[Congressional Record Volume 168, Number 54 (Monday, March 28, 2022)]
[House]
[Pages H3868-H3875]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
BETTER CYBERCRIME METRICS ACT
Ms. JACKSON LEE. Mr. Speaker, I move to suspend the rules and pass
the bill (S. 2629) to establish cybercrime reporting mechanisms, and
for other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
S. 2629
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Better Cybercrime Metrics
Act''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) Public polling indicates that cybercrime could be the
most common crime in the United States.
(2) The United States lacks comprehensive cybercrime data
and monitoring, leaving the country less prepared to combat
cybercrime that threatens national and economic security.
(3) In addition to existing cybercrime vulnerabilities, the
people of the United
[[Page H3869]]
States and the United States have faced a heightened risk of
cybercrime during the COVID-19 pandemic.
(4) Subsection (c) of the Uniform Federal Crime Reporting
Act of 1988 (34 U.S.C. 41303(c)) requires the Attorney
General to ``acquire, collect, classify, and preserve
national data on Federal criminal offenses as part of the
Uniform Crime Reports'' and requires all Federal departments
and agencies that investigate criminal activity to ``report
details about crime within their respective jurisdiction to
the Attorney General in a uniform matter and on a form
prescribed by the Attorney General''.
SEC. 3. CYBERCRIME TAXONOMY.
(a) In General.--Not later than 90 days after the date of
enactment of this Act, the Attorney General shall seek to
enter into an agreement with the National Academy of Sciences
to develop a taxonomy for the purpose of categorizing
different types of cybercrime and cyber-enabled crime faced
by individuals and businesses.
(b) Development.--In developing the taxonomy under
subsection (a), the National Academy of Sciences shall--
(1) ensure the taxonomy is useful for the Federal Bureau of
Investigation to classify cybercrime in the National
Incident-Based Reporting System, or any successor system;
(2) consult relevant stakeholders, including--
(A) the Cybersecurity and Infrastructure Security Agency of
the Department of Homeland Security;
(B) Federal, State, and local law enforcement agencies;
(C) criminologists and academics;
(D) cybercrime experts; and
(E) business leaders; and
(3) take into consideration relevant taxonomies developed
by non-governmental organizations, international
organizations, academies, or other entities.
(c) Report.--Not later than 1 year after the date on which
the Attorney General enters into an agreement under
subsection (a), the National Academy of Sciences shall submit
to the appropriate committees of Congress a report detailing
and summarizing--
(1) the taxonomy developed under subsection (a); and
(2) any findings from the process of developing the
taxonomy under subsection (a).
(d) Authorization of Appropriations.--There are authorized
to be appropriated to carry out this section $1,000,000.
SEC. 4. CYBERCRIME REPORTING.
(a) In General.--Not later than 2 years after the date of
enactment of this Act, the Attorney General shall establish a
category in the National Incident-Based Reporting System, or
any successor system, for the collection of cybercrime and
cyber-enabled crime reports from Federal, State, and local
officials.
(b) Recommendations.--In establishing the category required
under subsection (a), the Attorney General shall, as
appropriate, incorporate recommendations from the taxonomy
developed under section 3(a).
SEC. 5. NATIONAL CRIME VICTIMIZATION SURVEY.
(a) In General.--Not later than 540 days after the date of
enactment of this Act, the Director of the Bureau of Justice
Statistics, in coordination with the Director of the Bureau
of the Census, shall include questions relating to cybercrime
victimization in the National Crime Victimization Survey.
(b) Authorization of Appropriations.--There are authorized
to be appropriated to carry out this section $2,000,000.
SEC. 6. GAO STUDY ON CYBERCRIME METRICS.
Not later than 180 days after the date of enactment of this
Act, the Comptroller General of the United States shall
submit to Congress a report that assesses--
(1) the effectiveness of reporting mechanisms for
cybercrime and cyber-enabled crime in the United States; and
(2) disparities in reporting data between--
(A) data relating to cybercrime and cyber-enabled crime;
and
(B) other types of crime data.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
Texas (Ms. Jackson Lee) and the gentleman from Oregon (Mr. Bentz) each
will control 20 minutes.
The Chair recognizes the gentlewoman from Texas.
General Leave
Ms. JACKSON LEE. Mr. Speaker, I ask unanimous consent that all
Members have 5 legislative days to revise and extend their remarks and
include extraneous materials on S. 2629.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from Texas?
There was no objection.
Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, I rise in support of S. 2629, the Better Cybercrime
Metrics Act. This legislation improves our understanding and tracking
of cybercrime so that we can do more to prevent it.
A 2018 Gallup Poll found that 1 in 4 Americans had been a victim of
cybercrime. And I might say that it has exponentially grown during the
pandemic. From stolen financial information, to system-wide shutdowns,
to ransomware attacks, these crimes harm our families, our businesses,
and our government.
The Council of Economic Advisers estimates that malicious cyber
activities cost our economy as much as $109 billion in 2016, and
experts believe these costs are growing. The COVID-19 pandemic has
increased opportunities for cybercrime with increases in remote work
and the time people are spending online. Hackers also took advantage of
our recovery efforts, stealing identities to file fake unemployment
claims or fraudulent loan applications. And again, in the midst of
other innocent Americans not being able to secure those dollars, and
not being able to secure unemployment claims because of the fake
process that clouded this system.
Many of the victims of these scams only learned that they were
attacked when they went to file genuine claims and were told had
already been submitted using their names or businesses.
Sadly, cybercriminals often target older Americans. In 2020, people
over 60 accounted for the most complaints of any age group as collected
by the FBI Internet Crime Complaint Center. People over 60 also had the
greatest losses, with over $966 billion lost to cybercrime in 2020.
We must do more to protect Americans from cybercrime, and that starts
with a better understanding of what it is and how it occurs. The Better
Cybercrime Metrics Act will gather experts in law enforcement,
business, and technology to create a taxonomy of cybercrime so we can
define it and classify it in a uniform way.
This legislation also adds cybercrime to two important law
enforcement tools used to track crimes: The National Incident-Based
Reporting System and the National Crime Victimization Survey. Together,
these provisions will ensure that law enforcement has a complete
picture of when and where cybercrime occurs and who is harmed by it.
