Head of the Europol Cybercrime Centre, Steve Wilson shares how his organisation is tackling cybercrime and explains why a collaborative approach is needed
In an ever-changing digital world, cybercrime has become one of the major challenges for organisations throughout Europe. Set up in 2013 by Europol, the European Cybercrime Centre aims to strengthen the law enforcement responses to cybercrime. With cybercrime costing EU Member States an estimated €265 billion a year, protecting European citizens, businesses and governments from online crime is essential for the economy.
Head of the Europol Cybercrime Centre, Steve Wilson answers Open Access Government’s questions about tackling the worldwide problem and the challenges that come along with it.
What are the main challenges with tackling cybercrime?
One of the greatest challenges for investigating cybercrime has always been attribution. You may find an online nickname associated with some form of criminality, or perhaps obtain an IP address, but determining who is behind that alias or IP address has always been the greatest obstacle.
What we call the loss of location is a big issue for law enforcement agencies. This is linked to the increasing criminal use of encryption, as well as anonymisation tools, virtual currencies and Darknets such as TOR¹, which have led to a situation where establishing the physical location of a perpetrator, the criminal infrastructure that is being used to facilitate cybercriminality or the relevant electronic evidence has become increasingly difficult. In these situations, it is often unclear which country has jurisdiction and what legal framework regulates the collection of evidence or the use of special investigative powers.
However, undoubtedly one of the biggest challenges we face now is related to the loss of data or the inability to access relevant intelligence and evidence, often because of encryption. A growing number of manufacturers and electronic service providers implement default encryption of their services and devices. At the same time, tools that enable personal encryption of communications and other data are widely available. While this counts as a positive development to increase cybersecurity in general, traditional investigative techniques like wiretapping are becoming less effective, and the possibilities of digital forensic analysis are severely hampered as criminals are also protecting their data with encryption. It is important to note that the criminal use of encryption is a threat that cuts across all crime areas, not just cybercrime.
The widening criminal use of cryptocurrencies such as bitcoin² and the increased use of tumbler/mixer services³ effectively prevent law enforcement from ‘following the money’ and significantly complicate the possibilities for asset recovery and the prevention of fraudulent transactions.
The constantly evolving nature of cybercrime requires law enforcement to continuously update their skills and expertise. This requires up-to-date, relevant and standardised training. While we currently do not have EU-wide standards for training and certification, we are actively involved with other stakeholders such as the EU Commission, CEPOL, the European Cybercrime Training and Education Group (ECTEG) and Eurojust to establish a Training Governance Model at EU level, which aims to address these points. This is based on a Training Competency Framework that we helped develop, which identifies the main roles in law enforcement and the judiciary involved in combatting cybercrime and the corresponding required skill sets. The Training of Trainers (TOT) Project and the training activities under the EMPACT policy framework are already paving the way towards addressing the expertise gap at EU level.
How important are partnerships, such as with Europol and the Global Cyber Alliance, to help tackle the problem worldwide?
Tackling cybercrime is not a responsibility that law enforcement can, or should, shoulder alone. Cybercrime and cybersecurity are cross-cutting issues so it is very important to align and cooperate with the relevant players in this area such as GCA and others if we want to be on the forefront of the fight against cybercrime.
Cybercrime in particular requires close cooperation and working trust-based partnerships with industry, the financial sector, the CERT/CSIRT community, academia and other stakeholders as they all hold parts of the puzzle that are required to effectively and efficiently tackle cybercrime. We have different advisory groups representing different stakeholder communities that offer a great platform to establish and develop our partnerships.
For us this of course also includes close cooperation with the EU institutions and other EU agencies such as ENISA, CERT-EU, Eurojust or CEPOL.
By sharing best practices, lessons learned and tools we are building and further expanding a resilient network better prepared to face cybercrime and cybersecurity risks, thereby contributing to a safer and more secure cyberspace.
Why is the EU a particular threat for cybercrime?
The internet penetration rate for Europe is now close to 77%. This has a direct impact on the life of EU citizens and businesses alike since most aspects of our daily life now have a digital component. Many EU countries maintain fast, resilient internet infrastructure which attracts not only industry but also cybercriminals who use it to carry out their attacks.
Moreover, the EU has a well-established, internet facing financial sector and e-commerce industry, which are key targets for cybercriminals.
These factors, together with the relative economic affluence of the region, make Europe an attractive target for cybercrime.
How much does cybercrime cost victims throughout Europe each year? And, how much of a problem has cybercrime become?
One of the measurable costs of cybercrime is the continued increase in the global investments made on cybersecurity. It is however very difficult to obtain accurate figures on the costs of cybercrime due to underreporting, lack of common definitions and difficulties in assessing the damages caused by cybercrime. While it is possible to estimate some costs, direct financial costs for example, other damages are harder to evaluate, such as the financial damage to a company’s reputation or the loss of intellectual property. There are some studies which forecast that global cybercrime costs will be in excess of $6 trillion annually by 2021⁴.
Cybercrime has become increasingly financially motivated; banks and the financial sector are a key target for cybercriminals, with some of the main threats being banking Trojans, ATM malware, DDoS attacks, card-present and card-not-present fraud, CEO or Business E-Mail Compromise (BEC) fraud and ransomware. The crime-as-a-service business model which underpins cybercrime provides access to cybercrime tools and services that allow even entry-level cybercriminals to conduct attacks hugely disproportionate to their skill level, often for negligible costs. Couple this with the increased digitisation of citizens’ lives, businesses, and public services and we have a substantial problem indeed.
