Chapter 7 - Conclusions

As rates of global Internet connectivity continue to grow, the volume of attacks and the scale of their economic impact will also increase. In light of the vast cyber threat landscape and the limited availability of resources, it is essential to prioritise the right actions and initiatives.

This is particularly true for the EU given its place as a highly attractive target for cybercrime due to its relative wealth, high degree of Internet penetration, its advanced Internet infrastructure and increasing dependency on Internet-mediated services.

Joint action is required to address Cybercrime-as-a-Service. The array of online criminal services makes it possible for any criminal or organised crime group (OCG) to enter into the lucrative realm of high-tech crimes with very limited understanding of the technicalities. This includes a wide range of services which support and facilitate existing cybercrime, for instance counter-antivirus and money laundering services. These services need to be tackled with priority alongside the targeting of skilled criminal programmers. The focus on disrupting the top identified criminal forums and marketplaces, and on targeting individuals with the highest reputations on these fora, should therefore be maintained.

Furthermore, coordinated international action is needed to counter and limit the abuse of anonymity on privacy networks like TOR and I2P. Criminal online markets that facilitate the trade in drugs, weapons, fake IDs and child sexual exploitation online provide a safe haven for criminals. Moreover, there are Darknet sites that promote the communication, exchange of expertise and proliferation of criminal behaviour and extremism. While respecting the privacy of law-abiding users, law enforcement should pro-actively take down these malicious sites and take action against the criminals behind them.

The abuse of anonymity in virtual currency schemes must also be addressed. Although virtual currencies can be used for legitimate financial transactions, the anonymity of such payments makes them very attractive for criminals as they leave little trace of criminal transactions and money laundering. Investigative action against the criminal use of virtual currencies must be a priority.

With regard to regular online payments, citizens and companies need to be better protected against data theft and the abuse of payment credentials. Following successful actions against the procurement of air fares with stolen credit card details, other areas of abuse should be identified and addressed such as the damage caused to online vendors of electronics and luxury goods. Credit card companies and law enforcement should actively support bona fide online retailers with a view to preventing the abuse of stolen credentials and focusing on the prosecution of criminal gangs that are active in this domain.

The proliferation of broadband connections in developing countries has led to growth in on-demand streaming of Child Abuse Material. The mainstream use of social media has also led to an increase in offences such as grooming and sexual extortion.

Not every attempt to hack, intrude or attack is successful. It often takes some experimenting. The lessons learned, also from unsuccessful attempts, can then be used against other victims. Unfortunately, data on successful and unsuccessful cybercrime attempts are usually not shared. This allows criminals to improve their modus operandi while their potential victims get no chance to protect themselves and law enforcement loses the opportunity to intervene and address the threat in a pro-active manner. This calls for collective measures to improve the international sharing of data on such incidents in a standardised and effective way, between all sectors and with law enforcement.

The cyber dimension is spreading gradually across crime areas, including traditional crimes that contain progressively more cyber elements. Yet, it appears that EU law enforcement, Europol included, has not fully conceptualised how to integrate this cyber dimension into all relevant aspects of police work, let alone devised a strategy and implementation plan to make this happen. This does not mean that every police officer needs to become a cyber-expert, but rather that every officer should understand the cyber-related aspects of his or her work and be competent to deal with them. Such a fundamental re-thinking of policing and embedding cyber in structures, processes and training is urgently needed, because it will take considerable time to implement the necessary changes properly while in the meantime the cyber dimension in crime continues to expand rapidly.

To keep up with those speedy developments, continued investments are also needed in building up and maintaining high-tech cybercrime expertise and digital forensic capability. Considering the cross-border nature of cybercrime, it is worth investing in the (further) development and endorsement of EU-wide standards for digital forensics to ensure that evidence collected in one Member State is admissible in court in all other Member States.

Protection capabilities must also improve. Experience in reducing the number of lethal traffic accidents has demonstrated that a strong impetus by industry to implement minimum safety measures, such as safety belts in rear seats and the additional brake-light, is both possible and effective. In fact the reduction in lethal traffic accidents was successfully achieved by a combination of three strategies:

The combination of all three makes the highway a safer place to be. A similar approach should be considered for cyber security on the information superhighway. This applies to hardware and software manufacturers as well as to operators of networks and Internet services. In addition, a stronger visibility and presence online should be considered to address the phenomenon of minimisation of authority of police services online and to create credible deterrence for the criminal misuse of technologies and communication.

Moreover, the virtues of prevention and awareness deserve significantly more attention. For law enforcement there should be a clear obligation to translate new criminal modi operandi swiftly into awareness messages to inform industry and citizens alike. Governments should consider emphasising the importance of Internet security sufficiently to change the mind-set of Internet users effectively in order to embed security awareness fundamentally in their online activities.

Last but not least, the legislators in the EU should jointly agree on preparing a balanced and coherent package of legislative measures that protect citizens and businesses online and enable law enforcement and prosecution services to intervene where necessary.

This package should strike the right balance between protecting the citizen’s right to privacy, while enabling law enforcement to disrupt and investigate when there are clear indications of criminal activity. Those can in particular be identified in anonymised environments that openly aim to attract customers for illicit trade or like-minded individuals for the exchange of experience and proliferation of criminal behaviour.

The empowerment of law enforcement and judicial services should include practical investigative instruments for the detection and attribution of crimes and criminal transactions to end-users and the collection of evidence for that purpose. This implies that relevant data is retained and, where there are clear indications that crimes were committed, made available to law enforcement in accordance with clear criteria and conditions. Furthermore, an obligation for industry and critical infrastructure operators to share threat-related data, also with law enforcement, is a condition sine qua non to enable effective protection. The legislative package would ideally be harmonised across the EU and be interoperable with the existing legal frameworks in the Member States. This is of particular importance to facilitate a successful international law enforcement response to the variety of threats that cybercrime poses to EU society.