EUROPOL – The Internet Organised Crime Threat Assessment

EU Member States investigated a number of data breaches and network intrusions. Notably there were a number of attacks on critical infrastructure – with telecommunications companies being a common target. Other instances involved breaches into private industry and government sectors and were primarily motivated by financial gain, although cases of hacktivism and intellectual property theft are also occurring.

The delivery of the Internet Organised Crime Threat Assessment (iOCTA) is one of the prioritised actions for 2014 agreed within the framework of the EMPACT policy cycle. EMPACT is aimed at coordinating the efforts of Member States’ law enforcement authorities in combating organised crime affecting the EU. Cybercrime is one of the priorities identified for the period 2014-2017, subdivided into three areas: cyber attacks, online child sexual exploitation and payment fraud.

The iOCTA was drafted by the European Cybercrime Centre (EC3) at Europol with strong support and input from Member States and cooperation partners.

The Internet Organised Crime Threat Assessment (iOCTA) informs decision makers at strategic, policy and tactical levels about on-going developments and emerging threats of cybercrime affecting governments, businesses and citizens in the EU. It draws on highly valuable contributions from law enforcement authorities in the EU and from other countries. Partners in the private sector and academia also provided important input to the report. Current and future developments such as Big and Fast Data, the Internet of Everything, wearable devices, augmented reality, cloud computing, artificial intelligence and the transition to IPv6 will provide additional attack vectors and an increased attack surface for criminals. This will be exacerbated by how emerging and new technologies will be used and how they will influence people’s online behaviour.

KEY FINDINGS

Global Trends

• Globally an estimated 2.8 billion people and over 10 billion Internet-enabled devices access the Internet. The growing adoption of the Internet provides increasing opportunities to commit crime facilitated, enabled or amplified by the Internet.
• The advent of the Internet of Everything (IoE) combined with the ever increasing number of Internet users globally creates a broader attack surface, new attack vectors and more points of entry, including social engineering methods, for criminals to exploit, making endpoint security even more important.
• As the scale of Internet connectivity, including mobile access, continues to spread, EU citizens and organisations will be subjected to a larger volume of attacks from previously under-connected areas of the world.
• The EU will remain a key target for cybercrime activities because of its relative wealth, high degree of Internet penetration, its advanced Internet infrastructure and increasingly Internet-dependent economies and payment systems.
• Attacks predominantly originate from jurisdictions outside of the EU, particularly from countries where the proceeds of online crime notably outweigh income from legitimate activities.
• In general cybercrime is increasing in scale and impact; while there is a lack of reliable figures, trends suggest considerable increases in scope, sophistication, number and types of attacks, number of victims and economic damage.
• Cybercriminals need not be present in target countries and are able to conduct crime against large numbers of victims across different countries simultaneously with minimum effort and risk.
• The trans-national nature of cybercrime creates challenges for law enforcement to secure and analyse electronic evidence in countries from where the attacks originate, where there may be no or ineffective legal tools in place or insufficient capacity.

KEY RECOMMENDATIONS

Prevention – Awareness

• Law enforcement should increase its visibility and presence online to address the phenomenon of minimisation of authority in cyberspace in order to increase public confidence in the security of the internet and offer a credible deterrent to criminals.
• Law enforcement should co-operate with third parties, including industry, in running awareness campaigns about cyber threats. This should involve measures highlighting the importance of ‘digital hygiene’ and endpoint security, the
  importance of security by design, and providing more online resources for victims to report crime and seek help and support.
• In this context, law enforcement should support the development of communication programmes to help the general public manage and maintain their privacy online and to establish the norms of social conduct in cyberspace. Particular focus should be given to children at a young age, stressing the need for safe behaviour online.
• Law enforcement should establish a channel through which details of compromised financial data discovered in the course of an investigation can be relayed to the financial sector in order to mitigate potential or further fraud.

Prevention – Capacity Building & Training

• Law enforcement needs to invest in capacity building with a view to acquiring the necessary skills, expertise, knowledge and tools to perform cybercrime investigations, Big Data analysis and Internet of Everything (IoE) related digital forensics. This should range from first responder training on the basic principles of cybercrime, to team leaders managing international cybercrime investigations and ideally be coordinated at an EU level to ensure harmonization. Synergies with the public and private sector and academia should be considered when developing new training courses
• Law enforcement should urgently develop its understanding of how virtual currencies operate, and how to recognise the wide variety of digital accounts which may hold a suspect’s digital assets as a key means to seize the proceeds of crime.

