Cybercrime: Improving international cooperation

Transcription

1 The Hague, 12/06/2015 Cybercrime: Improving international cooperation GCCS2015 Parallel session 4 Document Reference [765004] Version [2] Discussion paper Europol Public Information

2 1 Introduction In preparation for the Global Conference on Cybersecurity (GCCS) 2015, the organisers invited Europol to draft a discussion paper as input for the dedicated parallel session on Cybercrime, Improving international cooperation. As a key instrument of the European Union to support its Member States efforts in preventing and combating serious and organised crime and terrorism, Europol has had the opportunity to gain significant experience in international law enforcement cooperation. Moreover, in January 2013 the European Cybercrime Centre (EC3) was established within Europol, which also offered the organisation a front-row seat to look at the possibilities and impediments for cross-border cooperation in the particular domain of cybercrime. This paper aims to present the essential factors that Europol considers of relevance to the ability to cooperate effectively across borders. These factors have been divided over the chapters Operational Cooperation and Strategic Cooperation, depending on the kind of cooperation they predominantly affect. A third chapter is dedicated to considerations on Partnerships. The first version of this paper offered the basis for discussions among participants of the GCCS 2015 along with the introductions of the speakers. In the current version the discussions have been used to draft the final chapter where critical success factors for the improvement of international cooperation have been introduced. Under the leadership of those that contributed to this paper, concrete steps will be prepared and taken to turn the content into concrete action. This should have a tangible impact on cooperation in order to prevent and fight the various forms of cybercrime even more successfully together in the future. A report on these actions and their results will be presented at the next Global Conference on Cyber Space. Europol Public Information 2 / 12

3 2 Operational Cooperation On the positive side, cybercrime stimulates international cooperation more than most other types of crime. It is highly disrespectful to national jurisdictions and physical borders and can multiply criminal activities worldwide in a matter of seconds. It presents unprecedented challenges to law enforcement communities around the world. In particular, it makes them highly dependent on each other in dealing with these crimes and the criminals that commit them. Apart from having a common interest, it helps to also have common grounds to work together efficiently and successfully. The points on which common grounds would be beneficial are discussed in the following paragraphs. 2.1 Legal framework At the heart of operational law enforcement cooperation is the exchange of personal data on suspects of crime, with a view to collecting evidence and getting the suspects convicted. The extradition of suspects and convicted criminals is also key. These elements of cooperation require a legal basis covering the criminal offences within domestic law and the possibilities and conditions for judicial cooperation between the states involved. There are several treaties, conventions and other international arrangements that provide a legal basis for judicial cross-border cooperation. Some of these deal with cooperation in general; others are specifically dedicated to cybercrime. The Budapest Convention is a good example of the latter. It is intended to extend judicial and law enforcement cooperation against cybercrime as broadly as possible on a global level. Most beneficial for cross-border cooperation is the mutual recognition of investigative processes and in particular, if evidence has been lawfully collected in one country, that it can be used in court in another country. This is of particular value to the use of special investigative techniques. At a more regional level, there are, particularly within the EU, multiple examples of harmonisation of legislation, also with regard to cybercrime. The European Arrest Warrant is worth mentioning as well as the possibility to establish Joint Investigation Teams; an instrument that removes most barriers in the exchange of information between the countries participating in the investigation. Europol Public Information 3 / 12

4 Although helpful to achieve swift cooperation in practice, the alignment of legal systems is not a precondition for successful cross-border cooperation. Similar legal systems can for instance be found among the Member States of the Commonwealth but also the Nordic countries. Iceland, Norway, Sweden, Denmark and Finland share a judicial system that even allows them to use each other s liaison officers posted abroad. Still, differences between legal systems can be overcome and are by no means a reason or excuse for cooperation against cybercrime not to work. 2.2 Standards for data processing Apart from having a legal basis for the exchange of information, international cooperation also benefits from the alignment of standards. There are many aspects of data processing that can be standardised. A non-exhaustive set of examples is presented below. Quite important is the alignment, or an agreement on equivalence, of the levels of confidentiality. If information is for instance qualified as restricted or as secret, the treatment of such data usually comes with a set of protective measures that is deemed appropriate for the level concerned. This applies to the information processing tools, the physical location in which data can be processed and to the duly authorised officers involved in the processing. If data is exchanged between countries, similar arrangements should apply for the security conditions under which the data can be processed. Furthermore, it is necessary to agree on what constitutes personal data. Provided that a legal framework is in place and such data can be shared, then it is still important to know between cooperation partners exactly what is considered personal data, because this affects the way the information can and should be handled. As an example, IPaddresses are considered personal data in some countries, while other jurisdictions do not consider them as such. Other types of standardisation relate to reliability. In most evaluation systems the reliability consists of two parts: the reliability of the source and the reliability of the information. The use of these factors helps to make informed decisions. Data which stems from an unreliable source and which has not been confirmed should be weighted differently than information from a reliable source that also has been corroborated. Also worth considering is to establish agreed standards for the handling of data. The willingness to share information with foreign partners increases if the owner of the information can impose certain conditions and rely on its partners to adhere to these conditions. A good example of this is the sharing of information for police use only, meaning that the information cannot be used as evidence in judicial procedures. This Europol Public Information 4 / 12

