Challenges in Cybercrime Metrics
According to a majority of the 12 agencies audited, one big obstacle stems from difficulties in measuring the extent and impact of cybercrime. While some standards exist within agencies for tracking data related to cybercrime, it’s hard to capture metrics that nail down the scope. For example, a ransomware attack on a hospital means something entirely different for victims than an attack involving credit card fraud, both in its impact and in how it is resolved.
In another challenge, “IRS officials reported that cybercrime often has downstream effects that are not widely known or clear at the time of the investigation,” according to the GAO report. “For instance, a hacker may steal personal information that is then sold on the dark web. The stolen information may then be used for a host of frauds including romantic, identity, tax, credit card, or benefit fraud. However, these crimes are not always committed by the same group and not always timed near each other. Thus, the effects can last years and take a significant amount of effort by individuals and agencies to resolve.”
Additionally, IRS officials who were interviewed by the GAO said that they had standards in place for tracking data, but they did not look at the impact of countermeasures, such as the number of attacks that were prevented or the amount of sensitive data that was retrieved from the dark web.
Seven out of the 12 agencies agreed that there is no shared definition of cybercrime, posing another obstacle. The classification of cybercrime is so broad – given key differences between attacks that range from phishing to wiper malware – that it is difficult to come up with terminology that applies across the board.
One piece of this issue is that agencies also vary in how they distinguish between cybercrime and cyber-enabled crime. While Drug Enforcement Administration (DEA) officials define cybercrime as an incident where individuals attack cyber infrastructure (versus cyber-enabled crime, where individuals use cyber tools to conduct traditional criminal activity), the DoJ’s Computer Crime and Intellectual Property Section, which investigates computer and IP crime, instead describes the term as offenses that impact the confidentiality, availability or integrity of computer systems.
“FBI officials stated that the lack of distinction was a challenge and added that the inability to distinguish between cybercrime and cyber enabled crime hinders efforts to study, measure, or categorize these types of specific crimes,” according to the report.