Partnerships

• As cybercrime investigations and electronic evidence often span multiple jurisdictions, it is essential that law enforcement efforts in combating cybercrime are sufficiently supported at the legal and policy levels. Together with Eurojust and other relevant stakeholders, this will require developing more efficient and effective legal tools, taking into account the current limitations of the Mutual Legal Assistance Treaty (MLAT) process, and further harmonisation of legislation across the EU where appropriate.
• The dynamic, evolving and trans-national nature of cybercrime demands an equally diverse and flexible response by law enforcement in close international strategic and operational partnership with all relevant stakeholders.
• Public private partnerships and co-operation and coordination with all relevant stakeholders, including the academic community, will play an increasingly important role.
• As a number of cyber threats emanate from non-EU states, law enforcement needs to explore strategic and operational cooperation and capacity building possibilities with law enforcement in states that criminals operate from. This must be intelligence led and coordinated with relevant stakeholders to prevent overlaps and duplication of effort.

Protection

• In the context of the proposed EU Directive on Network and Information Security, there is a need for a balanced and harmonised approach to information sharing and reporting from national and international stakeholder communities. This should include reporting of certain suspicious activities to national cybercrime centres and the European Cybercrime Centre at Europol.
• Legislators in the EU need to provide law enforcement with the legal instruments it requires to allow it to disrupt and investigate criminal activity, and to access the information it needs in order to apprehend criminals that undermine
  public safety and economic interests.
• Law enforcement should prepare for the transition period from IPv4 to IPv6 and the potential abuse of ICANN’s new generic top-level domains. This should include acquiring the necessary knowledge, skills and forensic tools

Investigation

• Law enforcement should concentrate on pro-active, intelligence-led approaches to combating cybercrime in a prioritised manner, focusing on high impact areas. This will require leveraging existing platforms, such as the European Cybercrime Centre and its respective Focal Points and Interpol’s Global Complex for Innovation, to allow for the pooling of intelligence to better co-ordinate activity and make best use of limited resources.
• In order to measure the scale and scope of cybercrime in a consistent way, there is a need for improved monitoring, reporting and sharing of cybercrime-related data in a standardised EU-wide manner. Law enforcement should work
  with all relevant stakeholders on developing the necessary processes, protocols and trust relationships, considering the tools and services provided by the European Cybercrime Centre and the centre’s potential role as an information and intelligence sharing hub.
• Common digital forensics standards and procedures, including tools and data formats, to facilitate cross-border investigations and the exchange of electronic evidence should be developed and implemented.
• Law enforcement should focus its activities on the top identified criminal forums and marketplaces and on targeting individuals with the highest reputations on these platforms. Given the present predominant use of the Russian language, many law enforcement services will need to increase or adapt their language capabilities.
• Law enforcement should focus with priority on dismantling criminal infrastructure, disrupting the key services that support or enable cybercrime and prosecuting those responsible for malware development, as the numbers of highly skilled cybercriminals are limited and their skills are hard to replace.
• Law enforcement should target for apprehension and prosecution the developers of malware. Many of the more pernicious variants are controlled by closed criminal circles, the disruption of which would have considerable impact.
• Following the successful operations against airline sector fraud other areas of Internet facilitated payment card abuse should be identified and addressed on a global, European or national level.
• The increase of both cyber-enabled and facilitated crime should be met with a proportionate increase of relevant resources and skills within law enforcement.
• In the context of relevant EU legal frameworks and regulations, law enforcement needs to be equipped with the tools and techniques necessary to address the increase in and further sophistication of encryption and anonymisation.

Not every attempt to hack, intrude or attack is successful. It often takes some experimenting. The lessons learned, also from unsuccessful attempts, can then be used against other victims. Unfortunately, data on successful and unsuccessful cybercrime attempts are usually not shared. This allows criminals to improve their modus operandi while their potential victims get no chance to protect themselves and law enforcement loses the opportunity to intervene and address the threat in a pro-active manner. This calls for collective measures to improve the international sharing of data on such incidents in a standardised and effective way, between all sectors and with law enforcement. The cyber dimension is spreading gradually across crime areas, including traditional crimes that contain progressively more cyber elements. Yet, it appears that EU law enforcement, Europol included, has not fully conceptualised how to integrate this cyber dimension into all relevant aspects of police work, let alone devise a strategy and implementation plan to make this happen. This does not mean that every police officer needs to become a cyber-expert, but rather that every officer should understand the cyber related aspects of his or her work and be competent to deal with them. Such a fundamental re-thinking of policing and embedding cyber in structures, processes and training is urgently needed, because it will take considerable time to implement the necessary changes properly while in the meantime the cyber dimension in crime continues to expand rapidly.

Source: europol_iocta_web_report