COMMISSION STAFF WORKING DOCUMENT

Ex-Ante Evaluation:

Resources needed to fulfil the tasks set forth in the Commission’s Communication on the establishment of a European Cybercrime Centre (EC3)

1.    Introduction

Cybercrime is an increasingly important concern for policy-makers, businesses and citizens. In many countries, societies have come to rely on cyberspace to do business, consume products and services or exchange information with others online.

According to a recent Eurobarometer Survey on Cybersecurity, around half the internet users in the EU say they buy goods or services online (53 %), use social networking sites (52 %), or do online banking (48 %), while 20 % sell goods or services.

Modes of connecting are growing ever more complex too. Smartphones can access high-speed data networks, enabling people to surf the internet while on the move, and developments such as cloud computing are helping to realise the possibilities of limitless data storage.

Cyberspace has a downside too. Criminals exploit citizens and organisations to steal money, to commit fraud or for other criminal activities, including identity theft. These can range from a type of fraud called ‘phishing’ that fools users into revealing passwords or sensitive data, to complex incidents involving breaking into computer networks to steal data such as business secrets or money.

Some misuses aim to destroy information or deny its availability to others, but the motivations behind such attacks may vary from malicious intent, to anger, ideology or political activism. Many cybercrimes target financial institutions or online entities where transactions take place, or revolve around activities that have a direct or indirect physical element of harm against the person — for example, the online exchange of child abuse material. There are crimes that exist only in cyberspace, such as online bullying or stalking via virtual communities.

There is evidence that the phenomenon of cybercrime is growing. A Commission Feasibility Study identified recent data on cybercrime from some EU Member States. These are recorded cybercrime figures, either from the cybercrime units’ own management information systems, or from official reports, and thus depend on the particular reporting and recording mechanisms in each country.

Both industry and criminal justice statistics show an increase in cybercrimes. Though neither of these sources provides a robust account of the absolute number of cybercrimes, they can provide an indication of trends over time, on the grounds that in each survey or industry report, data have been (with one or two exceptions) collected in a fairly consistent way over time.

Looking at these data, the phenomenon of cybercrime would appear to be on the rise.  However, there is large variance in the range identified and it is not possible to account for what is driving this. Both officially-reported statistics and data provided by industry may provide a skewed perspective. Official criminal justice statistics may under-report cybercrimes due to definition-related reasons, whereas industry figures may over-dramatise the situation, as they need to establish a link between a problem and the solution that might be offered.

The perceptions of EU citizens are, however, also in line with statistics. A July 2012 Eurobarometer Survey found that 74 % of EU citizens consider that cybercrime is on the rise and that internet users are very concerned about cyber security: 89 % avoid disclosing personal information online, and 74 % agree that the risk of becoming a victim of cybercrime has increased in the past year. For those using the internet for online banking or shopping, the two most common concerns are about someone taking or misusing personal data (40 % of users) and security of online payments (38 % of users).

2.    Policy context

The Commission’s March 2012 proposal to set up a European Cyber Crime Centre (EC3)was the culmination of a number of policy initiatives in the field of cybercrime that can be traced back to the JHA Council Conclusions in 2008.[1]

In its 2010 EU Internal Security Strategy (ISS),[2] the Commission stated that one of the five main objectives was to ‘raise levels of security for citizens and businesses in cyberspace’. The first action necessary to fulfil this objective was to ‘Build capacity in law enforcement and the judiciary’. It went on to state how this ought to be done:

‘By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe’s fight against cybercrime’. 

The Strategy recognised that ‘the High Tech Crime Centre at Europol already plays an important coordinating role for law enforcement, but further action is needed’. Subsequently, the European Commission followed up the request of the Council[3] and conducted a Feasibility Study[4] to assess and evaluate the current state of efforts to deal with cybercrime as well as to consider the feasibility of an EC3 across a range of different aspects such as mandate, resources, activities, risks, impact and interoperability with other organisations.

Drawing on the Feasibility Study, the Commission proposed setting up a European Cybercrime Centre ‘which will be part of Europol and act as the focal point in the fight against cybercrime in the EU’ in its March 2012 Communication to the Council and the European Parliament. The Commission Communication outlined the proposed core functions of the European Cybercrime Centre, explaining why it should be located in Europol, and how it could be established. However, the Commission noted that there would have to be further assessment of the implications for resources, and that these would have to be provided for before the EC3 could become fully operational. It also noted that the establishment of this Centre would be reflected, as appropriate, in the upcoming revision of Europol’s legal basis.

On 7-8 June 2012, the Council adopted Conclusions welcoming and supporting the setting up of the EC3. In its Conclusions, the Council also called upon the Commission, ‘in consultation with Europol, to further elaborate the scope of the specific tasks of the European Cybercrime Centre together with more detailed costings in order to estimate the resources that would be required to make the Centre operational in 2013, drawing on the feasibility study and the work carried out by the European Cybercrime Centre implementation team. On this basis the Commission shall report to the Council at the Law Enforcement Working Party and, if appropriate, other relevant Council fora, in order to enable the Council to follow up on and support the progress in the setting up and work of the European Cybercrime Centre’.

It is important to assess the role of actors and stakeholders in the cyber sphere, as this influences the work (and thus resources) of the EC3 and vice-versa. It also helps to determine the extent to which a truly comprehensive approach towards tackling cybercrime can be achieved.

Member States’ law enforcement authorities have the competence to investigate and prosecute crime. However, the landscape varies in terms of organisation within the national law enforcement system and mandate. Such divergence may hinder effective operational and strategic cooperation at EU level.

At EU level, Europol has a mandate to provide criminal intelligence analysis and operational support to Member States to tackle cybercrime. A high-tech crime unit evolved in a rather piecemeal approach since 2001 around three Analysis Work Files (AWFs): on credit-card fraud, child sexual abuse and cyber-attacks. Europol has links with Member States through Europol National Units within the law enforcement authorities (LEAs) of each Member State. 

From a judicial/prosecutorial angle, Eurojust supports judicial cooperation in cybercrime investigation, for instance, by facilitating coordination and providing advice on legal and regulatory frameworks issues of jurisdiction. CEPOL (European Police College) provides EU-wide police training. By developing specialised cybercrime investigation training, it can collate, share and expand the specialised knowledge and expertise law enforcement needs to prosecute cybercrime successfully. The EU Cybercrime Taskforce (EUCTF), made up of heads of high-tech crime units of the MS, is another rather loose structure that contributes to work on fighting cybercrime at EU level.

Within MS, national Computer Emergency Response Teams (CERTs) are important players in case of an attack on critical IT infrastructure to determine the problem and provide technical solutions to resolve a nation-wide crisis. Their relationships with law enforcement authorities are important to help in investigations and secure prosecutions.

The European Network and Information Security Agency (ENISA), established in 2004, has the task of providing support and advice to the Member States, the Commission and the business community in ensuring a high level of network and information security in the Union. ENISA provides an important interface with the CERT community, although it has no powers to address cybercrime operationally. Furthermore, the Commission recently set up its own CERT-EU to support the European Institutions in protecting themselves against intentional and malicious attacks that would hamper the integrity of their IT assets and harm the interests of the EU.

In the field of network and information security (NIS), the Commission launched two initiatives in 2009, the European Forum for the Member States (EFMS), a platform for discussion and exchange of best practices among the Member States, and the European Public-Private Partnership for Resilience (EP3R), a platform for discussion and exchange of best practices between the public and the private sector.

