“If you see something, say something” but “Who you gonna call?” – Problems in the reporting of cybercrime

The references in the title represent two key problems of cybercrime prevention to date. The former is a campaign slogan created for the New York Metropolitan Transport Authority (MTA) after the terrorist attacks of 11 September 2001, later adopted by the US Department of Homeland Security. The slogan was supposed to encourage members of the public to report suspicious activity and prevent potential terrorist attacks in cities around the US.

The latter quote needs less explanation. It is the famous question from the catchy movie soundtrack by Ray Parker Jr. The answer to this famous question matches the title of the movie – Ghostbusters! How are these two lines related and to what do they refer in the realm of cybersecurity, more specifically, cybercrime?

See something, say something!

Law Enforcement Agencies (LEAs) and cybersecurity experts repeatedly note that cybercrime is severely underreported. According to Eurostat and the EU Cybersecurity Strategy from 2020, 83 per cent of EU Internet users have never reported a cybercrime. A more alarming statistic emerges when the numbers of computer-related crimes documented in 2020-2021 by the Telephone-operated Crime Survey for England and Wales (TCSEW), run by the UK Office of National Statistics, are compared with the numbers of offences reported to the police and recorded by the National Fraud Intelligence Bureau (NFIB): only around 1.5 per cent of computer-related crime is reported to the police in the UK. That means that around 98.5 per cent of cybercrime remains unknown to the police.

This is an enormous problem, according to Europol’s Internet Organised Crime Threat Assessment (IOCTA) Report from 2020. The report explains that “under-reporting prevents law enforcement from forming the bigger picture and gathering reliable data”. Conversely, “the more victims report a crime, the more data law enforcement can gather and the more likely connections between different crimes can be established”. LEAs around Europe, with the help of international organisations and the EU, have been making efforts to increase public awareness of cybercrime and the need to report it. However, despite these efforts, reporting numbers remain low.

After 9/11, US law enforcement realised that it needed public help to prevent terrorist attacks, and thus the campaign slogan “see something, say something” was born. However, in contrast to terrorism on the scale the world witnessed on 11 September 2001, cybercrime remains invisible and elusive to both investigators and the public. Despite the vast threat it poses to the public, cybercrime can be too complex for victims to understand, making it hard to “see” or “say” something about it. For this reason, similar slogans and campaigns to mobilise the public will have little effect.

Who ya gonna call?

However, even if cybercrime were to become a widely acknowledged public threat and a Europe-wide awareness campaign yielded higher engagement from the public (and private) sector, the second key problem for preventing and investigating cybercrime would remain – who ya gonna call?

There is currently no Europe-wide blueprint for how national LEAs should be structured, especially in terms of how and at what level cybercrime units should operate. This also extends to the reporting of cybercrime, which can vary from country to country. In Ireland, for example, citizens should report cybercrimes to their local Garda (the name for the Irish police) station. However, if a member of the public “feels” that they “experienced a cyber security incident that may have a national impact”, they should contact the National Cyber Security Centre (NCSC). Similar discrepancies exist in other countries, making the process confusing for members of the public.

But the problem doesn’t end once a cybercrime is reported. Throughout Europe, there is no harmonised approach to cooperation between local and centralised levels of law enforcement on issues of cybercrime, nor is there sufficient expertise to deal with these matters appropriately. The IOCTA Report from 2020 explains that “local police units may not have the expertise to assist a victim of cybercrime,” and notes that “information reported to local police may not find its way to national or central units”. As a result, “law enforcement is unable to connect the dots on a national scale and with their respective international partners”.

Once a report is lodged, sharing information within or across jurisdictions is further encumbered by differing registration and classification systems. As the report explains, in some countries “ransomware, for example, was not a separate category” but would be assigned a code at the reporting stage for the general category of “data breaches”. This can lead to classification problems, as different types of crimes fall into the same category. Such data may not be useful in another country where more specific categorisation of cybercrimes is commonplace.

The EU is aware of these problems and is supporting experts and LEAs via different mechanisms, including funding projects run by international consortia whose objective is to research these issues and offer actionable suggestions. The CYBERSPACE project aims to help overcome these issues by researching the cybercrime situation in Europe and identifying where significant reporting gaps exist, as well as where data sharing and cooperation can be improved. To achieve this, the project is actively seeking input from a wide range of stakeholders to obtain a multi-disciplinary as well as cross-cultural perspective of the cybercrime panorama in the EU.

Nikola Tomic, Trilateral Research

(Note: This blogpost has been adapted from a piece that was written by the same author for the Internal Security Forum: https://www.isflive.org/s/blog-article/a0t6M00000GcLcNQAV/if-you-see-something-say-something-but-who-ya-gonna-call-cybercrime-edition)