Where Are We Now? Examining the Trump Administration’s Efforts to Combat Cybercrime

Header wherearewenow v2 05
Header Tw Cyber Enforcement
Part one thirty six in the Series

Takeaways

Amid the COVID-19 pandemic, the United States has seen an acceleration of an already massive cybercrime wave. Daily reports of cybercrime to the FBI’s Internet Crime Complaint Center have nearly quadrupled since the pandemic began, to roughly 4,000 reports per day. Unfortunately, even before this crisis began, the enforcement rates for these crimes are low – for every 1,000 reported cyber incidents, only three arrests of the perpetrators occur.

In the fall of 2018, the White House released the “National Cyber Strategy of the United States,” which detailed how the Administration would create or update policies for combating cybercrime. While no implementation plan for this Strategy was ever published, Third Way conducted an analysis of publicly available information of the Administration’s actions and budgetary allocations since the strategy’s release to examine their cybercrime enforcement efforts.

The key takeaways of this analysis include:

● The Administration has taken a whole-of-nation and international approach to cybercrime enforcement with federal agencies performing at least 20 policy actions.

● These activities focus on improving domestic and international law enforcement's ability to arrest and charge criminals, strengthening international cooperation, and enhancing domestic partners’ capacities to handle cybercrime incidents.

● Despite these activities, budgets for federal agencies with cybercrime enforcement missions have not increased, and at times diminished, commensurate with the threat and priorities.

● Metrics are lacking to evaluate the effectiveness of these activities in mitigating cybercrime.

Based on this analysis, Third Way developed questions to help Members of Congress inquire about the sustainability and effectiveness of these policies. 

1. The Federal Government has taken a whole-of-nation and international approach to combat the rising cybercrime wave.

For the past two years, the US government has taken a whole-of-nation and international approach to fighting the cybercrime wave, which has increased due to the COVID-19 pandemic. The Internet Crime Complaint Center (IC3) has seen an uptick of 400% complaints a day, totaling nearly 4,000, since the pandemic began.1 Google similarly reported seeing 18 million daily malicious emails and malware related to COVID-19 in just one week in April 2020.2 As a result, the US Secret Service testified that $30 billion could be lost to cybercriminals who are taking advantage of COVID-19 stimulus programs.3 However, the perpetrators behind these crimes go largely unpunished with only three in 1,000 cases seeing an arrest, according to Third Way analysis.

Based on publicly available information, five US government entities—the Department of Homeland Security (DHS), Department of Justice (DOJ), Department of State, Federal Bureau of Investigation (FBI), and US Secret Service (USSS)—conducted at least 20 policy actions to reduce cybercrime since 2018 (excluding sanctions and indictments).4 Sanctions and indictments were not included in order to focus on the efforts that facilitate those activities to occur. These actions include establishing international norms and standards, conducting international capacity building efforts, and hosting gatherings to improve relationships with various partners, among other activities.5  The FBI, for example, held a “Ransomware Summit” in September 2019 with cyber insurance companies, private sector companies, and others to gain a better understanding of their needs. And in light of the COVID-19 pandemic, Attorney General Barr issued a memo to all US Attorneys to “prioritize the detection, investigation, and prosecution of all criminal conduct related to the pandemic.”6  More information and a full list of these policy actions can be found in the Appendix.

Most of these actions were presumably driven by the White House’s “National Cyber Strategy,” which was released in 2018 and outlined five priority actions to reduce cybercrime.7 The Strategy charges the National Security Council (NSC) to coordinate with departments, agencies, and the Office of Management and Budget on “an appropriate resource plan” for implementing the strategy but does not detail  specific budget numbers to fund these actions. It also directs federal departments and agencies to use the strategy for “execut[ing] their missions.”8 However, an implementation plan, which usually accompanies federal strategies and critical to understanding which government entities are responsible for implementing specific actions by set dates, has not been released.9

This diagram illustrates the five priority actions that the National Cyber Strategy identified to achieve their cybercrime enforcement goal and the actors involved to implement those actions.

Image Alt Text

2. The Administration is focused on improving domestic and international law enforcement’s ability to arrest and charge criminals, strengthening international cooperation, and enhancing domestic partners’ capacities to handle cybercrime incidents.

