By Grant Geyer | April 1, 2022 

Prompted by a notable disparity in reporting of cybercrime incidents versus other types of crime data, The House of Representatives this week passed the Better Cybercrime Metrics Act. The bill moved through the Senate in December, and is expected to be signed into law by President Biden. 

The act—which received bipartisan approval—aims to improve current reporting of cybercrime statistics to the federal government. Improved data collection will provide law enforcement and policymakers with better visibility into online scams and other internet-centric criminal activity, said Rep. Abigail Spanberger (D-Va.), who introduced the bill last December. 

“Our legislation would give law enforcement agencies the tools they need to better track and identify cybercrime, prevent attacks, and hold perpetrators accountable,” she said.

Some estimates say only 10% to 12% of cybercrime victims report incidents in the U.S. In spite of those low reporting numbers, the FBI and other law enforcement agencies report billions in losses annually to ransomware, data breaches, and fraudulent activity online. 

“Our nation is under constant attack from cyber criminals,” Spanberger said as the bill moved through the House. “And with a range of new threats emanating from adversaries around the world—including the Russian Federation, Congress has an obligation to move legislation forward that can better protect the American people, their data, their finances, and their personal information.”

While the notion of cybercrime may initially create an image of fraudsters targeting consumers, cybercrime has far reaching implications for businesses, especially in light of the increasing digital footprint and modernization happening in the U.S. economy. Whether it’s using analytics for predictive maintenance in factories, checking safety conditions in pipelines, or adjusting the mix of chemicals in our drinking water, new emerging technologies such as XIoT and cloud analytics have enormous potential to create efficiencies and competitive advantages. 

While digital technologies produce better business outcomes, in parallel they create new forms of cyber risk, as we saw last year with ransomware and extortion-style incidents impacting critical services in the oil and gas, food and beverage, and healthcare industries. Simply put: while digital technologies can improve our lives, their abuse has the potential to cause harm in the physical world.

With this increase of connected devices linking the cyber and physical worlds, the time is ripe for legislation such as the Better Cybercrime Metrics Act. The law will create a quantifiable situational awareness for the U.S. Government, law enforcement, and businesses so they can choose the right cyber defenses and invest in the right proportion to the risk. 

Some of the act’s key points include:

  • Creation of a taxonomy by the National Academy of Sciences for the purpose of categorizing cybercrime. The taxonomy would aid the FBI in classifying incidents within the National Incident-Based Reporting System. 
  • The Department of Justice, meanwhile, would be required to include cybercrime questions as part of its annual National Crime Victimization Survey.
  • The FBI would also be required to ensure that cybercrime metrics are reported similarly to other personal and property crimes
  • Local and federal law enforcement would also be required to report cybercrime incidents to the FBI. 

In the same way we measure the health of our economy by tracking GDP, employment, and other key metrics, the sooner we can provide quantifiable, trustworthy and transparent data on cyber crime, the sooner we can grasp and deal with the problem in a proportional manner. Having a baseline is also critical to understanding the impact of public policy, corporate governance, and workforce education on dealing with the problem. 

Passage of this act follows signing of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law. The legislation requires critical infrastructure owners and operators to report significant cyber incidents within 72 hours, and any ransom payments related to ransomware attacks within 24 hours. The Cybersecurity and Infrastructure Security Agency (CISA) is the incident reporting clearinghouse identified in this legislation, which includes industrial control systems, SCADA systems, distributed control systems, and programmable logic controllers as information systems covered by the law. 

The Better Cybercrime Metrics Act is a strong complement to the incident reporting legislation. As the old saying goes: You can’t manage what you can’t measure. Ultimately, organizations need to determine if their investments in keeping their enterprises secure are effective and sufficient. The legislation helps put corporate decision makers in the driver’s seat to make informed decisions on cyber risk governance.