«Brussels, 27.3.2013 COM(2013) 173 final 2013/0091 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Union ...»
“An information fusion function would ensure information collection on cybercrime from the widest array of public, private and open sources, enriching available police data” and the Council notes in its Conclusions that it should be “the focal point in the fight against cybercrime in the Union, contributing to faster reactions in the case of cyber attacks”.
Services The set of services provided by Data Fusion can be clustered as follows. For each one of
them, it is indicated if it is a new task for Europol or the improvement of an existing one:
1. NEW TASK - Bridge the current gaps in the information available from the communities responsible for cyber-security and for tacking cybercrime. One of the action will be to improve the requirements to report cybercrime offences to national law enforcement authorities;
2. NEW TASK - Provide an oversight for Member States on significant cases and investigations in the EU, in order to enable preventive or investigative coordination to maximise the outcome and minimise the investment of resources;
3. NEW TASK – Pro actively scan the environment, identifying new threats as they emerge, updating stakeholders accordingly;
4. NEW TASK - Provide a 24/7 Cybercrime Help Desk for MS’ law enforcement units;
5. NEW TASK – Coordinate the EUROPOL-CERT activities in order to enhance the information exchange with the CERT community;
EN EN Resources Europol does not have the very specific profile in house to perform data fusion function. That is why this part of the EC3 has to be prioritized for in 2014 and 2015. In 2013, and until the full allocation of staff, work-a-rounds are introduced to build a very basic data fusion service.
This will not form a long term solution and optimum service expected of the EC3 by the Commission, Council and MS and other stakeholders.
2014 (+ 1 AD5) = 4 TA In 2014, data fusion staff will focus on tasks 1, 4 and 5 above. Task 2 and 3 will be started but await 2015 to be at full potential.
2015 (+ 7 AD5) = 11 TA The additional staff requested for 2015 is the minimum necessary to bring this crucial service to an acceptable level. The additional staff requested in 2015 will bring Data Fusion to cruise speed. It will help to ensure the fulfillment of the minimum requirements expressed by the Commission and the Council. As Data Fusion should function on a 24/7 basis, 8 FTEs + 1 team leader is the minimum staffing level required to man a 24/7 service. The remaining 2 FTEs will focus on tasks 1, 2 and 3.
2016 – 2019 (+ 1 AD5) = 12 TA The aim is to reach a staffing level of 12 TA in 2019, ensuring a proper support across all tasks, and already capitalizing on the upward trends in the volume and number of cyber information.
2. OPERATIONS Definition Operations coordinate high profile cross border operations (or investigations), provide operational analysis and support, technical and digital forensic examinations in the Lab and on-the-spot.
It delivers high-level technical, analytical and forensic expertise in joint investigations of cybercrime cases and strives to support the best possible outcome and facilitate liaison with Law Enforcement outside the EU.
In close cooperation with EUROJUST and INTERPOL, it supports and coordinates complex transnational cases in order to avoid the overlapping and duplication of efforts among the cybercrime units in the Member States and partner countries.
Services The set of services provided by Operations can be clustered as follows. For each one of them,
it is indicated if it is a new task for Europol or the improvement of an existing one:
1. IMPROVEMENT – Analysis of EC3 information in order to support MS operations and to facilitate the delivery of operational intelligence. This supports high profile investigations/ operations, complex transnational cases and Joint Investigation Teams;
2. IMPROVEMENT - Technical support delivered on the spot or from Europol headquarters to MS. This can be done through the use of a mobile toolkit, allowing analysts and/or specialists to provide direct forensic support to ongoing EN EN investigations. It can also be done through the use of the Cyber Forensic Lab at Europol HQ;
3. IMPROVEMENT - Coordination of operations by organising operational meetings, supporting Joint Investigation Teams, and assistance in the delivery of EMPACT priorities on cybercrime, online child sexual exploitation and payment card fraud.
