The U.S. Is Less Prepared to Fight Cybercrime Than It Could Be

Cybercrimes in the United States have resulted in hundreds of billions of dollars in losses, and threaten public safety and economic security. The victims are widespread and include individuals, schools, businesses, utilities, and governments. For example, ransomware attacks—an increasingly common and dangerous form of cybercrime—have been launched against public elementary and secondary schools across the country. During these attacks, schools’ computer systems were hijacked using malicious software, preventing their use and resulting in monetary losses to individual school districts of up to $1 million, as well as weeks of lost learning.

As another example, the U.S. Marshals Service reported in February that it had been the victim of a ransomware attack where hackers accessed sensitive files, including information about investigative targets and employees’ personal data.

Federal law enforcement agencies are using a variety of mechanisms to track and prevent cybercrimes. But in a recent report, we found that these efforts have limitations that have left the U.S. less prepared to combat these crimes. Today’s WatchBlog post looks at our recent report.

Image

Why is tracking and reporting on cybercrime difficult?

Cybercrime generally includes criminal activities that target a computer or network to cause damage or steal information. It also includes the use of computers to conduct criminal activity, like using the internet to facilitate the sale or exchange of illicit goods like illegal drugs or weapons. The very nature of cybercrimes makes them difficult to track, as well as sometimes difficult to detect. Through the internet, cyber criminals can remain anonymous. They do not need to be physically close to their victims to commit a crime. Technology also allows criminal actions to occur in other states or internationally. This has increased the challenges for law enforcement, which in some cases has to coordinate with other countries to combat crimes.  

The information provided by victims of crimes is important for tracking and combating cybercriminal activities. But some victims are hesitant to come forward because they don’t know who to report an attack to or what can be done about it. Similarly, some businesses may also not report cybercrimes to protect their reputation. Even when federal law enforcement receives information on crimes, it faces some internal limitations that prevent it from fully utilizing this information to combat activities. For example, federal law enforcement agencies—including the FBI, Secret Service, Drug Enforcement Administration and others—do not define cybercrime the same way. What is considered cybercrime at one agency may not be defined as such at another. This impacts each agencies’ ability to share important information and coordinate efforts. Federal agencies also use a variety of mechanisms to collect and report on the extent and impact of cybercrime, such as web portals to collect complaints from the public or reports of cyber incidents. But, they lack a central repository for cybercrime data.

Combined, these limitations mean that federal law enforcement lacks a comprehensive picture of the amount and types of cybercrime. This makes it difficult for law enforcement to know how much and where to target resources to combat it.

What’s being done to address these limitations?

In 2022, Congress required the Department of Justice to develop categories of cybercrime so that agencies have shared language to classify and track these incidents. The department told us that it is taking steps to address this requirement. Officials also said the department plans to develop a cybercrime-specific category for the FBI’s National Incident-Based Reporting System, which collects reports on crime from law enforcement across the country. These steps should give law enforcement agencies tools they need to collect more accurate and complete data on cybercrime. This is crucial for countering the effects of cybercrime on American society and on individuals.

The below graphic shows the types of mechanisms used by key federal agencies for collecting and reporting data on cybercrime. Learn more about federal efforts and the challenges in combatting the growing number of cybercrimes by reading our June report.

Image

• Comments on GAO’s WatchBlog? Contact blog@gao.gov.