U.S. President Joe Biden has signed the Better Cybercrime Metrics Act, aiming to improve how the federal government tracks, measures, analyzes and prosecutes cybercrime.
Endorsed by the National Fraternal Order of Police and several national law enforcement organizations, the act will build a system to track cybercriminal incidents to combat rising cyber and cyber-enabled crimes.
In addition, the act aims to improve cybercrime metrics by requiring the Government Accountability Office (GAO) to report on the effectiveness of current mechanisms and highlight disparities in reporting data between cybercrime data and other types of crime data.
The bipartisan legislation also requires:
- The National Crime Victimization Survey to incorporate questions related to cybercrime in its survey instrument,
- The U.S. Department of Justice to contract with the National Academy of Sciences to develop a taxonomy for cybercrime that can be used by law enforcement, and
- The National Incident Based Reporting System — or any successor system — include cybercrime reports from federal, state, and local officials.
The absence of a detailed and consistent system for collecting and categorizing data on cybercrime hinders the federal government from fully understanding the scope of the cybercrime problem, further preventing law enforcement from protecting against cybercrime. By some estimates, the Federal Bureau of Investigation (FBI) only collects about one in 90 of all cybercrime incidents in its Internet Crime Complaint Center (IC3) database.
Security leaders think the legislation is a step in the right direction, and organizations can benefit from better reporting and categorization of incidents. Craig Lurey, CTO and Co-Founder at Keeper Security, believes it will also help both cyber professionals and the government understand and prioritize the most important attack vectors organizations must be protected against, especially as these attacks evolve.
Better categorization, says Archie Agarwal, Founder and CEO at ThreatModeler, will, in turn, standardize the kinds of threats organizations face: the adversaries that promulgate attacks, as well as the nature and impact of a successful attack. “As the government mandates and recommends more reporting, organizations will have more examples that mirror their own exposure, as well as associated damages and costs. Disclosure, generally, is something that government departments and private industry fear alike. A mandated reporting standard and taxonomy will make it harder for firms to pave over detail and magnitude of their security incidents using their own marketing and language,” Agarwal explains.
A larger benefit of the legislation may be the increased attention on cyberthreats by organizations, notes John Yun, Vice President of Product Strategy at ColorTokens, explains. “There have been many cases where organizations have renewed focus and subsequent budget allocated following government agency involvement. It provides organizations the additional justifications and reasons for prioritizing cybersecurity needs.” Yun points to the development of the Risk Management Framework (RMF) by NIST, for example, which brought much-needed attention to zero trust architecture.
“Developing a common language and taxonomy about cyberattacks is also crucial for defining metrics and sharing [threat intelligence] across the cyber defender community,” says Michael Mumcuoglu, CEO and co-founder at CardinalOps. However, Mumcuoglu recommends the National Academy of Sciences build upon existing, widely-used industry standards — such as MITRE ATT&CK, a standard taxonomy for describing adversary techniques based on real-world observations, and VERIS, a set of metrics that use a common language to describe security incidents — rather than reinventing the wheel.
Overall, the legislation “is an important step to make it harder for cybercriminals to do damage,” Lurey says.