Decoding Cybercrime's True Scope: Beyond the Trillion-Dollar Hype
- Phil Venables
- Jul 26
As security specialists, we regularly see claims about the escalating scale of cybercrime, often hearing staggering claims that it’s a "multi-trillion dollar problem."
I’ve never seen any comprehensive takedown or, for that matter, coherent substantiation of such claims. But, intuitively, I find them suspicious, especially when the projections would have such crime overtake the GDP of the planet before long. I suspect the actual issue here is a categorization problem - although deliberately hyping this does serve certain think-tanks and companies. For example, is the execution of a crime using digital channels by definition cybercrime or is it just crime? It’s a bit like Covid deaths vs. someone dying of other causes but testing positive for Covid and it being categorized as a Covid death. As with a lot of things in cyber, and beyond, if we can correctly categorize then quantify the problem, then we have a decent chance of tackling it.
So, when I saw the recent National Academies of Sciences report on Cybercrime Classification and Measurement I was hoping it would get to the heart of this issue. At 161 pages it’s hardly a pithy read, and, sadly, it misses an opportunity to really nail the problem to its core but it does provide a crucial lens through which to understand the foundational challenges in categorizing and quantifying this pervasive threat.
Separating Fact from Fragmented Data
The report doesn’t directly validate or refute claims that cybercrime is a multi-trillion dollar problem. Instead, it meticulously highlights the profound challenges in obtaining comprehensive, consistent, and reliable data and metrics on cybercrime. The current landscape is described as "fragmented and hampered by challenges such as underreporting, the variable scope and nature of incidents, and the rapidly evolving nature of technology". A fundamental impediment, as the report underscores, is the lack of common, consistent definitions of cybercrime across various agencies and reporting mechanisms - in the US and beyond.
The report provides concrete, albeit partial, evidence of significant financial impact. In 2023, the FBI's Internet Crime Complaint Center (IC3) received complaints detailing losses totaling $12.5 billion. The Federal Trade Commission (FTC) collected 2.6 million reports classified as fraud, with $10.3 billion in reported losses in the same year. These figures, while substantial, represent only reported losses from specific, and often siloed, data collection efforts.
Cybercrime poses serious threats and financial costs to individuals and businesses in the United States and worldwide. However, the existing U.S. national crime statistics system has limited coverage of cybercrime, a critical gap in our understanding and response capabilities. Recent laws have mandated the integration of cybercrime content into national crime statistics and stimulated further study, notably the production of the National Academies report.
A U.S. Government Accountability Office (USGAO) review underscored the decentralized nature of cybercrime data collection, identifying at least 13 federal agencies with some responsibility for gathering relevant information. This fragmentation leads to fundamental challenges, including the lack of common, consistent definitions of cybercrime, few mechanisms to combine and analyze data, and a pervasive lack of incentive among cybercrime victims to report incidents.
The study frames "cybercrime" as "crime-centric," meaning unlawful behavior with a cyber or computer component, aligning with federal and state criminal codes. It’s crucial to distinguish that while cybercrime and cybersecurity incidents are strongly related, they are not equivalent. Current systems like the National Incident-Based Reporting System (NIBRS), the FBI's primary crime reporting system, have made some strides. "Wire Fraud" was updated in 2013 to include computer use, and in 2015, "Hacking/Computer Invasion" and "Identity Theft" were added as new crime types, along with "Cyberspace" as a location option.
The National Crime Victimization Survey (NCVS) complements police data by capturing unreported victimizations. It has expanded its reach into cybercrime through periodic supplements focusing on identity theft, fraud, cyberstalking, and cyberbullying.
Beyond these core systems, other entities like the FBI's IC3 and the FTC's Consumer Sentinel Network primarily collect data on fraud-related cybercrimes. The report also highlights the value of Information Sharing and Analysis Centers (ISACs) and Organizations (ISAOs), along with the National Cyber-Forensics and Training Alliance (NCFTA), as models for fostering information sharing between the private sector and law enforcement. The Verizon Data Breach Investigations Report (DBIR) further illustrates efforts to classify and analyze cybersecurity incidents.
