an incident involving both homicide and motor vehicle theft. Moreover, popular attention was drawn principally to Part I offenses in determining whether crime rates were rising and falling; the arrest-only Part II offenses were given substantially less visibility.

After a task force issued recommendations for future development of the UCR Program in 1985 (Poggio et al., 1985), work began on what would become the National Incident-Based Reporting System (NIBRS), with a few pioneer law enforcement agencies beginning to submit data in the new format by the late 1980s.² The NIBRS eliminated the SRS Hierarchy Rule; all offenses (up to 10) committed as part of a single crime incident are meant to be included in a NIBRS data record. NIBRS data records for each incident grew to include nearly 60 data elements across six segments, providing a

___________________

² The task force on options for the future of the UCR Program was convened by the Bureau of Justice Statistics (BJS), an early moment in a continuing partnership between the BJS and the FBI. More recently, the BJS’s grantmaking authority was essential to the multiyear National Crime Statistics Exchange program that worked to boost reporting to the FBI’s UCR Program in NIBRS format prior to 2021.

wealth of information about each incident. The six segments of a NIBRS data record are as follows: Administrative (e.g., date and time of incident and identity of reporting law enforcement agency), Offense (e.g., offense type, method, and location), Property (e.g., type and value of property involved in the crime), Victim (e.g., demographic information and nature of relationship to offender), Offender, and Arrestee (if applicable).

Importantly, the NIBRS format permitted not only reporting of multiple offenses per incident but also a much wider variety of offense categories (see Table 2-1). The current NIBRS includes 71 specific Group A offenses under 28 categories, for which the full incident detail is meant to be reported; 10 Group B offenses are, like the predecessor SRS Part II, subject only to arrest-count reporting (Federal Bureau of Investigation, 2023b, pp. 16, 42). As depicted in Table 2-1, Group A offenses are also loosely grouped into three overarching categories, depending on whether the offense is deemed a crime against a person, against property, or against society.

Uptake of the new, detailed NIBRS reporting required substantial time and resources, and thus proceeded at a markedly slower rate than initially projected. Though NIBRS-format data were available to and analyzed by some researchers, those data were ultimately a self-selected sample of law enforcement agencies and not statistically representative of any broader population; the UCR Program itself did not publish a report of tabulations from NIBRS data until 2013. However, after 30 years of coexistence—the SRS continuing to be the official UCR format while law enforcement agencies were encouraged to invest resources in making the technological upgrade to the NIBRS format—the FBI officially discontinued the SRS as of January 1, 2021. Not all law enforcement agencies made the transition in time; as shown in Table 2-2, about 34 percent of federal and SLTT law enforcement agencies did not submit NIBRS-format data in 2021 and 2022, notably including the nation’s two largest local law enforcement agencies, the New York Police Department and the Los Angeles Police Department (U.S. Department of Justice, 2023, p. 8). Most law enforcement agencies in five populous states—California, New York, Illinois, Pennsylvania, and Florida—did not report to NIBRS in 2021; NIBRS coverage in those states improved in 2022, though Florida and Pennsylvania remained at 7.7 and 9.1 percent agency participation, respectively.³ Accordingly, the FBI’s UCR Program continues to work on increasing full NIBRS participation.

Prior to 2021, cybercrime could only (at best) enter UCR figures if it was characterized as either a type of fraud or as “all other offenses”—both Part II entries in the SRS hierarchy, thus as an arrests-only count rather

___________________

³ See https://www.themarshallproject.org/2022/06/14/what-did-fbi-data-say-about-crime-in-2021-it-s-too-unreliable-to-tell and https://www.themarshallproject.org/2023/07/13/fbi-crime-rates-data-gap-nibrs

TABLE 2-1 National Incident-Based Reporting System Offense Codes

^a Currently recoded to 11A but slated to be rejected as valid code in 2025.

^b Offenses eligible for reporting by federal and tribal law enforcement agencies only.

SOURCES: Federal Bureau of Investigation (2023b); panel added column on cyberspace location eligibility based on Federal Bureau of Investigation (2023a, p. 52).

than a measure of offenses known to police. From the outset, then, the NIBRS has markedly increased the capacity for reporting cybercrime. In Appendix C, we trace the NIBRS handling of cybercrime-related concepts through various revisions of the system’s user manual, briefly summarized in the following points.

In terms of defined crime categories, the NIBRS’s long-standing guidance was to code computer crime offenses as the closest substantive offense—for instance, as fraud or embezzlement. By 2013, the offense of Wire Fraud was redefined in the NIBRS to include the use of computers and electronic messaging to perpetrate fraud. In 2014, the FBI director approved the addition of Hacking/Computer Invasion and Identity Theft as Group A offenses in the NIBRS, specifically to improve coverage of cybercrime. Both offenses fall under the general heading of crimes against

TABLE 2-2 Participation in National Incident-Based Reporting System by Law Enforcement Agencies, 2021–2022

NOTES: The source report estimates that 73 percent of the U.S. population is represented by the 12,725 agencies that submitted National Incident-Based Reporting System (NIBRS) data in 2022. The number of agencies can decrease from year to year if the agency enters “covered” status, meaning that another agency assumes responsibility for reporting crime data for it, or it becomes dormant.

SOURCE: U.S. Department of Justice (2023, pp. 7–8).

property and bear code numbers designating them as variants of fraud. Though Identity Theft does not necessarily involve the use of computers or information and communication technology (ICT), electronic means have almost certainly developed into a primary method.

Since the creation of the NIBRS, a data element in the Offender segment—currently dubbed Data Element 8, Offender Suspected of Using—has seemed to permit coding offenses as being computer-related in their conduct through the option of “Computer Equipment.” However, the variable has always been curiously defined, fusing an offender’s suspected use of alcohol or drugs—two factors that potentially speak to an offender’s alertness or impairment during the offense—with “Computer Equipment,” a factor related to the general method of attack. As Appendix C notes, though, the extent to which Data Element 8 functions (or is meant to function) as a partial flag of cybercrime is an open question, as the most recent version of the NIBRS user manual describes the response option as Offender Suspected of Using “Computer Equipment (Handheld Devices)” and the only examples of the element’s use related to fatalities involving distracted driving/driving while texting. Thus, the intent of Data Element 8 pertinent to potential cybercrime involvement is unclear.

In addition to approving the new Hacking/Computer Invasion and Identity Theft categories, the FBI director approved the addition of code 58, Cyberspace, as a potential response to Data Element 9’s query for the location of the offense. A column in Table 2-1 indicates the NIBRS offenses that the most recent version of the NIBRS Technical Specification (Federal Bureau of Investigation, 2023a) indicates as eligible to use the Cyberspace code. However, since its introduction as a location response option, the user manual’s examples on the application of the Cyberspace code (detailed in Appendix C) clearly denote the internet as integral to the offense, not just computer or information technology in general (excluding, for instance, computers in isolation or in local corporate intranets).

