US Passes Law Requiring Better Cybercrime Data Collection
DOJ, FBI Tasked With Compiling Detailed Stats, Developing Taxonomy to Sort Data
U.S. President Joe Biden on Thursday signed into law the Better Cybercrime Metrics Act, which was proposed by a bipartisan group of lawmakers to improve data collection on cybercrimes. The law requires the Department of Justice and the FBI to compile detailed cybercrime statistics and develop a taxonomy to help contextualize and sort this data.
The bipartisan law is also expected to give law enforcement officials and policymakers more tools to combat cybercrime in the country. The bill was passed by the U.S. Senate in December 2021 and by the U.S. House of Representatives in March 2022.
"By collecting data on how often, when and where cyberattacks are happening, our bipartisan bill will better protect people in Hawaii from online crimes like those against our transit and water systems in Honolulu, help us support victims of online crimes, and give us more tools to go after the criminals who perpetrate them," says Sen. Brian Schatz, D-HI, who authored the legislation.
Better Cybercrime Metrics Act
The act will offer law enforcement officials a clearer picture of online crimes in the U.S. by requiring the FBI to integrate cybercrime incidents into its current reporting streams.
"As cybercriminals continue to target vulnerable populations, this data will help lawmakers make an informed case for policy changes to curtail the cybercrime wave, keep Americans safe, and bring these criminals to justice," Schatz says.
U.S. Rep. Abigail Spanberger, D-VA, who co-sponsored the legislation, says that the Better Cybercrime Metrics Act will improve how the federal government tracks, measures, analyzes and prosecutes cybercrime.
"One year ago this week, we saw the damaging effects of the ransomware attack on the Colonial Pipeline. In an instant, the American people saw how cybercrime - now the most common crime in America - could jeopardize the integrity of critical infrastructure, the American economy and our national security," says Spanberger, a former CIA case officer and former federal agent.
"And as cybercriminals increasingly adapt their methods of attack against vulnerable people and networks, the United States must improve our cybercrime classification system. Otherwise, we are risking the safety and privacy of American families, homes, businesses and government agencies," she adds.
Schatz says that the Better Cybercrime Metrics Act will:
- Require the FBI to report metrics on cybercrime and cyber-enabled crime categories, just as they do for other types of property crime;
- Encourage local and federal law enforcement agencies to report incidents of cybercrime in their jurisdictions to the FBI;
- Authorize a study at the National Academies of Science to create a taxonomy for cybercrime incidents in consultation with federal, state, local and tribal stakeholders, criminologists and business leaders that would inform the FBI's reporting of cybercrime and cyber-enabled crime;
- Require the Bureau of Justice Statistics at the Department of Justice and the Census Bureau to include questions related to cybercrime and cyber-enabled crime as part of its annual National Crime Victimization Survey.
The impact of this legislation depends entirely on the usefulness of the taxonomy itself, says Jennifer Fernick, senior vice president and global head of research at security consultancy NCC Group.
"The authors of that taxonomy need to meaningfully answer what data points about cybercrime will enable meaningful intervention for the future prevention of these crimes," Fernick, who is also a National Security Institute visiting technologist fellow at George Mason University, tells Information Security Media Group.
"It is important, for example, to distinguish at minimum between computer-related crimes that attack human judgment or exploit edge cases in business processes from crime that is enabled through specific hardware or software flaws that can be exploited by criminals attacking an organization's IT infrastructure. In the latter case, it would be valuable in particular to identify the specific software or hardware components, or even specific security vulnerabilities or CVEs, which served as the substrate for the attack, to help inform organizations about where they would most benefit from strengthening their cybersecurity defenses," Fernick says.
Bill Johnson, executive director at the National Association of Police Organizations, says that robust data on cybercrime is necessary to support and enhance the capacity of state and local law enforcement agencies to prevent, investigate and respond to such crimes.
"Until the enactment of the Better Cybercrime Metrics Act, there have been no standardized metrics for tracking cybercrime, which has hindered law enforcement's ability to fully understand its impact across the country. With these standardized metrics in place, it will be easier for state and local law enforcement to collect and report data on cybercrime incidents, leading to better investigations and prosecution of these crimes," Johnson says.
In addition, the Comptroller General, the head of the U.S. Government Accountability Office, is directed to submit a report to Congress within 180 days after the date of enactment of this act.
The report will assess the effectiveness of reporting mechanisms for cybercrime and cyber-enabled crime in the United States, as well as the disparities between the reporting of cybercrime and cyber-enabled crime data and the reporting of other types of crime data.
"Vulnerabilities in critical software and systems will continue to be exploited by threat actors. The most powerful way to prevent cyberattacks is to improve the security of the systems themselves, both through improving the security of software as it is developed in the first place, as well as through interventions like third-party security audits and the use of security flaw detection tools to help organizations identify and remediate security risks before they're exploited by threat actors," Fernick tells ISMG.
In March 2022, an overwhelmingly bipartisan majority of the U.S. House voted to pass the legislation. Spanberger's legislation is co-sponsored by Reps. Blake Moore, Andrew Garbarino, Sheila Jackson Lee, Brian Fitzpatrick, Ed Case, David Trone, Kweisi Mfume and Josh Gottheimer, as well as Delegate Eleanor Holmes Norton.
The U.S. Senate version of the Better Cybercrime Metrics Act is led by Sen. Brian Schatz and co-sponsored by Sens. Thom Tillis, John Cornyn and Richard Blumenthal.
Second Bill Signed, to Tackle Quantum Computing Threat
In a separate development on Wednesday, Biden also addressed the growing concern about cyberespionage and signed a national security memorandum requiring government agencies to implement measures that would mitigate the risks that quantum computers pose to U.S. national cybersecurity.
"A cryptanalytically relevant quantum computer could jeopardize civilian and military communications as well as undermine supervisory and control systems for critical infrastructure," says General Paul M. Nakasone, director of the National Security Agency and Commander of United States Cyber Command. "The number one defense against this quantum computing threat is to implement quantum-resistant cryptography on our most important systems."
Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, tells ISMG: "This is a great, proactive, further step in preparing the U.S. for the threats from sufficiently capable quantum computers. While no one, at least publicly, knows when the threat of quantum computers will be realized, we all know that it is sooner than later."
"Most quantum experts put the eventuality of quantum computers breaking much of today's cryptography at 10 years or less. I do not think anyone would be shocked if it happened in five years or less. Me, personally, I think we are talking only a few years. The question is if we and the rest of the world will be ready ... and have quantum-resistant cryptography and systems in place before the quantum cryptographic break happens? Every single company in the world should right now be preparing to convert their systems to quantum-resistant protections."