Cybercrime is a borderless threat that often involves the cooperation of law enforcement and diplomats in several different countries to bring perpetrators to justice. The five federal entities that engaged in cybercrime-enforcement actions recognized this and focused on reducing threats from transnational criminal organizations (TCOs), improving apprehension of criminals abroad, and strengthening partner nations’ law enforcement capacity and cooperation.10 These objectives are intrinsically linked together and cannot succeed without the success of the other. Because malicious cyber actors are often not located in the United States, the US government cannot apprehend criminals without international partners who have the means to identify and arrest a suspect. Likewise, the threat from cybercrime cannot be reduced unless the United States and cooperative governments have the capability and capacity to impose consequences on the perpetrators. Consequently, the government’s ability to fulfill these objectives require interagency and international collaboration, which were the primary audiences who benefited from these actions. As a result, the State Department has entered into bilateral agreements with partner nations, issued condemnations and warnings to nation-states where cybercrime emanates, and engaged in international bodies to advance policies to deter cybercriminals.

In addition to international engagement, DOJ, FBI, DHS, and USSS worked with state, local, and private partners to improve cybercrime incident reporting and response. Public-private partnership is particularly imperative because cybercriminals use private-sector networks and infrastructure to commit crime, which is then often used against private companies. In fact, one success during the COVID-19 pandemic has been federal law enforcement agencies strengthening and expanding relationships with companies to remove (or takedown) hundreds of malicious websites (or domains).11 Similarly, federal agencies have created new task forces with Connecticut, Delaware, Virginia, and West Virginia to investigate and prosecute cybercrime related to the pandemic.12 However, whether these partnerships will become institutionalized post-pandemic or dissolved remains to be seen. Unfortunately, sustaining long term public-private partnerships may be hampered due to the Justice Department aggressively pushing for weaker encryption standards and other odious actions taken by the Trump Administration that private companies disagree with.13

3. Budgets for federal agencies with cyber enforcement missions have not increased, and at times diminished, commensurate with the threat and their priorities.

Despite these promising actions, the Trump Administration has not increased funding commensurate with the growing rate of cybercrime for the key entities with cybercrime enforcement missions. This then raises questions on the long-term sustainability of these efforts. In some cases, the Administration has attempted to cut or defund programs focused on cybercrime, but Congress has pushed back on some of these reductions during the annual appropriations process.

For example, although the National Cyber Strategy identified international capacity building as a primary objective, the White House proposed in its budget to reduce the State Department’s International Narcotics and Law Enforcement Bureau’s global capacity building programming for cybercrime and intellectual property rights from $10 million to $5 million, the past three years.14 Congress rejected these cuts and has thus far appropriated the full $10 million. Nonetheless, this $10 million pales in comparison to the $86 million in capacity building funding for countering terrorism and violent extremism included in the Fiscal Year (FY) 2020 budget.15

The Administration also defunded training opportunities for state and local law enforcement—a primary goal for DHS—in its FY 2020 and FY 2021 Congressional Budget Justification.16 The Administration recommended cutting the National Computer Funding Institute (NCFI), which offers training courses to state and local law enforcement, prosecutors, and judges, from $30 million to $4 million for FY 2021.17 This reduction is alarming because the NCFI is estimated to need $35 million to operate at full capacity.18 Similarly, the FBI’s National Domestic Communications Assistance Center (NDCAC), which offers various technical and training assistance to state and locals on digital evidence, had a proposed decrease of 11% in FY 2020. Over the past eight years, the NDCAC budget has decreased 25% while the FBI’s total budget has increased roughly 16% in that same time.19

Without proper resources to keep up with the increasing cybercrime threat, the entities tasked with implementing the Administration’s cyber strategy will be stretched thin and hindered in making these efforts as effective and sustainable as possible.