5 can be because the owner does not want the data to be known to the defence or to avoid the investigation from being jeopardised in any other way. In a relatively early stage is the agreement on digital forensic standards. This will become increasingly important for cybercrime, because it will allow information collected and processed in one country to be used as evidence in court in another country. Following on from the points above on standards for data processing, cross-border cooperation also benefits from shared or interoperable ICT tools. Having common data processing solutions in place can facilitate the secure and swift exchange of information between partners, as well as the further processing for cross-matching and analysis. 2.3 Information exchange and shared intelligence products The cornerstone of law enforcement cooperation is the exchange of information. Having a shared picture of crimes is the basis for decision making on how forces can be joined. This applies at a strategic level as well as on operational matters. Important for sharing information in addition to the conditions outlined above is to have a common understanding of what the information will be used for and how it will support joint decision making. It is therefore worth defining the objectives of the information sharing and the specification of information products that will be delivered. These can be strategic threat assessments, operational analysis reports, cross-matches, thematic assessments, trend analysis reports and several others. These information products can then be used to decide on concrete cross-border cooperation between the partners, such as joint actions or investigations. But even if countries do their own investigations, then it is still useful to benefit from each other s information and to de-conflict their activities to avoid duplication of efforts and potential interference in one another s ongoing operations. 2.4 Coordination When investigations involve more countries it is essential to foresee a coordination mechanism, ensuring that the activities of the partners concerned are aligned. This applies to the planning of activities, but also to the content. Sharing information throughout the process is vital for the coordination of activities and to make sure the right action is taken at the right time. Also when it comes to making arrests, conducting searches and seizing assets, cross-border alignment can significantly enhance the eventual results. The same applies to the interviewing of suspects and the analysis of data on seized ICT tools and infrastructure. Europol Public Information 5 / 12

6 A distinction can be made between operational police coordination of actions and judicial coordination in regard to the collection of evidence in different jurisdictions. Both are equally important to the success of the cooperation. 2.5 Other factors influencing operational cooperation After the long list of topics above that can be aligned and assimilated, there comes a point where differences have to be acknowledged and accepted. In international cooperation there will always be differences. These can be cultural, linguistic, procedural, tactical or many other kinds. To effectively overcome these differences a combination of three elements is required: mutual respect, trust and willingness to cooperate. These factors are more important than any of the other points. There are numerous examples where no cooperation is achieved even within one country, or even within one police force, if there is no willingness or trust. Legal obligations to cooperate or share intelligence are neglected if police officers do not trust each other or sense competition with their fellow officers. On the other hand, there are also many examples where none of the preconditions for cooperation were in place, but where respect, trust and willingness among the international partners enabled the achievement of joint successes. Europol Public Information 6 / 12

7 3 Strategic Cooperation Whereas operational cooperation is often subject to political sensitivity and willingness, there are still many additional opportunities for international cooperation that are politically more neutral and certainly worth exploring to complement or compensate the operational dimension. 3.1 Alignment at policy level Without the need to exchange operational information or initiate joint investigations, countries can decide to jointly address cybercrime or specific topics related to cybercrime at policy level. This can be achieved for instance by introducing new legislation or other regulatory measures. An example is the abuse of virtual currencies, like Bitcoin, for criminal transactions and money laundering. Introducing policy measures in various jurisdictions in line with the respective regulatory frameworks reduces the opportunities for criminals to benefit from unregulated matters. The policy measures do not necessarily have to be the same. Even diversity in the kind of measures taken reduces the number of safe havens available for cashing out criminal profits. Such policy alignment could even become more targeted if partners can agree. For instance, using again the example of the abuse of virtual currencies, countries could agree that each would target with priority the criminal use of Darkcoin, which is notorious for maximising the anonymity of its users. At a more general level, countries could also agree to prioritise the investigation and prosecution of specific crime types, such as online child sexual exploitation or the deployment of remote access Trojans. Each country could pursue such prioritisation individually under domestic legislation and as such contribute to the shared objective without the need for international operational cooperation. (Obviously, the effect of operational cooperation between countries would be stronger in view of the international nature of cybercrime and the dispersed actors and evidence.) 3.2 Prevention and awareness Considering the ease at which cybercrimes can be replicated across borders, victims of similar crimes are likely to be found in multiple countries. The proactive sharing of information on new threats and modus operandi to citizens and businesses can educate them on how to better protect themselves and as such minimise the impact of cybercrime. The sharing of such data between countries does not necessarily involve the exchange of any personal data to be effective. Europol Public Information 7 / 12

