IOCTA 2016


Investigation

  • Law enforcement needs to have the tools, techniques and expertise to counter the criminal abuse of encryption and anonymity.
  • Law enforcement should continue to focus on attribution and intelligence development in order to identify, locate and prosecute key criminal individuals to achieve a more permanent impact on the criminal community.
  • It is essential for law enforcement to continue to allocate sufficient resources to investigate the malware and services that enable other cyber attacks.
  • Booter/stresser tools are responsible for a growing proportion of DDoS attacks. A concerted and coordinated effort is required by law enforcement to tackle this threat.
  • Following the success of the European Money Mule Action (EMMA) initiatives in 2015 and 2016, more European countries should endeavour to contribute and engage in the related operational and prevention activity. This will result in a greater and more widespread impact on this key area of criminality.
  • Given the additional challenges investigations on the Darknet present to law enforcement, effective deconfliction, collaboration and the sharing of intelligence is essential. This will help to prevent duplication of effort, facilitate the sharing of tactics and tools, and increase understanding of the threat.
  • Law enforcement should make greater use of the Europol Malware Analysis System (EMAS) by submitting ATM and PoS malware samples, in order to identify links to other cases and improve a community-wide understanding of the threat.
  • There should be a continuous effort from all parties to prioritise the victims in the investigation of CSE. That includes law enforcement investing human and IT resources to improve the opportunities for victims to be identified. Such strategies are regularly demonstrated to be valuable in locating children harmed by abuse and preventing further abuse.
  • Taking a phenomenon-centred approach rather than an incident-centred one, successful initiatives targeting fraud in the airline industry should be replicated to cover additional sectors. Operations to target offenders arriving at a physical location to benefit from fraudulent transactions, such as car rentals or other pre-ordered services, may be particularly effective.

Capacity building & training

  • To cope with the criminal use of encryption, law enforcement must ensure it has the training and resources it requires to obtain and handle digital evidence in situ using techniques such as live data forensics, while mindful of the need to avoid weakening cybersecurity in general [8].
  • Law enforcement must continue to develop and invest in the appropriate specialised training required to effectively investigate highly technical cyber attacks. A foundation level understanding of cyber-facilitated and cyber-enabled crime, including the basics of digital forensics (e.g. how to secure/seize digital evidence) should be required by all law enforcement officers, especially first responders.
  • Given the rapidly changing nature of cybercrime and the pace at which technology evolves, there is a need for a more adaptive and agile approach to research and development, including funding opportunities, with a view to delivering relevant results in a more timely manner.
  • As the criminal use of virtual currencies continues to gain momentum, it is increasingly important for law enforcement to ensure that cybercrime and financial investigators have adequate training in the tracing, seizure and investigation of virtual currencies.
  • A coordinated effort should be made by law enforcement to engage with countries where compromised cards are cashed out and where goods purchased with compromised cards are reshipped.
  • Darknets are an environment where cyber-facilitated crime is becoming firmly established. This is a cross-cutting issue that requires support from specialists in multiple crime types. It is not feasible or practical that all such crime is dealt with by cybercrime units when the predicate crime is related to drugs, firearms or some other illicit commodity. It is essential therefore that appropriate training and tool support is extended to those working in these areas to provide them with the required knowledge and expertise.
  [8] Europol and ENISA Joint Statement, On Lawful Criminal Investigation that Respects 21st Century Data Protection, https://www.europol.europa.eu/content/lawful-criminal-investigation-respects-21st-century-data-protection-europol-and-enisa-joint-, 2016

Prevention

  • When it comes to addressing volume crimes, investing resources in prevention activities may be more effective than investigation of individual incidents. In addition to raising awareness and providing crime prevention advice, the campaigns should advise the public on how to report the crimes.
  • Prevention campaigns should not focus solely on preventing citizens and businesses from becoming victims of cybercrime, but also on preventing potential cybercriminals becoming involved in such activity. Such campaigns must highlight the consequences of cybercrime for both the victim and perpetrator.
  • Prevention campaigns should be coordinated with other national and international organisations.
  • Law enforcement should maintain the current momentum in prevention and awareness campaigns relating to mobile malware.
    • Encouraging the use of security software and the reporting of attacks gives law enforcement and the security industry an overall clearer picture and a greater capacity to mitigate the threat.
  • Alongside NGOs and private industry, law enforcement must maintain its focus on the development and distribution of prevention and awareness raising campaigns. Such campaigns must be updated to encompass current trends such as sexual extortion and coercion and self-generated indecent material.
    • Raising awareness and providing children, parents, guardians and carers with the appropriate knowledge and tools are essential to reduce this threat.

