Today sees the official opening ceremony of the European Cybercrime Centre (EC3) at Europol, the European criminal intelligence agency in The Hague. The Centre was set up following an announcement by the EU Commissioner for Home Affairs, Cecilia Malmström, in March 2012. The intent is that the EC3 will act as a focal point for European efforts to tackle the phenomenon of cybercrime.
Cybercrime is increasingly seen as a problem endemic to the digital era, given that more than half of the EU's population is online, social networking sites can boast 1 billion-plus users, and business leaders view personal data as the new oil of the global economy. However, unless Europe can truly join up efforts to address the problem, a number of challenges could undermine efforts to deliver progress in this area.
This became all too apparent to me as I led a RAND Europe feasibility study of the model and location for a new Centre. The team learned about current practices across Europe through face-to-face meetings at 16 national police organizations dedicated to tackling cybercrime. We also analyzed a number of options for the establishment of the EC3, from “doing nothing” to setting up a wholly new agency.
While the opening of the EC3 at Europol, in line with our first-choice scenario, is very welcome, our study uncovered a range of risks that the EC3 will need to confront if it is to tackle cybercrime in a more coordinated and effective manner.
To begin with, there is little agreement on how to define and measure what constitutes cybercrime. Academia and cyber security companies have variously tried to put a figure on its total cost. These estimates range from £2 billion in the UK to global figures topping many hundreds of billions of pounds. The lack of good objective data on the extent of cybercrime doesn't stop politicians arguing that “something must be done.”
Another oft-heard refrain paradoxically states: “It's impossible to measure the true extent of cybercrime … but we know it is increasing.” However, without understanding the extent of the problem, and without robust ways to evaluate the success of efforts to tackle cybercrime, it is extremely difficult to apply resources in an efficient manner. In our interviews we found that allocation of resources was rarely based on evidence of the scale of the problem. Instead, heads of specialized police units argued for as many resources as possible on an annual basis. Even at Europol, the number of intelligence analysts providing its key service appears to be politically driven more than based on robust evidence of need.
Next, the sheer diversity in national approaches to policing cybercrime poses many challenges for the EC3, which needs to provide a common platform to drive consistency. Our visits to the specialist police units revealed a surprisingly broad range of approaches, capabilities, and maturities. For example, while some cybercrime units were in the early stages of development, others had very sophisticated strategic approaches to tackling the most serious types of cybercrime. Some had no in-house intelligence gathering capability, and the provision of training was inconsistent. We didn't see much in the way of evaluation efforts.
More worryingly, there was some ambivalence towards the value of Europol, and instead the global organisation Interpol was often mentioned as the exemplar in this area. It will be important for the EC3 and Interpol to build a form of mutually supportive collaboration to deal with cybercrime beyond the EU.
Another challenge will be tackling the institutional complexities at the EU level to ensure the independence and viability of the EC3. The Centre has been set up within the existing institutional structures of Europol, an arrangement that could result in the Centre being subsumed into Europol's organisation. In our study's analysis of the options, we concluded this to be the lesser of two evils. The second-choice option was to create an entirely new legal entity to be hosted, but not owned, by Europol. Nonetheless, this organization-within-an-organization would still need to leverage Europol's extensive criminal intelligence infrastructure (which is too costly to recreate), leading to more bureaucratic tensions and possibly greater confusion across Europe. Our proposed solution seeks to minimise these tensions.
A related issue is how to engage other types of organisation to address cybercrime, particularly the private sector (especially technology giants and companies who deliver products and services via cyberspace) and the EU's own cyber security agency, the European Network and Information Security Agency. Taking into account initiatives such as the 2CENTRE project (which aims to set up joint public-private training and education centers) will be important, as will leveraging research investment. The latter is especially important as in January 2012 the EU agreed to spend €8 million on a cyber-security initiative (based on the German model called Botfrei) aimed at tackling botnets, which are networks of compromised computers that can be used by criminals to perpetrate a host of cybercrimes including Distributed Denial of Service (DDoS) and e-banking attacks.
Our study proposed the idea of a Capability Board to regularly air and address such concerns. Such a board could also help counterbalance the institutional inertia that might result if the EC3 were to end up as another directorate in Europol. A range of other concerns were identified by our study, including what the legal arrangements should be for the EC3, how to work within existing funding constraints (especially given current austerity), the fragmented situation regarding training provision, and the need to build a common European intelligence model.
Cybercrime pays little respect for national borders. If the EC3 can facilitate better coordination, this should bring incremental progress, provided the other challenges outlined above are not ignored.
Neil Robinson is a research leader at RAND Europe, a division of the nonprofit, nonpartisan RAND Corporation. He conducts research in areas such as cyber security, privacy, and the socioeconomic implications of the information society.
Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.