4. Metrics are lacking to assess the effectiveness of these actions in reducing cybercrime.

Quantitative metrics are unavailable to assess whether any of these actions are reducing cybercrime. The National Cyber Strategy does not detail, for example, any framework for monitoring and evaluating the impact of its proposed actions or call for any implementing entities to develop such frameworks. These metrics are essential for evaluating how many law enforcement personnel need to be trained to improve response efforts, the impact of indictments and apprehensions on deterring criminals, and the percentage increase in international capacity-building efforts needed to combat cybercrime.20 While these national strategies tend to be broad and non-prescriptive, they are often accompanied with strategic implementation plans that detail these types of metrics and how they should be achieved.21 No such implementation plan has been released for this strategy. Further, whether someone is regularly assessing and coordinating the Administration’s policy actions is unclear. The recent US Cyberspace Solarium Commission’s report highlighted this challenge and noted the need for a National Cyber Director in the White House to coordinate cybersecurity strategy throughout the executive branch.22

Federal agencies and departments’ strategies also lack metrics to assess their progress. The State Department’s strategy does not include quantitative or qualitative metrics to assess how well it is building international cooperation and capacity, which is one of their key goals.23 As a result, bipartisan congressional leaders have called for further clarity on what metrics are being used.24 DOJ, on the other hand, views success as 90% of cybercrime cases going “favorably,” and DHS wants “.5” law enforcement personnel trained.25 However, not all indictments are public, making it difficult for the public to know if they are achieving their goal. The DHS metric, too, was obscure in what “.5” meant and lacks context in how many law enforcement personnel are needed to reduce the cybercrime enforcement gap. Further, US law enforcement faces tremendous gaps in capturing the totality of cybercrime incidents and reporting the enforcement actions taken against the perpetrators. Numerous national commissions have called on the US government to address this core challenge.26

As a result of these gaps, adequately measuring the United States’ progress in reducing cybercrime and bringing cybercriminals to justice remains a challenge.

5. Questions for Congress and Conclusion

While the Administration has taken several policy actions to combat cybercrime, questions remain about their long-term institutionalization, sustainability, and effectiveness.  Members of Congress should consider these concerns and raise the following questions when conducting hearings, drafting legislation, and considering appropriations for the relevant US government entities:

  1. When will the White House release an implementation plan for its national cyber strategy?
  2. How much is the federal government spending on cybercrime enforcement overall and do the key agencies and departments believe they have enough resources and personnel to meet the strategic objectives set in the White House strategy?
  3. What changes must be instituted to establish better metrics to measure the rate of cybercrime and evaluate the impact of efforts aimed at reducing it and holding accountable the perpetrators? In the absence of success metrics, what impact does the Administration believe its efforts have had in reducing cybercrime?
  4. Who is coordinating the various cybercrime enforcement policy actions across the federal government to ensure we are being as effective and efficient as possible?
  5. What will happen with the various cybercrime initiatives established or expanded during the COVID-19 crisis after the pandemic subsides? How do we ensure that the lessons learned during this crisis to educate the public about and impose consequences on the perpetrators of cybercrime are carried forward for future crises?

The Administration has undertaken a number of policy actions to advance its commitments in its 2018 National Cyber Strategy related to cybercrime. Yet, areas exist that require increased congressional scrutiny to better understand how implementation is moving forward and the overall impact of these efforts. By raising these questions, Congress can begin to shed light on the issues that may need further attention when appropriating funds and drafting legislation, and ultimately helping to ensure cybercriminals do not operate without retribution.

Topics
  • Cybersecurity57

Endnotes

  1. Tucker, Eric and Christina A. Cassidy. “FBI official: Number of coronavirus cyber complaints on rise.” AP News, 21 Apr. 2020, https://apnews.com/dadffbc0337943a08a82f8d57d340795. Accessed 6 May 2020.

  2. Kumaran, Neil and Sam Lugani. “Protecting businesses against cyber threats during COVID-19 and beyond.” Google Cloud, Google, 16 Apr. 2020, https://cloud.google.com/blog/products/identity-security/protecting-against-cyber-threats-during-covid-19-and-beyond. Accessed 8 May 2020.

  3. Miller, Maggie. “Senior official estimates $30 billion in stimulus funds will be stolen through coronavirus scams.” The Hill. June 9th, 2020. https://thehill.com/policy/cybersecurity/501936-senior-official-estimates-30-billion-in-stimulus-funds-will-be-stolen?utm_campaign=wp_the_cybersecurity_202&utm_medium=email&utm_source=newsletter&wpisrc=nl_cybersecurity202. Accessed 10 June 2020.   