Table 2-3 presents a basic tabulation of these two principal computer-related indicators (i.e., Offender Suspected of Using Computer Equipment and Cyberspace as Location) from the 2022 public-use NIBRS Incident File, by the first offense coded in the record. The table is meant as a rough indicator of how often the two cues are used in isolation and in combination, and not as a definitive estimate of cybercrime prevalence as measured in 2022 NIBRS data. Our general impression is that there is some possible cybercrime signal in both cues but also considerable noise. For example, Cyberspace is listed as the location for many offenses for which the NIBRS Technical Specifications say the value is ineligible (e.g., rape and both aggravated and simple assault). For some offenses—Intimidation, Hacking/Computer Invasion, Wire Fraud, False Pretenses/Swindle/

TABLE 2-3 Current Use of Computer-Related Indicators in National Incident-Based Reporting System, 2022

NOTES: National Incident-Based Reporting System (NIBRS) offenses listed in this table are the first offenses listed in the incident file. This simplification is used because the records in which either of the computer-use variables are applied tend to involve only one offense in the incident (92% of records with Cyberspace as Location, 89% of records in which offender is suspected of using computer equipment, and 89% with both). A total of 11,207,634 NIBRS incidents exist on the file. Federal agencies are not included in the data file, and hence the table omits entries for offenses eligible for reporting by federal and tribal law enforcement agencies only: 26H Money Laundering, 30A Illegal Entry into the United States, 30B False Citizenship, 30C Smuggling Illegal Aliens, 30D Re-entry after Deportation, 49A Fugitive (Harboring Escapee/Concealing from Arrest), 49B Flight to Avoid Prosecution, 49C Flight to Avoid Deportation, 58A Import Violations, 58B Export Violations, 61A Federal Liquor Offenses, 61B Federal Tobacco Offenses, 101 Treason, 103 Espionage, 360 Failure to Register as Sex Offender, 521 Violation of National Firearms Act of 1934, 522 Weapons of Mass Destruction, 526 Explosives Violations, and 620 Wildlife Trafficking.

SOURCE: Tabulation by panel member Lynn Addington from 2022 NIBRS Incident File (Bureau of Justice Statistics, 2023).

Confidence Game, Extortion/Blackmail, and Pornography/Obscene Material—the two variables could seemingly be interpreted as duplicative: very roughly equal shares applying each of the two data element indicators and a sizable number of those cases applying both. However, other crimes split differently. The interpersonal “street crimes” for which one of the computer indicators is selected (e.g., Rape, Assault, Theft from Building or Motor Vehicle, All Other Larceny, and Drug/Narcotic Violations) use the Data Element 8 Offender Suspected of Using Computer Equipment option more frequently, while the balance swings toward Cyberspace as Location for offenses like Credit Card/Automatic Teller Machine Fraud, Impersonation, and Identity Theft. We return to this point in Chapter 4, suggesting the need for reexamination and assessment of the definition and intended role of both the Cyberspace as Location and Offender Suspected of Using Computer Equipment cues.

CYBERCRIME HANDLING IN THE NATIONAL CRIME VICTIMIZATION SURVEY AND ITS SUPPLEMENTS

The core National Crime Victimization Survey (NCVS), operated by the Bureau of Justice Statistics (BJS) with the U.S. Census Bureau as data-collection agent, is a panel household survey that employs a multistage sampling design to collect data on criminal victimization incidents, regardless of whether they were reported to local law enforcement agencies. The first-stage sample of primary sampling units—counties, groups of counties, or metropolitan areas—is performed every 10 years, several years after the

most recent decennial census. The second-stage sample of housing unit addresses (housing units) is drawn each year, with selected addresses remaining in-sample for three years (and, hence, for up to seven interviews on six-month intervals).⁴ The NCVS uses computer-assisted personal interviews for initial interviews and a mix of computer-assisted personal interviews and computer-assisted telephone interviews for subsequent interviews.

NCVS interviews begin with the interviewer asking questions of a primary respondent (dubbed the household respondent) to build a roster of household members to determine their eligibility for interview, using the NCVS-500 Control Card instrument. The NCVS seeks interviews with each member of the household age 12 or older, only permitting proxy interviews in very limited circumstances. In these interviews with household members, the NCVS-1 Basic Screen Questionnaire asks respondents to recall potential victimizations over the six-month period prior to the interview; if the victimization is one of the offense types measured by the NCVS, then the interview continues with a detailed NCVS-2 Crime Incident Report questionnaire on each incident. The questions are asked with considerable care by trained interviewers, with the aim of eliciting an accurate and complete accounting of victimizations without unduly burdening or revictimizing the respondent. To the extent possible, interviews are also performed without requiring respondents to label the crime themselves (e.g., not directly asking if the respondent was the victim of an aggravated assault), instead eliciting enough information to allow construction of the proper offense type in subsequent data processing.

The great strength of the NCVS approach is that it gathers information about crime victimizations whether or not the incidents were reported to SLTT law enforcement agencies. Thus, the NCVS serves as a complement to police-report statistics like those of UCR/NIBRS. UCR and NCVS estimates are complementary, nonredundant measures, and comparison between the sources and their trends provides a more comprehensive view of crime in the United States. However, the resulting insight into the “dark figure of crime” not reported to police (Biderman & Reiss, 1967) depends upon the aptness of the comparison between the UCR and the NCVS, namely the consistency of definitions and concepts between the two sources. The NCVS began (as the National Crime Surveys) in the 1970s, and so its essential point of comparison was—and largely remains—the Part I offenses of the UCR SRS. Accordingly, the underlying crime classification used in

___________________

⁴ The NCVS also includes a sample of group quarters (GQ) locations that is drawn from the first-stage primary sampling units every three years. Only certain types of noninstitutional GQs are eligible for inclusion, including college housing, group homes, and workers’ quarters and dormitories; institutional GQs such as correctional facilities and skilled nursing facilities, as well as other noninstitutional GQs like military quarters, shelters, and maritime vessels, are out-of-scope for the NCVS (Bureau of Justice Statistics, 2017).

NCVS processing, shown in Box 2-2, is consistent with the “street-crime” focus of SRS crime categorization in Box 2-1, with the addition of Purse Snatching/Pocket Picking and—the NCVS being premised on self-reported victimization incidents—the exclusion of homicide. There are important practical reasons for keeping the core NCVS focused on a relatively small set of crimes, including time burden and facilitating cooperation with survey respondents. Asking additional questions on the NCVS-1 Basic Screen Questionnaire lengthens the time of the interviews, particularly if those questions elicit additional victimization instances that would be subject to the same detailed NCVS-2 Crime Incident Report questionnaire.

The NCVS has a long-standing penchant for improvement and reinvention; a major redesign in the early 1990s occasioned the formal name change from the National Crime Survey to the current NCVS, with a simultaneous retooling of the Basic-Screen-Questionnaire-and-Incident-Report approach. The 2024 NCVS will contain new instruments following another multiyear redesign, again aiming to increase the amount of contextual information captured in the interview while making the experience as easy as possible for respondents. So, in the context of cybercrime measurement, it is important to recognize that the NCVS did critical early work in this area. Figure 2-1 displays the bank of computer crime questionnaires that was included in the NCVS-1 Basic Screen Questionnaire between 2001 and 2004, emphasizing individuals’ experiences with computer-related crimes in the context of personal use, not work-related use (unless in operation of a home business). The question set prompted respondents to recall five types of computer-related crime—fraud in an online purchase, computer virus, threats by online messaging or email, unrequested obscene communications via online means, and software copyright violation, as well as a write-in category for other computer-related crimes. However, the computer crime questions did not request a count of such incidents, overall or by type, and reports of these computer-related incidents did not trigger completion of an NCVS-2 Crime Incident Report. The questions were added in July 2001 and removed in July 2004 (Bureau of Justice Statistics, 2017, p. 53), and analyses of the resulting data do not appear to have factored into the BJS’s Criminal Victimization report series during the period.