The objective of this Ex-Ante Evaluation is to show how setting up the EC3 addresses the problem and what resources are needed to deliver its tasks in the most effective, efficient and coherent way.

Apart from the Feasibility Study, the current assessment takes into account recent developments within Europol and work carried out by the Commission together with the EC3 Implementation Team (set up following the adoption of the Communication to prepare and the launch and roll-out of the EC3)..

3.    Problem definition

While the phenomenon of cybercrime is growing and becoming increasingly complex, there is no adequate capacity at EU level to tackle it. Two main factors may be identified as contributing to the problem.

2.1 Cybercrime is extremely complex, evolves very rapidly and requires high-level technical expertise to understand its characteristics and modus operandi

Cybercrime is a term that is used to refer to a broad range of different activities relating to the misuse of data, computer and information systems, and cyberspace for economic, personal or psychological gain. Policy-makers at the EU and at national levels, academics and law enforcement practitioners have put forward different definitions and systems classifying cybercrime. The following activities are commonly understood to be types of cybercrime:

· Hacking           / Intrusion

· Distributed Denial of Service

· Attacks against critical infrastructures

· Botnets           

· Malware and spam

· Scams and online frauds

· Phishing

· Identity theft and identity fraud

· Advance-fee fraud conducted Attacks (DDoS) over the Internet

· Online harassment

· Production, distribution and downloading of child abuse material

· Virtual cybercrimes

While some forms of cybercrime present totally new scenarios in view of the context in which they are committed, other forms have parallels in traditional forms of crime, but may include additional complexities due to their digital dimension.

Overall, the phenomenon of cybercrime defies simplistic understanding, evolves rapidly in line with ways in which society uses cyberspace and requires technical knowledge to understand it. The mapping of long-term trends and patterns is therefore complex.

The technical sophistication required to tackle cybercrime comprehensively means that traditional ways of investigating this kind of crime are inadequate.  Law enforcement services need to undergo a high level of IT training to understand the intricacies of the technology involved and keep up with its rapid changes, the new landscape of digital forensics and the  fast-changing modus operandi of cybercriminals. Unless they do so, the EU’s capacity to tackle cybercrime adequately will continue to lag behind and the gap could grow even wider than it is at present. Fast-changing technology has to be matched with fast-changing technological tools that can be deployed in the fight against cybercrime, with personnel capable of adapting and building on previous knowledge and expertise.

2.2 Insufficient flow of information

Highly-skilled expertise gained at national and EU level needs to be exchanged among all Member States so that the EU can improve its response to cybercrime, a phenomenon which is inherently of a cross-border nature and therefore requires cooperation. However, information does not flow efficiently enough at present. Various factors may account for this.

The first is of a cultural/sociological nature and manifests itself at both national and EU level (ie in relation to Europol). Member States have not been forthcoming in sharing cybercrime information with Europol,  though there are signs that this is slowly changing. Reticence to use Europol as a focal point for information exchange is probably due to factors such as a policing culture that is cautious about sharing information, has low awareness and lacks knowledge.

Lack of precision in the legal provisions and organisational factors can also explain the lack of use of Europol channels for exchanging information. Europol National Units are organised differently within different Member States’ law enforcement landscapes, and this has an impact on each Member State’s performance and effectiveness. This problem is not exclusive to the area of cybercrime and tends to arise in most areas in which Europol is active. The perverse effect is that the less information Member States share, the less relevant data Europol has within its databases that could be useful to Member States’ own investigations if it were shared.

The second reason hampering the flow of information is of a more structural nature. Until recently, most Member States did not have structural links with the private sector for the purposes of fighting cybercrime. This meant that few cybercrime incidents reports reached the national law enforcement agencies. This made the gathering of digital forensic evidence problematic. Since the private sector owns and runs most of the internet structures in the digital landscape where cybercrime takes place, it would be more effective to depend less on sporadic cooperation and more on solid structural collaboration. National/Governmental Computer Emergency Response Teams (often known as CERTs) have started to fill this gap and already provide an important interface between public authorities and private stakeholders at national level. However, this is not sufficient, as public-private partnerships should extend over a wide range of issues and not be restricted solely to emergency response situations.

A third factor is partly structural (for instance, inadequate channels in place for individuals to file reports), partly cultural (lack of awareness regarding sanctions against new forms of crime) or from incentives not to report (for instance, the scale of the loss suffered in relation to the complexity of informing the authorities, or an organisation’s legitimate fear that its reputation might be tarnished or its actions be put under the scrutiny of the data protection agencies who might investigate them for not securing clients’ data adequately).

The same problems are reflected at EU level. The current legal framework governing Europol does not allow it to share information directly with the private sector. A business has to go via a Member State LEA, which may report to the Europol National Unit set up in that Member State, that in turn reports to Europol. This clearly imposes unnecessary burdens on multi-national companies that have to inform various LEAs, with Europol depending on each of the intermediaries at Member State level for information. This structure is often a reason for substantial delays, or even loss of information, for all types of crime.

Having an efficient information-sharing system is even more critical in the area of cybercrime, where an immediate response e.g. to a cyber-attack or an exchange of information is vital. The two main factors that contribute to the problem defined earlier have a common end-result which is: less cybercrime resolved, resulting in more EU citizens becoming victims, and more losses to the economy. Eventually, this erodes public trust in the internet-mediated economy, damaging the EU’s growth in an economic sector where it is considered a leader.

If no action is taken, the consequences could be rather serious. It can be assumed that cybercrime would continue to increase, both in terms of volume of malicious activity and in complexity. With the current lack of adequate capacity to fight cybercrime, it would continue delivering significant blows to the EU’s economy and seriously prejudice the well-being of EU citizens, as more persons and businesses become victims or targets of cybercrime.

The Commission’s Feasibility Study revealed a general growing trend in cybercrime, based on data collected from specialised cyber units within the law enforcement agencies of a number of Member States. Failure to contain the threat that cybercrime poses to the EU’s internet-mediated economy in the current challenging economic situation could hamper the EU’s efforts to emerge from the crisis.

2.3 Added Value of EU involvement

The European Cybercrime Centre is being established to overcome the many obstacles to the effective investigation of cybercrime and prosecution of offenders at European level. It is a key step in the EU’s overall strategy to improve cyber-security and to render cyberspace an area of justice where human rights and fundamental freedoms are guaranteed through the cooperative efforts of all stakeholders. 

Because of the transnational nature of cybercrime, facilitated by the inherent borderless nature of the internet, the EU’s role in coordinating efforts, extracting best practices, pooling expertise, tapping synergies and avoiding duplication is indispensable.

The EC3 will significantly bolster the EU’s capacity to confront the growing, complex threat posed by cybercrime, with a view to supporting and complementing Member States’ efforts far better than current capability. It will provide better operational support capacity at EU level for cross-border cybercrime trend forecasts, threat assessments, as well as providing training and capacity  building for staff to tackle complex cybercrime cases.

Member States will benefit significantly from having a focal point equipped with state-of-the-art technology and a highly-qualified, specialised workforce offering a wide spectrum of services and products to complement Member States’ own efforts in fighting technologically-complex transnational crime.

The centre will thus have an important coordinating role in terms of operational support, and will act as a hub within which information on cybercrime from numerous sources is processed 24/7. It will also be forward-thinking, anticipating trends, analysing threats and providing forensic support, training, and strategic guidance towards tackling cybercrime that will be of enormous value to Member States. 