Finally, this bill directs the Government Accountability Office to
conduct a study on reporting mechanisms for cybercrime and the
disparities in cybercrime data relative to other types of crime data.
Together, this legislation will put in place the tools to clearly
define and classify cybercrime, to track cybercrime, and to better
understand this serious threat.
Mr. Speaker, it is a very serious threat. And in addition to the
monetary damages, people have been personally and psychologically
impacted by losses, by lack of employability, by being rejected, for
some of these claims having to be delayed when the individual who needs
it is desperate and experiencing a desperate economic condition, to
find that they have been, in essence, gamed by a cybercriminal. We must
stop this.
And as I said earlier, one of the most vulnerable populations are
individuals over 60. And really when you find those in their seventies,
eighties, nineties, who have lived their lives, supported this Nation,
and become victims of cybercrime, it is something that compels you to
really want to stop this threat.
I commend Senators Brian Schatz and Thom Tillis for their work on
this bipartisan legislation. I also thank Representative Abigail
Spanberger for her leadership on the House companion to this bill. I
was proud to stand with her in introducing the House companion, along
with our Republican colleagues, Representative Blake Moore and
Representative Andrew Garbarino.
We must give law enforcement the tools to keep pace with new
technology and to get a step ahead of the threats faced by our ever-
evolving world. This bill takes an important step in that effort, and I
urge my colleagues to support it.
Mr. Speaker, I reserve the balance of my time.
[[Page H3870]]
Memorandum Excerpt
To: Members of the House Judiciary Committee
From: The Honorable Jerrold Nadler, Chairman, Committee on
the Judiciary
Re: Markup of H.R. 4977, the ``Better Cybercrime Metrics
Act''; H.R. 55, the ``Emmett Till Antilynching Act'';
H.R. 5338, the ``Radiation Exposure Compensation Act
Amendments of 2021''; and H.R. 5796, the ``Patents for
Humanity Act of 2021''
Date: Tuesday, December 7, 2021
On Wednesday, December 8, 2021 at 10:00 a.m. in 2141
Rayburn House Office Building, the House Judiciary Committee
will mark up the following measures: H.R. 3359, the
``Homicide Victims' Families' Rights Act of 2021''; H.R.
4977, the ``Better Cybercrime Metrics Act''; H.R. 55, the
``Emmett Till Antilynching Act''; H.R. 5338, the ``Radiation
Exposure Compensation Act Amendments of 2021''; and H.R.
5796, the ``Patents for Humanity Act of 2021''.
II. H.R. 4977, the ``Better Cybercrime Metrics Act''
H.R. 4977, the ``Better Cybercrime Metrics Act'' would
improve the U.S. government's understanding, measurement, and
tracking of cybercrime. The bill would direct the Department
of Justice to work with the National Academy of Sciences, in
consultation with relevant stakeholders, to develop a
taxonomy of cybercrime that could be used by law enforcement
to ensure that the National Incident-Based Reporting System
(NIBRS), or any successor system, include cybercrime reports
from federal, state, and local officials. It also directs the
Bureau of Justice Statistics to include questions relating to
cybercrime in the National Crime Victimization Survey. The
bill also directs the Government Accountability Office (GAO)
to report on the effectiveness of current cybercrime
reporting mechanisms and highlight disparities in reporting
data between cybercrime data and other types of crime data.
This bipartisan bill was introduced on August 6, 2021 by
Representative Abigail Spanberger (D-VA) and currently has 18
cosponsors. An identical Senate companion, S. 2629 (Schatz-
HI, Tillis-NC, Cornyn-TX, Durbin-IL), was marked up by the
Senate Judiciary Committee on November 18 and favorably
reported on a unanimous voice vote. The Chairman will offer
an amendment in the nature of a substitute to H.R. 4977.
A. General Background
Cybercrime continues to be a significant threat to
businesses, governments, and individual Americans. Cybercrime
includes a broad range of conduct including phishing,
ransomware, identity theft, and data breaches.\1\ A recent
survey found one in five Americans have been victims of
ransomware.\2\ The COVID-19 pandemic created new
opportunities for cybercrime, including COVID-related
phishing and malware, with 35.9% of the world's COVID-19
cyber threats occurring in the United States.\3\ Cyber
attackers mainly rely on phishing attacks, which is the most
common attack as measured by the number of victims.\4\
Attackers also use online tools for extortion, data breaches,
identity theft, extracting ransoms, email compromise schemes,
impersonating charities and government actors, and other
schemes.\5\ Researchers attribute the rise in attacks to the
increase in remote work and the lower security protections at
one's home compared to an office.\6\
Cybercrime is costly and harms individuals, government
entities, and businesses across a broad range of industries.
The average data breach in 2020 cost companies $3.83 million
dollars.\7\ Email compromise schemes, in which email accounts
are compromised to conduct unauthorized transfers of funds,
accounted for over $1.8 billion in losses in 2020.\8\ In the
first six months of 2021, six ransomware organizations hacked
292 organizations and stole $45 million dollars.\9\
Organizations that experienced cybercrime this year include
the Colonial Pipeline, the Steamship Authority of
Massachusetts, JBS Foods, and the Washington D.C.
Metropolitan Police Department.\10\ As shown by the gas
shortage due to the Colonial Pipeline breach, these attacks
can shut down critical infrastructure, create shortages,
increase the cost of goods and services, and cost
organizations money from both operational shutdowns and
paying ransoms to hackers.\11\ Likewise, the December 2020,
SolarWinds attack targeted SolarWinds' 300,000 customers and
endangered the cybersecurity of many federal government
agencies, including the Department of Defense, as well as 425
of the U.S. Fortune 500 companies.\12\ Cybercrime harms
businesses across all industries, but it had a particular
effect on companies responding to the COVID-19 pandemic by
disrupting COVID-19 supply chains and the government's
efforts to address the spreading virus.\13\
Bad actors gravitate to cyber-attacks because of the
anonymity the internet provides and the low chances of
getting caught. The detection and prosecution rate of cyber
criminals in the United States is .05%.\14\ Given the
difficulty in tracing and prosecuting these crimes, it is
important to further study and track them so that we can work
to prevent cybercrime. H.R. 4977, the Better Cybercrime
Metrics Act will provide law enforcement with the tools to
uniformly classify and track cybercrime, furthering the
government's understanding of this serious problem and
building the foundation for improved cybercrime prevention
efforts.
