II: Conceptual Issues for Congress and LE on Cybercrime

Posted on 5 June 2012 by


I’m at a conference in Philadelphia today on Organized Retail Crime (an area I’m becoming increasingly passionate about) but I wanted to mention the publication by the Congressional News Service of an important document on cybercrime.

And I’m not just saying it’s important because it echoes stuff we’ve said here for the last year!

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement by Kristin M. Finklea and Catherine A. Theohary is an absolutely excellent overview of the current state of cybercrime definition and legislation in the United States – it even touches on Europe as well.

[By the way, in one of the footnotes within the report, the authors link to another fantastic resource: a compendium of legislation, hearings, directives and other publications being considered, discussed, written and passed around by the 112th congress. The report, by Rita Tehan, is available at CNS.]

The foundational claims of the report are (1) that there is actually no definition of cybercrime in the United States, and (2) there are no metrics about cybercrime in the United States.

If this sounds familiar, it’s because we’ve lost our voices shouting this from the rooftops.

Finklea and Theohary also state that there’s currently a dog’s dinner of agencies trying to jockey for predominance in cybercrime prosecution, all without mandate, definition, resources and, in some cases, a clue.

Federal law enforcement agencies often define cybercrime based on their jurisdiction and the crimes they are charged with investigating. And, just as there is no overarching definition for cybercrime, there is no single agency that has been designated as the lead investigative agency for combating “cybercrime.”

Among the important issues raised in the report are mentions of attribution (whodunnit?) and motivations (Why?). These are incredibly important.

Dave and I continue working with agencies around the country, private sector representatives in retail, credit card and other stakeholder organizations, and now with prosecutors to help articulate what is reasonably in the realm of the possible in terms of investigators working cyber crime cases.

  • We must define our terms.
  • We must create metrics, and take heed of the lessons they bring.

And (and you will hear this a lot from us this year) we need to take, prosecute and win – and lose! – some cybercrime cases. No one ever goes to jail if their crime isn’t prosecuted.

No one stops doing cybercrime because they got away with one.

Prosecutors must take risks, push the envelope of the existing laws and their experience to find the limits of current laws, so that they may articulate what legislative tools they need to be successful. This may mean losing some cases. It’s necessary.

You’ll hear a lot about this from us this year, too.