The primary means by which the NCVS program has expanded its substantive reach—and ventured into the measurement of cybercrime concepts—is the periodic fielding of supplemental modules of questions. These supplements may be administered to NCVS respondents if they meet eligibility criteria, even if they have no crime incidents to report in the core NCVS survey. As summarized in Table 2-4, three supplements have comprised the main source of cybercrime-related content for the NCVS following the 2004 discontinuation of the computer crime questions; a fourth supplement, the School Crime Supplement (SCS), touches on the particular

incidence of bullying (which is typically not considered a crime in itself) and cyberbullying (which is more commonly defined as a crime).

We briefly describe these major cybercrime-related supplements in the following subsections, and one cross-cutting theme is worth noting first. The 2001–2004 NCVS-1 Basic Screen Questionnaire items on computer crime (Figure 2-1) include one that hints at a unique strength of the survey approach to measuring crime and cybercrime: in addition to providing insight on incidents that were not reported to law enforcement or other authorities, it can also suggest reasons why the incidents were not reported. This feature has also been utilized in subsequent cybercrime-related supplements. Box 2-3 presents a composite listing of response options for the

question on why an offense was not reported to local law enforcement or other authorities from the two most recent iterations of the Identity Theft Supplement (ITS) and Supplemental Fraud Survey (SFS), to illustrate the valuable contextual information that can be derived from survey work.

Identity Theft, Fraud, and the Identity Theft Supplement and Supplemental Fraud Survey

The Federal Trade Commission (FTC) began collecting consumer complaints in its Consumer Sentinel Network in 1997, and shortly thereafter received statutory authority to serve as the centralized complaint and

TABLE 2-4 Overview of Cybercrime-Related Supplements to the National Crime Victimization Survey

NOTE: NCVS, National Crime Victimization Survey.

SOURCE: Adapted and updated from Bureau of Justice Statistics (2017) through reference to individual supplement pages and questionnaires at https://bjs.ojp.gov/data-collections/search

consumer resource clearinghouse for victims of identity theft. Broadening its study of the problem, the FTC commissioned Synovate (2003) to conduct a telephone household survey in March–April 2003, asking about incidences of identity theft, victims’ experiences, and whether incidents were reported to any authorities. A National Institute of Justice–funded review of data-collection work by Newman and McNally (2005) commended the pioneering FTC work and noted the lack of a centralized criminal justice database on identity theft and fraud incidents. This review spurred additional data-collection efforts associated with the NCVS.

In 2004, the respondent-level computer crime questions were removed from the NCVS-1 Basic Screen Questionnaire and a new set of 10 identity theft questions was added. As with the computer crime questions, reported identity theft instances were not subject to the detailed NCVS-2 Crime Incident Report questionnaire; however, the identity theft questions were household level, and thus only the principal household respondent was

asked to describe any such “episodes of identity theft discovered by you or anyone in your household during the last 6 months.”⁵ The questions focused on three principal variants of identity theft: (a) misuse of an existing credit card account, (b) misuse of some other type of existing account, or (c) attempt to use personal information to open a new account (credit card or other). Follow-up questions asked whether the incident occurred once or in combination with other identity theft attempts, the amount lost, whether the misuse caused subsequent hardship (e.g., being turned down for loans), and how the victim became aware of the theft. Curiously, though, the questionnaire did not ask whether the incident was reported. The questions remained on the NCVS-1 Basic Screen Questionnaire into 2008, and the BJS issued two reports from these early efforts at national-level estimates (Baum, 2006, 2007).

___________________

⁵ See https://bjs.ojp.gov/content/pub/pdf/ncvs104.pdf

In 2008, the set of identity theft questions was converted into a new rotating supplement to be added to the NCVS for six-month periods (Langton & Planty, 2010). The initial 2008 ITS expanded to include 67 questions in several module groups, including modules on how and when the identity theft was discovered, how the victim responded (e.g., report to authorities and to credit bureaus and satisfaction with the response), emotional impact on the victim, known information on the offender (e.g., relationship to victim), financial impact, knowledge of attempted-but-failed instances of identity theft over the past two years, and risk avoidance (i.e., measures taken in reaction to the identity theft).⁶ The ITS has now been fielded six times, retaining the same basic structure. Specifically regarding cybercrime, the ITS’s reference to cyber or computer involvement in the offense is not overt. However, from the first ITS to the most recent iteration in 2021,⁷ the ITS questionnaire has typically ended with some cyber-related questions as context. A question on whether the respondent purchased anything via the internet in the past year has dropped off, perhaps reflecting the ubiquity of ecommerce, but ITS iterations have all generally asked respondents if they have ever been notified of their personal information being involved in a data breach.

Similar to identity theft, the BJS’s extension of the NCVS to probe consumer fraud came after valuable initial telephone survey work sponsored by the FTC, conducted in 2003, 2005, 2011, and 2017.⁸ For its own SFS to the NCVS, fielded in October–December 2017, the BJS set out to study seven specific types of financial fraud, representing the top-level categories of financial fraud against individuals in a taxonomy for financial fraud developed by the Stanford Financial Fraud Research Center and the FINRA Foundation (Beals et al., 2015).⁹ These seven types, based on the purported benefit underlying the fraud, are prize or grant, phantom debt collection, charity, employment, consumer investment, consumer products or services, and relationship/trust fraud. To count an incident as fraud, the 2017 SFS required that the fraud must have been completed and the victim must have lost money (Bureau of Justice Statistics, 2017, p. 12). The SFS questionnaire is designed like an NCVS in a microcosm, with a screen questionnaire eliciting recall of incidents of each of the seven types of fraud (while also endeavoring to avoid using the word “fraud”) followed by an incident report to gather more detailed information. Specifically in terms of cybercrime, it is

___________________

⁶ See https://bjs.ojp.gov/content/pub/pdf/its_08.pdf

⁷ See https://bjs.ojp.gov/document/itsq21.pdf

⁸ See https://www.ftc.gov/news-events/news/press-releases/2019/10/ftc-releases-results-2017-mass-market-consumer-fraud-survey

⁹ The Beals et al. (2015) taxonomy was also a basis for the specification of fraud as an offense in the National Academies of Sciences, Engineering, and Medicine (2016a, pp. 144–148) classification of crime for statistical purposes.

important to note that the method by which the fraud was perpetrated is not directly asked in the SFS questionnaire but arises indirectly for some specific fraud types: the Charity Fraud incident report asks whether a crowdfunding website was used, and most of the response options describing how first contact was made in a Relationship/Trust Fraud incident are electronic or social media–related.¹⁰

The BJS summarized the resulting data from the 2017 SFS in its own report (Morgan, 2021) and commissioned a separate review of the quality of the supplement by Langton et al. (2023), which included comparison with estimates of fraud from numerous other sources, including the NIBRS and the predecessor surveys. The 2017 SFS remains the only administration of the supplement as of late 2024, likely owing to the principal, unusual result studied by the Langton et al. (2023) review: estimates of individual financial fraud in other data sources range widely (and may include differences in defining covered fraud types), but the SFS’s estimate of 1.2 percent of persons age 18 or older experiencing financial fraud in 2017 seems small relative to other reported estimates. That said, another round of the SFS is reported to be forthcoming at the time of this writing.

