What do the numbers say about Cybercrime? Not much. No one is using them.
There is a popular quote often mis-attributed to the hero of Total Quality Management, W. Edwards Deming: "If you can't measure it, you can't manage it." It's one of the first things I think about every year when the FBI releases their annual Crime Statistics Report, as they just did for 2017. (The "mis-attributed" is because for all the times he has been quoted, Deming actually said almost the exact opposite. What he actually said, in "The New Economics," was: "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.")
Despite being a misquote, I've used it often myself. There is no way to tell if you are "improving" your response to a crime type if you don't first have valid statistics for it. The reason the quote always pops to mind, however, is that, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics. This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases. Want to test it yourself? Call your local Police Department and tell them your computer has a virus. See what happens.
It isn't for lack of law! Every State in the Union has its own computer crime law, and most of them have a category that would be broadly considered "hacking." A quick reference to all 50 states' computer crime laws is here: State Computer Crime Laws. And yet, with a mandate to report hacking to the Department of Justice, almost nobody is doing it.
You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation. UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):
murder and non-negligent homicide, rape, robbery, aggravated assault, burglary, motor vehicle theft, larceny-theft, and arson.
The data for calendar year 2017 was just released this week and is now available in a new portal, called the Crime Data Explorer. Short-cut URL: https://fbi.gov/cde
To capture other crime types, the Department of Justice has been encouraging the adoption of NIBRS, the National Incident-Based Reporting System. This system primarily focuses on 52 crime categories, and gathers statistics on several more. Most importantly for us, it includes several categories of "Fraud Crimes":
- 2 / 26A / False Pretenses/Swindle/Confidence Game
- 41 / 26B / Credit Card/ATM Fraud
- 46 / 26C / Impersonation
- 12 / 26D / Welfare Fraud
- 17 / 26E / Wire Fraud
- 63 / 26F / Identity Theft
- 64 / 26G / Hacking/Computer Invasion
Unfortunately, despite being endorsed by most every major law enforcement advocacy group, many states, including my own, are failing to participate. The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:
https://www.fbi.gov/file-repository/ucr/nibrs-countdown-flyer.pdf
In the just-released 2017 data, out of the 18,855 law enforcement agencies in the United States, 16,207 of them submitted SRS "old-style" UCR data. Only 7,073 (42%) submitted NIBRS-style data.
Unfortunately, the situation when it comes to cybercrime is even worse. For SRS-style reporting, all cybercrimes are lumped under "Fraud". In 2016, SRS reported 10.6 Million arrests. Only 128,531 of these were for "Fraud", of which cybercrime would be only a tiny portion.
Of those eight "fraud type" crimes, the 2017 data is not yet available for detailed analysis (currently most of the state data sets, released September 26, 2018, limit the data in each table to only 500 rows). Since, as an example, Hoover, Alabama, the only city in my state participating in NIBRS, has 3800 rows of data, you can see how that filter is inadequate for state-wide analysis in fully participating states!
Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes. In 2016, 6,191 law enforcement agencies submitted NIBRS-style data. Of those, 5,074 included at least some "fraud type" crimes. Here's how they broke down by fraud offense. Note: these are not the number of CRIMES committed; these are the number of AGENCIES who submitted at least one of these crimes in 2017:
type - # of agencies - fraud type description
==============================================
2 - 4315 agencies - False Pretenses/Swindle/Confidence Game
41 - 3956 agencies - Credit Card/ATM Fraud
46 - 3625 agencies - Impersonation
12 - 328 agencies - Welfare Fraud
17 - 1446 agencies - Wire Fraud
63 - 810 agencies - Identity Theft
64 - 189 agencies - Hacking/Computer Invasion
Only 189 of the nation's 18,855 law enforcement agencies submitted even a single case of "hacking/computer invasion" during 2016! When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered "64 - Hacking/Computer Invasion". To explore on your own, visit the NIBRS 2016 Map. Then under "Crimes Against Property" choose the Fraud type you would like to explore. This map shows "Hacking/Computer Intrusion." Where a number shows up instead of a pin, zoom the map to see details for each agency.
Filtering the NIBRS 2016 map for "Hacking/Computer Intrusion" reports
Clicking on "Nashville" as an example
I have requested access to the full data set for 2017. I'll be sure to report here when we have more to share.