Resources 2014 (+ 7 AD5) = 28 TA 2015 (+ 10 AD5) = 38 TA 2016-2019 (+10 AD5) = 48 TA The resource allocation for Operations is closely based on the RAND Europe feasibility study which provided the basis for the Commission’s Communication on the establishment of EC3.
Essentially, RAND’s resource allocation at the end of 2014 is contingent upon the scale of cybercrime and the number of cases supported.
Cognizant that the information flow coming in through Europol’s Secure Information Exchange Network Application (SIENA) system has significantly increased over the course of the last two years, data trends on the use of SIENA clearly indicates that there has been a mild increase in the number of requests sent and received (14%) by Europol and a significant increase in the number of high-profile operations (HPO) supported by Europol through TWINS, TERMINAL and CYBORG (62%). There is indeed a growing need for capacity to ensure that the specialised units have sufficient human capital to continue providing the necessary high-quality criminal intelligence analysis for cybercrime matters.
In 2012, 17 TA were supporting 44 high profile operations and 2593 operational requests.
This gave a ratio of less than 1 TA dealing with 2 high profile operations and 153 operational requests. This is partially addressed with an addition of 4 TA in 2013, but as the number of cases continues to increase and as high profile operations require continuous support for duration of 6 to 24 months, Operations remains understaffed.
The below table shows a projection of the support level provided by Operations until 2019, providing that the number of requests continues to grow at the same rate and that the number of high profile operations will stabilise around 100 from 2014 onwards.
Nr of TA
This tables shows that the increase of staffing will not significantly improve the operational support. It will mainly keep it on a reasonable level. As a high profile operation (HPO) requires continuous support for duration of 6 to 24 months, prioritisation in all mandated areas will continue when a case is submitted. This will still lead to the delivery of a basic service to cases that would normally necessitate fully fledged support.
It is worthwhile to note that capitalising on this upward trend of cybercrime-related workload the benchmark for full-time equivalent posts (FTEs) would be more than 70 TA in Operations in 2014 based on the approach employed in the RAND Feasibility Study.
In that regard, with a request of 48 TA augmented by 2 to 6 SNEs in 2019 (depending on the MS capabilities), Europol’s approach is more than reasonable when trying to meet the EU citizen expectation in a time of budget austerity.
The requested posts are specialists and analysts spread across the EC3 mandated areas.
Non-operational areas of EC3 Although the core EC3 activity will be operational, the Commission and the Council have underlined the need to establish wider partnerships in tackling cybercrime not only with the competent services but also with other public and private bodies.
The Council in its conclusions, “EMPHASISES the importance of ensuring that the European Cybercrime Centre cooperates closely with other relevant agencies and actors such as Eurojust, CEPOL, Interpol, ENISA, the wider computer emergency response team (CERT) community and not least the private sector, to broaden in practice the information picture and exchange of best practices on cybercrime in Europe;
EMPHASISES the need to ensure that the European Cybercrime Centre cooperates closely with the existing Union’s fora dealing with cybercrime, and that the Centre supports the activities and makes use of the expertise within these fora;”
3. R&D, FORENSIC AND TRAINING Definition R&D-Forensic-Training is devoted to research on technical threat analysis and vulnerability scanning, static forensics, best practice and training, and tool development. It coordinates a cost effective approach to take advantage of synergies with other players like the EU’s JRC.
It develops high-level digital forensic and related capabilities for the purposes of deployment in support of Member States’ investigations.
It designs and manages the delivery of cyber related training in close cooperation with CEPOL and ECTEG as well as with private companies and research bodies.
EN EN Services The set of services provided by R&D-Forensic-Training can be clustered as follows. For each one of them, it is indicated if it is a new task for Europol or the improvement of an existing
1. NEW - A central gathering of MS requirements for forensic tools, in order to make best use of EU funds (e.g. FP7 programme) to develop these much needed tools and distribute them to MS competent authorities.