Cyberstalking and the Supplemental Victimization Survey

The Office on Violence Against Women sponsored the first Supplemental Victimization Survey (SVS) to the NCVS in 2006 to measure stalking, and the supplement has since been administered in 2016 and 2019. The best way to portray the crime content and basic approach of the SVS is to review the first (screener) question on the instrument that the NCVS/SVS interviewer reads to any NCVS respondent age 16 or older (see Box 2-4).¹¹ The first notable feature of the question is that it spells out a detailed 12-part classification of types of stalking behaviors—incidences and consequences of which are discussed in the rest of the survey—without actually using the word “stalking” to avoid any unwanted connotations or instinctual reactions. Second, the embedded classification of stalking behaviors has two higher-level categories. Responses a–f are “traditional,” mainly physical stalking behaviors, including direct physical surveillance, while responses g–l all fall under the general heading of “stalking with technology.” The report on the outcomes of the 2019 SVS emphasizes that cyberstalking (as defined in federal law; see Appendix C) and stalking with technology are very close in concept but not identical—the essential difference being that the text messages clause in Box 2-4 item g would likely be covered

___________________

¹⁰ See https://bjs.ojp.gov/content/pub/pdf/sfs_2017.pdf

¹¹ The minimum response age was lowered from 18 to 16 for the second and subsequent administrations of the SVS.

by definitions of cyberstalking, but the pure telephone and voice message contact modes in item g might not (Morgan & Truman, 2019, p. 3).

Federal law describes two other essential elements to the definition of stalking/cyberstalking (18 U.S.C. § 2261A(2); see Appendix C), and incorporating these elements affects the way the SVS proceeds. First, like the general offense of harassment, stalking/cyberstalking is a repeated-course-of-conduct offense, meaning that a single instance of the stalking behaviors in Box 2-4 does not constitute a stalking/cyberstalking offense; there must be two or more instances.¹² Second, the course-of-conduct actions must produce either actual fear (i.e., substantial emotional distress) or reasonable fear (i.e., threatened or completed attack on the victim, someone close to the victim, or a pet, sufficient to cause fear for their safety). In administrations to date, the SVS has taken a slightly unusual approach to the course-of-conduct problem,

___________________

¹² This is the case even with the plural forms of key nouns in the Box 2-4 options, such as the “phone calls” and “text messages” of option g and “e-mails or messages” of option k.

defined as the repeated occurrence of one of the specific stalking behaviors depicted in Box 2-4 (as determined by a follow-up question if only one “Yes” response is received) or the occurrence of multiple stalking behaviors (Morgan & Truman, 2019, p. 3). The SVS asks a follow-up question as to whether any of the experienced stalking behaviors caused actual fear and, similarly, whether any caused reasonable fear. If the course of conduct and either actual or reasonable fear are established, the respondent is queried about the details of the incident, including knowledge of the offender(s), purported motive, and whether the incident was reported to authorities.

Cyberbullying and the School Crime Supplement

The recurring SCS to the NCVS is the product of a long-standing partnership between the BJS and the National Center for Education Statistics in the U.S. Department of Education. The SCS, which has been administered on a roughly biennial cycle since 1999 (and fielded twice previously in 1989

and 1995), has always included some content related to bullying. The SCS bullying content was revised in the 2005 administration of the supplement, to ask about bullying behaviors in a manner more consistent with definitions under joint development by the U.S. Department of Education and the U.S. Centers for Disease Control and Prevention (CDC; Gladden et al., 2014).¹³ Though some bullying behaviors mentioned in earlier versions of the SCS could arguably be carried out by electronic/computer means, it was not until the 2022 SCS that changes were made aiming to better capture cyberbullying (or electronic bullying, as it is labeled by Gladden et al. [2014]). These changes included revising the introduction to the main bullying question to say that “these [unwanted behaviors] could occur in person or using technologies, such as a phone, the Internet, or social media”¹⁴ and the addition of a separate category for “purposely shared your private information, photos, or videos in a hurtful way.”¹⁵ Note, however, that the changes served to capture more electronic bullying behavior but did not necessarily distinguish it from conventional bullying; the distinction remains murky in that some of the other bullying behaviors (e.g., “made fun of you, called you names, or insulted you in a hurtful way” or “spread rumors about you”) could occur by either electronic or nonelectronic means. The results of the most recent administration of the SCS, in 2022, are summarized by Irvin et al. (2024).

Two general points about bullying and cyberbullying are worthy of brief mention in the context of current data sources. First, bullying is necessarily a difficult concept for national crime statistics because there is wide variation in the degree to which the states classify and consider bullying a crime in their penal or criminal codes, as opposed to regulating the behavior under the state’s education code. Likewise, there is variation in the ways in which cyberbullying—if called out specifically in state law—is handled, though some states directly criminalize cyberbullying because of the potential for adults to perform the bullying actions while posing as

___________________

¹³ Prior to deployment, the questions were cognitively tested by U.S. Census Bureau staff (Pascale et al., 2014).

¹⁴ Previously, as in the 2019 version of the SCS, a question about where the bullying incidents occurred listed “Online or by text” as a response option; see https://bjs.ojp.gov/sites/g/files/xyckuh236/files/media/survey/2019_scs.pdf. The location question was not asked in the 2022 questionnaire, part of broadening the supplement’s scope from the traditional “at school” to the more inclusive “during school.”

¹⁵ See https://bjs.ojp.gov/sites/g/files/xyckuh236/files/media/survey/2022_scs.pdf. Another category/response in the main bullying question, number 22 on the questionnaire, makes explicit mention of social media: “excluded you from activities, social media, or other communications to hurt you.”

juveniles on social media and electronic forums.¹⁶ Second, as types of behavior that straddle the line between criminal and education/civil law, bullying and cyberbullying are covered to some extent in other educational and public health data surveillance systems, including the Youth Risk Behavior Survey coordinated by the CDC, the Health Behaviour in School-Aged Children Survey coordinated by the World Health Organization, and the National Survey of Children’s Exposure to Violence jointly sponsored by the U.S. Department of Justice and the CDC (National Academies, 2016b).

