4

Recommendations and Implementation Challenges

CALIBRATE EXPECTATIONS: MARKERS OF CYBERCRIME, NOT EXACT MEASUREMENT

We close this report with some guidance on implementation, beginning with a restatement of a fundamental point raised at the outset: while generating reliable national measures of cybercrime is an essential goal and improvements in cybercrime measurement are definitely possible, it is important to approach such improvements with tempered expectations. We raise this point as a respectful but firm push-back against the basic construction of the Better Cybercrime Metrics Act (BCMA; see Appendix A) that occasioned this study. We conclude that cybercrime is too broad a concept and too awkward a match with the concepts and data-collection practices of the existing national crime statistics apparatus to address well by simply “establish[ing] a category in the National Incident-Based Reporting System” (NIBRS) or “includ[ing] questions relating to cybercrime victimization in the National Crime Victimization Survey” (NCVS). Akin to our predecessor Panel on Modernizing the Nation’s Crime Statistics (hereafter, MNCS panel; National Academies of Sciences, Engineering, and Medicine [National Academies], 2016a, 2018), we stress our opinion that generation of reliable estimates of cybercrime should be the principal objective—drawing from multiple data sources, each collecting information on offenses and characteristics of offenses according to the source’s unique strengths—and that an exact enumeration of cybercrime from any single data resource is infeasible. For instance, the improved cybercrime metrics promised by the BCMA will likely come from a blending of NIBRS and Cyber Incident

Reporting for Critical Infrastructure Act (CIRCIA) reporting to benchmark levels and flows of basic cybercrime types, use of NCVS supplement survey work to illustrate the human dimensions and impact of technology-driven crime, and inference from Internet Crime Complaint Center (IC3) and CIRCIA reporting data to explain the technological story behind the figures and inform responses to the nation’s cybercrime problems.

Conclusion 4-1: Improving cybercrime measurement is important, but it is equally important that improvements be made with tempered, realistic expectations of the timing and extent of improvement. Cybercrime is an expansive and evolving topic, so it is unlikely that any single statistical source will effectively cover all of its dimensions; analysts will need to make best use of available information from an array of sources to derive markers of cybercrime activity.

MEASURING CYBERCRIME BY LEVERAGING EXISTING DATA-COLLECTION EFFORTS

National Incident-Based Reporting System

The panel’s charge tasked us to focus primarily on the fit of cybercrime into the NIBRS, and we crafted our recommended taxonomy and related guidance with an eye toward successful implementation. We agree with the MNCS panel that the nation would benefit from an extension of the NIBRS to include newer crime types not traditionally handled in police-report statistics, but we also understand that major change can be difficult and expensive. Currently, the NIBRS is establishing itself as a fully operational system; work is ongoing to get all jurisdictions to report—and report effectively—in the new format, and the NIBRS data-provider and data-user communities are still attempting to demonstrate the analytical benefits of the detailed data format. Accordingly, we cast our recommended cybercrime taxonomy as a flag of cybercrime involvement in crime incidents—not requiring a wholesale revision of crime categories up front, though we do support NIBRS’s eventual expansion to cover new and as-yet-uncovered crime types. We frame our guidance for the implementation as a series of incremental steps.

In the near term, we recommend steps to assess the current cybercrime-related content in the NIBRS and to establish conditions for successful implementation of the recommended taxonomy:

Recommendation 4-1: The Federal Bureau of Investigation Uniform Crime Reporting Program should consider the following modifications to the existing National Incident-Based Reporting System (NIBRS), preparatory to a more comprehensive cybercrime-collection effort:

1. Continue collecting the existing NIBRS offense categories of Hacking/Computer Invasion and Identity Theft, while actively encouraging participating law enforcement agencies to report these offenses;
2. Clarify the definition and intended role of the two NIBRS data elements that nominally indicate cybercrime involvement, Data Element 8 with Computer Equipment as response to Offender Suspected of Using and Data Element 9 with Cyberspace as response to Location;
3. Consider adding data/systems and digital currency/cryptocurrency as additional intangible property types in Data Element 14 (Type Property Loss/Etc.); and
4. Work with the records management system vendor community to ease NIBRS data entry and improve understanding of new elements, and incorporate information and examples associated with these modifications as part of NIBRS data-provider education and training.

