Despite being a misquote, I’ve used it often myself. There is no way to tell if you are “improving” your response to a crime type if you don’t first have valid statistics for it. Why the quote always pops to mind, however, is because, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics. This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases. Want to test it yourself? Call your local Police Department and tell them your computer has a virus. See what happens.
It isn’t for lack of law! Every State in the Union has their own computer crime law, and most of them have a category that would be broadly considered “hacking.” A quick reference to all 50 states computer crime laws is here: State Computer Crime Laws – and yet with a mandate to report hacking to the Department of Justice, almost nobody is doing it.
You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation. UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):
murder and non-negligent homicide, rape, robbery, aggravated assault, burglary, motor vehicle theft, larceny-theft, and arson.
To capture other crime types, the Department of Justice has been encouraging the adoption of the NIBRS – the National Incident-Based Reporting System. This system primarily focuses on 52 crime categories, and gathers statistics on several more. Most importantly for us, it includes several categories of “Fraud Crimes”
- 2 / 26A / False Pretenses/Swindle/Confidence Game
- 41 / 26B / Credit Card/ATM Fraud
- 46 / 26C / Impersonation
- 12 / 26D / Welfare Fraud
- 17 / 26E / Wire Fraud
- 63 / 26F / Identity Theft
- 64 / 26G / Hacking/Computer Invasion
Unfortunately, despite being endorsed by most every major law enforcement advocacy group, many states, including my own, are failing to participate. The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:
Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes. In 2016, 6,191 law enforcement agencies submitted NIBRS-style data. Of those 5,074 included at least some “fraud type” crimes. Here’s how they broke down by fraud offense. Note, these are not the number of CRIMES committed, these are the number of AGENCIES who submitted at least one of these crimes in 2017:
type – # of agencies – fraud type description
2 – 4315 agencies – False Pretenses/Swindle/Confidence Game
41 – 3956 agencies – Credit Card/ATM Fraud
46 – 3625 agencies – Impersonation
12 – 328 agencies – Welfare Fraud
17 – 1446 agencies – Wire Fraud
63 – 810 agencies – Identity Theft
64 – 189 agencies – Hacking/Computer Invasion
Only 189 of the nation’s 18,855 law enforcement agencies submitted even a single case of “hacking/computer invasion” during 2016! When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered “64 – Hacking/Computer Invasion”. To explore on your own, visit the NIBRS 2016 Map. Then under “Crimes Against Property” choose the Fraud type you would like to explore. This map shows “Hacking/Computer Intrusion.” Where a number shows up instead of a pin, zoom the map to see details for each agency.
|Filtering the NIBRS 2016 map for “Hacking/Computer Intrusion” reports|
As an example, Zooming the number in Tennessee, I can now see a red pin for Nashville. When I hover that pin, it shows me how many crimes in each NIBRS category were reported for 2017, including 107 cases of Wire Fraud, 34 cases of Identity Theft, and only 3 cases of Hacking/Computer Invasion:
on “Nashville” as an example
I have requested access to the full data set for 2017. I’ll be sure to report here when we have more to share.