8 Also, it is possible to develop joint campaigns to inform the general public about cyber threats. Important economies of scale can be made in this regard. Yet the effect of such communication is strongest if it also respects local cultures and reality. It should therefore come from entities that are trusted and close, and should be broadcast in the local language. 3.3 Training & capacity building One of the biggest challenges for law enforcement is for its workforce to keep up with training needs to prevent and combat cybercrime effectively. This challenge is fuelled by the expanding nature of cybercrime affecting increasingly more aspects of policing, and by the continuous, high-speed evolution of technology. The expanding nature requires that police officers across law enforcement organisations need to be educated on the cyber elements that are of relevance to their work and on the technical capabilities that digital forensics can offer. The high-speed evolution calls for permanent updating of training material and sharing of latest information and best practices among practitioners. The demands this combination brings in terms of resourcing heavily impacts small and large countries alike. As such, it constitutes a perfect area for cross-border cooperation in order to maximise efficiencies. Moreover, any weaknesses in cybercrime fighting capacities among law enforcement across the world automatically create opportunities for criminals that can operate from or through such areas where enforcement is limited. The assimilation of training and sharing of expertise and best practices also enhances the possibilities for swift operational cooperation between countries. 3.4 Research & Development Another challenge for law enforcement is to have the appropriate tools. The creation, testing and validation of new digital forensic analysis tools requires a lot of time, and keeping pace with technological developments can be really difficult. Also the quantities of data to be processed are rapidly increasing. This applies to the number of seizures of digital evidence and to the volumes of data per seizure. Obviously, these factors urge countries to join forces in developing processing tools for digital forensic investigations. Having shared development programmes not only increases the efficiency in delivering tools, but also facilitates the exchange and acceptance of evidence produced with those tools by partners abroad. Europol Public Information 8 / 12

9 4 Partnership Addressing the previously presented conditions will definitely stimulate international cooperation. An additional opportunity to promote in particular structural cooperation, whether operational or strategic, is to conclude partnerships. In the paragraphs below the main categories of partnerships are introduced. 4.1 Law enforcement cooperation International cooperation between law enforcement services is indispensable to prevent and fight cybercrime successfully. Building partnerships among them seems simple and obvious. Yet already within the law enforcement domain there are many different partners that can be considered. At the top of the list is of course cooperation between cybercrime divisions. But then there are those of multiple services, depending on the law enforcement architecture of countries. Cyber divisions can be found in regular police services, customs organisations and military police organisations. But there are also some specialised branches such as fraud teams or online child sexual exploitation divisions. Equally worth mentioning are judicial authorities and the specialised structures those have created to focus on cybercrime. Apart from the identification of the right partners abroad, it is also important to consider the kind of cooperation. The partnership can aim at establishing bi-lateral or multi-lateral cooperation. Bi-lateral cooperation is often established between two countries or organisations. For multi-lateral cooperation specific institutions are often established. Interpol is probably the best known multi-lateral partnership between police forces, and its newly established IGCI (INTERPOL Global Complex for Innovation) in Singapore is focused specifically on cooperation against cybercrime. But cooperation structures are also established at regional level. Europol, Ameripol and Aseanapol are structures for police cooperation, whereas Eurojust serves as a good example of international judicial coordination. The content of the partnerships depends on the aims and intentions of the participants. In police cooperation, both bi-lateral and multi-lateral cooperation can be strengthened by the posting of liaison officers. A successful pilot was recently concluded with the colocation of cyber liaison officers in the Joint Cybercrime Action Taskforce (J-CAT). This team has been established as an operational investigative branch attached to the European Cybercrime Centre at Europol with representatives of several EU Member States and some other countries spread over another three continents. The success of this cooperation is positively influenced by the fact that most of the conditions for Europol Public Information 9 / 12