Three important points are embedded in these near-term recommendations. First, we acknowledge that the crime types added in earlier attempts to gain an understanding of cybercrime—Hacking/Computer Invasion and Identity Theft—are a reasonably good starting position. Hacking/Computer Invasion is an adequate initial casting of pure cyber-dependent crime, and our recommended taxonomy-based cybercrime-involvement flag would (through main category 1) provide a breakdown of those offenses by the basic nature of the harm. Identity Theft is slightly more problematic because such incidents need not necessarily involve computer use (and thus are not automatically cybercrime), but Identity Theft has high public salience and breaks the mold of traditional street crime by using identity as an intangible property type. Hence, rather than requiring that Hacking/Computer Invasion and Identity Theft be fundamentally redefined and overhauled up front, the greater imperative is to make data collection for these crime types a stronger norm for the NIBRS.

A second point embedded in this guidance is that implementation of a useful cybercrime-involvement attribute variable will benefit from taking stock of the two existing but fundamentally limited NIBRS data elements that speak to pieces of cybercrime. Data Element 8 has always been an awkwardly constructed variable, fusing response options that indicate whether an offender was believed to be under the influence of mind-altering substances (i.e., the current alcohol and drug response options) with the option of noting use of computer equipment by the offender. The recent redefinition of “Computer Equipment” to “Computer Equipment (Handheld Devices)” seems to make the data element more internally consistent,

casting computer involvement as another distraction/“under the influence” dimension (i.e., driving while texting), but does so at the expense of letting the data element serve as a potential marker of cybercrime. Meanwhile, the addition of Cyberspace as a response category for location is useful but also slightly murky. The definition and examples suggest the need for internet involvement and consequently blur differences between the vector by which the attack was perpetrated (i.e., the technological/communications medium used in the offense) and the actual geographic location where the harm was realized. Our recommended taxonomy is meant to provide a more effective cybercrime-involvement indicator and we urge its implementation, but we also note the importance of clarifying the intent and objectives of the existing related data elements first.

A third embedded point is also consistent with the work of the MNCS panel: the notion that data systems like the NIBRS will be most effective when generation of their data submissions is a routine by-product of agencies’ day-to-day use of their own records management systems (RMS). As long as the NIBRS requires special, additional processing (particularly by agencies that may lack resources dedicated to the task), obtaining full and accurate participation will be challenging. Hence, we urge the involvement of the RMS vendor community in making NIBRS features and indicators easier to enter accurately.

These near-term, preparatory suggestions are meant to ease the way for fundamental change.

Recommendation 4-2: Following the preparatory steps of Recommendation 4-1, and possibly in conjunction with adoption of a modern classification of crime for statistical purposes, the Federal Bureau of Investigation should incorporate the cybercrime taxonomy in Recommendation 3-1 as a new, mandatory data element in the National Incident-Based Reporting System Incident Segment. Implementing this new data element may involve consolidating or revising existing computer/cyber-related responses in Data Elements 8 and 9.

Though we do not escalate it to the level of a formal recommendation, we present an additional consideration for the future, motivated by the implementation history of the Uniform Crime Reporting (UCR) Program and the NIBRS. State, local, tribal, and territorial law enforcement agencies commonly worry that addition of new crimes and concepts generates spikes in their observed crime rates. This is of particular concern for something like wider coverage of cybercrime, which could increase the number of incidents reported to local law enforcement that are not directly actionable, thus distorting arrest statistics and casting law enforcement work in a negative light. Hence, we suggest that the NIBRS program consider

adding an additional clearance code for cybercrime, to clarify that local law enforcement not be held liable for the increased number of unresolved/unresolvable cases on their books.

National Crime Victimization Survey

With respect to the NCVS, our guidance is similar if more pointed in terms of long-term work. The household-survey nature of the NCVS makes it uniquely suited to generate contextual information about crimes and cybercrimes with a distinctly personal effect (e.g., consumer fraud)—and simultaneously makes it ill-suited to assess other crimes with more indirect effects (i.e., unauthorized system access or the other purely cyber-dependent crimes in our recommended taxonomy). Moreover, a critical aspect of the NCVS in illuminating personal-impact cybercrimes is its capacity to suggest explanations about why incidents may not be reported to law enforcement or other authorities. Understandably, the cybercrime types that best match the capabilities of the NCVS—cyber-involved identity theft, fraud, stalking, and harassment—are already the focus of principal NCVS supplemental surveys. Brinton et al. (2023) observe that, with additional research, personal-impact cybercrimes such as phishing/social engineering (as a variant of fraud) and image-based sexual abuse (including cyber-enabled sextortion) might be usefully examined by the NCVS, and we concur—with the proviso that periodic supplements may be the best vehicle for NCVS cybercrime content rather than the core NCVS instrument itself.