B. Section-by-Section Analysis for the Amendment in the Nature of a
Substitute
Section 1. Short Title. Section 1 sets forth the short
title of the bill as the ``Better Cybercrime Metrics Act.''
Section 2. Cybercrime Taxonomy. Section 2 requires, within
90 days of the passage of the Act, the DOJ and the National
Academy of Sciences to develop a taxonomy that can be used by
law enforcement to categorize and track cybercrime, and
requires that the taxonomy be presented to Congress. The bill
authorizes $1,000,000 to carry out this section.
Section 3. Cybercrime Reporting. Section 3 requires, not
later than 2 years after the passage of the Act, the DOJ to
establish a category in the National Incident-Based Reporting
System to enable the collection of cybercrime and cyber-
enabled crime reports from Federal, State, and local
officials, incorporating the taxonomy developed under Section
2 as appropriate.
Section 4. National Crime Victimization Survey. Section 4
requires cybercrime to be added to the National Crime
Victimization Survey. The bill authorizes $2,000,000 to carry
out this section.
Section 5. GAO Study on Cybercrime Metrics. Section 5
directs the GAO to do a study on the current reporting
mechanisms of cybercrime and the disparities in data between
(A) data relating to cybercrime and cyber-enabled crime; and
(B) other types of crime data.
Endnotes
\1\ Fed. Bureau of Investigation, Internet Crime Complaint
Ctr., Internet Crime Report 2020 19 (2021) https://
www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.
\2\ Joe Franscella, Anomali Harris Poll: Ransomware Hits 1
in 5 Americans, Anomali (Aug. 16, 2019), https://
www.anomali.com/blog/anomali-harris-poll-ransomware-hits-1-
in-5.
\3\ Trend Micro Research, Attacks from All Angles: 2021
Midyear Cybersecurity Report 23 (2021) https://
documents.trendmicro.com/assets/rpt/rpt-attacks-from-all-
angles.pdf.
\4\ Fed. Bureau of Investigation, Internet Crime Complaint
Ctr., Internet Crime Report 2020 6 (2021) https://
www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.
\5\ Id. at 19.
\6\ The 10 Biggest Ransomware Attacks of 2021, Touro
College Illinois (Nov. 12, 2021). https://illinois.touro.edu/
news/the-10-biggest-ransomware-attacks-of-2021.php.
\7\ Ken Brisco, Cost of a Data Breach: Behind the Numbers
of a Cvbersecurity Response Plan, Secureworks (Jul. 27,
2021), https://www.secureworks.com/blog/data-breach-response-
planning-cyber-threat-intelligence.
\8\ Fed. Bureau of Investigation, Internet Crime Complaint
Ctr., Internet Crime Report 2020 10 (2021) https://
www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.
\9\ Six Ransomware Gangs Claim 290+ New Victims in 2021,
Potentially Reaping $45 Million for the Hackers, eSentire.
https://www.esentire.com/resources/library/six-ransomware-
gangs-claim-290-new-victims-in-2021-potentially-reaping-45-
million-for-the-hackers (last visited Dec. 3. 2021).
\10\ The 10 Biggest Ransomware Attacks of 2021, Touro
College Illinois (Nov. 12, 2021), https://illinois.touro.edu/
news/the-10-biggest-ransomware-attacks-of-2021.php.
\11\ Id.
\12\ Jake Williams, What You Need to Know About the
SolarWinds Supply-Chain Attack, SANS Institute (Dec. 15,
2020) https://www.sans.org/blog/what-you-need-to-know-about-
the-solarwinds-supply-chain-attack.
\13\ Jackie Drees, Cyberattacks on COVID-19 vaccine supply
chain much larger than initially thought, IBM says, Becker's
Hospital Review (Apr. 30, 2021) https://
www.beckershospitalreview.com/cybersecurity/cyberattacks-on-
covid-19-vaccine-supply-chain-much-larger-than-initially-
thought-ibm-savs.html.
\14\ Mieke Eoyang, Alison Peters, Ishan Mehta, Brandon
Gaskew, To Catch a Hacker: Toward a comprehensive strategy to
identify, pursue, and punish malicious cyber actors, Third
Way (Dec. 3, 2021) https://www.thirdway.org/report/to-catch-
a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-
and-punish-malicious-cyber-actors.
Mr. BENTZ. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, American businesses and American citizens face a growing
number of cybercrimes. Cybercrime is a particularly complicated form of
criminal conduct and one that costs Americans billions of dollars a
year in theft.
This bill would require the Attorney General to enter into an
agreement with the National Academy of Sciences to develop a method for
categorizing different types of cybercrime. The Attorney General would
also establish a cybercrime category in the National Incident-Based
Reporting System so that States can better report cybercrime data to
the Federal Government.
The bill would also require the Bureau of Justice Statistics to
include cybercrime victimization questions in the National Crime
Victimization Survey. There is no question that we must do more to
bring cybercriminals to justice.
[[Page H3871]]
In August of 2021, the Biden administration released a notorious
Russian cybercriminal early from Federal custody. The individual is
described as, ``one of the most connected and skilled malicious hackers
ever apprehended by the U.S. authorities.'' And for unknown reasons,
the administration let him out of Federal prison early and shipped him
back to Moscow.
We have asked the Biden administration's Justice Department for more
information about this early release of this cybercriminal, but we have
received nothing as of yet. Similarly, we don't have enough information
to determine whether this legislation will bring more cybercriminals to
justice. We haven't heard from relevant stakeholders on these issues,
and we haven't held hearings with experts to determine whether this is
the right step at this time.
This bill would require GAO to submit a report to Congress that
assesses the effectiveness of reporting mechanisms for cybercrime and
disparities in reporting data between cybercrime and other types of
crime.
Why aren't we starting with that?
Why are we making changes to cybercrime reporting mechanisms before
the GAO can evaluate whether the existing reporting mechanisms are
effective?
It makes more sense for us to have hearings, evaluate GAO's findings,
and hear from experts. Then we can examine whether the other provisions
of this bill are necessary and appropriate.
