The Lack of Cybercrime Statistics: Why the Threat Is Bigger than We Think It Is

November 13, 2015

How great is the threat of cybercrime to you or your business?

You may think it’s possible to answer this question with a reasonable degree of confidence. It’s easy, after all, to assume that law enforcement and the IT security community have accurate and complete data at their disposal on the frequency of cyber attacks, the organizations they target, and the damage they cause.

The reality, however, couldn’t be more different. The way we measure cybercrime in the US today simply isn’t reliable enough to know this with any degree of certainty – and the statistics we do have only show the tip of the iceberg.

Where Do Today’s Cybercrime Statistics Come From?

First, consider our current reporting system for cyberattacks. In 47 states, organizations are required by law to notify customers and other relevant parties when their data is compromised by hackers. However, this only applies to personally identifiable information (PII) – there’s no legal requirement for organizations to issue notifications when their intellectual property (IP) or some other kind of data is stolen.

Should those organizations suffer cyberattacks, the correct course of action is to log a complaint with the local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). However, this is not mandatory, nor is the number of complaints received a statistically valid measure of the frequency of cybercrime. Many incidents go unreported, while others – such as the more high-profile, public ones – attract an above-average volume of complaints.

Meanwhile, local police departments can’t be counted on to produce reliable cybercrime statistics because their own definitions of cybercrime are so inconsistent. Some will categorize identity theft and a subsequent financial loss as a larceny, whereas others will classify it as fraud, forgery, or something else entirely. And again, compared to robberies, burglaries and assault, cybercrime is often unreported in the first place.

Finally, we can look to independent studies for some idea as to the scale of the threat. Verizon’s annual Data Breach Investigations Report is one example of this. However, while Verizon’s methodology is sound, there’s still the problem of underreporting, and the report generally only indicates the trends in cybercrimes that companies are willing to report. While it is useful in determining whether cybercrime is increasing or decreasing year on year, it’s not an absolute measure of how much of it is out there.

On the whole, the data we have at our disposal is fragmented and incomplete, and our system for reporting cybercrime is vastly inferior to the Uniform Crime Reports (UCR) that have been used by the FBI to track other offenses centrally for the last 80-plus years. The threat could be much, much bigger than we think it is.

Taking Action to Measure and Combat Cybercrime

The paucity of reliable cybercrime statistics has potentially far-reaching implications. As a country, we’re convinced that crime is down, and there’s data – such as the UCR – to support this. But what if criminality is simply moving into the cyber arena? And what could the consequences be of having no way of tracking this?

Without statistics, it becomes difficult to steer government policy and strategy to combat cybercrime, and it becomes difficult for law enforcement to assign sufficient resources to the problem. Until the situation is improved, things are likely to get worse before they get better.

The lesson for the average US business, meanwhile, is this: any data you see on cybercrime, however strongly worded the report or high the numbers, is based on inconsistent reporting. All you’re seeing is the tip of the iceberg.

Leo Taddeo
Chief Security Officer
www.cryptzone.com

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibility in the field, including supervising an FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.