EU agencies will see their capacity to address the challenges raised by cybercrime significantly bolstered.

Europol, as the pre-eminent organisation charged with addressing serious crime and terrorism at European level, will have a stronger mandate to conduct intelligence-gathering and analysis to support law enforcement personnel in the Member States.

Eurojust will benefit from the EC3, fostering inter-disciplinary expertise on cybercrime, better awareness and knowledge of investigative tools, as well as procedures and digital forensics for evidence purposes. Improving contacts between Europol and Eurojust should lead to aligning criminal investigation considerations with judicial/prosecutorial needs in an area that is new and technologically complex for practitioners.

There is scope for many synergies between the converging interests of cybersecurity and fighting cybercrime. The creation of the EC3 therefore benefits ENISA and the EUCTF in terms of identifying strategic priorities.

Finally, the EC3 will enable European cybercrime investigators on the international scene to have a collective voice, for instance, in discussions with the ICT industry (which is global in nature), Interpol’s cybercrime activities (a Digital Crime Centre in Singapore is planned for 2014), other international police cybercrime units and UN or other international organisations.

3.    Objectives

General Objective: To strengthen the EU’s capacity to tackle the complex and constantly-evolving nature of cybercrime with a view to avoiding significant harm to individuals and businesses which can result in major losses to the economy and erosion of EU citizens’ confidence in the internet.

Specific Objectives:

v To enable more extensive, faster information exchange among all stakeholders (Member States, third countries, LEAs, industry etc.) and more effective management of information flows (i.e data fusion, helpdesk and reporting mechanisms)

v To assist Member States’ investigations through more substantive operational support for trans-national organised cybercrime

v To provide extensive, specialised, tailored training to all stakeholders, particularly the law enforcement community within the EU and beyond, in cooperation with CEPOL, where appropriate; to collect, collate and disseminate best practices among stakeholders; stimulate R&D in the area that can translate into practical tools for fighting cybercrime

v To establish a collective voice for the cybercrime investigator community, internally within the EU and on the international scene, through outreach, policy support/strategic direction and regular cybercrime-related threat assessments and trend forecasts/analysis.

Operational Objectives:

Ensure that the EU has the necessary infrastructure to deliver its activities effectively with minimum costs for the EU budget. Such an infrastructure implies:

v sufficient human resources

v sustainable funding, particularly in view of the Multi-Annual Financial Framework discussions for the period 2014-2020

v necessary IT infrastructure and capacity and accompanying highly-skilled expertise required to carry out the tasks

v inclusive governance structure in relation to the EC3’s Programme Board, responsible to advise EC3 management (which ultimately answers to Europol’s Management Board).

4. Policy options and Risk Assessment

Five different options (including the status quo) were assessed in the light of the objectives identified and against the criteria of effectiveness, efficiency and coherence.

Ø Option 0: Maintaining the status quo

Ø Option 1A: The EC3 is set up within one of the existing EU agencies, ie:

· (a) Europol

i. owned by Europol

ii. hosted but not owned by Europol

· (b) Eurojust

· (c) ENISA

Ø Option 1B: The EC3 is set up through the creation of a new agency specifically for this purpose

Ø Option 2: EC3 is set up as virtual centre

Ø Option 3: One Member State runs the EC3 on behalf of the EU

Ø Option 4: EC3 is set up as a public-private partnership (PPP)

Option 0: Maintaining the status quo

No EC3 would be established and activities would continue as now, with various EU institutions currently addressing cybercrime. It is expected that efforts would continue towards integrating the High-Tech Crime Centre (HTCC) in Europol within its Operations Directorate, subject to the next administrative re-organisation associated with the new AWF structure and the upcoming new Europol Regulation. Eurojust would also continue to support the judiciary and public prosecutors and work with Europol on joint investigation teams (JITs). Furthermore, training efforts would continue as now, with CEPOL and ECTEG both delivering different types of training aimed at different customers. Finally, ENISA’s CERT coordination program would develop and refine its interpretation of how to establish cooperation with the CERT community, building on the first CERT–LEA workshop, held in October 2011.

Analysis

Under the status quo, the lack of adequate capacity to tackle the growing, complex problem of cybercrime would remain the same. Europol would continue registering sporadic successes, but the strain on its resources as Member States request more operational support would result in more rejections on Europol’s part, denting trust in Europol’s capacity to respond to transnational cybercrime and a general failure to respond to the cybercrime threat within the EU.

Option 1A: The EC3 is set up within one of the existing EU agencies, ie:

(a) (i) owned and run by Europol

In this option, the EC3 would be anchored within Europol’s legal framework and would be ultimately responsible to the Europol Management Board. Structurally, it would be identical to any specialised unit within Europol, such as the HTCC, but EC3 would have a Programme Board made up of a number of identified stakeholders to fulfil the comprehensive approach envisaged by EU institutions. The Board would be in charge of its general steer and strategic direction.

Given Europol’s current mobile forensic capabilities, network and links to Eurojust, Europol could provide operational investigative support apart from general collaborative support on cybercrime issues that Member States might require in their general work. Achieving the objective of intelligence-sharing would also be of an operational nature, since Europol already has a well-established intelligence apparatus in the form of the AWFs.

With regard to outreach, this would be envisaged as collaborative rather than operational in nature, given the current legal framework as to what can and cannot be shared with the private sector.

The role of Europol in being a point of strategic advice would necessarily be advisory in nature (as this would involve collecting and collating the views of different Heads of HTCUs across Europe). Similarly, contact development would be achieved in a collaborative way at Europol, via sharing information and working alongside national HTCUs and other partners (e.g. private sector). Running an internal ‘one-stop shop’ hotline could be an operational activity (in the same way as the current intelligence databases). Finally, to achieve the objective of training, it would work with other training partners (such as CEPOL, ECTEG, academia and industry), noting that Europol also provides some specific, targeted training of its own (e.g. in investigative techniques). Europol has also signed different types of cooperation agreements with third countries (permitting the exchange of personal data) and institutions (e.g. Interpol).

Analysis

As the EU’s only criminal intelligence agency, Europol has a clear mandate in this domain and is a well recognised ‘brand’ among Member States and other stakeholders (e.g. Interpol, non-EU countries and the private sector). In addition, Europol has for some time had a strategic intelligence and analytical capability in the domain of cybercrime, via its HTCC. This has taken some time to develop since 2009. This internal ‘centre of gravity’ is also bolstered by the skills, knowledge and capability of intelligence analysts from the Operations Directorate who work on the cybercrime-associated AWFs Cyborg, Twins and Terminal. The legal basis of the agency is tailored to its operational support role — it has an extensive and very robust data-protection regime and a complex set of rules governing participation in the AWFs.

This legal basis is currently under revision and might in future offer further flexibility on exchanges of data with external partners, including the private sector. From the perspective of infrastructure, Europol has a brand-new purpose-built physical headquarters and an extensive ICT establishment including a data centre, secured network and forensic facilities. Under this option, Europol needs to receive additional resources to set up and run the EC3 in addition to its existing appropriation. These resources would concern mainly staffing, since extensive physical and ICT infrastructure (as described above) is already in existence, making this option highly cost-effective.

