Whether you write it as “cybercrime” or “cyber crime,” the operative word is crime. Each instance of ransomware, data exfiltration, or other illicit access is a crime. Here’s the problem: a huge percentage of that crime goes unreported. It’s a major problem we have in the cybersecurity realm, especially in the small to mid-market business arena.
Cybercrime is arguably one of the most complicated crimes to deal with. Threat actors use sophisticated techniques to conceal their identity, and they use even more sophisticated techniques to hide the totality of their crime portfolio. The good news, particularly in the US, is that we have the most sophisticated cyber intelligence resources on the planet. We just recently saw the Department of Justice make some amazing announcements that really shows the ability of our law enforcement partners to track down anyone, anywhere, despite their efforts to hide.
So, we have the capability. Why isn’t it more fruitful? That brings me back to the whole point of this article, cybercrime goes woefully underreported. Each and every single ransomware incident is a crime. Is the FBI going to be able to investigate every one? Nope. That’s not what they are here for. The charter of DOJ and DHS (CISA) is to investigate and understand the totality of the impact of cybercrime. Given the prevalence and frequency of small time attacks, it would be impossible for them to investigate every single incident. However, having access to the data on the totality of impact is crucial.
This is where public/private partnerships come in. If we partner with our colleagues at CISA and the FBI by providing the critical data they need, they can build better trends around particular threat actors. These trends create chains of evidence and help steer investigative teams and counterintelligence teams in the right direction, they help them reach anyone anywhere.
Gathering this data over time also has massive impact on the future of cybercrime prevention and law enforcement. Right now, there is little legal grounds to properly prosecute threat actors. Cases are often built on top of existing financial crime laws but are often not enough focused on the cyber incident itself. Let’s be honest with ourselves, the CFAA is super outdated. It doesn’t cover the totality of today’s threat landscape by a longshot. By understanding damages across a myriad of cases, and including the SMB space, congress and the DOJ can look to build smarter enforcement mechanisms that are aligned to the nature of the actual crime at hand.
For example, if you were to go to your local convenience store and swipe a candy bar, you’re looking at (depending on the jurisdiction), something like a petty theft or shoplifting charge. If you steal a really expensive item, say your neighbor’s McLaren, you’re looking at Grand Theft. The penalties for that are vastly different (often a small fine vs a lot of prison time). Cybercrime needs a similar framework. If I get caught doing a small time $100 ransomware attack on a single consumer, the punishment should be quite different than taking down a major oil pipeline.
And speaking of infrastructure. Imagine an incident where a major electrical utility is brought down, or an entire regional medical system and its hospitals. That’s a very different crime than swiping $100k off of a small business. Some might argue grand theft vs a terrorist attack. You see my point. Crime in general is complicated, and cybercrime is its own class of crime that needs its own framework for enforcement.
Now let’s imagine we continue to ignore the need to report cybercrime. We continue secretly paying ransoms, recovering without telling anyone, et al. Whether or not we get the voice of the SMB into the conversation, the government is going to act. Imagine if congress wrote laws and the DOJ produced enforcement mechanisms under that scenario. Imagine if all they really knew about were large scale attacks like Colonial? Then what? The standards for enforcement would look vastly different. Maybe stealing your neighbor’s McLaren is the cyber equivalent of stealing a candy bar? If we, as providers to the SMB, don’t get their voice in, we’re doing the entire sector a disservice.
So all of that is really to say: start reporting cybercrime. Help create the data needed and, over time, help motivate the LE & IC communities go after the bulk actors against SMB. One reported incident of $50k looks a lot different than 500 reported incidents (with the same IoCs) ranging from $10k to $500k. Suddenly, that becomes a juicy target.
How to Report Cybercrime (in the US)
In the USA, the Cybersecurity & Infrastructure Security Agency (CISA) component of the Dept. of Homeland Security is the main agency in charge of cybersecurity. They also accept reports of cybercrime and are tasked with sharing that information to private infrastructure partners, the intelligence community, and law enforcement at all levels. They accept reports through Computer Emergency Readiness Team website at https://us-cert.cisa.gov. To report a crime, navigate to the US-CERT website and scroll down a bit. You’ll see reporting options right on the home page:
Simply select the best option (such as reporting malware vs phishing incidents). Protip: Ransomware goes in the malware category. If you have IoCs to share, you can even share those (which again go into a feed for other public/private partners).
Disclaimer: I’m not a lawyer. The DOJ is law enforcement, DHS works closely with DOJ. If you’re worried about the risks, consult a competent attorney. Also, in a major incident, work with your insurance company to bring the right resources to bear.