In another instance of putting the cart before the horse, the
Committee on the Judiciary is scheduled to hear from Bryan A. Vorndran,
the assistant director of Cyber Division at the FBI tomorrow. Perhaps
we should have waited to see what he had to say before rushing this
legislation to the floor.
Mr. Speaker, I reserve the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I yield 5 minutes to the gentlewoman
from Virginia (Ms. Spanberger), who was astute enough to be able to
offer the companion bill, and I thank her for her leadership and career
leadership on these issues.
Ms. SPANBERGER. Mr. Speaker, I rise today in support of my Better
Cybercrime Metrics Act and its companion bill in the U.S. Senate, S.
2629. And I thank the gentlewoman from Texas (Ms. Jackson Lee) for that
introduction and for her support of this bill since the moment we
introduced it.
Mr. Speaker, our Nation is under constant attack from cybercriminals.
And with the range of new threats emanating from adversaries around the
world, including the Russian Federation, Congress has an obligation to
move legislation forward that can better protect the American people,
their data, their finances, and their personal information.
Over the last few years, we have seen massive rates of cybercrime.
Millions of Americans have had their personal data compromised, their
money stolen, their identity taken, or their safety put at serious
risk. In fact, cybercrime remains the most common crime in America, and
this trend was only exacerbated by the pandemic and the many fraudsters
looking to scam vulnerable Americans in a moment of crisis or make a
quick buck off of a global catastrophe.
Unfortunately, a vast majority of these crimes are not properly
reported or tracked by law enforcement. Far too often, they are not
measured or even documented. And to make matters worse, our government
lacks the preparedness required to fully address the next generation of
cybercrime and cyberattacks.
Our legislation would give law enforcement agencies the tools they
need to better track and identify cybercrime, prevent attacks, and hold
perpetrators accountable. Our bill would require Federal reporting on
the effectiveness of current cybercrime mechanisms.
And it would go one step further--it would also highlight disparities
in reporting data between cybercrime data and other types of crime
data. This is such an important step for strengthening our
understanding and our defenses against the phishing attempts,
extortion, identity theft, and ransomware attacks that are plaguing
everyday Americans in communities and across our country. Additionally,
our bill would make sure America's law enforcement is prepared for the
next generation of cyberattacks.
Mr. Speaker, I am a proud former Federal law enforcement officer, and
I understand that local and State police and sheriff's departments are
often strained for resources. And I know that their time is precious,
so I recognize the importance of having their backs and making sure
that we have as much information as possible about potential threats.
This legislation follows through on that commitment and it is why I
am glad to see it endorsed by several national organizations--including
the National Fraternal Order of Police, the National Association of
Police Organizations, the Major Cities Chiefs Association, and the
National White Collar Crime Center, which has a presence in Virginia's
Seventh District.
In fact, this legislation--bipartisan and bicameral--was partially
inspired by the attack on the Colonial pipeline last year, something
that impacted many communities across my district.
After thousands of Virginians, their gas tanks, and their wallets
were impacted by this disruptive ransomware attack, I was proud to
build a bipartisan coalition focused on improving America's efforts to
undercut hackers, protect critical infrastructure, and strengthen
existing cybercrime prevention efforts.
Mr. Speaker, I thank my colleagues in the U.S. House of
Representatives who joined this bipartisan coalition. I thank
Congressman Blake Moore, Congressman Andrew Garbarino, and
Congresswoman Sheila Jackson Lee for their partnership. Clearly, there
is still bipartisan consensus for cybersecurity reforms and
protections.
Mr. Speaker, I also thank our friends across the Capitol complex for
ushering the Senate version through the process. Thank you to Senators
Schatz, Tillis, Cornyn, and Blumenthal for your cooperation and
leadership on this important bicameral effort.
When our bipartisan bill passes the House tonight, it will head to
the President's desk to be signed into law. And with a stroke of a pen,
we will ensure that our national crime classification system can
properly identify cybercrimes and prevent future attacks.
Once our legislation is signed into law, we will be protecting more
families who bank online. We will be protecting more businesses who
manage their employees' payroll information over the internet. We will
be protecting more seniors who are using the internet to communicate
with their loved ones far away or rely on the internet to manage their
Federal benefits, such as Social Security.
Together, we will thwart cybercriminals. And together, we will
prevent more Americans from becoming targets or victims online.
Mr. BENTZ. Mr. Speaker, I reserve the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I am prepared to close, and I reserve
the balance of my time.
{time} 1700
Mr. BENTZ. Mr. Speaker, I urge my colleagues to oppose this bill, and
I yield back the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, let me just take an opportunity to thank Congresswoman
Spanberger for the knowledge she brings to this issue and to this
legislation. We have already said that this is not a harmless crime.
Mr. Speaker, I include in the Record Cybercrime predictions for 2022:
Deepfakes, cryptocurrencies, and misinformation, to further emphasize
the lack of the harmlessness that it is. It is harmful. One sentence
says it all: Fake news 2.0 and the return of misinformation campaigns.
They cite in particular COVID-19. I think all of us can attest to the
terrible damage that was done during the pandemic with the huge issues
of the question of COVID and the vaccination. Fake vaccine passport
certificates were on sale for $100 to $125, and the volume of
advertising groups and group sizes publishing sellers and multiplied
over and over again.
[From the Future, December 4, 2021]
Cybercrime Predictions for 2022: Deepfakes, Cryptocurrencies, and
Misinformation
(By Maya Horowitz)
While cybercriminals continue to leverage the impact of the
COVID-19 pandemic, they
[[Page H3872]]
will also find new opportunities to attack such as deepfakes,
cryptocurrency and mobile wallets.
In 2021, cyber criminals adapted their attack strategy to
exploit vaccination mandates, elections and the shift to
hybrid work, to target organizations' supply chains and
networks for them to achieve maximum disruption.
The sophistication and scale of cyberattacks will continue
to break records and we can expect a huge increase in the
number of ransomware and mobile attacks. Looking ahead,
organizations should remain aware of the risks and ensure
that they have the appropriate solutions in place to prevent
them without disrupting their normal business flow. To stay
ahead of threats, organizations must be proactive and leave
no part of their attack surface unprotected or unmonitored or
otherwise risk becoming the next victim of sophisticated,
targeted attacks.