Partnerships

  • Law enforcement must continue to forge and maintain collaborative, working relationships with academia and the private sector.
    • The comparison of law enforcement, industry and internet security perspectives on malware threats highlights how small a piece of the overall picture law enforcement actually sees. Law enforcement must continue to investigate reported attacks, but must also be informed by the views of other sectors.
  • Additional effort is required, through more focused information sharing within law enforcement and/or partnership with private industry, to link cases of card fraud. This would facilitate the identification of organised crime groups involved in card fraud.
  • Law enforcement must continue to cooperate with private industry and other law enforcement partners to conduct large-scale operations, both to disrupt cybercrime and to reassure the public and business that law enforcement are actively seeking to protect them.
    • This should also include clear rules of engagement, so that digital evidence acquired through private entity action is admissible in judicial proceedings.
  • In cases where authorities have to report incidents to the national Cyber Security Incident Response Team (CSIRT), agreements should be undertaken to make sure that law enforcement is able to follow up with criminal investigations when needed [9].
  • Law enforcement should make themselves aware of any packet station services [10] operating in their jurisdictions in order to build working relationships with them to mitigate the abuse of these services.
  • As the criminal use of virtual currencies continues to gain momentum, it is increasingly important for law enforcement to build and maintain relationships with the virtual currency community, in particular virtual currency exchangers.
  [9] EU Member State, Law enforcement recommendation, 2016
  [10] Unmanned stations where packages can be delivered and stored securely.

Legislation

  • The difficulties faced by law enforcement operating lawfully in the Darknet are clear, with many jurisdictions restricted by their national legislation. A harmonised approach to undercover investigations is required across the EU.
  • While securing critical infrastructures remains a private sector responsibility, attention should be given by regulators to the compliance of IT systems and mandatory security-by-design.
    • There needs to be a baseline of security standards for those operating systems that manage critical industrial systems, transportation, power grids or air traffic [11].
    • There is a need for provisions aimed at protecting critical infrastructures [12] and securing network and information systems [13] in order to align cyber security capabilities in all the EU Member States and ensure efficient exchanges of information and cooperation.
  • In order to improve criminal justice in cyberspace, existing domestic procedures for the acquisition of electronic evidence should be harmonised. This would include a common approach to cooperation with ISPs, streamlining existing MLA procedures [14] and a possible rethinking of how to establish jurisdiction in cyberspace.
  • In order to avoid safe havens where criminals can avoid investigation and prosecution, harmonisation of the criminalisation of certain conduct is required [15].
  • The Budapest Convention should be implemented in full by all signatories, including EU Member States. Assessments performed by the Cybercrime Convention Committee (T-CY) [16] have shown that not all Parties to the Convention make full use of the opportunities offered. They also show that implementation of it in the national legal frameworks of some of its members is incomplete or not in line with the Convention.
  • Steps should be taken to facilitate intensified cooperation across government (predominantly law enforcement, intelligence services and armed forces), to allow information sharing and a coordinated approach to response to serious cyber attacks.
  [11] Unmanned stations where packages can be delivered and stored securely. http://hpe-enterpriseforward.com/spend-slowdown-puts-squeeze-innovation/, 2016
  [12] European Commission, Communication from the Commission on a European Programme for Critical Infrastructure Protection, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52006DC0786&from=EN, 2016
  [13] European Commission, https://ec.europa.eu/digital-single-market/en/news/directive-security-network-and-information-systems-nis-directive, 2016
  [14] Modernizing International Procedures against Cyber-enabled Crimes, https://www.eastwest.ngo/info/modernizing-international-procedures-against-cyber-enabled-crimes, 2016
  [15] The rapid evolution of cyber threats has led to a situation in which certain conduct is criminalised in some countries, but not in others. An example is the live streaming of child sexual abuse. Even within the EU, there are countries where the act of streaming is not separately criminalised, while at the same time it cannot be captured under 'possession'. Similarly, wilful facilitation of the hosting of illicit content is not criminalized in a number of countries, effectively creating a safe haven for bulletproof hosters.
  [16] Assessing the Implementation of the Budapest Convention, http://www.coe.int/en/web/cybercrime/assessments, 2016