  4. The agencies and departments listed are only those that we found to implement policy actions and is not a holistic list of federal entities with cybercrime enforcement missions. For more information on federal agencies and departments with cybercrime enforcement missions, please see Gaskew, Brandon. “Reader’s Guide to Understanding the US Cyber Enforcement Architecture and Budget.” Third Way, February 21, 2019

  5. Congressional actions, such as the CLOUD Act, and indictments were not included in this analysis.

  6. Lyngaas, Sean. “Inside the FBI’s quiet ‘ransomware summit’.” CyberScoop, Scoop News Group, 6 Nov. 2019, https://www.cyberscoop.com/fbi-ransomware-summit/. Accessed 11 May 2019; William Barr. “COVID-19 - Department of Justice Priorities.” United States Office of the Attorney General, 16 Mar. 2020, http://www.documentcloud.org/documents/6811684-Bill-Barr-DOJ-Priorities-Coronavirus-Scams.html. Accessed 11 May 2020.  

  7. The United States White House. “National Cyber Strategy of the United States of America.” Nov 2018, pp. 5, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf. Accessed 11 May 2020.

  8. The United States White House. “National Cyber Strategy of the United States of America.” Nov 2018, pp. 3, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf. Accessed 11 May 2020.

  9. An example of a strategic implementation plan is the “2011 Strategic Implementation Plan for Empowering Local Partners to Prevent Violent Extremism in the United States.” Obama White House. “2011 Strategic Implementation Plan for Empowering Local Partners to Prevent Violent Extremism in the United States.” December 11, 2011 https://obamawhitehouse.archives.gov/sites/default/files/sip-final.pdf Accessed May 12, 2020.

  10. These categories align with the White House National Cyber Strategy’s priority actions.

  11. “Department of Justice Announces Disruption of Hundreds of Online COVID-19 Related Scams.” Press Release, United States Department of Justice, Office of Public Affairs, 22 Apr. 2020, https://www.justice.gov/opa/pr/department-justice-announces-disruption-hundreds-online-covid-19-related-scams. Accessed 11 May 2020.

  12. “Connecticut Announces Joint Federal-State COVID-19 Fraud Task Force.” Press Release, United States Department of Justice, U.S. Attorney’s Office, District of Columbia, 6 May 2020, https://www.justice.gov/usao-ct/pr/connecticut-announces-joint-federal-state-covid-19-fraud-task-force. Accessed 11 May 2020; “Top Federal and State Prosecutors Form Delaware COVID-19 Anti-Fraud Coalition.” Press Release, United States Department of Justice, U.S. Attorney’s Office, District of Delaware, 24 Apr 2020, https://www.justice.gov/usao-de/pr/top-federal-and-state-prosecutors-form-delaware-covid-19-anti-fraud-coalition. Accessed 11 May 2020; “Federal and State Officials Launch Virginia Coronavirus Fraud Task Force.” Press Release, United States Department of Justice, U.S. Attorney’s Office, Western District of Virginia, 20 Mar. 2020, https://www.justice.gov/usao-wdva/pr/federal-and-state-officials-launch-virginia-coronavirus-fraud-task-force. Accessed 11 May 2020; “Federal and State Officials Launch West Virginia Coronavirus Fraud Task Force.” Press Release, United States Department of Justice, U.S. Attorney’s Office, Northern District of West Virginia, 31 Mar. 2020, https://www.justice.gov/usao-ndwv/pr/federal-and-state-officials-launch-west-virginia-coronavirus-fraud-task-force. Accessed 11 May 2020.

  13. Geller, Eric. “‘Apple has to help us’ - Trump, Barr turn up heat on encryption fight.” Politico, Jan 22, 2020, https://www.politico.com/news/2020/01/22/apple-has-to-help-us-trump-barr-turn-up-heat-on-encryption-fight-102410. Accessed 21 May 2020;  Sacchetti, Maria. “‘Kids in cages’: House hearing examines immigration detention as Democrats push for more information.” The Washington Post, 10 July 2019,  https://www.washingtonpost.com/immigration/kids-in-cages-house-hearing-to-examine-immigration-detention-as-democrats-push-for-more-information/2019/07/10/3cc53006-a28f-11e9-b732-41a79c2551bf_story.html. Accessed 11 May 2020.