Under the current legal framework, private sector actors can transmit to Europol data regarding technical information on crimes actually suffered or anticipated. This data, in turn, can enable Europol to identify crime patterns or ‘modi operandi’ of criminals or new trends. As regards personal data, Europol can receive this from the private sector only indirectly, i.e. if transmitted by the competent Europol National Unit (ENU) or, if the private party is based in a third country with which Europol cooperates, via the designated contact point in that third country. Experience shows that this rule often causes delays in Europol receiving data, or even has a deterrent effect.

Risks

The fact that the current legal regime prevents direct cooperation between Europol and the private sector would be a potential stumbling block.

The proposed revision would allow Europol to share its strategic and technical data with private parties, including data from confidential sources. Such sources often attribute their low level of cooperation with LEAs to the one-way flow of information (from private parties to LEAs) and cite the lack of feedback from LEAs on interesting findings or assessments that would enable private parties to be more effective in preventing and handling cybercrime. This amendment would improve the effectiveness of the EC3 and improve the flow of information.

Focus on the intelligence and investigative organisational character of Europol could create barriers to the deeper cooperation with other stakeholders needed to achieve the broader strategic goal of building up a bigger picture of the extent of cybercrime. This risk could be neutralised through having a Programme Board with a broad membership that reflects the full spectrum of relevant stakeholders and through a management that takes into account the interests of all members and prioritises the cooperative approach.

(a) (ii) The EC3 hosted but not owned by Europol

Analysis Under this option, the EC3 would have its own mandate, though limited by Europol’s mandate on whose supporting infrastructure it would rely. The existing facilities, infrastructure and ‘brand name’ of Europol would be leveraged by the EC3. However, the EC3 would have a separate legal personality, budget and an explicit mandate to cover specific types of cybercrime, which may be different to that currently defined in Europol’s governing legal instrument. To a large extent, it would be able to conduct the same sort of activities as an EC3 owned by Europol. Additional oversight would be necessary, bringing in perspectives from other organisations (e.g. Eurojust, ENISA, CEPOL). This oversight might be a necessity if the EC3 were to process sensitive personal data (also known as nominal data) in the criminal intelligence aspect of activities supporting Member State level investigations. Such oversight would also need to extend to governance of the EC3 to act as a natural counterbalance to any possible institutional inertia and to help ensure that the EC3 delivers according to its mandate.

In terms of resources, an EC3 hosted by but not owned by Europol would not require  investment in significant capital-intensive items such as a data centre, secured network, information system or extended computer forensic network. These could be ‘hired’ by agreeing internal Service Level Agreements (SLAs) between the EC3 and Europol. The EC3 might pay a sum each year (a percentage of the capital investment in these infrastructures) in return for which it would be allowed to use the resources.

Risks

Such an option would entail the risk of developing an ‘agency within an agency’ and might have the perverse effect of the EC3 being seen as a law enforcement competitor to Europol. Separate operational agreements would have to be established — such as those Europol now has with other organisations, e.g. Interpol — to allow personal data to flow between the AWF infrastructure and the strategic intelligence activities of the EC3. Risks would include those of visibility and the perception of the EC3’s role within the broader criminal justice and private sector communities. This is particularly important in an area such as cybercrime,  where the engagement of the private sector is highly important. The end result might be sub-optimal for both Europol and the EC3, since it would take time for the EC3 to establish its credibility,  while Europol’s might be undermined.

The bureaucratic complexity required to separate Europol (with a possible future mandate to address many different types of serious and organised crime, except cybercrime) from the EC3 (focused solely on cybercrime) would undoubtedly be complex and would require further interaction through other governance mechanisms. The future Europol legal instrument would need to have cybercrime deleted as a type of serious crime. A legal instrument for an EC3 would thus need to define the types of cybercrime that would be within its competency.

(b) The EC3 hosted by Eurojust

Analysis

Many aspects analysed with respect to Europol are also relevant to Eurojust, which already operates Mutual Legal Assistance Treaties (MLAT) support functions and joint investigation teams so achieving this objective would have an operational nature. This option could present similar advantages to the ‘Europol as a host’ option, namely known brand-name, long-established agency with operational functions.

However, providing criminal intelligence functions would have to be collaborative, since Eurojust would need to rely either on the intelligence capabilities of Member States or of others such as Europol. Outreach would have to be collaborative in nature, leveraging the capabilities of stakeholders who have more public presence in the domain. The provision of strategic advice would need to be advisory, as above, as it would require the collation of views from Member States. Concerning the development of contact points, Eurojust would be able to achieve this in a collaborative or operational approach — either by building on its own network, or via linking to others (for example, the G8 24/7 network or the EU Working Group on High-Tech Crime at Interpol). An internal support hotline or one-stop shop could run through operational means, as is done now. Finally, as regards training, this would be necessarily of a collaborative or advisory nature (e.g. working alongside training providers or pointing Member States in the direction of other stakeholders who offer training) since Eurojust does not currently carry out any training activities.

Risks

As an agency with a judicial remit, Eurojust would be legally unable to represent the views of an operational police community, which would be a serious risk. Furthermore, Eurojust would have to rely heavily on MS and Europol to provide any intelligence functions.

(c) The EC3 hosted by ENISA

Analysis

As ENISA is the only ‘core’ EU-level stakeholder with a non-operational function, achieving many of the objectives identified from the empirical evidence base would take the form of collaborative or advisory activity rather than direct operational intervention. The one area in which ENISA could take an operational role is in delivering training (since the Agency has already delivered exercises and also delivers training for LEAs and CERTs). Outreach could be performed more collaboratively, since ENISA already has better links with many of the non-law enforcement stakeholders (especially private industry) than the other current EU-level stakeholders.

Risks

It would be highly unfeasible for ENISA to undertake direct investigative support or intelligence sharing, since these are tasks for which the agency has no competence and no mandate.

Option 1B: The EC3 is set up within a newly-created agency specifically for such purpose

Analysis

Under this option, a new structure, possibly with its own premises, staffing, budget, legal basis and infrastructure would need to be established.

Given this relative freedom, such an agency might be expected to 1) create or 2) lift out and assume the operational implementation of different measures regarded as being of importance. For example, addressing the objective of supporting Member State investigations into cybercrime would be done in a collaborative or advisory way, offering resources (e.g. mobile forensic labs) to Member States. Similarly, achieving the required intelligence capability would be best served in an operational or collaborative fashion, either running an intelligence database (as under the Europol model) or leveraging the intelligence capabilities of Member States. The remainder of the tasks could be undertaken on an operational basis since the mandate of a unit could be designed specifically around implementing measures to address these objectives. For example, the ‘on call’ facility of Eurojust could be housed within a new EU agency (which would require Eurojust surrendering the resources required to implement this). Similarly, a new EU agency could easily assume the functions of training as provided by CEPOL and ECTEG (and even implement measures to obtain certification from an independent academic institution).

Risks

The risks of this option are mainly financial (major costs of setting up a new agency), the length of time it would take for a legal instrument establishing a new agency to be adopted under EU decision-making rules, as well as the added hurdle a new agency would face in establishing itself within an already rather crowded landscape in the area of criminal justice and ICT-related matters.

Option 2: The EC3 is set up as virtual centre

Analysis

Given the differing competencies, perspectives and legal bases of each relevant organisation, a virtual EC3 would aim to link up the organisations to deliver an overall capability, without seeking to create a wholly new organisation. It would nonetheless require some modification to existing structures and might have additional administrative and bureaucratic implications (in establishing frameworks for interoperability between the existing stakeholders).