Recommendation 4-3: The Bureau of Justice Statistics should leverage its existing National Crime Victimization Survey supplements with cybercrime-related content (Supplemental Fraud Survey, Identity Theft Supplement, Supplemental Victimization Survey) to contribute to the nation’s understanding of cybercrime. This includes refining the content of those supplements as needed as well as working with data users to facilitate analysis and use of the resulting data, including comparison with other data sources.

Recommendation 4-4: Pending the availability of additional resources for victimization survey work, the Bureau of Justice Statistics should consider increasing the frequency of the three existing cybercrime-related supplements or the fielding of a dedicated cybercrime supplement.

To clarify this point, there are two logical extensions that could be made to include more cybercrime-related content in the core NCVS as opposed to the periodic supplements. The first would be to change the NCVS-2 Crime Incident Report to include relevant content, such as a flag for cyber/computer

involvement in the crime. The important limitation of this approach is that to be administered in the NCVS-2 Crime Incident Report, a respondent would still need to indicate the occurrence of a crime type covered in the NCVS. Hence, the follow-up question would provide a relatively narrow look at cyber-enabled or cyber-incidental interpersonal crimes. This limitation suggests a need for the second approach—a much larger expansion that would include cybercrime-related content in the NCVS-1 Basic Screen Questionnaire, thus triggering additional interview cases to collect detailed information with the NCVS-2 Crime Incident Report. At this time, the panel does not recommend adding cybercrime content to the core NCVS instruments, as illustrated by lack of formal mention in Recommendation 4-4, because it is unclear whether the benefit of the information would outweigh the substantial additional resources needed to add the content.

Other Data-Collection Systems

The MNCS panel envisioned improvements to the two current pillars of U.S. crime statistics (i.e., the Federal Bureau of Investigation [FBI]’s UCR and the NCVS) alongside work with “a variety of primarily administrative record-type data sources, primarily for coverage of new crime types that are outside the scope” of the other collection methodologies (National Academies, 2018, p. 39). This multiple-source approach is particularly relevant to cybercrime. Because our charge (and the BCMA that motivated it) is heavily focused on the extant data collections of the NIBRS and NCVS, we do not offer specific recommendations for potential new data-collection systems. However, we do support the approach—we encourage that development of such systems be monitored and studied, so they can eventually play a role in thorough cybercrime measurement. Statistics Canada is beginning to require its constituent law enforcement agencies to report data using a detailed list of cybercrime codes; it is important to examine this work as it progresses, to apply lessons learned to the U.S. NIBRS data collection and training. Similarly, as the release of a final rule approaches and timely reporting of major cybersecurity incidents in important sectors of the U.S. economy and government becomes mandatory, it is important that the CIRCIA collection and similar reporting rules instituted by the Securities and Exchange Commission (SEC) be nurtured and evaluated. The CIRCIA, in particular, is intended to collect information about (and payments made in) ransomware incidents as a major area of focus. Though neither the CIRCIA nor the SEC collection is currently explicitly envisioned as part of the nation’s cybercrime data-collection apparatus, the potential is great and, as we discuss later in this chapter, is a critical part of the long-term future of cybercrime measurement.

ASPIRATIONAL GOALS FOR CYBERCRIME MEASUREMENT

Governance and Coordination of National Cybercrime Statistics

In making the case for crime measurement as a system-of-systems, the MNCS panel emphasized that addressing the lack of an overall governance and coordination structure is the most pressing need in crime statistics. Currently, no entity is directly tasked with drawing inference from multiple sources of crime data, much less setting data-collection standards and common definitions. The MNCS panel noted the need for these functions in a series of conclusions (National Academies, 2018, Conclusions 3.1 and 3.2) and designated the actor that it considered best suited to establish said coordination and governance protocols (National Academies, 2018, Recommendation 3.1):

The same concerns and arguments apply to cybercrime measurement as to the measurement of all crime, and we agree that coordination and governance functions are critical for producing improved cybercrime metrics. However, given how much cybercrime occurs outside the normal reach of the NIBRS and NCVS—the nation’s core crime statistics sources—and given the range of public- and private-sector sources at work in the cybercrime arena, we take a slightly different approach in formalizing our guidance on overall structure. We argue for the creation of an information clearinghouse model for cybercrime data, tasking a yet-to-be-determined entity to gather and draw inference from cybercrime information obtained from multiple sources.

Conclusion 4-2: As is true of crime statistics in general, the thorough and effective measurement of cybercrime and cyber-enabled crime will remain largely unobtainable absent the development of a governance and coordination process for the collection of cybercrime reports and statistics. Cybercrime measurement is sufficiently fragmented that it is

in particularly acute need of an information clearinghouse apparatus, meaning the designation of a specific party or parties to compile the various cybercrime measures that are and will be available and analyze common findings and trends.