10 operational cooperation as listed above, were already fulfilled between the partners to this initiative. 4.2 Multi-disciplinary partnerships The interconnectivity between sectors in society and the facilitation of that by the Internet also calls for a broad, inclusive approach in dealing with the threats of cybercrime. The ICT industry, social media companies, Internet security firms, the banking sector, industrial manufacturers, CERTs, the telecom sector, including Internet service providers, research institutes and academia, all have a role to play. Law enforcement has become heavily dependent on various sectors. This applies to getting information, expertise, resources, support and more. Botnets can be taken down without police involvement. Legal action by the private sector is taken against the misuse of Internet services. The enforcement landscape and the attribution of roles among the actors have shifted remarkably. At the same time, a multitude of international multi-disciplinary partnerships has already emerged: National Cyber-Forensics & Training Alliance; European Cybercrime Training & Education Group; European Financial Coalition against commercial sexual exploitation of children online; and many, many more. Joining partnerships and signing up for a meaningful cause has become relatively easy. Of course what matters is contributing. 4.3 Sector-specific cooperation In addition to the multi-disciplinary partnerships it is worth law enforcement considering engaging with certain sectors in a targeted way, to allow for dedicated attention to the specifics of such a sector. These could be the vulnerabilities and threats affecting a branch or the possibilities to engage private sector partners in the law enforcement response to certain crimes. Good examples are the opportunities offered by targeted cooperation with the financial sector, the telecom industry, social media, Internet security and CERTs. Each sector can offer a wealth of information; actively contribute to prevention programmes and awareness campaigns and advise on priorities for law enforcement action. Compared to the participation in multi-disciplinary partnerships, which is also important in its own way, the sector-specific approach allows for slightly closer and more trustful cooperation and can therefore deliver even more valuable results. As such, this approach is particularly suitable for more sensitive cooperation. Europol Public Information 10 / 12

11 5 Critical success factors Improving international cooperation is far easier in theory than in practice. To increase the chances of success this chapter offers a number of factors to consider when planning concrete steps for improvement. Innovative. Yes, but not necessarily. If there are existing solutions that work, there is no need to take risks with experiments. However, given the diversity and complexity of cybercrime challenges, thinking out of the box may well help to develop a new approach that does address problems that appeared insurmountable in the past. Scalable. Initiatives taken to improve cooperation must be suitable at several levels. They need to work in the bigger scheme of things and tie in with other, overarching factors of cooperation and at the same time, they need to work at micro-level in the everyday practice of concrete operations. This also applies to the approach towards crimes. Cases should not be looked at in isolation. Instead, they should be seen in the broader scope of the problem to be addressed most effectively. This calls for a thematic orientation, which can only flourish if the bigger picture can be visualised and addressed, requiring extensive data sharing and successful partnerships. Problem-specific. Even though cybercrime is fairly generic, the conditions for prevention and combating may well differ significantly from one environment to another. Instead of looking for a global one-size-fits-all solution, attention must be given to local conditions to resolve issues successfully. A good example of this is capacity building. Huge efforts are needed across the world to get the required know-how, skills, tools and manpower in place to deal with cybercrime. But what needs to be done in Europe may differ a lot from what needs to be done in the Middle-East, North America or Africa. Brave. The fight against cybercrime will not be won by easy, quick wins. Solutions that are more likely to succeed require courage and perseverance. Worth mentioning in this respect are partnerships that push actors out of their comfort zone. Cooperation between law enforcement and national intelligence services or the military is a good example, especially considering that even more natural partnerships such as those between police and prosecutors may sometimes already cause discomfort. Forward-looking. Improvements in international cooperation should predominantly focus on the challenges of tomorrow, rather than on the realities of today. First of all, because it usually takes time to implement new cooperation frameworks. Secondly, Europol Public Information 11 / 12

12 because it allows the changes needed for the international cooperation to go hand-inhand with the adjustments aimed at addressing future challenges. This is not only more efficient, but also enables better integration of the international cooperation into new work processes. Multi-faceted. Since dealing with cybercrime involves many aspects, the international cooperation should equally take into account the multiple dimensions of handling cybercrime effectively, including protection, investigation, prevention and capacity building. The international framework should support a multi-actor eco system in which the relevant stakeholders have and can take up their role without competition or redundant overlapping with others. This applies to law enforcement, prosecution, CERTs, the Internet security industry, ISPs, the financial sector, critical infrastructure owners, academia, the military, the media and many others. Many individual sectors have their own international networks and the dynamics of these need to be understood, respected and considered. International by design. In view of the cross-jurisdictional reality of the Internet, the international dimension should be at the heart of any approach to dealing with cybercrime and cyber security. As such, the aspects related to international cooperation can be considered by default and from the outset and not merely as additional complexities to be addressed as part of the implementation of solutions that were already decided. Europol Public Information 12 / 12