Cybercrime, such as hacking and ransomware attacks, is increasing in the United States—leading to billions of dollars in losses and threatening public safety.
Several federal agencies work to detect, investigate, and prosecute cybercrimes. Agencies vary in how they collect data on these crimes, and there is no official definition of cybercrime. As a result, this data may not be consistent or complete.
In 2022, Congress required the Department of Justice to develop definitions and categories for cybercrimes in its national crime reporting system—which should help law enforcement agencies comprehensively track and monitor these crimes.
GAO identified 12 agencies, including the Department of Justice, Federal Bureau of Investigation, and Internal Revenue Service; the entire list is included in the report.
Strengths of these mechanisms included specific functionality for capturing cybercrime attributes to facilitate information sharing. Limitations included variations in how systems classify and track cybercrime and the absence of a central mechanism that collects data on cybercrime. These are partly due to the lack of an official or commonly agreed-on definition of cybercrime.
Agencies also identified differences between data reported on cybercrime (including cyber-enabled crime) and other types of crime. For example, cybercrime may not be consistently tracked because it is not always associated with a specific type of offense. In addition, victims may be hesitant to report cybercrime because of lack of familiarity or reputational concerns.
Agencies identified challenges in defining shared metrics. These include measuring the extent and impact of cybercrime, agreeing on a definition of cybercrime, and coordinating among law enforcement agencies at various levels. The Department of Justice (DOJ) effectively developing a cybercrime taxonomy and category in its national crime reporting system should help address these challenges. GAO intends to monitor future efforts, including those to develop cybercrime categories and ensure consistent reporting.
The Better Cybercrime Metrics Act, enacted in 2022, requires DOJ to develop a taxonomy for types of cybercrime and cyber-enabled crime and establish a category in its National Incident-Based Reporting System to collect reports for cybercrime from law enforcement. The act also includes a provision for GAO to report on existing cybercrime reporting mechanisms.