Global cybercrime predictions for 2022
Fake news 2.0 and the return of misinformation campaigns
The claim of `fake news' surrounding contentious issues has
become a new attack vector over previous years without people
really understanding its full impact. Throughout 2021,
misinformation was spread about the COVID-19 pandemic and
vaccination information. The black market for fake vaccine
certificates expanded globally, now selling fakes from 29
countries. Fake `vaccine passport' certificates were on sale
for $100-120 and the volume of advertisement groups and group
sizes publishing sellers multiplied within the year. In 2022,
cyber groups will continue to leverage these types of fake
news campaigns to execute cybercrime through various phishing
attacks and scams.
In addition, prior to the 2020 US presidential election,
Check Point researchers spotted surges in malicious election-
related domains and the use of ``meme camouflage'' aimed at
shifting public opinion. In the run-up to the US midterm
elections in November 2022, we can expect to see these
activities in full effect and for misinformation campaigns to
return on social media.
Cyberattacks targeting supply chains
Supply chain attackers take advantage of a lack of
monitoring within an organization's environment. They can be
used to perform any type of cyberattack, such as data
breaches and malware infections.
The well known cybercrime--SolarWinds supply chain attack
stands out in 2021 due to its scale and influence, but other
sophisticated supply chain attacks have occurred such as
Codecov in April, and most recently, Kaseya. Kaseya provides
software for Managed Service Providers and the REvil
ransomware gang exploited the company to infect over 1,000
customers with ransomware. The group demanded a ransom of $70
million to provide decryption keys for all affected
customers.
Supply chain attacks will become more common and
governments will have to establish regulations to address
these attacks and protect networks. They will also look into
collaborating with the private sectors and internationally to
identify and target more threat groups operating on global
and regional scales. In 2022, expect to discover more about
the global impact of the infamous Sunburst attack.
The cyber `cold war' intensifies
The cyber way is intensifying, and taking place online as
more nation-state actors push Western governments to continue
to destabilize society. Improved infrastructure and
technological capabilities will enable terrorists groups and
political activists to further their cybercrime agendas and
carry out more sophisticated, widespread attacks.
Cyberattacks will increasingly be used as proxy conflicts to
destabilize activities globally.
Data breaches are larger scale and more costly
Going into 2022 we will see an increase in data breaches
that will be larger scale. These breaches will also have the
potential to cost organizations and governments more to
recover. In May 2021, a US insurance giant paid $40 million
in ransom to hackers. This was a record, and we can expect
ransom demanded by attackers to increase in 2022.
Technology cybersecurity predictions for 2022
Mobile malware attacks increase as more people use mobile
wallets and payment platforms:
In 2021, 46 percent of organizations had at least one
employee download a malicious mobile application. The move to
remote work for almost entire populations across the world
during the COVID-19 pandemic saw the mobile attack surface
expand dramatically, resulting in 97 percent of organizations
facing mobile threats from several attack vectors. As mobile
wallets and mobile payment platforms are used more
frequently, cybercrimes will evolve and adapt their
techniques to exploit the growing reliance on mobile devices.
Cryptocurrency becomes a focal point for cyberattacks
globally
When money becomes purely software, the cybersecurity
needed to protect us from hackers stealing and manipulating
bitcoins and altcoins is sure to change in unexpected ways.
As reports of stolen crypto wallets triggered by free
airdropped NFTs become more frequent, Check Point Research
(CPR) investigated OpenSea and proved it was possible to
steal crypto wallets of users by leveraging critical
security. In 2022, we can expect to see an increase in
cryptocurrency related attacks.
Attackers leverage vulnerabilities in microservices to launch
largescale attacks
The move to the cloud and DevOps will result in a new form
of cybercrime. With microservices becoming the leading method
for application development, and microservices architecture
being embraced by Cloud Service Providers (CSPs), attackers
are using vulnerabilities found in microservices to launch
their attacks. We can also expect to see large scale attacks
targeting CSPs.
Deepfake technology weaponized
Techniques for fake video or audio are now advanced enough
to be weaponized and used to create targeted content to
manipulate opinions, stock prices or worse. As in the case of
other mobile attacks that rely on social engineering, the
results of a phishing attacks can range from fraud to more
advanced espionage. For instance in one of the most
significant deepfake phishing attacks, a bank manager in the
United Arab Emirates fell victim to a threat actor's scam.
Hackers used AI voice cloning to trick the bank manager into
transferring $35 million. Threat actors will use deepfake
social engineering attacks to gain permissions and to access
sensitive data.
Penetration tools continue to grow
Globally in 2021, 1 out of every 61 organizations was being
impacted by ransomware each week. Cybercrime through
ransomware will continue to grow, despite the efforts of law
enforcement to limit this growth globally. Threat actors will
target companies that can afford paying ransom, and
ransomware attacks will become more sophisticated in 2022.
Hackers will increasingly use penetration tools to customize
attacks in real time and to live and work within victim
networks. Penetration tools are the engine behind the most
sophisticated ransomware attacks that took place in 2021. As
the popularity of this attack method grows, attackers will
use it to carry out data exfiltration and extortion attacks.
Ms. JACKSON LEE. Mr. Speaker, I include in the Record the article:
``Ho, Ho, Ho, Holiday Scams'' FBI Portland. During the 2020 holiday
season, this article says this FBI Internet Compliance Center received
more than 17,000 complaints regarding the nondelivery of goods
resulting in losses of more than $53 billion.
[From FBI Portland, December 1, 2021]
Ho, Ho, Ho, Holiday Scams!
(By Beth Anne Steele)
If you're doing online shopping this holiday season, be on
the lookout for scammers trying to steal a deal, too!
During the 2020 holiday shopping season, the FBI Internet
Crime Complaint Center (IC3.gov) received more than 17,000
complaints regarding the non-delivery of goods, resulting in
losses of more than $53 million. The FBI anticipates this
number could increase during the 2021 holiday season due to
rumors of merchandise shortages and the ongoing pandemic.
