Cyber Classification Compendium
Cross-Walking Cybercrime Laws, Statistics, and Taxonomies
Cybercrime is one of those fascinating fields where everyone has a different definition. For a while, experts in the field had a general “I’ll know it if I see it” approach because the laws varied widely between jurisdictions and companies. But now, the field has become so complex that cybersecurity experts are forced to try to understand the laws, proceedings, and jurisdictions of the criminal justice system where the definition of what is illegal can change based on a court decision. In contrast, justice personnel are forced to understand the jargon, which constantly evolves, and technical nuances of a victim’s report and then make decisions on how that information will be interpreted in different jurisdictions. Anyone looking to compare statistics between websites, jurisdictions, or other reporting mechanisms is even further stymied by inconsistent terms. This is the niche where the Cyber Classification Compendium makes a difference.
In the United States, federal law enforcement officers involved in cybercrime cases tend to follow the Computer Fraud and Abuse Act of 1986 (CFAA) 18 U.S.C. § 1030 as well as varying related statutes and laws regarding unauthorized access, trespass, copyright, identity theft, and so on. Each state defines cybercrime and related crimes separately in their criminal codes, while smaller departments often have a general sense of what the chief or sheriff wants to be marked as cybercrime. It can almost be a game of hot potato, as complaints are referred to online collection points like the Internet Crime Complaint Center (IC3) or worse, filed and lost because U.S. crime statistics do not currently cover cybercrime.
Internationally, the cybercrime laws range even more broadly, as countries prioritize incidents based on the Budapest Convention, local politics, and other factors. In Canada, for instance, Criminal Code R.S.C. 1985, c. C-46 342.1 defines the laws regarding the unauthorized use of a computer, while the mischief component of 430 Wilful and Forbidden Acts in Respect of Certain Property is used for mischief to data, and Canada’s Anti-Spam Legislation (CASL) speaks to issues surrounding the installation of computer programs. Similar to the United States, small departments have a general sense of what might constitute a cybercrime, but there are different interpretations, and incidents are often referred to the Royal Canadian Mounted Police (RCMP).