The landscape of cyber incident reporting is undergoing significant change with emerging mandatory rules, notably the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), and the Securities and Exchange Commission’s (SEC) introduction of rules requiring publicly traded companies to disclose material cybersecurity incidents.
Recommendations: A Path Forward, Incrementally
The report outlines a path for improving cybercrime measurement, emphasizing practical, incremental steps while maintaining aspirational long-term goals.
Calibrated Expectations: Embracing a System-of-Systems Approach. A key recommendation is to approach improvements in cybercrime measurement with tempered, realistic expectations. Given the broad and evolving nature of cybercrime, no single statistical source will effectively cover all its dimensions. Instead, the objective should be to generate reliable estimates by leveraging a "system-of-systems" approach, drawing information from multiple data sources, each contributing according to its unique strengths.
National Incident-Based Reporting System (NIBRS)
- Continue collecting existing NIBRS offense categories of Hacking/Computer Invasion and Identity Theft, while actively encouraging participating law enforcement agencies to report these offenses.
- Clarify the definition and intended role of existing NIBRS data elements that nominally indicate cybercrime involvement.
- Consider adding "data/systems" and "digital currency/cryptocurrency" as additional intangible property types.
- Collaborate with the records management system (RMS) vendor community to streamline NIBRS data entry and enhance understanding of new elements.
- The FBI should incorporate the recommended cybercrime taxonomy as a new, mandatory data element in the NIBRS Incident Segment.
An additional consideration, not a formal recommendation, is for the NIBRS program to consider adding an additional clearance code for cybercrime to address law enforcement concerns about increased numbers of unresolved cases distorting crime statistics.
National Crime Victimization Survey (NCVS). Leverage existing NCVS supplements (Supplemental Fraud Survey, Identity Theft Supplement, Supplemental Victimization Survey) with cybercrime-related content to enhance the nation's understanding of cybercrime.
Other Data-Collection Systems. While not offering specific recommendations for other systems, the report encourages their development and eventual role within the "system-of-systems" approach. This includes monitoring and evaluating collections like CIRCIA and SEC mandatory reporting for their potential to provide useful cybercrime information, particularly on ransomware. The report also suggests examining Statistics Canada's progress with its detailed cybercrime codes for lessons applicable to U.S. NIBRS implementation and training.
Conclusions: The Imperative for Coordinated Insight
The thorough and effective measurement of cybercrime and cyber-enabled crime will remain largely unobtainable without the development of a governance and coordination process for data collection. Given the highly fragmented nature of cybercrime measurement, there is an acute need for an information clearinghouse apparatus. This entity would be responsible for compiling, analyzing, and assessing common findings and trends from the various available and emerging cybercrime measures. Such a clearinghouse would be vital for articulating basic rules for accurate data collection, such as counting rules for multi-victim incidents, and clarifying the ideal avenues for cybercrime reporting by individuals.
The successful measurement of cybercrime will demand increased and sustained participation from businesses and organizations in reporting incidents. The evolution of CIRCIA and SEC mandatory reporting systems should be closely monitored as they hold the potential to become robust statistical data collections, particularly regarding ransomware. Information-sharing vehicles like the Verizon DBIR series, ISACs, ISAOs, and the NCFTA also offer unique contextual and empirical insights, demonstrating the value of collaborative intelligence.
Bottom line: While the report doesn’t deliver on directly supporting or debunking the more outlandish claims of the scale of cybercrime ("multi-trillion dollar problem"), it does substantiate the common knowledge that cybercrime is a serious threat with significant financial costs. The current challenge is less about the magnitude of the problem itself, and more about our inability to accurately and consistently measure it due to fragmented data, inconsistent definitions, and a lack of unified governance. We need a better "system-of-systems" approach that can truly illuminate the scope and impact of cybercrime, moving us beyond anecdotes and towards actionable intelligence.

