A European Commission report, led by the nonprofit Information Security Forum with contribution from CC-Driver, a consortium of 13 partner organizations from nine European countries, issued a cybersecurity framework of five interrelated elements deemed critical to tackling cybercrime and bolstering cybersecurity defenses. Funded by a €5m European Commission Horizon 2020 research program, the report is compliant with the European Commission’s ethical, legal and security requirements.
1) Strategy
Strategy is defined here as the high-level plan consisting of objectives to be achieved and the organization’s direction to achieve said goals. Objectives can include bolstering cybersecurity capabilities, improving cybersecurity awareness or tackling cybersecurity-related offenses. For a strategy to be effective, it must consist of comprehensive and balanced guidance for all stakeholders and not just focus on a subset of individuals or groups. Strategy must also clearly define the key performance indicators (KPIs) alongside realistic timelines to provide all stakeholders with a more transparent review process and assurance. It is often the case that identification and prevention of cyber-threats receive more attention than the latter stages of the cybercrime lifecycle – conviction and punishment. CC-Driver recommends that all stages of the cybercrime lifecycle must receive an equal focus from lawmakers.
2) Legislation
Legislation is a fundamental element that governs the behavior of people in the cyber-sphere. Since the cyber-sphere has no physical boundaries and is not controlled by any single entity, government or individual, it is extremely difficult to regulate. Therefore, legislative authorities and governments must come together and harmonize cybercrime definitions, penalties and fines. Cybercrime reforms should be performed more regularly than reforms to other forms of legislation because the cyber-sphere is fast evolving and regulations can quickly become obsolete if not updated regularly. Lawmakers must maintain a web-based repository of cybercrime offenses that is globally accessible so that other countries can benefit. Users can educate themselves on the different types of crime offenses, and perpetrators are made aware of the consequences of their actions. Legislation must also encourage victims to come forward and explore avenues of legal remedy. Cybercrime offenses have a low conviction rate, which can deter victims from coming forward. Legislation should also include guidance for non-culpable actors like penetration testers, academics, researchers, journalists or even negligent members of the public as there have been cases of non-culpable individuals who’ve been prosecuted when, ideally, they shouldn’t have been.
3) Engagement
Engagement means initiatives or activities (such as training, programs, campaigns) that try to increase the reach and awareness of cybersecurity and cybercrime-related issues. If potential victims are made aware of cyber-threats and how they can mitigate cyber-risks and if potential criminals are made aware of the consequences of committing cybercrime offenses, then this can help reduce cybercrime to a great extent. Such engagement and education must start from a young age. Statistics show that cyber-criminals tend to be younger in comparison to traditional criminals in the physical world. Specific demographics should be engaged more than others; data shows adults under 25 and over 75 are most vulnerable to cyber fraud. As people spend more time online, legislators must leverage well-known online platforms and gamification techniques as a means to disseminate engagement activities.
4) Enforcement
Enforcement translates to efforts in policing the cyber-sphere and protecting its citizens online. Combating cybercrime is a shared responsibility between lawmakers and citizens and, therefore, enforcement agencies must announce incentives that encourage reporting of cybercrime. Enforcement authorities like police officers, judiciary and lawmakers should undertake cybersecurity training to be more effective in their responsibilities. Lawmakers must also provide meaningful data and metrics (in technical and non-technical terms) that aid in effective decision-making for budget holders. Enforcement actions must address root causes, not immediate incidents. For example, phishing is responsible for the majority of ransomware attacks, so the focus should ideally be on mitigating phishing.
5) Assessment
Assessment translates to collecting, managing and analyzing accurate and reliable cybercrime data. Our research found that various countries across Europe use different tools and technologies to analyze cybercrime data, limiting the ability to aggregate, compare and build robust datasets. Countries must therefore try to harmonize their metrics as much as possible to facilitate swift and efficient comparisons. International collaboration must be encouraged to facilitate a greater exchange of cybercrime information. Examples include having an international platform for accessing cybercrime data and creating rapid response mechanisms and secure communication channels between governments. Finally, insights extracted from regular analysis and reporting of cybercrime data must be continuously fed into the engine to execute strategy, legislation, engagement and enforcement reforms.
It’s time the global anti-cybercrime ecosystem comes together, synchronizes its efforts and formulates global protocols that can benefit everyone. Cybercrime is an increasingly pervasive, international threat that cannot be tackled in isolation.