Feb. 15, 2018
For years, people have viewed the most prominently cited cybercrime statistics with suspicion. For instance, the oft-repeated estimate that cybercrime costs $1 trillion globally per year led to a 2012 ProPublica investigation that found that number was based on some truly questionable arithmetic.
The data about cybercrime, and cybersecurity breaches more generally, is simply very sketchy. Some types of cybercrime, like ransomware, appear to be on the rise, while the costs of data breaches may be dropping, at least according to some estimates. But we often don’t know how frequently these incidents occur, or how much they cost. The challenges of measuring these statistics has only grown as the “cybercrime” label has grown to encompass pretty much any type of criminal activity involving computers, ranging from online extortion to revenge porn to denial-of-service attacks.
Part of the problem is that we’re almost always relying on companies’ self-reported estimates of how many online intrusions they’ve experienced and how much each one has cost them when we try to answer questions about the magnitude and damage of digital crimes. Depending on who is filling out these surveys at a company, respondents might try to lowball these estimates to seem more secure than they really are, or inflate them to drive greater investment in information security, or even more likely, not really know the answers in the first place.
Since these numbers are so unreliable, it was encouraging to read in a Feb. 5 New York Times article that the FBI and other U.S. law enforcement agencies are more openly acknowledging the bad data issues—and renewing efforts to count and measure cybercrimes more rigorously.
The crux of this endeavor is a new “crime classification system” that will allow for finer distinctions between certain categories of offenses that these organizations sometimes failed to count correctly. Among those crimes routinely missed in tallies, the Times reports, are: “identity theft; sexual exploitation; ransomware attacks; fentanyl purchases over the dark web; human trafficking for sex or labor; revenge porn; credit card fraud; child exploitation; and gift or credit card schemes that gangs use to raise cash for their traditional operations or vendettas.” The new system, proposed by a panel of the National Academy of Sciences, Engineering, and Medicine, is based on an existing U.N. framework that includes 11 new categories of crime (divided into 189 sublevels) intended to help law enforcement better capture and count these new types of offenses.
But while I’m all in favor of collecting clearer, more granular data when it comes to cybercrimes, the idea that a new classification system alone can patch the massive holes in existing cybercrime data overlooks the real reasons why most cybercrimes go uncounted. If we want to do a better job of counting cybercrimes, it’s important not just to rethink how they’re labeled, but also why victims are often reluctant to report them to authorities, and what alternatives law enforcement can use to collect that data from other intermediaries.
While it would be nice to have more standardized, granular labels for cybercrimes, we can see that there’s a larger issue looking at the ones that are already being captured by law enforcement agencies like the FBI’s Internet Criminal Complaint Center, known as the IC3. In 2016, the IC3 received 2,673 reports of ransomware and 17,416 reports of online extortion, which, combined, accounted for more than $17.4 million in reported losses. Yet these numbers seem incredibly low—and the FBI thinks so too. The agency told NBC News that it estimated that ransomware payments alone in 2016 probably totaled closer to $1 billion. This tracks with what IC3 director Donna Gregory told the Times, too: that she believes that the number of reported cybercrimes in the agency’s reports only represent 10 to 12 percent of the total number actually committed in the U.S. each year.
You’ll notice the key word here isn’t misclassification: It’s reported. The underreporting of crimes, not the lack of 189 subcategories for labeling offenses, lies at the heart of why these cybercrimes are hard to count and measure accurately.
There are two important motives at play here for cybercrime victims: one is embarrassment, and the other is a sense that law enforcement won’t be able to help. To understand this, it’s important to remember the nature of these schemes. People who have fallen prey to email-based extortion schemes (e.g., email messages threatening to expose recipients’ adulterous affairs to their spouses unless they make a payment to the sender), who have mistakenly opened an embarrassing attachment that encrypted their hard drive and held it ransom, or who have found their photos posted on revenge porn websites may be self-conscious about going to the police to explain their predicament. This is true of other types of crimes as well. But with cybercrimes like ransomware or extortion in particular, it’s often not clear that law enforcement will provide any significant assistance—stopping the threat of exposure, recovering data, or knowing how to stop illicit material from being shared online—so why risk the humiliation?
The way authorities have handled these crimes in the past, too, doesn’t provide victims much incentive. In 2015, for example, FBI special agent Joseph Bonavolonta told an audience at a cybersecurity conference, “To be honest, we often advise people just to pay the ransom.” (The agency later clarified that its official position was that victims should not pay online ransoms or extortion demands, especially since doing so only incentivizes the criminals to continue.) Victims of revenge porn have also reported receiving little assistance from the police when they sought help from law enforcement
Often, the only motivation for victims to go to law enforcement about such incidents is to improve the accuracy of reporting in the hopes it might lead authorities to allocate more resources for fighting these crimes in the future. But it’s a feat of altruism that’s difficult for those dealing with, say, a ticking ransom clock on their desktop.
So how can authorities collect this data without having to rely on individuals coming forward themselves? For some illicit digital activity, the answer is easy. Law enforcement is, for example, doing a better job of tracking online sales of illegal drugs by analyzing the platforms where they are being sold than waiting for buyers and sellers. To do this, officers had to figure out how to identify and collect data directly from the centralized intermediaries facilitating these crimes—in this case, the online forums where the purchases were being made.
For others, it’s become more difficult. Once upon a time, when most cybercrimes involved breaches of personal and financial information used for payment card fraud, the credit card companies and payment networks served as crucial intermediaries for collecting and aggregating statistics about the frequency and scale of these crimes. But in the past five years, we’ve seen the threat landscape dramatically shift to include newer types of cybercrime, including mass extortion attempts, denial-of-service attacks, ransomware, increasingly complex and convincing phishing schemes, insurance fraud, and other new forms of identity theft. We’ve also seen relevant intermediaries change as well. Cryptocurrency exchanges, internet service providers, and online markets for stolen information, among others, have become vital sources of information about these crimes, and counting them better will require infiltrating and collecting data from these new intermediaries in more creative and aggressive ways.
A new classification scheme that reflects modern crimes is certainly a welcome development. But we can’t expect it to address the real need for these authorities to shift from relying on victims to report these cybercrimes to hunting down and aggregating this data themselves. Getting an accurate idea of the scope and damage of incidents like ransomware, identity theft, and online narcotics sales is fundamental for our understanding of what kinds of risks we face and how we should be investing in defending ourselves against them.
Until we have more reliable numbers, we won’t be able to say anything meaningful about whether cybercrime is increasing, how much it’s costing us, how cybercriminals operate, or which types of countermeasures are most worthy of our attention and resources.