Such a virtual centre would leverage existing capabilities in each relevant stakeholder (for example, Europol’s intelligence capabilities, provision of investigative support, etc.) in an advisory capacity (e.g. directing queries to other, better-placed stakeholders).

This would be immediately practicable since it would require fewer legal amendments. It might also secure political acceptability, as it would not require setting up new structures or a new agency. A virtual ECC would also be much less resource-intensive to establish compared to the high set-up costs of a new data centre, intelligence machinery and forensic suite. This option goes slightly further than the option of maintaining the status quo.

Links and relationships with other stakeholders would need to be modified, for example by drawing up operational cooperation agreements between ENISA and Europol — which might require amendments to ENISA’s governing regulation, allowing it to process personal data. This would entail less work than creating the legal basis for an entirely new organisation.

Given the broad nature of the activities envisaged for an EC3 (as discussed above), a virtual EC3 is attractive because it leverages the expertise and competency of each organisation without requiring additional capacity or capability.

Risks

There are some significant operational drawbacks to setting up a virtual centre. In general terms, if the EC3 does not have a centre of gravity by virtue of being hosted within a specific organisation, many stakeholders may view it as similar to the ‘status quo’ option. This would not necessarily be the case, as despite being a virtual EC3, it would need a small governance team that would have to be located somewhere, with possible resource implications. A virtual centre would therefore still incur some costs and might also be expected to sign SLAs for use of certain capital-intensive resources owned by Europol (subject to specific rules governing sensitivity and security, for example). Furthermore, the lack of a single institution or organisational host would mean that the positions or perspectives of each stakeholder would not be challenged and existing institutional inertia may conflict with any attempt to work collectively for a common goal.

The main difficulty with this option would lie in the overall guidance needed, which would imply some form of collective board or decision-making authority to ensure that each stakeholder is incited to accept responsibilities, contributes fairly and works collectively and collaboratively, drawing on capabilities within their respective organisations to address problems jointly. This would also suggest that an independent non-partisan and expert chair would be required to marshal the efforts of these organisations.

The mandate of a virtual ECC would be similarly complex and broad. Unlike a mandate for an EC3 hosted by Europol, for a virtual ECC, this would require negotiation between the four main stakeholders to establish where there was enough overlap and consistency between the governing rules of each, to draw up a new mandate that would be compatible and enable each relevant organisation to play its part. ENISA has been focusing on best practice concerning Critical Information Infrastructure Protection (CIIP) through its role in the EP3R (European Public Private Partnership for Resilience) and its CERT cooperation team helps to facilitate best practice across all types of CERT.

Option 3: One Member State running the EC3 on behalf of the EU

Analysis

Under this option, a single Member State would be responsible for the operational running of a new agency, on behalf of the Union. In view of the specific legal, contextual and administrative structures that would be required, the only pragmatic solution would be that to achieve certain objectives. A collaborative or advisory approach might need to be taken — for example, running an intelligence database or providing investigative support. However, in other less controversial domains (for example, outreach to different stakeholders — members of the public, industry, etc.) a Member State could take a much more operational role on behalf of others.

Risks

The precedent for this option is the management agency for the second generation Schengen Information System (SIS), run by the French government (and staffed by French law enforcement officials) on behalf of the rest of the Union. This option would be suited to an EC3 with a clearly defined technical role — for example, specifically for the running of an online reporting platform, rather than the type of EC3 set-up that has been discussed in detail above.

Option 4: The EC3 set up as a public-private partnership (PPP)

Analysis

In this option, a PPP would be set up which would potentially require the establishment of a new administrative structure.

A PPP would include measures already undertaken to achieve objectives as described earlier (such as intelligence provision, investigative support and coordination) which could be either undertaken in-house or via leveraging existing strong capabilities. A PPP would also (by its nature) be able to engage more closely with non-law enforcement players (such as the private sector, academic training partners) to meet some of the requirements identified from  fieldwork.

Risks

Although surmounting the incentive structures to obtain engagement from the private sector (particularly with respect to intelligence exchange) is clearly not a trivial task, the ‘clean sheet’ approach of a PPP could support such interaction.

It is notoriously difficult to establish public-private partnerships due to the diverging interests of private authorities and public authorities, and they are heavily dependent on the willingness of the private sector collaborating effectively.

5.    Comparative analysis of the Options

The detailed analysis above has shown that some of the proposed options would fail the effectiveness test in terms of meeting the key objectives of setting up the EC3.

Options 1A (b) and 1A (c) (the EC3 hosted and/or run by Eurojust or ENISA) are not likely to be feasible in view of the existing mandate of these two agencies. Eurojust’s strict judicial remit would mean a big hurdle to overcome to enable criminal intelligence gathering, while ENISA lacks any operational responsibilities and does not possess a mandate in the field of cybercrime.

Option 1B, (setting up a new agency) has many drawbacks, such as the length of time it would take to set up, the crowded landscape of agencies in the criminal justice area at EU level and the very high cost involved in setting up a new EU agency.

Option 3 (one Member State running the EC3 on behalf of the EU) has in the past only worked in the case of a limited technical role and is not suitable for the EC3 set-up envisaged.

As regards Option 4 (setting up a public private partnership), while PPP is a laudable goal to pursue in terms of general policy, the possibility is also discarded in view of its high risk of failure.

We are thus left with the following three options to compare with the baseline scenario, options 1A (a) (i), 1A (a) (ii) and 2.

These shortlisted options have been assessed against the following six criteria (more details on the comparison are provided in Annex 1):

ü Mandate

ü Resources

ü Activities

ü Risks

ü Cooperation

ü Impact

Assessment / Options || Effectiveness || Efficiency || Risks ||

Human Resources || Sustainable funding || IT Capacity || Governance || Time Needed || Costs of setting up the Centre || Mitigation of exposure to data protection infringements || ||

Option 0 || 0 || 0 || 0 || 0 || 0 || 0 || 0 || 0 ||

Option 1A(a)(i) || + || - || ++ || + || ++ || 3.5 million eur || ++ || ++ ||

Option 1A(a)(ii) || - || - || - - || + || - || 10 million eur || + || - ||

Option 2 || + || - || 0 || - || + || 1.5 million eur || - || - ||

Magnitude of effectiveness and efficiency: ++ strongly positive; + positive; 0 neutral; — negative; — — strongly negative N/A not applicable Figures included in the column on costs cover one-off expenditure and not the running costs of the Centre. ||

The table shows that Option 1A(a) (i) (EC3 hosted and owned by Europol) is the strongest option, particularly due to readily available human resources, physical and IT infrastructure and a very robust data protection system already built-in, absolutely crucial to achieving the objective of a more efficient information flow.

Option 2, which appears as equally strong in terms of available human resources and the time needed to set up the EC3, would imply setting up a new data protection system, with all the difficulties and risks attached to that in terms of ensuring sources of data have confidence in the system, and, subsequently, its effectiveness in terms of data sharing. This is a serious flaw in the effectiveness of this option.

An EC3 owned and run by Europol is therefore the most effective and feasible option. Nevertheless, a more detailed cost evaluation is necessary, considering that the level of resources dedicated to the EC3 will strongly influence its capacity to deliver and match the objectives set out in the Commission’s Communication.