There is a vital need for a clearinghouse and coordinating/governance structure for cybercrime statistics to canvass and analyze the full set of data sources that provide insight on cybercrime problems. This clearinghouse could perform cross-cutting data analyses that consider points of agreement and disagreement between these sources, consider their strengths and weaknesses (including any sources of bias), and build models for their use and interpretation. But, more fundamentally, there is a pressing need for a coordination and governance structure to adjudicate many of the issues raised in Chapter 1 that complicate the fit of cybercrime with existing national crime statistics. In other words, it is the panel’s opinion that the structure should weigh in on counting rules for handling multivictim offenses and on the development of informative metrics beyond the basic incident count (e.g., the expanded victim count, the monetary cost of cybercrime incidents, and the level of harm inflicted). On a basic level, a coordination structure that brokers data sharing across parties may make it possible to address a long-standing, fundamental problem. If individual victims continue to find it unnatural to report cybercrime occurrences to their local law enforcement agencies (currently the only way these occurrences can enter the NIBRS), then perhaps the advice from all sides should be to advise victims to report to the IC3 (or the Federal Trade Commission, or some other entity), which could then report data to the NIBRS. But, clearly, such an arrangement would only work with effective governance of the data flows.

While the natural complement to Conclusion 4-2 would be a recommendation suggesting an organization to coordinate and govern such an information clearinghouse (or an organization to designate such a clearinghouse), we prefer to note the absence of these structures and reinforce this need without designating particular entities. We concur with the MNCS panel that the U.S. Office of Management and Budget may be ideally positioned to broker and structure the necessary discussions across federal agencies, but until the effectiveness of federal aggregations of both public- and private-sector cybercrime-related data collections at covering the range of cybercrime activity is demonstrated, we find it inadvisable to offer a concrete recommendation. Indeed, Verizon’s work coordinating input from government and industry partners in its Data Breach Investigations Report (DBIR) series is a model that merits additional study. It could also be argued that the information clearinghouse function for cybercrime fits within the legally defined mission of the Bureau of Justice Statistics or the Cybersecurity & Infrastructure Security Agency, or within the stated mission of

the FBI’s IC3. Furthermore, the March 2022 Violence Against Women Act Reauthorization Act language on cybercrime enforcement authorized issuance of grants to a nonprofit organization to create a National Resource Center on Cybercrimes Against Individuals, among the tasks of which is to “disseminate information and statistics related to [the] incidence of cybercrimes against individuals” and conduct research on cybercrime against individuals (136 Stat. 949). Such a center might play a substantial role in data-collection efforts, but the formative grant was only issued very recently, in September 2024.¹ Finally, improvements to cybercrime measurement are resource-intensive and costly; hence, we do not deem it appropriate to make a formal recommendation that might impose a major unfunded mandate on any particular agency or organization.

An essential task of the coordination and governance structure eventually established for cybercrime measurement will be assessing data quality and using those insights to periodically revise and refine the taxonomy, categories, codes, and examples used in data collection. We view our recommended taxonomy as a first start rather than a static document. We were purposefully sparing in identifying specific cybercrime-category subdivisions, largely to accommodate the precision of data likely to be reported in the current NIBRS and NCVS systems. As collection takes place, unanticipated richness of available data might suggest the utility of new category breaks, which would ideally be considered on a periodic basis. It will also be important to review taxonomy categories, codes, and examples on a regular basis, to ensure that the materials (particularly implementation examples) are inclusive of new and emerging technologies such as artificial intelligence and quantum computing.

Businesses and Organizations as Actors in Crime and Cybercrime Data Collection

In addition to drawing insight from a variety of data resources, successful cybercrime measurement will also rely on the increased and continuing participation of businesses and organizations in reporting cybercrime incidents. This is historically difficult in the standard crime statistics context (e.g., businesses unwilling to report theft/pilferage that might suggest competitive vulnerability or weaknesses) but is even more difficult in the area of cybercrime—alongside the sheer volume of cyberattacks aimed at corporate systems and networks and the resistance to appearing vulnerable, complex

___________________

¹ On September 25, 2024, the grant to establish a National Resource Center on Cybercrimes Against Individuals, authorized by the Violence Against Women Act Reauthorization Act of 2022, was awarded to the nonprofit firm AEquitas; see https://www.justice.gov/opa/media/1372136/dl

issues of liability may arise for some business sectors. A financial institution that falls victim to a data breach incident may have to weigh the need to inform affected clients with perceived culpability for ineffective defense. Social media sites and internet service providers are the platforms for various interpersonal offenses and cybercrimes, and many more attempted offenses that fall short, but there is no good sense of how often they are reported to any authorities and compared with numbers of completed offenses.

