Chapter 6 - Law enforcement

Common issues

Under-reporting and limited sharing of information

Under-reporting is a notable feature of cybercrime. Other crime areas such as fraud have long-established traditional and alternative crime reporting mechanisms such as hotlines and consumer websites. Although many jurisdictions are implementing similar reporting mechanisms for cybercrime, both citizens and industry are still ill-equipped and ill-informed as to how to recognise and report cybercrime.

In addition to a general lack of awareness, other issues affect reporting levels. In child abuse cases, fear is a prevailing deterrent. In cases of data breaches there is a simple unwillingness to report. The damage caused by a data breach or network intrusion goes beyond the disclosure of data or intellectual property; the reputational damage caused by such an event may have considerable impact on a company’s image, its customer relationships and stock value. Understandably then, many breaches go unreported to law enforcement [251] for fear of the repercussions of public exposure.

Furthermore, relevant data and information that is available to LE in one Member State is often not readily shared with other Member States.

Capability, capacity and training

While specialised cybercrime departments are an important first step for LE in combating cybercrime, as a long-term solution they are insufficient. The capability to deal with crime on the Internet needs to be extended across all of law enforcement. Unless officers, starting with those on the ‘front line’, have the skills and knowledge they need, law enforcement will be unable to effectively recognise and react to cybercrimes.

Lack of forensic capability and capacity are often limiting factors in conducting cybercrime investigations. In some instances this can be a lack of digital forensic knowledge and expertise as well as a lack of forensic tool support. Even for well-equipped and experienced digital forensics units, the problem is not a lack of evidence but the volume of material they are required to analyse and the time and manpower it takes to do so. A decade ago a case may have involved a few pieces of media. Today a typical case often involves multiple devices and many terabytes of data [252]. Technology cannot compensate entirely for this growth; the resulting deficit must be met by human resources. Moreover, there is a tendency for companies to offer native, built-in encryption in digital devices, rendering even more advanced digital forensics techniques, such as chip-off methods for mobile phones, ineffective.

Forensic efforts are additionally hampered by the increasing level of forensic skills and techniques displayed by cybercriminals, particularly in the area of child sexual abuse online. The increasing use of encryption by offenders also causes issues for law enforcement.

The lack of capacity may also mean that forensic examinations are limited in scope to obtaining evidence that supports a current operation. Media obtained as part of a criminal investigation may, however, hold a wealth of intelligence or evidence that could either support existing investigations or initiate new ones.

Attribution and detection

The investigation of cybercrime offences is also hampered by the level of anti-forensic measures deployed by criminals. Attribution is a major challenge for law enforcement, whether this is determining the real-world identity behind an online nickname or victim identification in a child abuse case. Anonymisation techniques and the use of virtual currencies make both the technical and money trails difficult to detect and follow.

Jurisdiction

Even if the source of an attack can be identified, it is unlikely to be limited to the investigating state’s own jurisdiction. Cybercrime investigations often span multiple jurisdictions globally and many attackers operate within jurisdictions with which the EU has limited co-operation. Even within the EU or when dealing with co-operative jurisdictions, slow and cumbersome Mutual Legal Assistance Treaty (MLAT) processes can significantly hamper investigations, and the disproportionate effort involved in even modest cases serves as a constraint in times of austerity.

Legal framework

While some progress has been achieved in establishing a suitable legislative framework, much more requires attention, for instance the need for coherence and harmonisation of legislation across the EU and the provision of the investigative legal instruments required to effectively combat cybercrime.

Current data retention laws are insufficient for law enforcement. The majority of intelligence and evidence for cyber investigations comes from private industry. With no data retention, there can be no attribution and therefore no prosecutions. In this context, a new EU Directive on data retention, following the European Court of Justice’s annulment of the existing measure, is urgently required.