Europol's European Cybercrime Centre (EC3) is growing faster than expected. Doug Drinkwater visited its offices in The Hague, Netherlands, to find out how it is uniting law enforcement in the fight against cyber-criminals
The European Cybercrime Centre
is based in the distinctive four-tower Europol building in The Hague and is home to 850 people from law enforcement across 28 member states.
EC3 launched in January 2013 with the aim of going fully-operational in 2015. It comes under the ‘operations' division of Europol, along with the Info Hub, SOC and Counter Terrorism groups; the other two divisions are governance and capabilities.
EC3 has its own break-out divisions for strategy and operations. The latter encompasses cyber intelligence, ‘cyborg' (high-tech crimes), ‘twins' (online child sexual exploitation) and ‘terminal' (payment fraud).
SC Magazine met with EC3 director Troels Oerting and head of operations Paul Gillen, as well as several cyber-crime investigators based at the Europol HQ, to get an understanding of the unit's work so far and the challenges that lie ahead.
Oerting admits that he and his group have had to learn quickly to keep pace with cyber-criminals. “It's an extremely interesting environment, especially now because it's moving so fast. We're just trying to cope and the police are behind,” said Oerting.
“We have around 70 [people] now.” The plan was to several hundred before the economy and banking crisis took hold.
Nonetheless, Oerting adds that he has budget for more staff and extra resources from Europol in the coming year but is keen to point out that the unit has to be picky when it comes to employing the right staff. Investigating digital crime is not a straightforward process, with law enforcement arguably facing a bigger information security skills gap than any other sector
“The problem is, we can't just move a guy from people-trafficking and say, OK, now you are a computer expert,” Oerting tells SC
“We need to recruit experts; we'd rather grow slowly but with the right people.”
EC3's current remit sees the strategy division take a ‘helicopter' view, tasked with looking into cyber-crime prevention, protection, prosecution and governance.
Meanwhile, Oerting says that operations – lead by Gillen – undertakes and leads take-downs against cyber-criminal groups. It was the European hub for the takedown on Gameover Zeus and CryptoLocker botnets which were said to have infected some 500,000 PCs worldwide, and it also helped the NCA takedown of the infrastructure behind the Shylock malware.
The group is working closely with private industry, and has an ‘Outreach' public private partnership with Microsoft, Facebook
, Twitter, Google, Amazon and security companies such as MacAfee, Kaspersky and Symantec, plus the European Bank Federation and its 21 associated banks. A similar Outreach programme is currently being built for retail, a prime target for hackers seeking financial data.
For Oerting these relationships are essential because private industry is where most the expertise lies in cyber security. “We have to walk the talk in cyber, because we simply don't possess the information,” he said.
He added that this learning exercise would be vital if the EC3 was to provide the level of expertise required by member states with differing levels of skills in the cyber-crime field. “You need to have something to offer that they don't have, otherwise we are not relevant for them. This is key to have diversification.”
EC3 is thus not only bidding to keep up with private industry and high-tech member states but also with the burgeoning technology market and new attack vectors.
Oerting says that EC3 is looking into protecting firms from IP rights theft and he also highlights concerns around the Internet of Things, Big Data and wearable technology.
For now though the group is fixed on today's cyber-crime which – according to partner McAfee – costs the global economy £350 million each year. Oerting admits that the fight is not getting easier.
The main problem for law enforcement and legislators is the lack of geographical borders in cyber-crime – criminal groups will often conduct an attack on a company from hundreds of miles away, all the while using proxy servers to bounce their internet traffic via other jurisdictions.
Oerting says that this is creating a paradigm shift from the traditional methods of policing which sees investigators work with the likes of border controls, profiling, neighbour controls, and CCTV. Investigating cyber-crime is tough – some countries don't have the capabilities to forensically investigate such criminality so they come to EC3 instead.
When at the centre, they'll take part in operations and their cyber-crime chiefs will come together with Europol where they can voice their technology requirements. In accordance with EC guidelines, under EC3's tender process vendors are invited to bid for contracts in order to provide these solutions.
However the EU has a problem with some countries outside its jurisdiction who may refuse to deport suspected hackers.