``Oftentimes when we talk about cyber crimes, we are
referring to massive intrusions into financial institutions
or ransomware attacks against large providers. Smaller cyber
scams run by individuals or groups can be just as frustrating
and difficult for families this time of year when all you
want to do is provide the perfect gift for your family. The
best thing you can do to be a savvy shopper is to know what
scams are out there and take some basic precautions,'' says
Kieran L. Ramsey, special agent in charge of the FBI in
Oregon.
Here's a look at some of the more common scams:
Online Shopping Scams:
Scammers often offer too-good-to-be-true deals via phishing
emails, through social media posts, or through ads. Perhaps
you were trying to buy tickets to the next big concert or
sporting event and found just what you were looking for--at a
good deal--in an online marketplace? Those tickets could end
up being bogus. Or, perhaps, you think you just scored a
hard-to-find item like a new gaming system? Or a designer bag
at an extremely low price? If you actually get a delivery,
which is unlikely, the box may not contain the item you
ordered in the condition you thought it would arrive. In the
meantime, if you clicked on a link to access the deal. you
likely gave the fraudster access to download malware onto
your device, and you gave him personal financial information
and debit/credit card details.
Social Media Shopping Scams:
Consumers should beware of posts on social media sites that
appear to offer special deals, vouchers, or gift cards. Some
may appear as holiday promotions or contests. Others may
appear to be from known friends who have shared the link.
Often, these scams lead consumers to participate in an online
survey that is designed to steal personal information. If you
click an ad through a social media platform, do your due
diligence to check the legitimacy of the website before
providing credit card or personal information.
Gift Card Scams:
Gift cards are popular and a great time saver. but you need
to watch for sellers who say they can get you cards below-
market value. Also, be wary of buying any card in a
[[Page H3873]]
store if it looks like the security PIN on the back has been
uncovered and recovered. Your best bet is to buy digital gift
cards directly from the merchant online. Another twist on
this scam involves a person who receives a request to
purchase gift cards in bulk. Here's how it works: the victim
receives a spoofed email, a phone call, or a text from a
person who they believe is in authority (such as an executive
at the company). The fraudster tells the victim to purchase
multiple gift cards as gifts. The victim does so and then
passes the card numbers and PINs to the ``executive'' who
cashes out the value.
Charity Scams:
Charity fraud rises during the holiday season when people
want to make end-of-year tax deductible gifts or just wish to
contribute to a good cause. These seasonal scams can be more
difficult to stop because of their widespread reach, limited
duration and, when done online, minimal oversight. Bad actors
target victims through cold calls, email campaigns,
crowdfunding platforms, or fake social media accounts and
websites. Fraudsters make it easy for victims to give money
and to feel like they're making a difference. The scammer
will divert some or all the funds for personal use, and those
most in need will never see the donations.
Tips to Avoid Being Victimized:
Pay for items using a credit card dedicated for online
purchases, checking the card statement frequently, and never
saving payment information in online accounts.
Never make purchases using public Wi-Fi.
Beware of vendors that require payment with a gift card,
wire transfer, cash, or cryptocurrency.
Research the seller to ensure legitimacy. Check reviews and
do online searches for the name of the vendor and the words
``scam'' or ``fraud.''
Check the contact details listed on the website to ensure
the vendor is real and reachable by phone or email.
Confirm return and refund policies.
Be wary of online retailers who use a free email service
instead of a company email address.
Don't judge a company by its website. Flashy websites can
be set up and taken down quickly.
Do not click on links or provide personal or financial
information to an unsolicited email or social media post.
Secure credit card accounts, even rewards accounts, with
strong passwords or passphrases. Change passwords or
passphrases regularly.
Make charitable contributions directly, rather than through
an intermediary, and pay via credit card or check. Avoid cash
donations, if possible.
Only purchase gift cards directly from a trusted merchant.
Make sure anti-virus/malware software is up to date and
block pop-up windows.
What to Do if You Are a Victim:
If you are a victim of an online scam, the FBI recommends
taking the following actions:
Report the activity to the Internet Crime Complaint Center
at IC3.gov, regardless of dollar loss. Provide all relevant
information in the complaint.
Contact your financial institution immediately upon
discovering any fraudulent or suspicious activity and direct
them to stop or reverse the transactions.
Ask your financial institution to contact the corresponding
financial institution where the fraudulent or suspicious
transfer was sent.
Ms. JACKSON LEE. Mr. Speaker, I include in the Record the article:
``Without major changes, more Americans can be victims of online
crime'' The Hill. ``When you turn on the TV or read the newspaper, it
is hard to ignore headlines: `Colonial Pipeline a Victim of Massive
Ransomware Attack.' `50 Million People Affected by T-Mobile Data
Breach.' `Hackers Exploit SolarWinds to Spy on U.S. Government
Agencies.' ''
[From The Hill, Aug. 30, 2021]
Without Major Changes, More Americans Could Be Victims of Online Crime
(By Rep. Abigail Spanberger (D-VA))
When you turn on the TV or read the newspaper, it's hard to
ignore the headlines: ``Colonial Pipeline a Victim of Massive
Ransomware Attack.'' ``50 Million People Affected by T-Mobile
Data Breach.'' ``Hackers Exploit SolarWinds to Spy on U.S.
Government Agencies.''
These major attacks represent a serious threat to our
economy and our national security. After the Colonial
Pipeline attack impacted thousands of our neighbors in
Central Virginia, I was adamant about how our government must
vastly improve its efforts to undercut the activity of
hackers, protect critical infrastructure, and strengthen our
cybercrime prevention efforts.
But the story of cybercrime in 2021 goes far beyond these
news-making cyberattacks--it extends into our communities,
our neighborhoods, and our homes.
If you are a family banking online, a business managing
your employees' payroll information, or a senior accessing
federal benefits on the internet, you are no stranger to
thinking about how a cyber breach or attack could affect you.
Even worse, you might already be one of the millions of
Americans whose personal data has been compromised, money or
identity stolen, or safety put at risk.
In 2018, Gallup found that nearly one in four U.S.
households has been a victim of cybercrime--making it the
most common crime in America. To confront cybercriminals and
their enablers, we need to have a better understanding of
these incidents. However, many of these cases--a vast
majority of these crimes--are not properly reported or
tracked by law enforcement Often, they are not measured at
all.