Cybercrime Against Businesses, and the National Computer Security Survey

For purposes of measuring cybercrime, the major drawback of the NCVS and its supplements is that, being household surveys, they only examine offenses against survey respondents—individual persons, not businesses or organizations. This was not always the case, however. As described in more detail by the National Research Council (2008), the NCVS began in 1972 as the National Crime Surveys—plural—and included two commercial components, a national sample of 15,000 businesses and targeted samples of 2,000 businesses in 26 cities (data were only collected from eight of the focus cities at a time). However, an early review by an even more distant predecessor of our panel (National Research Council, 1976) recommended that city-specific sampling be stopped in favor of boosting the national sample size of the household crime survey and also advised that the commercial victimization survey be suspended and reassessed. Combined with budgetary reasons and perceived inadequacy of the business sampling frame then in use, the commercial victimization component of the National Crime Surveys was eliminated shortly thereafter.

Interest in commercial victimization has resurfaced over the years, and the emergence of cybercrime spurred particular attention. In 2001, a second effort to measure crimes against businesses was cosponsored by the BJS and the National Cyber Security Division of the U.S. Department of Homeland Security (USDHS); RAND was engaged as the data-collection agent, and the

___________________

¹⁶ For example, Louisiana Revised Statute 14:40.7 (added in 2010, revised 2019; Title 14 is Criminal Law) defines cyberbullying—“transmission of any electronic textual, visual, written, or oral communication with the malicious and willful intent to coerce, abuse, torment, or intimidate a person under the age of eighteen”—as a crime, punishable by fine or imprisonment when the offender is an adult but “governed exclusively by Title VII of the Children’s Code” (i.e., the juvenile justice system) when the offender is under age 18. This overlaps with more wide-ranging anti-bullying laws enacted in 2022 and 2024 (Louisiana RS 17:416.14, Title 17 being the Education title of the statutes), including more detailed definitions and “electronic communication” as a means of bullying, but focused on establishing comprehensive policy within school districts rather than criminal sanctions for the offense.

survey was conducted first as a pilot and then in full in 2005. This effort, dubbed the National Computer Security Survey (NCSS), was developed to measure the nature and extent of computer security incidents, monetary costs, and other consequences. The specific types of incidents covered by the NCSS are shown in Box 2-5, and Box 2-6 shows that the NCSS also asked responding companies and organizations why incidents were or were not reported to law enforcement or other authorities. The survey collected data from 7,818 businesses. Although 67 percent of responding businesses detected cybercrime in 2005, most businesses did not report cyberattacks to law enforcement (Rantala, 2008).

Though the NCSS remains listed on the BJS’s website as an active program, it has not been fielded since the single instance in 2005, possibly owing to a lower-than-expected response rate (23%) in the initial administration (Rantala, 2008, p. 15).

OTHER ENTITIES COLLECTING CYBERCRIME-RELATED DATA, PARTICULARLY FRAUD

Internet Crime Complaint Center

The FBI’s Internet Crime Complaint Center (IC3) was originally founded as the Internet Fraud Complaint Center in 2000, adopting the current name and a broader focus in 2003. The IC3 primarily functions as an avenue for receiving complaints of internet-facilitated and internet-related crimes from the public. IC3 analysts assess the public reports for validity (U.S. Government Accountability Office, 2023). Commonly, the relevant financial institution is contacted (i.e., to ensure that no further harm has been done to the victim’s account); the incident is also referred to the appropriate FBI field office, if necessary, for further

investigation (Quigley, 2024). Complaints are submitted through the IC3 Network, which includes an online complaint referral form and an associated database of complaint information. The complaint form itself does not require the respondent to categorize the incident as a crime/cybercrime directly, but it provides an open-text field for response that analysts can fill in, based on the data provided, to classify the incident by type. An annual report (e.g., Federal Bureau of Investigation, 2023c,

2024) summarizes the number and geographical distribution of reported offenses, along with an estimate of the monetary losses incurred through the offenses. In 2023, IC3 received 880,418 complaints amounting to losses totaling $12.5 billion (Federal Bureau of Investigation, 2024).

The annual reports regularly contain a table showing reported offenses within the past three years; four years of these three-year tables are combined in Table 2-5 to convey the range of offenses covered by the IC3 and shifts in their categorization over time. Numerous variants of fraud (labeled by the purported benefit in the fraud) dominate the listings in IC3’s reports, befitting the organization’s original name, but other cybercrime types (e.g., ransomware, crimes against children, and harassment/stalking) are reported to IC3 by the public and hence show up in IC3 annual reports. There is no apparent underlying structure to the IC3’s list of covered offenses, save that it shifts slightly from year to year and is revised based on changes in frequency of particular groups of offenses.

Federal Trade Commission’s Consumer Sentinel Network

The FTC’s Consumer Sentinel Network is a centralized database and repository for customer complaint data. While the IC3, initially established to monitor internet fraud, has expanded its scope to include other types of cybercrime, the FTC’s collection remains focused, in extensive detail, on crimes of fraud and identity theft as well as related scams and bad business practices. The same law that defined the federal offense of identity theft (P.L. 105-318; see Appendix C) defined the FTC as the “centralized complaint and consumer education service for victims of identity theft,” directing the FTC to “log and acknowledge” consumer complaints and to refer them to credit reporting agencies and law enforcement agencies as appropriate. The Consumer Sentinel Network database is populated by reports from the public through its online portal, but also extensively through data provided by other contributors (e.g., the IC3, the Better Business Bureau, the Consumer Financial Protection Bureau, and state attorneys general). In 2023, the FTC collected 2.6 million reports classified as fraud, with $10.3 billion in reported losses (Fletcher, 2024). Box 2-7 shows the top-level report categories defined in the Consumer Sentinel Network, including 17 categories for fraud and seven categories for identity theft, all based on the good or service the offender is attempting to collect through the fraud or identity theft. The companion list of Consumer Sentinel Network report subcategories¹⁷ defines a pool of 97 goods, services, or other objectives of fraudulent activity. There is inherent fluidity to these categorizations; in discussion with the

___________________

¹⁷ See https://www.ftc.gov/system/files/ftc_gov/pdf/CSNPSCFullDescriptions.pdf

TABLE 2-5 Victim Count in Crime Types Reported in Internet Crime Complaint Center Annual Reports, 2018–2023

^a Renamed BEC (Business Email Compromise) from BEC/EAC (latter meaning Email Account Compromise) in 2022 report.

^b Check Fraud added to Credit Card Fraud in 2022 report.

^c Renamed Malware from Malware/Scareware/Virus in 2022 report.

^d Renamed Phishing from Phishing/Vishing/Smishing/Pharming in 2022 report.

^e Renamed Real Estate from Real Estate/Rental in 2020 report.

NOTES: —, category not used in reporting year; IPR, intellectual property rights; TDoS, Telephony Denial of Service. Rows indicating the separate handling of harassment, terrorism, and threats of violence are grouped at the end, out of alphabetical order, for ease of comparison. The only added calculations are the italicized entries for Phishing/Spoofing in 2018, summing the individual Phishing and Spoofing entries because the two offense types were not previously reported as a combined sum.