6.    Evaluation of the costs implied by the chosen option

The following table categorises and lists the type of resources to be considered:

Item || Description

Labour || Costs to employ personnel for one year, including salary, pension, social security contributions etc.[5]

Non-Labour || ICT desktop equipment Training Travel and expenses Co-funding Services Software development Software maintenance Studies and research Translation Research & Design and communication

Since Europol has its own physical structure and an existing ICT infrastructure, there are no costs arising from rental facilities or capital-intensive investment on ICT infrastructure. These are in fact huge savings that were considered when comparing the options available.

Allocation of costs

Against the types of activities that are envisaged for the EC3, costs can be allocated as follows:

Activity || Labour || Non-Labour

Governance — general management of the EC3, liaising with Programme Board members, identifying and setting priorities, relations with Europol’s Management Board || Cost of staff to fulfill the governance function of running the EC3, the EC3 Programme Board, liaising with members of the Programme Board and providing general administrative support || ICT desktop equipment, travel and expenses; services; studies and research; design and communications

Data Fusion– synthesise public and private information flows, respond to incoming requests and to coordinate action by the relevant team(s) || Costs of staff to handle vast flows of information from a variety of sources; Costs of staff to develop and manage a cybercrime reporting software application || ICT desktop equipment; research and design; IP software rights

Operational support for investigations — operational analysis and coordination, cyber-attack response, intelligence development, financial investigation and forensic support || Costs for trained analysts to analyse criminal intelligence data and provide ongoing operational and forensic support to MS LEAs || ICT desktop equipment; services

Training  — including identification, together with CEPOL of gaps in knowledge and needs assessment, developing (in cooperation with CEPOL and ECTEG where appropriate) specialised and tailored training programs and tools, collecting and disseminating best practice || Costs of staff to identify training needs, develop training programs and tools, identify best practice, collate and disseminate it || Training, travel and subsistence; studies and research; translation

Outreach and policy support Public Private Partnerships, outreach towards the research community, centres of excellence, CERTs, crime prevention, policy work and strategic planning, trend analysis, early warning and horizon scanning, trend forecasts || Costs of staff for conducting general outreach, strategic and policy work || Travel expenses; cost of necessary ad hoc infrastructure/platform within which cooperation can take place

6.1 Human resources

The Commission’s Communication on the Establishment of a European Cybercrime Centre (28 March 2012) noted that when assessing estimated resource needs, the Commission would be guided by the following three considerations:

1. the increase in the total cybercrime caseload would be moderate

2. Member States would enhance their own capability to fight cybercrime

3. The EC3 would only deal with a certain set of cybercrimes

The above assumptions imply that some form of prioritisation will always have to take place. At present, Europol responds to almost 10 000 requests for operational assistance on cybercrime a year. Such assistance may vary from a mere request to cross-check information with investigations in other MS, to requests for information pertaining to joint investigations, to requests for specialist technical and forensic support. This significant range has an important impact on the resources required. A distinction is thus drawn between:

•      High profile operations: Operational work providing substantial support to at least two Member States but often involving several Member States and/or third countries (sometimes more than 20), with a continuous exchange of information for a prolonged period through the delivery of at least one of Europol’s products and services, but often involving a range of services such as exchange of operational data, analysis and technical support, operational meetings and the exchange of many SIENA messages. Such complex cases involve the work of at least one Europol officer for 6 months/1 year and sometimes even 1.5/2 years.

•      Standard operations/cases: Operational work providing support to MS through the delivery of at least one of Europol’s products or services. A standard operation may comprise one SIENA message involving only a cross-match report.

It is useful to bear this distinction in mind when considering ‘cybercrime case handled’. While the importance of standard operations is not to be underestimated, it is clear that the EC3’s success will be measured to a far greater extent by the number of high-profile operations involving transnational organised cybercrime groups operating within and beyond the EU,  similar to Europol’s crucial operational support in Operation Icarus in which 273 child sexual abuse suspects were identified and 113 of those suspects spread across 23 countries were arrested.

 The analysis below is based on work done by the Commission that draws on the Feasibility Study, as well as on Europol’s needs assessment. The calculation is meant to meet the objectives set out in the Commission’s Communication. An analysis of the tasks of each of the EC3’s five sub-units should help to explain the rationale behind resources needed.  

Operations: Operations performs the coordination of large cybercrime operations (or investigations), operational analysis and support, technical and digital forensic examinations (including on-the-spot). It specifically coordinates complex transnational cases to avoid the overlapping and duplication of efforts among cybercrime units in Member States and partner countries.

Personnel working on each of the three former Analytical Working Files[6] (now called ‘focal points’) are currently distributed evenly, with staff working on each. Europol presented statistics to the Commission that show the low ratio of personnel per high-profile operation. These explain the current limited delivery in operational support (including having to reject or delay support to online child sexual abuse cases). The Commission thus agrees that boosting the capacity of operational support is fundamental to enable Europol to handle more high-profile operations.

Data Fusion: This refers to collecting and synthesising information from various sources to provide a comprehensive cybercrime picture to all other teams in accordance with the relevance of that information to their work. Apart from a fully-fledged one-stop-shop for processing of all cybercrime-related information coming through, the data fusion function could also involve a 24/7 support function, malware analysis, attack monitoring, alert, internal security monitoring, helpdesk, operational coordination, etc.

The data fusion function is also fundamental to the success of the EC3. In terms of data handling, pro-active scanning of the cyber environment and logistical support to all other teams, this will mark a relevant change from the way Europol has been tackling cybercrime thus far. The 24/7 support function which Europol proposed to roll-out in 2013 (and which would require 7-8 personnel to manage) can be delayed until the EC3 achieves cruising speed.

Outreach: The Outreach and Communication teams manage relationships with stakeholders in the Private Sector, Academia and Third Parties. This activity will be vital to create sustainable public-private partnerships and dialogue and is crucial to the concept of the EC3 bringing various communities (law enforcement, computer emergency response teams, industry etc.) together.

The first priority is to ensure the EC3 virtual platform SPACE (Shared Platform for Accredited Cyber Experts) functions efficiently and that any exchange or personal data is framed by sound data protection safeguards. This enables easier exchange and sharing of strategic and technical knowledge and expertise among all interested stakeholders. With time, the EC3 will increasingly become the collective voice of cybercrime investigators in the EU. It will communicate EU views, positions and results in the area of cybercrime; become the EU Central Office for Cybercrime; coordinate EU Member States and EU agencies’ inputs to internet governance and promote standardisation of approaches and adoption of good practice in the field of cybercrime. The EC3 will also deliver tailored newsfeeds on emerging criminal trends, technological developments and other relevant information as it develops. These will be informed by active partnership with research institutes, academia and industry partners.

R&D and Training: This team is devoted to research on technical threat analysis and vulnerability scanning, static forensics, best practice and training and the development of tools, including tools for digital forensics. In cooperation with CEPOL and ECTEG (European Cybercrime Training and Education Group) as well as with Eurojust, private companies and research bodies it will contribute to the design and delivery of cyber-related training.

A cost-effective approach must take advantage of synergies with other players such as the EU’s Joint Research Centre (JRC), CEPOL and ECTEG (for training). The EC3’s primary role is to streamline training, provide valuable input and align it with its strategic products. An important leap from the current status quo is offering key services in cyber forensics. Most Member States view the EC3 as a crucial point of reference on digital forensics, since only a few large ones have developed any capacity in the field. Digital forensic evidence is essential for the successful prosecution of cybercrime cases, so activities to enhance this capacity to support Member States require more resources.

