Search Penny Hill Press

Thursday, July 26, 2012

Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement

Kristin M. Finklea
Specialist in Domestic Security

Catherine A. Theohary
Analyst in National Security Policy and Information Operations

Twenty-first century criminals increasingly rely on the Internet and advanced technologies to further their criminal operations. These criminals can easily leverage the Internet to carry out traditional crimes such as distributing illicit drugs and sex trafficking. In addition, they exploit the digital world to facilitate crimes that are often technology driven, including identity theft, payment card fraud, and intellectual property theft. Cybercrimes have economic, public health, and national security implications, among others. For over three decades, Congress has been concerned about cybercrime and its related threats. Today, these concerns often arise among a larger discussion surrounding the federal government’s role in ensuring U.S. cyber security.

Conceptualizing cybercrime involves a number of key elements and questions that include where do the criminal acts exist in the real and digital worlds (and what technologies are involved in carrying out the crimes), why are malicious activities initiated, and who is involved in carrying out the malicious acts?

• One way of viewing cybercrimes is that they may be digital versions of traditional, real world offenses. They could be considered traditional, or “real world,” crimes if not for the incorporated element of virtual or cyberspace. In some instances, however, it may seem that law enforcement struggles to keep up with developments in the virtual world, which transform routine activities once driven by paper records in the real world. As a result, criminals are often prosecuted using laws intended to combat crimes in the real world.

• The distinction between cybercrime and other malicious acts in the virtual realm is the actor’s motivation. Cyber criminals can exhibit a wide range of self interests, deriving profit, notoriety, and/or gratification from activities such as hacking, cyber stalking, and online child pornography. Without knowing the criminal intent or motivation, however, some activities of cyber criminals and other malicious actors may appear on the surface to be similar, causing confusion as to whether a particular action should be categorized as cybercrime or not. When referring to cybercrime incidents, terms such as cyber attack, cyber espionage, and cyber war are often loosely applied, and they may obscure the motives of the actors involved.

• Criminal attribution is a key delineating factor between cybercrime and other cyber threats. When investigating a given threat, law enforcement is challenged with tracing the action to its source and determining whether the actor is a criminal or whether the actor may be a terrorist or state actor posing a potentially greater national security threat. This is highlighted by examining the online collective known as Anonymous. Some refer to Anonymous as a group of online activists, others see the collective as a group of criminal actors, and still others have likened it to online insurgents.

The U.S. government does not appear to have an official definition of cybercrime that distinguishes it from crimes committed in what is considered the real world. Similarly, there is not a definition of cybercrime that distinguishes it from other forms of cyber threats, and the term is often used interchangeably with other Internet- or technology-linked malicious acts. Federal law enforcement agencies often define cybercrime based on their jurisdiction and the crimes they are charged with investigating. And, just as there is no overarching definition for cybercrime, there is no single agency that has been designated as the lead investigative agency for combating cybercrime.

Congress may question whether it is necessary to have a clear definition of what constitutes cybercrime (e.g., S. 2105, S. 3414) and what delineates it from other real world and cyber threats. On one hand, if the purpose of defining cybercrime is for investigating and prosecuting any of the various crimes under the broader cybercrime umbrella, it may be less critical to create a definition of the umbrella term and more imperative to clearly define which specific activities constitute crimes—regardless of whether they are considered real world crimes or cybercrimes. On the other hand, a distinction between cybercrime and other malicious activities may be beneficial for creating specific policies on combating the ever-expanding range of cyber threats. If government agencies and private sector businesses design strategies and missions around combating cybercrime, it may be useful to communicate a clear definition of cybercrime to those individuals who may be involved in carrying out the strategies.

The United States does not have a national strategy exclusively focused on combating cybercrime. Rather, there are other, broader strategies that have cybercrime components (a selection of which are presented in the Appendix). Policymakers may question whether there should be a distinct strategy for combating cybercrime or whether efforts to control these crimes are best addressed through more wide-ranging strategies such as those targeting cyber security or transnational organized crime. Congress may also question whether these broader strategies provide specific cybercrime-related objectives and clear means to achieve these goals.

Comprehensive data on cybercrime incidents and their impact are not available, and without exact numbers on the current scope and prevalence of cybercrime, it is difficult to evaluate the magnitude of the threats posed by cyber criminals. There are a number of issues that have prevented the accurate measurement and tracking of cybercrime. For one, the lack of a clear sense of what constitutes cybercrime presents a barrier to tracking inclusive cybercrime data. Additionally, much of the available data on cybercrime is self-reported, and individuals or organizations may not realize a cybercrime has taken place or may elect—for a host of reasons— not to report it. Policymakers may debate whether to direct a thorough evaluation of the threats posed by cyber criminals.

Date of Report: July 20, 2012
Number of Pages: 30
Order Number: R42547
Price: $29.95

Document available via e-mail as a pdf file or in paper form.

To Order:

R42547.pdf  to use the SECURE SHOPPING CART


Phone 301-253-0881

For email and phone orders, provide a Visa, MasterCard, American Express, or Discover card number, expiration date, and name on the card. Indicate whether you want e-mail or postal delivery. Phone orders are preferred and receive priority processing.

Follow us on TWITTER at or #CRSreports