SOURCES: Panel generated from “Last-Three-Year Complaint Comparison” table in Internet Crime Report issues for 2020–2023 (Federal Bureau of Investigation, 2021, 2022, 2023c, 2024).

panel, Fletcher (2024) included Miscellaneous Reports and Unspecified Reports—as well as the Privacy, Data Security, and Cyber Threat report category (through which the FTC receives some reports and complaints about general cybercrime)—as types of fraud, identifying 47 subcategories. This fluidity is meant to keep FTC’s taxonomy of report types as an evolving system, with categories and subcategories created and collapsed over time based on the data being reported and permitting focus on emerging areas/issues of interest. Fletcher (2024) noted that categorization based on the type of good or service at issue avoids the definition of categories based on demographics, contact methods, and monetary loss—so, for instance, reports are not classified as “elder fraud,” “phone scams,” or “high-loss fraud”; however, that information is collected in the data series, which generally enables distinguishing between cybercrime- and noncybercrime-related instances. The code list of report categories is periodically reviewed; members of the public making reports to the FTC are asked to self-select a category, or one may be assigned by staff (e.g.,

through rules-based classification), and the FTC works to crosswalk its classification scheme with those of its data contributors.

Other Entities

Cyber-involved fraud is so ubiquitous and widespread that many other agencies and organizations are working in the field, among them AARP’s Fraud Watch Network, the Better Business Bureau, and the Identity Theft Resource Center. For instance, AARP’s Fraud Watch Network operates a free helpline, through which all members of the public can report incidents of fraud and receive support from trained volunteers. Reports made through the helpline are sent to the FTC’s Consumer Sentinel Network database (described earlier in this chapter). AARP’s Fraud Watch Network receives roughly 100,000 reports annually and approximately 300–500 calls per day (Fetterhoff, 2024). In 2024, victim reports to the helpline included identity theft; impostor business; tech support and computer viruses; fraudulent

sales; online dating and romance schemes; impostor government schemes; sweepstakes, prize, or lottery schemes; unauthorized money withdrawal; investment fraud and schemes; and phishing (Fetterhoff, 2024). However, the AARP’s focus is understandably less on data collection and analysis and more on providing fraud victims with an empathetic ear and necessary information services.

As the U.S. Government Accountability Office (2023) report observed, and as noted by our predecessor Panel on Modernizing the Nation’s Crime Statistics, other law enforcement agencies (e.g., Homeland Security Investigations and the U.S. Postal Inspection Service) and information reporting/surveillance systems (e.g., the Financial Crimes Enforcement Network of the U.S. Department of the Treasury) gather information about incidents that may constitute cybercrime, but still operate outside the existing national crime statistics apparatus.

COLLECTION OF CYBERSECURITY INCIDENT INFORMATION AND CYBERCRIME-RELATED INFORMATION FROM BUSINESS AND INDUSTRY

Trusted Entities and Information Sharing Safe-Havens: Information Sharing and Analysis Centers/Organizations and the National Cyber-Forensics and Training Alliance

Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) are nonprofit organizations intended to serve as trusted entities for information sharing on cybersecurity and cyberthreats. ISACs are public-private partnerships that began to form after issuance of Presidential Decision Directive/NSC-63 in May 1998,¹⁸ which tapped agencies to designate sector coordinators in each of several critical infrastructure sectors to examine and address vulnerabilities to cyberattack. The term ISAO was formally defined in the Homeland Security Act of 2002 (P.L. 107-296; 116 Stat. 2151). ISACs are specific to business/industry sectors falling under the general heading of critical infrastructure, while ISAOs are more flexible in their membership (i.e., they include nonprofit organizations or government agencies) and subject-matter focus area. As of the most current listing, 27 member ISACs (e.g., the Aviation ISAC, Emergency Management and Response ISAC, and Financial Services ISAC) voluntarily contribute to a National Council of ISACs that serves as an operational and coordinating arm across the sectors,¹⁹ while Executive Order 13691 (February 13, 2015) authorized the creation of the

___________________

¹⁸ See https://clinton.presidentiallibraries.us/items/show/12762

¹⁹ See https://www.nationalisacs.org/members

ISAO Standards Organization to develop similar coordinating resources for the ISAOs.²⁰

Through real-time information sharing on cybersecurity incidents and vulnerabilities as well as best practices for countering them, ISACs and ISAOs promote collaboration in hardening defenses against cyberthreats. Threat information is typically reported to ISACs or ISAOs through both formal channels (e.g., automated threat-sharing systems) and informational channels (e.g., direct communication), which ISACs then analyze (typically in anonymized form) and return to member organizations as actionable alerts or guidance. In this work, ISACs frequently interact with the Cybersecurity & Infrastructure Security Agency (CISA) of the USDHS.

The National Cyber-Forensics and Training Alliance (NCFTA) performs a similar function, more formally adding domestic and international law enforcement to the mix. Founded in Pittsburgh in 2002, the NCFTA physically co-locates representatives from private industry and law enforcement with a dedicated team of analysts, with the dual intent of fostering a trusted and neutral environment for collaboration and developing strategies for mitigating and disrupting cybercrime threats (LaVigna, 2024). In a sense, the NCFTA is a model for incentivizing information sharing and collaboration across businesses and organizations, where the incentive is actionable intelligence and realized solutions for major cyberthreats.

Collectively, for purposes of this study, ISACs, ISAOs, and the NCFTA provide useful examples for promoting a culture of information sharing and data sharing within safe havens, across industry and government—even if publication of data products is not part of their current role.

Verizon Data Breach Investigations Reports

The Verizon Data Breach Investigations Report (DBIR) is an annual report series, compiled since 2008 by Verizon Business and its Verizon Threat Research Advisory Center team, based on voluntary submission of cybersecurity incident data from an evolving set of contributors. Data are contributed in or converted to a specific coding schema known as the Vocabulary for Event Recording and Incident Sharing (VERIS); data analyses are made public in the DBIR but the raw data are not, though a VERIS Community Database is an open, publicly available compilation of data breach incidents that have been publicly disclosed.²¹ The 2024 edition of the DBIR lists approximately 80 contributing organizations and entities,

___________________

²⁰ In October 2015, the University of Texas at San Antonio (in partnership with the Logistics Management Institute and the Retail Cyber Intelligence Sharing Center) was selected to serve as the ISAO Standards Organization; see https://www.isao.org/about/history/

²¹ See http://verisframework.org/vcdb

including the FBI IC3, NCFTA, the U.S. Secret Service, CISA, and the public VERIS Community Database, and includes analysis of 30,458 cybersecurity incidents, “of which 10,626 were confirmed data breaches [with] victims spanning 94 countries” (Verizon Business, 2024, p. 5). VERIS is premised on the definition of an incident as “a series of events that adversely affects the information assets of an organization.”²² Accordingly, assets are the first of what VERIS describes as the “4 A’s” that combine to characterize a cybersecurity incident:

• Assets are the system and network components affected in the incident, with variables identifying the asset’s variety (e.g., specific categories of servers, networks, devices, and people), ownership, management, hosting, and accessibility;
• Attributes are the security attributes of the asset affected in the incident, which VERIS groups into three paired categories—confidentiality/possession, integrity/authenticity, and availability/utility;
• Actors are the “offenders” in the incidents whose actions affected the asset, with many subcategories under the general headings of external (to the organization) actors, internal actors, and partner actors; and
• Actions are the specific behaviors and operations that affected the asset.