By some estimates, the Federal Bureau of Investigation
(FBI) may only collect about one in 90 of all cybercrime
incidents in its Internet Crime Complaint Center (IC3)
database. The lack of information about cyber and cyber-
enabled crime is divorced from what Americans are actually
facing on a day-to-day basis an increased risk of cybercrime.
What's more, these crimes are rising at an alarming rate.
Compounding this challenge is the fact that federal, state,
and local governments do not have a comprehensive, effective
system to measure cybercrime. In 2021--decades after the dawn
of the internet age--we remain woefully unprepared to prevent
or respond to the next generation of cyberattacks.
Accountability for these crimes--and protection against
them--can't fully take shape until we have a clear picture of
the current state of play. For this reason, we need to take
real steps to improve how we track, measure, analyze, and
prosecute cybercrime.
Earlier this month, I introduced the bipartisan Better
Cybercrime Metrics Act, which would allow our federal
government and law enforcement to better track and identify
cybercrime, prevent attacks, and go after perpetrators. This
bill would strengthen our understanding and our defenses
against the phishing attempts, extortion, ransomware, and
identity theft that are plaguing everyday Americans.
As a former federal law enforcement agent, I understand
that local and state police and sheriff's departments are
often strained for resources and time. And as a former CIA
case officer, I recognize the importance of gathering as much
information as possible about potential threats--so that we
can prevent attacks on American citizens and American
businesses.
If signed into law, the Better Cybercrime Metrics Act would
improve our cybercrime metrics, anticipate future trends, and
make sure law enforcement has the tools and resources they
need.
Our bill would require federal reporting on the
effectiveness of current cybercrime mechanisms and highlight
disparities in reporting data between cybercrime data and
other types of crime data.
Additionally, it would require the National Crime
Victimization Survey to ask questions related to cybercrime
in its surveys--and it would make sure that the FBI's
National Incident Based Reporting System include cybercrime
reports from federal, state, and local officials.
Notably, our bill would also require the U.S. Department of
Justice to contract with the National Academy of Sciences to
develop a standard taxonomy for cybercrime. These metrics
could be used by law enforcement across the board.
I was proud to introduce this legislation alongside my
colleagues U.S. Reps. Blake Moore (R-Utah), Andrew Garbarino
(R-N.Y.), and Sheila Jackson Lee (D-Texas). Clearly, there is
consensus for these reforms and protections across the
political spectrum.
In the Senate, a companion bill is being led by Sen. Brian
Schatz (D-Hawaii). Joining him are Thom Tillis (R-N.C.), John
Cornyn (R-Texas), and Richard Blumenthal (D-Conn.). I am
proud to have their partnership on this important, bicameral
effort.
With this legislation and an improved understanding of the
threats ahead, we can prevent more Americans from becoming
targets--or victims--online.
Ms. JACKSON LEE. Mr. Speaker, I include in the Record the article
titled: ``U.S. Military Has Acted Against Ransomware Groups, General
Acknowledges.''
[From the New York Times, December 5, 2021]
U.S. Military Has Acted Against Ransomware Groups, General Acknowledges
(By Julian E. Barnes)
Simi Valley, Calif.--The U.S. military has taken actions
against ransomware groups as part of its surge against
organizations launching attacks against American companies,
the nation's top cyberwarrior said on Saturday, the first
public acknowledgment of offensive measures against such
organizations.
Gen. Paul M. Nakasone, the head of U.S. Cyber Command and
the director of the National Security Agency, said that nine
months ago, the government saw ransomware attacks as the
responsibility of law enforcement.
But the attacks on Colonial Pipeline and JBS beef plants
demonstrated that the criminal organizations behind them have
been ``impacting our critical infrastructure,'' General
Nakasone said.
In response, the government is taking a more aggressive,
better coordinated approach against this threat, abandoning
its previous hands-off stance. Cyber Command, the N.S.A. and
other agencies have poured resources into gathering
intelligence on the ransomware groups and sharing that better
understanding across the government and with international
partners.
[[Page H3874]]
``The first thing we have to do is to understand the
adversary and their insights better than we've ever
understood them before,'' General Nakasone said in an
interview on the sidelines of the Reagan National Defense
Forum, a gathering of national security officials.
General Nakasone would not describe the actions taken by
his commands, nor what ransomware groups were targeted. But
he said one of the goals was to ``impose costs,'' which is
the term military officials use to describe punitive
cyberoperations.
``Before, during and since, with a number of elements of
our government, we have taken actions and we have imposed
costs;'' General Nakasone said. ``That's an important piece
that we should always be mindful of.''
In September, Cyber Command diverted traffic around servers
being used by the Russia-based REvil ransomware group,
officials briefed on the operation have said. The operation
came after government hackers from an allied country
penetrated the servers, making it more difficult for the
group to collect ransoms. After REvil detected the U.S.
action, it shut down at least temporarily. That Cyber Command
operation was reported last month by The Washington Post.
Cyber Command and the N.S.A. also assisted the F.B.I. and
the Justice Department in their efforts to seize and recover
much of the cryptocurrency ransom paid by Colonial Pipeline.
The Bitcoin payment was originally demanded by the Russian
ransomware group known as DarkSide.
The first known operation against a ransomware group by
Cyber Command came before the 2020 election, when officials
feared a network of computers known as TrickBot could be used
to disrupt voting.
Government officials have disagreed about how effective the
stepped-up actions against ransomware groups have been.
National Security Council officials have said activities by
Russian groups have declined. The F.B.I. has been skeptical.
Some outside groups saw a lull but predicted the ransomware
groups would rebrand and come back in force.
Asked if the United States had gotten better at defending
itself from ransomware groups, General Nakasone said the
country was ``on an upward trajectory.'' But adversaries
modify their operations and continue to try to attack, he
said.
``We know much more about what our adversaries can and
might do to us. This is an area where vigilance is really
important,'' he said, adding that ``we can't take our eye off
it.''
Since taking over in May 2018, General Nakasone has worked
to increase the pace of cyberoperations, focusing first on
more robust defenses against foreign influence operations in
the 2018 and 2020 elections. He has said that his commands
have been able to draw broad lessons from those operations,
which were seen as successful, and others.