Strategy and Prevention: The Strategy team conducts trend analysis, early warning and horizon scanning, crime prevention, policy work and strategic planning. The analytical level of this unit aims to help partners and stakeholders improve their understanding of  cybercriminal activity and methods, and to anticipate developments.

Delivery of strategic products to enhance the knowledge-base on cybercrime within the EU criminal justice landscape is a very important function. Additional personnel should contribute to providing a forward-thinking Centre that forecasts trends and assesses threats so as to improve the EU’s overall capacity to prevent and respond to cybercrime and feed into the Commission’s policy-making. Through its outreach work towards civil society, preventive work can be achieved through, for instance, awareness-raising campaigns. The Commission can also play an important role in this and supplement such work through its funding programmes and by ensuring proper alignment with the work of the EC3.

In calculating the needs for human resources, the underlying rationale is that a significant surge is needed in the first years, until the EC3 achieves cruising speed in 2015. After 2015, provided there are no major and unforeseen changes in the nature of cybercrime, the increase in personnel could level off. Below is a detailed table of anticipated human resources needs between 2014-2020:  

Table: Commission projections for the number of human resources required each year for each of the EC3 teams until 2019:

|| Strategy and prevention || Outreach and communication || R&D and training || Operations || Data fusion || Management || TOTAL

2012 || 4 || 2 || 1 || 22 || 1 || 1 || 31

2013 || 4 || 3[7] || 4 || 26 || 3 || 4 || 44

2014 || 5 || 5 || 8 || 33 || 4 || 6 || 61

2015 || 6 || 6 || 10 || 43 || 11 || 6 || 82

2016 || 7 || 6 || 11 || 45 || 11 || 6 || 86

2017 || 7 || 7 || 11 || 48 || 11 || 6 || 90

2018 || 7 || 7 || 12 || 51 || 11 || 6 || 94

2019 || 7 || 7 || 13 || 53 || 12 || 6 || 98

The need for more non-human resources

Although Europol’s physical infrastructure is sufficiently equipped for the EC3 to start operating immediately, certain costs that are specific to creating it will still be incurred and need to be factored into the cost-calculation assessment. For this purpose, a difference is drawn between administrative expenditure and operational costs. The former relates to building-related costs, facility and IT equipment, while the latter refers to the day-to-day running costs for missions, meetings, consultancy, training, software upgrades and IT maintenance.

The table in Annex 2 shows the financial resources needed for the EC3 between 2014 and 2019.  

It is important to note that this calculation has been made using the simplified method proposed by DG BUDG — average costs of an official = 127.000/year. Furthermore, the assumption is that staff will be recruited in July each year.

It must further be noted that for the purposes of this calculation, the current 31 staff working on cybercrime within Europol and the extra 12 positions (5 posts + 7 new vacancies) that Europol will reallocate during the course of 2013 are already covered by the current Europol budget. In other words, the salaries of the 43 personnel (existing 31 + reallocated 12) expected to work within EC3 in 2013 are not factored into the calculation. However, all additional staff from 2014 onwards are factored in.

7.    Planning future monitoring and evaluation

Indicators

Below is a table that establishes a format for assessing the success or otherwise of a European Cybercrime Centre:

Field of Intervention || Output Indicators || Result Indicators || Outcome / Impact Indicators

OPERATIONS Identification / disruption / dismantling of cybercrime networks and cybercrimals || No. of operations supported (distinguishing between high-profile and standard operations) No. Joint Investigations Teams (JITs)supported by EC3 || No. of suspects identified, arrested, prosecuted in MS in cybercrime / no. of victims identified No. of cases handled by JITs || EC3 impact on disrupting cybercrime networks and helping MS arrest cybercriminals / MS satisfaction rate of EC3 operational support

Information Sharing || No. of contributions received (from MS, third parties academia, CERT, private sector) Volume of data received No. of helpdesk requests / on-the-spot assistance No. of critical incident reporting from CERTs || No. of different stakeholders requesting support or providing content to EC3 / No. of active users on EC3 space Awareness among EU MS of critical incidents || Extent to which EC3 (Europol) becomes the cybercrime information hub Comprehensiveness of critical incident overview

R&D and TRAINING EU technical capacity for tackling cybercrime || No. of research projects developed/coordinated by EC3 No. of requests (including on-the-spot) on technical and/or forensic issues made No. of training programmes supported by the EC3 || No. of research projects resulting in tools for fighting cybercrime No. of support given on technical and/or forensic issues (incl. on-the-spot) No. of staff trained staff || Extent of use of new tools by MS and satisfaction rate Stakeholders’ reliance on the ‘helpdesk function’ of the EC3 Increase in volume ratio of trained staff over the total amount of staff

Strategy || Portfolio of EC3 strategic products delivered || Quality of strategic products (detail, scope, analytical method) || Extent to which EC3 strategic guidance is reflected at political level

Outreach to stakeholders || No. of contributions received from non-LE stakeholders / No. of collaborative projects between LE and third parties supported by EC3 No. of public awareness campaigns coordinated || No. of data exchanges/ No. of Memoranda of Understanding / No. of PPP agreements / No. of non-LE active users in EC3 Space Delivery and dissemination of campaigns within the MS || Extent to which MoUs and PPPs facilitated general EC3 work Level of public awareness on cybercrime-related issues

The EC3’s work will be monitored, measured and evaluated to ensure the decision has achieved its intended objectives. To this end, the Commission will prepare an evaluation report three years after the start of operations, and send it to the European Parliament and to the Council for review. The report would be based on:

ü an assessment of the results that will be published by the EC3 in its annual report, based on comprehensive objective data similar to those outlined above on performance indicators.

ü any audit reports carried out by the Commission or on behalf of the Commission on the work of Europol, as well as any audits carried out by Europol itself.

ü a survey of public and private stakeholders on their perceptions of the EC3’s work in terms of supporting Member States’ fight against cybercrime in general, technical capacity, research and training, outreach towards third parties, strategic direction and its role as a centre managing huge quantities of information flows.

The criteria that will be used to assess the effect and impact of the creation of the launch of the EC3 will be:

ü progress made in the development of the EC3’s activities

ü success of the EC3’s strategy in fighting cybercrime, in particular the extent to which each of the outcomes outlined in the Table of Indicators above materialise

ü efficient and effective use of resources

ü impact and implications for public and private stakeholders

The following will act as the main monitoring indices:

ü high-profile and standard operations in cross-border cybercrime cases with actual suspects identified, arrested and prosecuted/victims identified

ü accuracy/usefulness/timeliness of threat assessment reports and trend forecasts

ü development of tools (including forensic) and their impact on law enforcement capability to detect and respond to cybercrime more effectively

ü maintenance of databases and use of software tools for managing information flows

ü quality and impact of strategies developed to anticipate and respond to threats

ü quality of training (including the number of persons trained and the spread across the criminal justice landscape)

ü quality and impact of platforms for collaborative action with third parties

ü information exchange and data protection' (i.e. deficits, impacts, infringements, complaints, cooperation with the EDPS and MS, recommendations, etc)

Annex 1 — Comparison of Options according to six criteria

(source: RAND Europe, Feasibility study for a European Cybercrime Centre: Final report)

Comparison overview

Table 7.17 below provides an overview of how each of the feasible options compares in addressing the specific factors relating to the feasibility of establishing an ECC.

