EUROPOL’s Master Keystroke: The architecture of cyber superiority in a crime-free EU
Troels Oerting is the current Head of European Cybercrime at EUROPOL and acting head of Europol’s Counter Terrorism and Financial Intelligence Centre. He has over 30 years of law enforcement experience, serving previously as the Director of the Danish NCIS, the National Crime Squad, SOCA (Serious Organized Crime Agency), and Director of Operations for the Danish Security Intelligence Services. He has previously discussed law enforcement’s role in hacking back against cybercriminals when facing cross-border and jurisdictional issues. He represents Europol at ICANN and the ITU.
What are the top three cybercrime threats in 2015?
Three major threats exist for the coming year, and beyond. The first concerns the expansion and refinement of the “Crime-as-a-Service” model, as well as increased use of underground fora and marketplaces by cybercriminals and traditional OCGs (Organized Crime Groups), particularly on Darknets. These fora and marketplaces function as an exchange of increasingly sophisticated tools and services as well as technical skills and expertise required to commit crime enabled, facilitated, or amplified by the Internet.
These marketplaces will also continue to facilitate the growth of other types of crime, such as the trade in stolen goods, drugs, weapons, and counterfeited items as well as money laundering. With successful and visible concerted law enforcement actions such as Operation Onymous, cybercriminals are likely to respond by intensifying their efforts to abuse anonymization services and encryption; for instance, by focusing their activities on P2P marketplaces like OpenBazaar or virtual currencies providing true anonymity such as Darkcoin.
Next is “Malware-as-a-Service”. We are likely to see the development of more sophisticated malware, including ransomware and banking trojans, and a rise in related attacks, for instance in the area of online banking. Malware developers are likely to increasingly target open source software, particularly in cases of known vulnerabilities; for example, the Heartbleed or Shellshock bug, as well as devices running Android. This includes phones as well as smart TVs and others.
Finally, we’ll see increased vulnerabilities surrounding the Internet of Things as more and more interconnected and Internet-facing devices create a broader attack surface, giving new attack vectors and more points of entry for cybercriminals. Criminals are likely to use these new attack vectors to attack not only individuals but also businesses, including operators of critical infrastructure, for instance in the area of smart meter networks. These attacks will range from stealing data and facilitating data breaches to disrupting services and committing fraud – for example, by manipulating meter readings.
Fighting cybercrime appears to be on the collective European agenda. Why haven’t we seen better cross-national cooperation?
Cybercrime is a truly transnational crime, the fight against which typically involves different jurisdictions and actors in different countries. As a consequence, cybercrime investigations face a number of obstacles related to jurisdictions, national legislation, digital forensic standards, know-how and expertise, and the handling of electronic evidence.
There is significant diversity between the legal frameworks across the EU. This impacts the ability to work effectively at a cross-national and international level. In particular, the legal instruments for online detection, lawful interception, decryption, undercover work, and the attribution of cybercrimes to criminals are not consistently available, let alone aligned. This is further complicated by the fact that victims of cybercrime in the EU are frequently targeted by attackers in non-EU countries. In the event of two or more countries having to cooperate outside of existing legal frameworks that specifically address the needs of cross-national cybercrime investigations, abilities are limited by the general Mutual Legal Assistance (MLAT) regime.
Despite these challenges, we have seen significant progress and improvement in cross-national cooperation over the last few years, not least because of the decision to establish the European Cybercrime Centre (EC3), which, at its core, provides a platform for the coordination of high-impact multi-national cybercrime operations.
At the policy level, there have been a number of initiatives to improve and harmonize relevant legislation over the last few years, such as the Network and Security (NIS) Directive adopted by the European Parliament in March. The Convention on Cybercrime deserves mention as well, as it provides a framework for cooperation for EU member states that have signed and ratified it. A number of non-EU countries have joined the convention as well.
EUROPOL is a multi-national police force. How do you successfully leverage the organization to meet member state needs, given the last question?
Since the EC3 officially commenced its activities on 1 January 2013, it has provided substantial operational, analytical and strategic support for EU law enforcement in the three mandated areas – online fraud, online child sexual exploitation, and cybercrime affecting critical infrastructure and information systems in the EU. This has included support for large-scale, multi-national operations with international partners, drawing also on Europol’s existing infrastructure and law enforcement network.
Law enforcement cannot fight cybercrime in isolation. Therefore, EC3 not only puts great emphasis on developing relationships with law enforcement agencies within and outside Europe, but also reaches out to the private sector, academia, and partner organizations such as ENISA, CEPOL, Eurojust, and Interpol.
A very good example of EC3’s efforts to meet the needs of member states in the efficient and effective global cooperation in fighting cybercrime is the recently established Joint Cybercrime Action Taskforce (J-CAT). This is an international operational task force under the leadership of the UK’s National Crime Agency.
It was launched to tackle online crime by pooling resources from EU Member States and key partners from around the world. Law enforcement officers from EU and non-EU countries have joined the J-CAT with a view to coordinating international investigations against key cybercrime threats and top targets. The J-CAT provides an environment that expedites the coordination and cooperation among its members – Cyber Liaison Officers – who have direct access to their national counterparts.
What is the biggest vulnerability to European infrastructure from cybercrime?
Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems controlling critical infrastructure have gradually become more accessible remotely via the Internet. Often these systems have not been designed with remote or Internet access in mind, or they run on software that has reached end-of-life such as Windows XP, which makes them vulnerable to cyber attacks. Cyber threats are therefore becoming a core challenge for the operators of critical infrastructure.
The risk of a malicious attack became apparent when Stuxnet was used to target control systems for nuclear centrifuges. The possibility of such cyber attacks poses an increasing threat to EU critical infrastructure as well, especially when considering cross-sector dependencies and cascade effects where an outage in one critical infrastructure sector may have an impact on other sectors.
Using Stuxnet as an example, social engineering or the ‘human factor’ is another vulnerability for critical infrastructure. Even mission-critical facilities that are not accessible online may be compromised by employees who connect infected devices to the internal network.