Press room of the European Commission inside the Berlaymont building, Brussels. Taken on EU open day 2007. (Photo credit: Wikipedia) |
Today, the European Commission adopted a Communication on a European Cybercrime Centre, to be established within the EU law enforcement agency, Europol. The Centre is to become the focal point in the fight against cybercrime in the Union.
Why do we need a European Cybercrime Centre?
The benefits of cyberspace have changed our lifestyles and the way business is conducted. Almost three quarters of European households have Internet access, about a third of the citizens in the Union use home banking. The Internet – started just a mere 30 years ago – makes an immense collective knowledge available to those who connect. The digital economy, with innovative business ideas, holds the promise of growth, important in this current period of economic strain.
However, in recent years, the downside of cyberspace has emerged more clearly as well. Both the volume and the damage inflicted by cybercrime have increased considerably. Online criminal activity comprises a vast range of offences, spanning from identity theft and hijacking web accounts to child sexual abuse, to computer fraud and credit card scams and to serious cyber attacks against public and private information systems (IT systems). Organised crime has discovered the potential of cybercrime and is becoming ever more present in cyberspace.
Cybercrime is a global phenomenon and has become a crime committed on a massive scale with a low detection risk. Jurisdictional boundaries and a lack of information sharing present huge obstacles to the swift detection, investigation and prosecution of cyber criminals. Trained investigators, prosecutors and judges are not available in all Member States and investigative and forensic capacities vary across the EU. Cooperation between law enforcement and other players holding valuable information to better tackle cybercrime is patchy.
These developments start to affect citizens' trust in online security and undermine prospects for the legitimate digital economy. It is for these reasons that, in 2010, the Council tasked the Commission with verifying the feasibility of establishing a European Cybercrime Centre that would become Europe's focal point in the fight against cybercrime.
What is the impact of Cybercrime?
Comprehensive data on the true incidence of cybercrime is not readily available. According to leading Internet security firms, the volume of and the damage caused by cybercrime is rising. This data is backed by partial information available from some Member States' police services.
Moreover, the extent of cyber-attacks affecting public and private information systems clearly increased in 2011 and early 2012. New ways of perpetuating online fraud or cyber attacks appear on a regular basis. Regular advances in information technology make it difficult to foresee what techniques cybercriminals will employ in the future. However, it seems safe to believe that both private and commercial IT users will continue to be increasingly targeted. Another important trend is the rising prevalence of smartphone hacking.
Studies and estimations suggest upward criminal trends in many illegal online activities. In 2011 Norton (a cyber-security firm) estimated that the total global cost of cybercrime was between USD 114 and USD 388 billion. In a 2011 study for the UK Home Office, cybercrime was reportedly costing the UK €30 billion a year - €21 billion of which was attributed to UK businesses. According to the Belgian economic and Financial Crime division, recorded computer crime offences and Internet frauds raised from just above 4000 in 2008 to over 7000 in 2010.
According to the German Criminal Police Office statistics, in Germany, the recorded cases of ''phishing" in online banking (online spying activity that makes users reveal passwords or sensitive data) increased from just less than 2000 incidents in 2008 to over 5000 in 2010. In the UK, according to the Garlik UK Cybercrime report, bank account takeovers increased by 207 percent between 2008 and 2009, with total losses reaching €65,9 million. In 2008 there were almost 44 000 phishing websites targeting UK banks and building societies.
There are 150 000 viruses and other types of malicious code in circulation, and, in 2009, 148 000 computers were estimated to be compromised per day (source Europol).
Between 250 000 and 600 000 Facebook accounts are blocked every day, after various types of suspected hacking attempts.
How will the European Cybercrime Centre go beyond what is already being dealt with by Europol?
The Commission has proposed to establish the European Cybercrime Centre within the European Police Agency, Europol. Under its current mandate, Europol already deals with computer crime. However, given the current limited resources, Europol cannot, for example, efficiently gather information from various sources as the new Centre will, nor does Europol have the capacity to respond to queries from law enforcement authorities, the judiciary and the private sector.
The Centre, while to be placed in Europol, will pursue a shared cross-community approach to tackling cybercrime. Via its Programme Board, the know-how of important partners such as Eurojust, CEPOL, ENISA and Member States as represented by the European Cybercrime Task Force, would be brought in. Another novelty key to the Centre's success will be the exchange of information with partners beyond the law enforcement community. Since cyberspace and the Internet's infrastructure are for the most part owned by the private sector, only a shared, cross-community approach will bring enduring results in the fight against cybercrime.
What will the new Centre do?
The main task of the European Cybercrime Centre is to –disrupt the operations of organised crime networks that commit a large share of the serious and organised cybercrimes. Offences include those generating large criminal profits, those causing serious harm to their victims or those affecting our vital infrastructure and IT systems.
The Centre will gather information from a variety of sources – not only law enforcement authorities – to support investigations conducted by Member States' authorities. This will allow the Centre to identify the most dangerous, pressing cybercrime threats and single out key cybercrime networks in the EU. The Centre will also provide an early warning system for national law enforcement on new vulnerabilities criminals have started to exploit or on how to handle new, technically challenging cases.
The Centre will further develop a common standard for cybercrime reporting so that serious cybercrime can be reported to national law enforcement authorities in a uniform way. Information from a citizen in one Member State reporting a compromise of his bank account could easily be linked to other citizens reporting similar incidents affecting the same bank in their respective countries. In such cases, the Centre will be able to immediately alert all other Member States' authorities.
The Centre will also respond to queries from cybercrime investigators, prosecutors and judges as well as the private sector on specific technical and forensic issues, and would bring together the various players in cybercrime training with the aim of increasing the overall offer of training possibilities and expanding such courses to the judiciary.
Finally, the Centre would assume the collective voice of European cybercrime investigators, providing a platform to develop common positions of Union law enforcement authorities on key issues, for example on Internet governance structures or in building trusted networks with the private sector and non-governmental organisations, and providing the natural interface for international initiatives to curb cybercrime, such as Interpol's work in this domain.
What else is being done to combat cybercrime?
Cybercrime has been a key priority for the Commission since at least 2007. Following the adoption of a Framework Decision on attacks against information systems in 2005, extensive consultations at EU-level have taken place, resulting in the 2007 Communication from the Commission entitled "Towards a general policy on the fight against cyber crime". Most recently, a Commission Communication in 2009 on Critical Information Infrastructure Protection, entitled "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", highlighted the threat posed by cyber attacks, and the need to secure our information systems. 2010 saw a legislative proposal for a Directive to update the aforementioned Framework Decision, the text of which is currently being debated in the European Parliament. In 2011, a Directive on combating the sexual exploitation of children online and child pornography was adopted which is now being implemented.
Later in 2012 the Commission, together with the European External Action Service, intends to present a comprehensive strategy for European cyber-security.