Wednesday, November 13, 2019

Cybercrime deterrence begins with metrics


The importance of metrics to crime deterrence would appear to be both critical and obvious and yet there is clearly a large cybercrime metrics gap: official statistics about crimes committed in cyberspace seem scarce relative to those documenting the incidence and impact of traditional or “meatspace” crimes. 

I have been talking about the cybercrime metrics problem for many years, notably at Virus Bulletin in 2015 (you can find my paper, a video of my talk, and my slides here: Sizing cybercrime: incidents and accidents, hints and allegations). 

More recently, namely Q3 of 2019, I wrote a law review article titled Advancing Accurate and Objective Cybercrime Metrics (publication pending). I did this as part of the Third Way Cyber Enforcement Initiative, an impressive effort to bring together an inter-disciplinary group of experts to develop ways forward on the cybercrime problem. This has already produced results, an excellent summary of input on The Need for Better Metrics on Cybercrime, from Third Way Policy Advisor, Ishan Mehta.

My paper for this project situates the efforts needed to obtain accurate and objective cybercrime metrics within the broader work of reforming traditional crime reporting which currently fails to meet the needs of information-based criminal policy. With a case study of identity theft, the paper illustrates disparities between current government and private-sector metrics while highlighting the importance of timely metrics to the work of countering rapidly evolving cybercrimes. After reviewing promising ways forward already developed by a range of experts, the paper concludes that meaningful action to improve crime metrics is possible; however, this will take more political will than has so far been mustered and so suggestions for how this might be generated are provided.

I will be giving a flashtalk on the paper at the upcoming symposium at New York University: Catching the Cybercriminal: Reforming Global Law Enforcement. Then I will report back here.