Report on the “CCB Efforts on Cybercrime” Session

Report | GFCE V-Meeting “CCB Efforts on Cybercrime” | 12 May 2020

The CCB Efforts on Cybercrime meeting was an open session in the GFCE V-meeting program, with the intention that GFCE members and partners not well acquainted with the topic of cybercrime could join the session and learn more about cyber capacity building efforts in this field.

This session aimed to get a better picture of what has been happening in this space considering the recent pandemic and what effect this might have had for a concurrent rise in cyberattacks and cybercrime. With the scale of the problems now becoming clearer, the potential knock-on effects for capacity building efforts are many. Stakeholders therefore shared their perspectives and experiences, talking about how this has affected their activities as well as their outlook on recovery and for continuing the fight against cybercrime.

The session was structured around a series of presentations and interventions from representatives of Council of Europe, United Nations Office on Drugs and Crime (UNODC), Europol, FireEye Mandiant and the Global Cyber Alliance. The session was moderated by Ms. Allison Peters, Deputy Director of the National Security Program at Third Way.

In her opening remarks Ms. Peters mentioned the strong belief of Third Way that criminal justice approaches are critical to addressing cybercrime, including imposing consequences on perpetrators. According to research conducted by Ms. Peters with the World Economic Forum, despite consensus on the need for cyber capacity building, governments are still not allocating sufficient resources to addressing the cyber enforcement gap. With the recent pandemic exacerbating these problems, the question is not only how to strengthen the capacity of the public and private sectors to combat cybercrime but now becomes about making these efforts more institutionalized and sustainable in the long term. Other factors for capacity building include the impact of the pandemic on resources, as well as the changing geopolitical landscape and what implications this may have for negotiations in multilateral fora. 

Mr. Alexander Seger, Head of the Cybercrime Division at the Council of Europe, followed this introduction with talking about the need for capacity building efforts aimed at a more effective criminal justice response, particularly as the cyber enforcement gap highlights that a very small percentage of perpetrators of cybercrime are actually being brought to justice as things currently stand. Legislation is the starting point of these capacity building efforts and good progress has been made in this area, with countries developing legislation broadly based on the Budapest Convention.  However, a connected issue is the lack of capacity of authorities to apply and enforce legislation – the priority should therefore be on training law enforcement authorities and equipping them with specialized skills to respond to the challenges. This is part of a long-term response, with the current crisis underscoring the importance of addressing cybercrime and representing a real test of the capacity of organizations to respond at all levels.

With reference to the recent UNODC report on Cybercrime and COVID19Ms. Live Brenna of the UNODC noted that the recent pandemic has led to an increase in the use of online services from different groups, each of which are uniquely susceptible to cybercrime. Cybercrime is evolving in response to these developments – the threat assessment of UNODC identifies the particular risks that have been exacerbated by the current pandemic and presents some recommendations for addressing these risks. Acknowledging the note of Mr. Seger on the fact that 2020 will see reduced capacity of law enforcement agencies to tackle cybercrime, the intervention of UNODC also confirmed that this is an issue for international organizations as they are funded by member states and therefore their resources for funding cyber capacity building projects are now limited.

Dr. Philipp Amann highlighted the approach of Europol European Cybercrime Center (EC3) in attempting to narrow the enforcement gap through coordination. EC3 continues to strengthen cooperation with its partners at all levels and is primarily focused on opening Europol’s platform for law enforcement during the current pandemic. Cyber criminals are very quick to innovate, adapt to the crisis and develop their modus operandi – this is true for traditional areas of cybercrime, but equally for new areas with the current pandemic opening novel ways for cybercriminals to operate through implementing these adaptations. One particular noteworthy aspect is that ransomware is on the rise, as are malicious Domain Name attacks. In cybercrime prevention, the gold standard is to close the enforcement gap and go after criminals, but prevention represents what might be called the ‘platinum standard’ (sliding left of the kill chain) – in this context, EC3 have various materials on prevention and awareness campaigns that might be of use to other stakeholders. EC3 also continues to provide operational support to partners, offering coordination capabilities and use of an existing network to disrupt criminal investigations. This entails operational, analytical & technical support, but also OSINT and the provision of secure online collaboration and communication solutions. Through these means, EC3 is committed to capacity building and innovation, working with partners to increase skills and expertise of law enforcement whilst developing and assessing the benefits of technological tools and services for use by law enforcement. Ultimately their aim is to help inform policy developments and legislation in order to have a comprehensive approach in combatting cybercrime.

In the address of FireEye Mandiant, Mr. Jon Ford went back to the issue brought up earlier on the low rate of perpetrators of cybercrime being brought to justice, providing an anecdote from his time in government functions on the approach they employed in tackling cybercrime, going after the top 20 cybercrime targets and trying to make a real impact on a global scale. Though this approach had some success, it does not distract from the reality that enforcement of cybercrime regulations and the ‘platinum standard’ of prevention is a very difficult task particularly when uncoordinated. In this respect, Mr. Ford highlighted that law enforcement agencies can only do so much in enforcing their own laws, whilst they also face a number of limitations such as lack of jurisdiction to enforce those laws and impediments in the quantity or quality of data they have access to. FireEye is focused on the common goal of moving towards prevention of crime rather than being primarily about response as we currently are. One key aspect that FireEye is able to leverage in this regard is their access to intelligence at a very early stage – from their network of sensors across the globe they have the ability to see actors begin to tool up in real time before actually conducting attacks. Something that has become apparent is that cybercriminal actors are now tending to use older techniques rather than new methods. This is likely due to the current focus of defenders on trends and potential future developments with much less focus on tried and tested techniques, creating a blind spot in response and prevention. In a final note, Mr. Ford mentioned the need for technical and political attribution as being critical for advancing the discussion on legislation and policies for cybercrime prevention that are impacting us globally.

Participants in the session also had the opportunity to hear from Global Cyber Alliance, a not-for-profit organization focuses on reducing cyber risk by developing and deploying practical, real-world solutions that measurably improve our collective cybersecurity. GCA was established with the support of several organizations, with a number of law enforcement entities also part of their founding organizations. Mr. Terry Wilson, Global Partnership Officer at GCA, gave his thoughts on the need to measure the impact of cyber capacity building whilst looking at what we are aiming to achieve and defining our level of ambition. This issue is not just about capacity, but should also take account of the capabilities and the level of confidence that is required. Mr. Wilson queried what this ambition should be – should it be aspirational, such as an online environment where we are all able to connect and communicate both economically and socially in a secure environment – is this aspirational or is it also achievable? Perhaps it is more realistic to build the capacity of entities to operate whilst under persistent threat and enabling them to embrace disruption safely and whilst building confidence. Given the current context this is a pertinent question that applies to most stakeholders active in this field. To achieve either of these we need to develop capacity through both technical and behavioral interventions. The risks are undeniable, but we can make efforts in reducing it. This requires global cooperation, the development of concrete solutions and really being able to measure whether we are impacting on cybercrime. A clear and concrete objective is to raise the level of entry into cybercrime – as the example of Mr. Wilson highlighted, to have organizations acting with impunity and trying to legitimize themselves is absolutely unacceptable from a law enforcement perspective. This is one of the reasons why we need collaboration and cooperation between stakeholders. Only through linking the skills and expertise of private organizations with public organizations and breaking through policy silos to develop effective solutions with measurable results can we address the challenges that face us.