  14. Peters, Allison and Amy Jordan. “Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime.”  Journal of National Security Law and Policy, 13 Feb. 2020, https://jnslp.com/wp-content/uploads/2020/02/Countering_the_Cyber_Enforcement_Gap.pdf. Accessed 11 May 2020; Hindocha, Anisha. “2020 Reader’s Guide to Understanding the US Cyber Enforcement Architecture and Budget. Third Way, Third Way, 26 Mar. 2020, https://www.thirdway.org/report/2020-readers-guide-to-understanding-the-us-cyber-enforcement-architecture-and-budget. Accessed 11 May 2020.

  15. Peters, Allison and Amy Jordan. “Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime.”  Journal of National Security Law and Policy, 13 Feb. 2020, https://jnslp.com/wp-content/uploads/2020/02/Countering_the_Cyber_Enforcement_Gap.pdf. Accessed 11 May 2020.

  16. United States Department of Homeland Security. “The DHS Strategic Plan Fiscal Years 2020 - 2024.” Pp. 69, https://www.dhs.gov/sites/default/files/publications/19_0702_plcy_dhs-strategic-plan-fy20-24.pdf. Accessed 11 May 2020. 

  17. Hindocha, Anisha. “2020 Reader’s Guide to Understanding the US Cyber Enforcement Architecture and Budget. Third Way, Third Way, 26 Mar. 2020, https://www.thirdway.org/report/2020-readers-guide-to-understanding-the-us-cyber-enforcement-architecture-and-budget. Accessed 11 May 2020.

  18. Carter, William A, and Jennifer C Daskal. “Low-Hanging Fruit: Evidence-Based Solutions to the Digital Evidence Challenge.” Center for Strategic and International Studies, July 2018, pp. 14-15. csis-prod.s3.amazonaws.com/s3fs-public/publication/180725_Carter_DigitalEvidence.pdf?tAGR_DvxRdp0RspiGYNGcGKTUjrGY3rN. Accessed 12 May 2020.

  19. The National Domestic Communications Center Executive Advisory Board. “Report to the Attorney General.” National Domestic Communications Assistance Center, Federal Bureau of Investigation, July 2019, https://ndcac.fbi.gov/file-repository/second-report-to-ag-20190716.pdf/view. Accessed 11 May 2020.

  20. These four examples of metrics align with four of the five the National Cyber Strategy’s priority actions.

  21. An example of a strategic implementation plan is the “2011 Strategic Implementation Plan for Empowering Local Partners to Prevent Violent Extremism in the United States.” Obama White House. “2011 Strategic Implementation Plan for Empowering Local Partners to Prevent Violent Extremism in the United States.” December 11, 2011 https://obamawhitehouse.archives.gov/sites/default/files/sip-final.pdf Accessed May 12, 2020.

  22. US Cyberspace Solarium Commission. “United States Cyberspace Solarium Commission Report.”  US Cyberspace Solarium Commission, March 2020. https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view Accessed May 11, 2020.

  23. United States Department of State, United States Agency for International Development. “Joint Strategic Plan FY 2018 - 2022.” Feb 2018. https://www.state.gov/wp-content/uploads/2018/12/Joint-Strategic-Plan-FY-2018-2022.pdf. Accessed 11 May 2020.

  24. Engel, Eliot L. and Michael T. McCaul. “Letter to GAO about capacity building efforts request.” 18 Jun. 2019, United States House of Representatives Committee on Foreign Affairs. https://foreignaffairs.house.gov/_cache/files/a/9/a969e79e-450a-4539-a775-bc5e142d7cc4/E1AECFDABCB820F5611621130CA47D9F.ele-mccaul-to-dodaro-gao-request-cyber-resilience-6-18-2019.pdf. Accessed 21 May 2020.

  25. United States Department of Justice. “DOJ Strategic Plan for Fiscal Years 2018 - 2022.” Feb. 2018, pp. 28, https://www.justice.gov/jmd/page/file/1071066/download. Accessed 11 May 2020; United States Department of Homeland Security. “The DHS Strategic Plan Fiscal Years 2020 - 2024.” Pp. 69, https://www.dhs.gov/sites/default/files/publications/19_0702_plcy_dhs-strategic-plan-fy20-24.pdf. Accessed 11 May 2020.  

  26. Mehta, Ishan. “The Need for Better Metrics on Cybercrime.” Third Way, Third Way, 1 Oct. 2019, pp. 5. http://thirdway.imgix.net/pdfs/the-need-for-better-metrics-on-cybercrime.pdf. Accessed 21 May. 2020.