``Take a look at the broad perspective of adversaries that
we've gone after over a period of five-plus years: It's been
nation-states, it's been proxies, it's been criminals, it's
been a whole wide variety of folks that each require a
different strategy,'' he said. ``The fundamental piece that
makes us successful against any adversary are speed, agility
and unity of effort. You have to have those three.''
Last year's discovery of the SolarWinds hacking, in which
Russian intelligence agents implanted software in the supply
chain, giving them potential access to scores of government
networks and thousands of business networks, was made by a
private company and exposed flaws in America's domestic
cyberdefenses. The N.S.A's Cybersecurity Collaboration Center
was set up to improve information sharing between the
government and industry and to better detect future
intrusions, General Nakasone said, although industry
officials say more needs to be done to improve the flow of
intelligence.
General Nakasone said those kinds of attacks are likely to
continue, by ransomware groups and others.
``What we have seen over the past year and what private
industry has indicated is that we have seen a tremendous rise
in terms of implants and in terms of zero-day vulnerabilities
and ransomware,'' he said, referring to an unknown coding
flaw for which a patch does not exist. ``I think that's the
world in which we live today.''
Speaking on a panel at the Reagan Forum, General Nakasone
said the domain of cyberspace had changed radically over the
past 11 months with the rise of ransomware attacks and
operations like SolarWinds. He said it was likely in any
future military conflict that American critical
infrastructure would be targeted.
``Borders mean less as we look at our adversaries, and
whatever adversary that is, we should begin with the idea
that our critical infrastructure will be targeted:' he told
the panel.
Cyber Command has already begun building up its efforts to
defend the next election. Despite the work to expose Russian,
Chinese and Iranian efforts to meddle in American politics,
General Nakasone said in the interview that foreign malign
campaigns were likely to continue.
``I think that we should anticipate that in cyberspace,
where the barriers to entry are so low, our adversaries are
always going to be attempting to be involved;'' he said.
The recipe for success in defending the election, he said,
is to provide insight to the public about what adversaries
are trying to do, share information about vulnerabilities and
adversarial operations, and finally take action against
groups trying to interfere with voting.
While that might take the form of cyberoperations against
hackers, the response can be broader. Last month, the Justice
Department announced the indictment of two Iranian hackers
the government had identified as being behind an attempt to
influence the 2020 election.
``This really has to be a whole-of-government effort,''
General Nakasone said. ``This is why the diplomatic effort is
important. This is why being able to look at a number of
different levers within our government to be able to impact
these type of adversaries is critical for our success.''
Ms. JACKSON LEE. The roll call goes on and on and on.
I thank my colleagues for their words of support for this bipartisan
legislation. I believe the time is now. We are going to continue this
journey. This is not the last legislative initiative, that is why we
will be holding a hearing tomorrow with the representative from the FBI
because this is a growing continuing project and problem. If I might
use the terminology, we will have to re-image constantly.
This legislation is also supported by law enforcement groups and
those with particular expertise in cybercrime, including the National
Fraternal Order of Police, the Major Cities Chiefs Association, and the
National Association of Police Organizations, the National White Collar
Crime Center, and the Cybercrime Support Network.
Mr. Speaker, I thank Senator Schatz, Senator Tillis, and as I
indicated, our colleague, Representative Spanberger for their
leadership on this bipartisan legislation. I am glad to have joined it
and I urge all of my colleagues to join me in supporting it.
Mr. Speaker, I yield back the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I rise in support of S. 2629, the
``Better Cybercrime Metrics Act.''
This legislation improves our understanding and tracking of
cybercrime so that we can do more to prevent it.
A 2018 Gallup poll found that one in four Americans has been a victim
of cybercrime.
From stolen financial information, to systemwide shutdowns, to
ransomware attacks, these crimes harm our families, our businesses, and
our government.
The Council of Economic Advisers estimated that malicious cyber
activities cost our economy as much as $109 billion in 2016, and
experts believe these costs are growing.
The COVID-19 pandemic has increased opportunities for cybercrime,
with increases in remote work and the time people spend online.
Hackers also took advantage of our recovery efforts, stealing
identities to file fake unemployment claims or fraudulent loan
applications.
Many of the victims of these scams only learned they were attacked
when they went to file genuine claims and were told that one had
already been submitted using their name or business.
Sadly, cyber criminals often target older Americans. In 2020, people
over 60 accounted for the most complaints of any age group, as
collected by the FBI Internet Crime Complaint Center.
People over 60 also had the greatest losses, with over $966 million
lost to cybercrime in 2020.
We must do more to protect Americans from cybercrime, and that starts
with a better understanding of what it is and how it occurs.
The Better Cybercrime Metrics Act will gather experts in law
enforcement, business, and technology to create a taxonomy of
cybercrime so that we can define it and classify it in a uniform way.
This legislation also adds cybercrime to two important law
enforcement tools used to track crimes, the National Incident-Based
Reporting System and the National Crime Victimization Survey.
Together these provisions will ensure that law enforcement has a
complete picture of when and where cybercrime occurs, and who is harmed
by it.
Finally, this bill directs the Government Accountability Office to
conduct a study on reporting mechanisms for cybercrime, and the
disparities in cybercrime data relative to other types of crime data.
Together this legislation will put in place the tools to clearly
define and classify cybercrime, to track cybercrime, and to better
understand this serious threat.
I commend Senators Brian Schatz and Thom Tillis for their work on
this bipartisan legislation. I also thank Representative Abigail
Spanberger for her leadership on the House companion to this bill. I
was proud to stand with her in introducing the House companion, along
with our Republican colleagues, Representative Blake Moore and
Representative Andrew Garbarino.
[[Page H3875]]
We must give law enforcement the tools to keep apace with new
technology and to get a step ahead of the threats faced by our ever-
evolving world.
This bill takes an important step in that effort and I urge my
colleagues to support it.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from Texas (Ms. Jackson Lee) that the House suspend the
rules and pass the bill, S. 2629.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. CLYDE. Mr. Speaker, on that I demand the yeas and nays.
The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution
8, the yeas and nays are ordered.
Pursuant to clause 8 of rule XX, further proceedings on this motion
are postponed.
____________________