The list of threat Actions is the closest analogue to a cybercrime offense list in VERIS, and the varieties of Actions defined in VERIS are enumerated in Box 2-8. Each of the seven main varieties—Malware, Hacking, Social Engineering, Misuse of Assets, Physical Actions, Error (Human or Technological), and Environmental—generally includes a list of vectors by which the action was perpetrated (e.g., email attachment or direct install for malware, physical access or web application for hacking). VERIS Actions include two varieties that are pointedly not cybercrime related (i.e., Error, Human or Technological, and Environmental) but five that are highly relevant (i.e., Malware, Hacking, Social Engineering, Misuse of Assets, and Physical Actions).

EMERGING COLLECTIONS OF CYBERSECURITY AND CYBERCRIME-RELATED INCIDENTS

As fragmented as crime statistics data collection is, the situation is arguably even more complicated in the arena of general cybersecurity.

___________________

²² See http://verisframework.org/incident-desc.html

When major computer security incidents occur—events that may or may not constitute cybercrime but nonetheless pose a threat to commerce and well-being—in government, business, and industry, a daunting and duplicative set of reporting requirements is triggered. In September 2023, the Cyber Incident Reporting Council (CIRC), established by the USDHS, issued its report Harmonization of Cyber Incident Reporting to the Federal Government (U.S. Department of Homeland Security, 2023) (hereafter, the Harmonization report). The report identified at least 45 federal cyberincident reporting requirements currently enforced by 22 agencies, along with 7 proposed requirements still under development. Notably, one of these seven emerging incident reporting regimes is mandated by the same law—the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), discussed further in this section—that mandated the creation of the CIRC and the Harmonization report itself.

Untangling and understanding these reporting requirements is a difficult task. For example, the Harmonization report notes that businesses in the financial services sector alone face reporting requirements from eight agencies—the Commodity Futures Trading Commission, the Federal

Deposit Insurance Corporation, the Federal Housing Finance Agency, the Federal Reserve Board, the Financial Crimes Enforcement Network of the U.S. Department of the Treasury, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission (SEC)—that vary in their application to businesses in the sector and in the required timeline for reporting. Issues raised concerning cyberincident reporting and the CIRC’s suggestions to resolve them are similar to the cybercrime reporting challenges detailed in the U.S. Government Accountability Office (2023) report on cybercrime. The report clearly distinguishes between possible redundancy in the mechanics of reporting incidents and simply deeming the multiple reporting requirements as duplicative; the reporting itself can be standardized and streamlined to some extent, but the requirements may serve equally legitimate information needs and other important purposes. The Harmonization report calls for development of a standardized set of definitions (in particular, of what constitutes a reportable cyberincident), timelines, and reporting triggers, and suggests model language for each. The report also suggests the creation of a unified reporting portal and development of information sharing protocols to distribute timely and actionable data to the appropriate agencies.

Cybersecurity & Infrastructure Security Agency and the Cyber Incident Reporting for Critical Infrastructure Act

At present, the CISA gathers voluntary reports from businesses, organizations, and the public on cybersecurity incidents under the authority granted it as the designated federal information security incident center by the Federal Information Security Modernization Act of 2014 (FISMA; P.L. 113-283). FISMA defines a reportable “incident” as “an occurrence that—(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies” (44 U.S.C. § 3552), thus encompassing both cybercrime and noncybercrime.

Enacted into law on March 15, 2022, CIRCIA (P.L. 117-103,²³ with technical amendments in P.L. 117-263 [December 23, 2022]; codified at 6 U.S.C. 681–681g) authorized CISA to implement a system for mandatory reporting of cyberincidents by businesses in 16 critical infrastructure

___________________

²³ Specifically, CIRCIA is Division Y of P.L. 117-103, the broader Consolidated Appropriations Act, 2022, that provided appropriations for nearly all federal agencies for fiscal year 2022. The Violence Against Women Act Reauthorization Act of 2022 that partially motivates this study is Division W of the same appropriations act.

sectors.²⁴ The CIRCIA act required the CISA to issue a notice of proposed rulemaking (NPRM), which it did in a Federal Register notice dated April 4, 2024 (U.S. Department of Homeland Security, 2024), and to publish the final rule within 18 months of the NPRM (meaning that the final rule is expected in late 2025, and mandatory CIRCIA reporting is slated to begin in 2026).²⁵

The CIRCIA NPRM applies mandatory reporting requirements to “covered entities,” which refers to businesses in 16 sectors designated by the federal government as critical infrastructure; sector-specific criteria govern inclusion under the rule, though businesses that exceed the small business size standard for a particular industry are automatically covered. The NPRM defines a “cyber incident” as “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or actually jeopardizes, without lawful authority, an information system” (89 F.R. 23766).²⁶ The CIRCIA NPRM then defines a “substantial cyber incident” as (89 F.R. 23767)

The definition explicitly excludes “the threat of disruption as extortion” (i.e., the mere threat of disruption does not qualify as a ransomware

___________________

²⁴ The critical infrastructure sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

²⁵ The acronym “CIRCIA” has come to refer to both the emerging incident reporting system and the law that directed its creation. Hence, even though the usage is redundant with keywords in the acronym, we hereafter speak of the “CIRCIA act” as the text of the law, of the “CIRCIA NPRM” as the draft rule for public comment, and of “CIRCIA reporting” as the objective of the new system.

²⁶ In this definition, the CIRCIA NPRM preserves the CIRCIA act’s sharp distinction between “imminent” and “actual” jeopardy; the act’s definition of “cyber incident” explicitly “does not include an occurrence that imminently, but not actually, jeopardizes” an information system or the information contained therein (136 Stat. 1039).

incident) as well as events that are lawfully authorized (e.g., conducted pursuant to a warrant) or executed at the direct request of the owner or operator of the affected system (89 F.R. 23767).²⁷ Rounding out the fundamental definitions, a “covered cyber incident” is a “substantial cyber incident experienced by a covered entity” (89 F.R. 23766).

Subject to certain exceptions spelled out in detail, the basic timelines of mandatory CIRCIA reporting are exactly those detailed in Section 2242 of the CIRCIA act itself: “a covered entity that experiences a covered cyber incident shall report the covered cyber incident to [CISA] not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred,”²⁸ and “a covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity shall report the payment to [CISA] not later than 24 hours after the random payment has been made” regardless of whether the ransomware attack itself qualifies as a “covered cyber incident” (136 Stat. 1043).

CIRCIA’s emphasis on gathering information on ransomware payments and incidents is not surprising, given that the CIRCIA act took shape in the wake of the May 2021 ransomware attack on the Colonial Pipeline that sparked panic fuel buying and fuel shortages. Moreover, the information that the CISA intends to collect in CIRCIA reporting is extensive and daunting. The draft CIRCIA NPRM specification of minimum information content for an initial report of a covered cyberincident is

___________________

²⁷ Two aspects of these definitions are worthy of note. First, from the perspective of potential cybercrime measurement, basic unauthorized access/trespass (except under the conditions of clause (4) of the substantial cyber incident definition) and attempted-but-not-completed breaches and attacks would typically qualify as cybercrime but—in and of themselves—do not appear to qualify for mandatory CIRCIA reporting. Second, the definition differs from (and is generally more narrow than) the model definition of a “reportable cyber incident” set out by the USDHS Harmonization report (U.S. Department of Homeland Security, 2023, p. 26):

A reportable cyber incident is a cyber incident that leads to, or, if still under the covered entity’s investigation, could reasonably lead to any of the following: (1) a substantial loss of confidentiality, integrity, or availability of a covered information system, network, or operational technology; (2) a disruption or significant adverse impact on the covered entity’s ability to engage in business operations or deliver goods, or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death; (3) disclosure or unauthorized access directly or indirectly to non-public personal information of a significant number of individuals; or (4) potential operational disruption to other critical infrastructure systems or assets.

