Better Cybercrime Metrics Act signed into law, pledges improvements to federal action on cybercrime

With the signing of the Better Cybercrime Metrics Act last week, President Joe Biden welcomed a new cybersecurity bill into law, promising improvements to how the federal government prosecutes, measures, and tracks cybercrime. 

Backed by the National Fraternal Order of Police and other national law enforcement organizations, the bill originally introduced by U.S. Rep. Abigail Spanberger (D-VA) – a former Central Intelligence Agency (CIA) case officer and federal agent – was created with the understanding that the federal government currently lacks an effective system to chart the growing phenomenon of cybercrime. 

Four years ago, a 2018 nonpartisan study from Gallup determined that nearly one in four U.S. households were victims of cybercrime. However, the report estimates that many more go unreported and untracked. According to the Federal Bureau of Investigation (FBI) Internet Crime Report of 2020, this environment fostered 791,790 complaints from Americans, amounting to more than $4.1 billion in losses. This included incidents of compromised business emails, phishing scams, and ransomware alike. Through its Recovery Asset Team and affiliated partners, the FBI managed to freeze approximately $380 million of reported losses that year. 

“One year ago this week, we saw the damaging effects of the ransomware attack on the Colonial Pipeline,” Spanberger said. “In an instant, the American people saw how cybercrime —now the most common crime in America — could jeopardize the integrity of critical infrastructure, the American economy, and our national security. And as cybercriminals increasingly adapt their methods of attack against vulnerable people and networks, the United States must improve our cybercrime classification system. Otherwise, we are risking the safety and privacy of American families, homes, businesses, and government agencies.”

As a result, the Better Cybercrime Metrics Act will lay the groundwork for a system to track cybercrime incidents and allow U.S. law enforcement agencies to identify cyber threats better and shield them against future attacks. Specifically: 

• The Government Accountability Office (GAO) will be required to evaluate current cybercrime mechanisms and identify disparities in reporting data between cybercrime and other types of crime.
• The National Crime Victimization Survey will need to incorporate questions related to cybercrime in future surveys.
• The U.S. Department of Justice (DOJ) will contract with the National Academy of Science to create a taxonomy of cybercrime usable by law enforcement.
• Cybercrime reports from federal, state, and local officials will now be included in systems like the National Incident Based Report System.

“Robust data on cybercrime is necessary to supporting and enhancing the capacity of state and local law enforcement to prevent, investigate and respond to such crimes,” Bill Johnson, executive director of the National Association of Police Organizations (NAPO), said. “Until the enactment of the Better Cybercrime Metrics Act, there have been no standardized metrics for tracking cybercrime, which has hindered law enforcement’s ability to fully understand its impact across the country. With these standardized metrics in place, it will be easier for state and local law enforcement to collect and report data on cybercrime incidents, leading to better investigations and prosecution of these crimes.”

The legislation was initially introduced in August 2021, with a Senate companion bill passed that same December. The House version finally passed in March 2022.