What are the key challenges and threats with regards to cybercrime?
The term cybercrime covers a wide range of criminality. Some of the main threats we highlighted in the 2016 IOCTA were the aforementioned crime-as-a-service business model that promotes the connection between specialist providers of cybercrime services and tools and real-world organised crime groups. Ransomware, particularly that which uses encryption, is the leading malware threat and is likely to remain so in the near future. In the area of payment fraud, we have seen the development of logical and malware attacks against ATMs and the compromise of contactless (NFC) cards. When it comes to Child Sexual Exploitation, the live streaming of abuse is becoming a bigger issue with the use of end-to-end encrypted platforms for sharing media, coupled with the use of largely anonymous payment systems. One of the cross-cutting challenges we are facing in the fight against cybercrime is the abuse of Darknets and encryption.
Some of the other challenges we face are related to legislation. Despite the existence of international legislative instruments, differences in domestic legal frameworks in the EU Member States and international instruments often prove to be a serious impediment to international criminal investigation and prosecution of cybercrime. This is partly due to an incomplete transposition of international instruments to domestic legislation. The main differences regard the criminalisation of conduct and provisions to investigate cybercrime and gather e-evidence.
The complex transnational nature of cyber investigations requires a strong cooperation effort, not only from Law Enforcement Agencies across Member States, but also in third countries and with private organisations, but Europol has been proven to have a leading role in facilitating this articulation, being an exceptional information hub, providing expertise and operational support.
As technology continues to evolve, how do you think cybercrime will evolve with it? Are we ready to tackle this?
Cybercriminals are very flexible and quick to adopt, abuse or exploit any new technology which can enhance their criminal lifestyles. We need to invest in training and capacity building and keep pace with technological developments to beat cybercriminals at their own game. Relevant alliances and Public-Private Partnership initiatives are fundamental to achieve this; law enforcement cannot fight this fight alone: it takes a network to defeat a network.
It is also essential to raise awareness of cybercrime threats, not just within industry, but with the public, who are regularly the victims of cybercrime. Every person adequately equipped to defend themselves is another person prevented from becoming a victim. To some degree cybercrime may even be a generational problem. Just as sanitation and personal hygiene have led to a reduction in diseases and infection, similarly, the new generation of internet users should have digital hygiene engrained into them from an early age, which will be a critical defense against cybercriminals.
Since it was established in 2013, how has the Cybercrime Centre helped to reduce the amount of cybercrime in the EU?
One of the most recent examples I can provide is the dismantling of the Avalanche network which was used as a delivery platform to launch and manage mass global malware and money mule recruiting campaigns. Europol hosted the command post during the action day and supported Germany in close cooperation with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Eurojust and other global partners during the course of the investigation. The operation marks the largest ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked.
Another good example of how EC3 has not only helped to reduce the amount of cybercrime, but also helped to identify and save child victims from abuse was through the third Victim Identification Task Force (VIDTF). VIDTF saw 25 experts in victim identification from 16 countries and 22 agencies coming together to work on shared materials at Europol’s headquarters over 12 days. They were supported by Europol staff, all specialists and analysts in this crime area, and together we were able to successfully identify several victims of child sexual exploitation and save them from further abuse.
Through our innovative and collaborative approach, we have also had a big impact in the area of fraud. For example, in the last Global Airline Action Day, 193 individuals suspected of travelling with airline tickets bought using stolen, compromised or fake credit card details were detained.
Furthermore, EC3 plays a key role not only on the operational side but also on the strategic and prevention aspect. Since 2013, we have produced a yearly Internet Organised Crime Threat Assessment⁵ which provides a number of key recommendations to address the issues and challenges of cybercrime, and identifies several priority topics to inform the definition of operational actions for EU law enforcement in the framework of the EU Policy Cycle. On the prevention side, we have launched several campaigns, including the No More Ransomware initiative⁶, which is not only an awareness campaign for victims of ransomware but also a place to go to when you fall victim to this crime. As such, it is also an excellent example of what we can achieve collectively together with industry and other law enforcement partners in countering one of the main cybercrime threats.
Overall, I would say we have been having quite a relevant role in helping to reduce cybercrime. We aim to continue doing it, always improving, in cooperation with other relevant stakeholders.
1 According to the IOCTA 2015 and 2016, cybercriminals make increasing use of Darknets and other similar areas offering a high degree of anonymity. These environments are also increasingly hosting hidden services and marketplaces devoted to traditional types of crime, such as the drug trade, selling stolen goods, firearms, compromised credit card details, forged documents, fake IDs, and the trafficking of human beings.
2 Unlike centralised virtual currencies such as WebMoney or Perfect Money, decentralised virtual currencies such as Bitcoin do not have a single administrating authority that controls the currency.
3 A tumbler or a mixer is a service that attempts to break the links between the original and the final address by using several intermediary wallets. The service may also randomise transaction fees and add time delays to transactions.
4 https://www.herjavecgroup.com/wp-content/uploads/2016/08/Hackerpocalypse.pdf
6 https://www.nomoreransom.org/
Steve Wilson
Head of the Cybercrime Centre
Europol