The EU's efforts in fighting cybercrime: putting together legislative action, cross-sectoral and international cooperation, as well as capacity building

Cybercrime has evolved into one of the greatest challenges for the rule of law across criminal jurisdictions while the penetration of electronic evidence into of any type of crime further complicates the puzzle for criminal justice authorities. The EU’s approach the fight against cybercrime consists of a comprehensive toolkit that involves the adoption and update of appropriate legislation; the support to cooperation frameworks amongst criminal justice actors and across sectors particularly with industry; and increased focus on research and development as well as training programmes that provide access to the right technology and enhance the capacities and expertise of law enforcement and judiciary.

Written by: Michele Socco, Policy Officer, Cybercrime Unit, Directorate General for Migration and Home Affairs, European Commission.

Crime in the era of new technologies

As the digital dimension of our lives is increasing, so is the criminal activity in the cyber environment. The borderless nature of cybercrime, coupled with its characteristic low risk-high reward business model, has contributed to the wide-spreading of criminal activities where computers and information systems are involved either as a primary tool or as a primary target. The cyber dimension in most types of crimes has been constantly on the rise in the last decade, with the cross-over of the use of new technologies by organised crime groups is no longer an alarming trend but a reality. Criminals quickly deploy and adapt new technologies into their modi operandi or build brand-new business models around them with great skill and to great effect.

Fighting cybercrime more effectively is one of the three priorities under the European Agenda on Security that was adopted in April 2015, while it is also a basic pillar of the EU’s 2013 Cybersecurity Strategy that is currently under revision. Also within the framework of the multi-annual EU Policy Cycle for Serious and Organised Crime that ensures effective cooperation and coherent operational action targeting the most pressing criminal threats facing the EU, cybercrime is one of the priority areas of EMPACT (European multidisciplinary platform against criminal threats) that translates the Policy Cycle’s strategic objectives into concrete operational actions.

The EU’s approach the fight against cybercrime consists of a comprehensive set of actions along three main focal areas: appropriate legal framework; cooperation frameworks amongst criminal justice actors and across sectors particularly with industry which controls a large part of information infrastructures; and financial resources to allow for research and development that provide access to the right technology to address market failures, as well as training programmes to enhance the capacities and expertise of law enforcement and judiciary in this area.

European Cybercrime Centre (EC3), Multi-Disciplinary Centre for Cyber Innovation (MDCCI). Credits: Europol

Legislative action as the foundation

Specifically on the legislative front, the key measures for the EU’s cybercrime framework include:

  • The 2013 Directive on attacks against information systems which aims to tackle large-scale cyber attacks by requiring Member States to strengthen national cybercrime laws and introduce tougher criminal sanctions.
  • The 2011 Directive on combating the sexual exploitation of children online and child pornography, which better addresses new developments in the online environment, such as grooming.
  • The 2001 Framework Decision on combating fraud and counterfeiting of non-cash means of payment, which defines the fraudulent behaviours that EU States need to consider as punishable criminal offences. The European Commission is currently working towards the revision of this Framework Decision to cover new forms of money transmissions like virtual currencies and other aspects.

These legislative measures are based on existing standards and the models that capture international best practice frameworks of reference, namely the Council of Europe ‘Budapest Convention on Cybercrime’ and the ‘Lanzarote Convention on Protection of Children against Sexual Exploitation and Sexual Abuse’.

Complementary to these are related legislative initiatives, such as the 2016 Directive on Network and Information Security and the 2002 e-Privacy Directive which is currently under revision to align to the requirements of the General Data Protection Regulation of 2016, while a new strand of work is currently undertaken on the need to improve the enforcement of the rule of law in cyberspace and obtaining electronic evidence in criminal proceedings, including cross-border access to e-evidence.

Nevertheless, legislation is only the foundation for an effective response to cybercrime which needs to be coupled with the necessary skills to prevent, detect, prosecute and adjudicate cybercrime as well as with operational international cooperation.

Key steps addressed by the Training Governance Model, CEPOL

Operational cooperation across sectors and countries

Some key cooperation mechanisms and structures the EU has set up has been the European Cybercrime Centre at Europol (EC3) which since 2013 serves as a central hub for criminal information and intelligence and supports operations and investigations by EU Member States by offering operational analysis, coordination and technical expertise. It also provides a variety of strategic-analysis products, such as the Internet Organised Crime Threat Assessment, while it applies a comprehensive outreach function with other international partners such as INTERPOL and connects with the private sector, academia and other non-law enforcement partners. In the few years since its establishment, EC3 has already made a significant contribution to the fight against cybercrime: the number of high profile operations it supported steadily grew from 57 in 2013 to 175 in 2016. Two other significant steps in enhanced cooperation include the establishment of the EU Internet Forum in 2015 with the aim to reach a joint, voluntary approach based on a public-private partnership with ISPs to detect and address harmful material online; as well as the creation of the European Judicial Cybercrime Network in 2016 to facilitate sharing expertise, knowledge and best practice amongst experts from competent judicial authorities dealing with cybercrime, cyber-enabled crime and investigations in cyberspace.

Bridging the skills' gap

Moreover, there is broad consensus between practitioners and researchers that cybercrime investigations are hindered by insufficient knowledge and a skill gap of law enforcement officers as well as the relevant actors in the judiciary. In order to meet the vast needs of stakeholders in a concerted, complementary and sustainable manner, the key EU stakeholders - namely the European Commission, EC3 at Europol, the European Cybercrime Training and Education Group (ECTEG), the EU Agency for Law Enforcement Training (CEPOL) and Eurojust - agreed in 2015 to develop a Training Governance Model (TGM) on cybercrime. The TGM is intended to enable the creation of an effective, well-established, coordinated and sustainable mechanism that can meet the operational challenges and needs, and provide up to date training. Each stakeholder has a role in the different steps of the TGM.

As part of the TGM, the creation of a Training  Competency Framework (TCF) on Cybercrime serves as the basis for identification of the required competencies and skills in combating cybercrime for key actors ranging from law enforcement to the judiciary. As the area of cybercrime is extremely dynamic, the TCF is periodically reviewed and updated when necessary. The EU-wide needs assessment is also fundamental in identifying gaps of existing skillset and training repositories of the law enforcement and the judiciary that feeds into the prioritisation exercise. For the training design and development, ECTEG is in the lead as its objective is to provide experience and knowledge to further enhance the coordination of cybercrime training through the development of a robust and enduring training programme. Within the TGM, delivery of training is mainly led by CEPOL and the European Judicial Training Network (EJTN) that are generally responsible for the implementation of training and learning activities at European level.

Complimentary actions to creating the necessary knowledge entail research and innovation projects on digital forensics, enhancing cybersecurity and prevention, analysis of large set of data that the EU has financed through it research programme, Horizon 2020. In an effort to ensure that research is indeed targeted to the needs of law enforcement, the EU has also financed the creation of Cybercrime Centres of Excellence (in 15 EU countries) that foster the partnership between private companies, academia and law enforcement.

While these measures are functional to develop capacity within the EU, considering the borderless nature of cybercrime the EU is very much committed and engaged to capacity building in partner countries as well.

This article first appeared in the third issue of the Global Cyber Expertise Magazine - May 2017