2. IMPROVEMENT - An accredited forensic capability providing state-of-the-art solutions such as a high-end decryption, recovery and analysis of operational information extracted from computers, digital devices or digitally-stored media. It comprises a dedicated ICT network, specialised hardware and software tools, and supports information processing under the AWF regime. It will comply with ISO standards to maximise the reliability of the processes and their outcomes;
3. IMPROVEMENT - A uniform process for training and capacity building in MS, with the scope to upgrade both basic and advanced knowledge of investigative tools, procedures and trends in order for all MS to be able to address the increasing challenge in this crime area which develops rapidly;
4. NEW - identification of good practice related to online investigative techniques and establishment of standards for the gathering and provision of digital evidence, in cooperation with EUROJUST and other relevant partners.
Resources 2014 (+ 1 AD5 and 3 AD6) = 7 TA Forensic: + 3 senior specialists AD6 The forensic support to the competent services will be one of the most important functionalities of EC3. All competent services have forensic laboratories but for some most complex analysis Europol experience is often requested but the majority of cases are seeking external support from specialised laboratories outside law enforcement. With adequate resourcing the EC3 can provide these services. On top of this, MS laboratories face an explosion in digital evidence analysis up to the point where some labs have more then 2 years of backlog. Through centralisation the EC3 laboratory will deliver techniques and reports in advance forensics, in-house and on-the spot that would support the MS digital evidence collection in a fast manner. This team will use advanced techniques found by European R&D to provide more efficient tools to investigators. To staff the laboratory envisaged for the EC3, 3 Senior Specialists are required in 2014 to cover the basic areas of expertise, digital forensics, mobile forensics, network forensics and Malware reserve engineering.
Training: + 1 specialist AD5 In its communication, the Council confirms that “the European Cybercrime Centre should serve as the European cybercrime information focal point, that it should pool cybercrime expertise to support Member States in capacity building and that it should provide support to cybercrime investigations in Member States” Although training and capacity building will be carried out in cooperation with CEPOL and other partners, 1 specialist training coordinator will be needed to carry out these activities. It is the minimum staffing level to ensure coordinated development and delivery of training and awareness-raising initiatives of Law Enforcement, judicial authorities and the private sector.
EN EN This staff will also be responsible to propose harmonisation of procedures in cyber law enforcement, to make sure that all collected evidence in a MS is recognised in another MS and accepted by all courts.
2015 (+ 1 AD5 and 1 AD7) = 9 TA R&D: + 1 specialist AD5 The number of potential EU projects will continue to grow. This will trigger the need for one additional specialist to identify initiatives of interest for EC3 and the MS. The coordination of demand for research and development activities in the EU regarding cyber crime in liaison with ENLETS will be essential for law enforcement to benefit from research in a sound, cost effective and fast tools and knowledge to fight the ever growing demand. EC3 will then be able to propose sound and useful project to the Horizon 2020 program. The growing demand to participate in R&D consortia as advisory will be fulfilled by this staff.
Forensic: + 1 senior specialist AD7 The recruitment of a highly skilled staff member will allow for the growing of the quality of forensic analysis. By 2015 it will be necessary to ensure that all forensic activities conducted in the lab would continue. It will ensure the delivery of accredited high level forensic solutions as soon as possible in 2015 (setting up a decryption platform, ISO 17020 accreditation for the Cyber lab). This person will coordinate forensic activities and be digital forensic crime scene coordinator for important cyber operations where decisions have to be made encompassing different forensic work streams.
2016-2019: (+1AD6 +2AD5) = 12 TA The additional staff will ensure proper coordination of new training activities, in depth forensic activities and larger scope for support of EU R&D projects.
4. STRATEGY-PREVENTION-OUTREACHDefinition Strategy-Prevention-Outreach conducts trend analysis, early warning and horizon scanning, crime prevention and policy work, strategic planning and stakeholder management.
As the vast majority of relevant information is held outside of the Law Enforcement’s remit, it engages in building trust and confidence between the private sector and Law Enforcement authorities, benefiting from key partnerships with the CERTs and ENISA, military and security services, civil society organisations and other stakeholders in the areas of cybercrime, online child sexual exploitation and online fraud.