New EU Body Opens to Fight Internet Organized Crime While U.K. Lawmakers Push For Better Cybersecurity

Establishment of EC3 signals a shift in focus from protection against cybercrimes to chasing cybercriminals, Oerting said at the briefing. The new body will concentrate on gangsters and criminal networks, and be a platform for the national law enforcement agencies of EU members, the U.S., Australia, Canada and other partners, he said. The center will pool expertise and information, support criminal investigations and promote EU-wide solutions, the European Commission said.

EC3 will first establish a “fusion function” to get a grip on how big the cybercrime problem is in the EU, Oerting said. It will determine what’s going on in the criminal environment and online now and over the next five years, he said. The center will focus on child abuse; intrusions, identity theft and malware; and frauds involving such things as mobile payments, he said. EC3 will help raise awareness of how to act and react on the Internet, he said. It will consider Europe’s “forensic health” in determining whether to pool law enforcement efforts, and will interact with other players, such as the private sector, he said. The center will also engage with Internet governance issues, which need a stronger law enforcement voice, he said.

EC3 already has on board the European Network and Information Security Agency, Eurojust and other relevant bodies, Oerting said. But because cybercrime is a global problem, he has teamed up with the new director of Interpol’s cybercrime center in Singapore and is reaching out to others as well, he said. Oerting is also already on the boards of organizations of private companies and has boosted cooperation with Google, Microsoft, Twitter and others, he said.

The center’s first year will be funded by Europol, and talks about future funding are ongoing, said Malmström. EC3 is something EU governments want and support, she said. Asked if assets confiscated during investigations can be used to fund EC3, Oerting said asset seizures are up to individual countries, not Europol.

Governments will be asked what forensic tools they need for investigations, Oerting said. Those will cost a fortune to develop, so he will look into pooling resources or funding them with EU money, which will then return added value to member countries, he said. Police agencies traditionally don’t share information but in EU cybersecurity centers they want to, he said. The more work the center gets, the more funding is likely from national administrations, he said. But “we're not over-selling this,” he said. EC3 will first gauge what it needs and then look for the money.

Oerting was asked if he'll consider hiring “reformed” hackers to help fight cybercriminals. The center is trying to get management approval to hire people who don’t have a law enforcement background, but not hackers, he said.

Separately, the U.K. Commons Defense Committee said Wednesday it’s concerned “that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised.” It’s not enough for the military to do its best to prevent an effective attack, the report (http://xrl.us/bn93ep) said. “In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so -- and urgently create some."

The Ministry of Defense’s (MoD’s) most important cybersecurity responsibility is to manage and protect the systems and networks on which the military depends, the report said. Lawmakers appreciated MoD witnesses’ “frank assessment” of the work still to be done on securing its supply chain and industrial base, it said. Despite that frankness, the witnesses “gave the impression that they believe that an admission of the problem took them close to resolving the problem. It does not.” Parliament wants evidence of more urgent and concrete action by suppliers to address this “serious vulnerability,” it said. The government should be exploiting the opportunity created by cyber tools and techniques to enhance the military capability of the armed forces, it said. In addition, the MoD should be looking at how to draw upon the capabilities of strategic partners such as the U.S., it said.

The MoD’s thinking on the best internal structures for cybersecurity “appears to us to be still developing,” the committee said. “Getting this right must be a top priority.” Moreover, because events in cyberspace happen at great speed, there won’t be time, in the middle of a major international incident, to develop doctrine, rules of engagement or internationally accepted norms of behavior, it said. Much work still needs to be done to determine what kind or extent of cyberattack would warrant a military response, it said. Development of capabilities needs to be accompanied by the fast development of supporting concepts, it said. “We are concerned that the then Minister’s responses to us betray complacency on this point and a failure to think through some extremely complicated and important issues.” That refers to Cabinet Office Minister Francis Maude.

Cybersecurity warrants increased governmental action, and funding, at the highest level, the report said. “The Government needs to put in place -- as it has not yet done -- mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents.” It’s “time the government approached the subject with vigour,” lawmakers said.