²⁸ The 72-hour benchmark is also suggested as the model timeline by the USDHS Harmonization report (U.S. Department of Homeland Security, 2023, p. 28), which notes that agencies can and should continue to require incident reports in less than 72 hours (e.g., when potential threat to national security or public safety is especially high, as with transportation operational systems). The model definition provides for the option of a longer-than-72-hour window in “incidents that involve the loss of personal information without further impact on business operations” and the potential harm is relatively slight.

shown in Box 2-9 and spans 10 main items, including potentially sensitive information on vulnerabilities exploited in the attack and the security measures in place; the CIRCIA NPRM’s minimum specification for a Ransomware Payment Report is an even longer 14-item list, and a separate passage (Section 226.13) of the draft rule lists 10 broad categories of system log data and other forensic data and records that must be retained in connection with reported incidents. Despite this detail and the clearly defined focus on ransomware, it is difficult to discern something akin to a list of possible reportable events that might map to a cybercrime offense list. The information items in Box 2-9 suggest that cybercrimes such as unauthorized access and deployment of malware are possible elements of a CIRCIA incident, on which detailed information is required to be collected, but the exact manner in which that information will be collected and coded is unclear. Separately, in October 2024, CISA submitted revised versions of its existing reporting forms for review by the U.S. Office of Management and Budget’s Office of Information and Regulatory Affairs, pursuant to the terms of the Paperwork Reduction Act,²⁹ and the draft question list adopts the VERIS framework’s list of actions (see Box 2-8) to describe events. However, in filing the revised reporting forms for review, CISA emphasized that these forms are entirely distinct from CIRCIA reporting, for which a new and separate web-based form will be created.

Mandatory Cyberincident Reporting to the Securities and Exchange Commission

In August 2023, the SEC issued a new final rule on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (Securities and Exchange Commission, 2023) that adds “material cybersecurity incidents” to the significant events that require public disclosure by publicly traded companies using Form 8-K. Form 8-K filings have traditionally been required for major events in the conduct of business—such as leadership changes, acquisitions, or sales—that may impact a company’s market value. Prior to this rule, cybersecurity incidents were often inconsistently reported across different forms, leading to gaps in transparency. The new rule mandates that material cybersecurity incidents be reported to the SEC within four business days³⁰ of the incident being deemed material—a threshold that differs from the CIRCIA’s requirement for critical infrastructure sectors

___________________

²⁹ See https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202307-1670-004, corresponding to Information Collection Review Reference Number 202307-1670-004, CISA Reporting Forms, and the associated docket for the CISA Incident Reporting Form, at https://www.regulations.gov/docket/CISA-2024-0025

³⁰ The rule allows for delays in filing if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety (88 F.R. 51899).

to report significant cyberincidents to CISA within 72 hours and ransomware payments within 24 hours.

The rule further requires companies to describe their processes for assessing and managing cybersecurity risks, as well as to disclose the roles of management and the board of directors in overseeing these risks.

Both the requirement to file Form 8-K and the timing of such reports depend on the determination of whether a cyberincident is “material.” While the rule does not provide specific guidance on how to determine materiality, it relies on the SEC’s established practice, supported by case law, that information is material if a reasonable investor would consider it important in making investment decisions. The SEC’s definition of “cybersecurity incident” is general in nature—“an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein”—and thus seems to include both incidents that are recognizable as cybercrimes and incidents that are not.

Another important difference between the new SEC Form 8-K requirements and the emerging CIRCIA reporting, noted by the SEC rule, is the intended role of the information disclosure. Though the CIRCIA permits and expects that incidents reported to CISA may be shared with law enforcement entities, in the interest of coordinating all-of-government response to emerging threats and deterring future cyberattacks, the data are otherwise meant to be confidential disclosures. However, in the SEC context, public (and investor/stakeholder) awareness is the main impetus; disclosures are intended to get information (e.g., on major cybersecurity incidents) to public investors in a timely manner, so that they are aware of risks that may impact the company’s performance.

INTERNATIONAL PARALLELS: CYBERCRIME DATA COLLECTION IN CANADA

Collection of crime statistics in Canada is coordinated by the Canadian Centre for Justice and Community Safety Statistics (CCJCSS), a program within Statistics Canada. The primary vehicle, analogous to the U.S. UCR Program, is also branded UCR but is known as the Uniform Crime Reporting Survey. Under Canadian law, the Royal Canadian Mounted Police and every police service in Canada are required to report crime data to the CCJCSS; the system has developed into monthly extracts directly from police records management systems (RMS), with various iterations of the UCR Survey being incorporated into the RMS technical specifications.

Version 2.2 of the UCR Survey, introduced in 2004, added a two-field Cyber Crime variable to the data collection, based on the general definition

of cybercrime as “a criminal offence involving a computer as the object of the crime or the tool used to commit a material component of the offence” (Canadian Centre for Justice Statistics, Policing Services Program, 2008, p. 61). The first field asked whether the incident involved a cybercrime under this definition (Yes, No, or Unknown as to whether the incident involved a computer or the internet). If the answer in the first field was “Yes,” the second field delineated two broad categories for the cybercrime type as well as an “Unknown” response option (Canadian Centre for Justice Statistics, Policing Services Program, 2008, p. 62):

• Target, meaning that “a computer or the internet is the target of the crime,” thus including offenses such as “computer hacking, defacing websites and unauthorized use of computer systems”; and
• Instrument, meaning that “computers or the Internet are tools used to commit the crime,” as in “distribution/sale of child pornography over the Internet, criminal harassment via emails, or fraud perpetrated over the Internet.”

Sauvé and Silver (2024, p. 10) note that the UCR Survey evolved the description of the Cyber Crime variable to reference ICT generally, where “ICT includes, but is not limited to, the internet, computers, servers, digital technology, digital telecommunications devices, phones and networks.”

In Version 2.4 of the UCR Survey, which took effect in 2021 and began full implementation in spring 2024, the cybercrime type indicator was substantially revised and replaced with a new classification variable. The revision drew from the creation of a Cyber Classification Compendium (CCC), an attempt to create a crosswalk between cybercrime offense types and definitions in international and U.S. law (Wright & Parker, 2023). As discussed further in Chapter 3, the CCC partitions cybercrime into nine broad categories: Malware; System and Service Availability; Information Gathering; Intrusion; Data Release (information security compromise); Frauds; Abusive Content; Exploitation, Harassment, or Abuse of a Person; and Uncategorized (Wright, 2024; Wright & Parker, 2023). Because full implementation began only recently, it is not yet known how effective the variable has been in practice.