To improve future cybercrime measurement, it will be important to monitor the development of CIRCIA and SEC mandatory-report systems for registering major cybersecurity incidents. Though it is not positioned as such in its formative documents, it would be ideal for the CIRCIA collection—with its broad sweep and its detailed focus on ransomware incidents—to evolve into a statistical data collection, with the resulting data illustrating sector-wide trends and informing responses and interventions to cybercrime attacks. In many ways, there are important parallels between the birth of the CIRCIA data collection (compiling data from thousands of businesses and organizations) and the dawn of the UCR Program in 1929 (drawing data from thousands of law enforcement agencies). However, a key difference between them is the mandatory-versus-voluntary nature of reporting. The histories of the UCR Program and the NIBRS provide some useful paths that the CIRCIA collection might emulate, but they also suggest development pitfalls to be avoided.

The participation of a wide variety of governmental and business actors in the compilation of the Verizon DBIR series and the work of the Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) demonstrate how information sharing can benefit collectives of businesses and organizations. The Verizon DBIR underscores the importance of data and analytics as a first step in understanding and addressing problems, and the ISACs and ISAOs incentivize information sharing by businesses and organizations that might otherwise be reluctant to do so—the reward being joint work on common problems within a particular business sector or group. Going forward, these information-sharing vehicles could evolve to include the generation of reliable, consistent statistical insights. In particular, cross-sector and multisector information-sharing safe havens like the National Cyber-Forensics and Training Alliance will hopefully gain a wider footing, encouraging work on solutions and defenses and alleviating frustrations that some businesses and organizations may feel about the isolation of their particular sector in a major cyberthreat landscape.

Finally, we observe that the nation’s understanding of crime benefits from having a survey-based measure (i.e., the NCVS) that serves as a conceptual counterpart to police-report data on crime involving individuals. We think it is important to note that survey-based methods may have similar

utility regarding business cybercrime data, though we readily note that history is not rich with success in this area. A survey of businesses’ victimization experiences was part of the original National Crime Survey program, but that and other components were discontinued in the mid-1970s, prior to the redesigns that ultimately repositioned this program as the NCVS household survey. Since then, forays into commercial victimization surveys have been rare. As discussed in Chapter 2, the Bureau of Justice Statistics conducted one round of the National Computer Security Survey in 2006, asking a sample of businesses about cybersecurity and cybercrime incidents, but the survey has not been repeated. However, general improvements in conducting establishment surveys and, perhaps, increased interest in crime committed against businesses and organizations of all sizes suggest that the time may be ripe to at least revisit the concept of a commercial victimization survey, with cybercrime as an important component of any such development.

Recommendation 4-5: Pending the availability of resources to do so, the Bureau of Justice Statistics and federal agency partners should consider conducting additional rounds of the 2006 National Computer Security Survey, or otherwise field an establishment crime/cybercrime victimization survey, to collect data on crime/cybercrime victimization experiences by businesses and organizations. Such efforts should build on improvements in the conduct of establishment surveys and serve as a complementary marker of cybercrime that is not reported to authorities.

We emphasize that this is very much an aspirational recommendation, not a suggestion for immediate work. We further note that the first step in this area need not be a fully realized, national-scale, industry-comprehensive survey; structured pilot survey work involving Verizon DBIR participants or ISAC/ISAO memberships could provide useful insight on feasibility.

Exploring the Cybercrime and Cybersecurity Nexus

In closing, we return to one of our opening precepts: our panel’s charge obliged us to emphasize the “crime” part of cybercrime and the fit of cybercrime within the nation’s crime statistics data-collection systems. As data collection evolves, ideally incorporating the conceptual base in our recommended taxonomy, it will be important for discussions to address the “cyber” part of cybercrime as well. National crime statistics have long been criticized for not venturing much beyond incident counts—difficult though those can be to produce in their own right—but cybercrime metrics that draw from the surrounding cybersecurity realm may prove to be very

valuable resources. In addition to estimates of the cost inflicted by cyberattacks, cybersecurity monitoring data on the nature of attempted-but-failed attacks and detected-but-deflected attacks, analyzed with respect to the specific technological vectors along which the attacks are conducted, may serve to inform understanding of crime in the same manner that studies of policing, community resilience, and deterrence enhance overall understanding of crime.