Table 7.17 Overall comparison of the options in addressing specific factors

Maintain status quo

ECC owned by Europol

ECC hosted by Europol

Virtual ECC

Mandate

Serious and organised crime as per Art. 4(1) of the ECD

Europol and Eurojust would be governed by existing arrangements which would evolve naturally (e.g. the revised Europol regulation)

ENISA’s activities in cybercrime would continue to evolve in the context of the new ENISA Regulation due 2012

Mandate would stem from existing Europol (serious and organised crime) governing instrument. ECD currently defines this as ‘computer-related crime’ and this is taken to include: hacking (AWF Cyborg); CEM (AWF Twins); credit card fraud (AWF Terminal), mass-marketing fraud

Oversight of the ECC would be within Europol’s existing arrangements (Europol Management Board; EP and Council)

This option would require a separate governing instrument

Mandate might be different from that foreseen in current Europol governing instruments requiring further agreement and negotiation — however this would present complications in terms of the use of Europol’s criminal intelligence gathering apparatus.

Oversight would require new arrangements with the Council and Parliament

This option would require a separate governing instrument

Mandate would need to be an amalgamation of those contained in the other agencies

Bringing together a broader range of agencies might afford the possibility of a broader consideration of preventative measures with respect to cybersecurity

Resources                  Resourcing is most closely tied to the

strategy and mandate of the ECC

No additional resources would be required save the annual year-on-year increase in resources for Europol

The level of resourcing would remain broadly similar as each other option (apart from the Do Nothing option) except for the source of the budget

Could leverage existing Capex infrastructure on ICT platforms; Data Centre and SIENA.

The level of resourcing would remain broadly similar to each other option (apart from the Do Nothing option) except for the source of the budget

Arrangements would need to be found (e.g. via service level agreements) to obtain use of Europol owned resources (e.g. data centre; SIENA)

The level of resourcing would remain broadly similar as each other option (apart from the option of maintaining the status quo) except for the source of the budget and a governance layer

RAND Europe

Analysis of the four candidate options

Activities

Criminal intelligence and limited multi-source intelligence

Operational support

Training and education aimed at the law enforcement community

Criminal intelligence

Operational support

Broad training and capacity-building aimed at all members of the criminal justice community

Criminal intelligence

Operational support

Broad training and capacity-building aimed at all members of the criminal justice community

Criminal intelligence

Operational support

Broad training and capacity-building aimed at all members of the criminal justice community

Coordination and cooperation (including fusion of non-criminal strategic intelligence)

Coordination and cooperation (including fusion of non-criminal strategic intelligence)

Coordination and cooperation (including fusion of non-criminal strategic intelligence)

Risks

Although the status quo option would not be exposed to any of the risks associated with the options involving the establishment of an ECC, the chief risk would be that activities continue to take place in a fragmented and piecemeal fashion leading to worse outcomes in tackling cybercrime

The risks under this option are that it might be difficult to establish effective governance of funding for an ECC since this would not be separate from Europol’s overall budget

Institution within an institution would require complex governing instrument

Complexity would also affect visibility by non-law enforcement stakeholders

Recreating the complex data protection regime would be complex, further hindering immediate results

Perception that its not doing anything

Institutional complexity (how to link each institution or tie them together)

Poor visibility/acceptability by other stakeholders

Recreating the complex data protection regime would be complex, further hindering immediate results

Cooperation                Existing fragmented and ad-hoc co-

operation would continue

Would possibly require further amendments to the ECD (Article governing information exchange with non-law enforcement stakeholders) since as scoped this excludes deeper cooperation with private sector — at present Europol cooperation with the private sector is via liaison and limited to strategic cooperation because of data protection requirements

An ECC hosted at but not owned by Europol would be able to create deeper and more substantive cooperative links with the private sector than might be possible under the first option (due to the possibilities to tailor-make a specific governance structure to address this)

Opportunities for cooperation would be broader giving consideration to the existing relationships established by Europol (with the law enforcement and criminal justice community) and ENISA (with the national/governmental CERT community and the private sector)

Impacts

Impacts would continue to evolve from existing activities such as criminal intelligence analysis (more cases being solved) training (more law enforcement officers being trained) and those Member States collecting more data from a public reporting system

ECC within Europol would allow better cross fertilisation and linking between different crime types.

The hosting of the ECC in Europol would be beneficial in future proofing cybercrime responses as being a facet of criminality rather than a specific and ‘bounded’ crime type in and of itself known as mainstreaming.

Whilst an ECC hosted by but not at Europol would have a focus on law enforcement impacts it would perhaps have more flexibility in consideration of other impacts (for example, prevention)

The impacts of a virtual ECC would be difficult to judge and separate out from those that might already occur under the status quo

Annex 2 — EC3 costs 2014 – 2020

For 2014: The foreseen budget for EC3 comes to € 6.4M. An amount of € 1.7M facilitates the additional staff resources (17 new posts). The remaining non-staff related budget of € 4.7M will cover the main operational activities to be delivered (Data Fusion, Operations, Research & Development and Training, Strategy and Management). It includes the ongoing operational activities (missions, training, financial support for operational meetings, operational equipment, etc.), expansion of the existing building facilities for the lab, building a 24/7 command centre and ICT expenditure. A significant amount of € 2.9M is planned for ICT investments (screens for the command centre, forensic software, laptops, workstations, network expansion, ICT support, service and licences).

2015 – 2020

Commitment appropriations in EUR million (to three decimal places)

Indicate objectives and outputs ò || || || Year 2015 || Year 2016 || Year 2017 || Year 2018 || Year 2019 || Year 2020 || TOTAL

Type[8] || Average cost || Number || Cost || Number || Cost || Number || Cost || Number || Cost || Number || Cost || Number || Cost || Total number || Total cost ||

SPECIFIC OBJECTIVE NO 4 Strengthen EU capacity to tackle cybercrime to avoid harm to EU citizens. businesses and losses to the EU economy || ||

- Output || Supporting MS investigations to dismantle cybercrime networks operations ||           1.237 || 2 ||           2.474 || 2 ||          2.850 || 3 ||          3.112 || 3 ||          3.450 || 3 ||          3.674 || 3 ||          3.674 || 16 ||        19.234 ||

- Output || Information exchange between all stakeholders and fusion of data ||           0.516 || 4 ||           2.063 || 5 ||          2.375 || 5 ||          2.594 || 6 ||          2.875 || 6 ||          3.063 || 6 ||          3.063 || 32 ||        16.033 ||

- Output || Provide EU-wide strategic assessments. develop forensic tools. PPP. training ||           0.344 || 6 ||           2.063 || 7 ||          2.375 || 8 ||          2.594 || 8 ||          2.875 || 9 ||          3.063 || 9 ||          3.063 || 47 ||        16.033 ||

Subtotal for specific objective No 4 || ||           6.600 || ||          7.600 || ||          8.300 || ||          9.200 || ||          9.800 || ||          9.800 || ||        51.300 ||

[1] JHA Council Conclusions 2899th JHA meeting (2008).

[2] European Commission, COM(2010) 673 final.

[3] Council Conclusions concerning an Action Plan to implement the concerted strategy to combat cybercrime, 3010th General Affairs Council Meeting, Luxembourg, 26 April 2010.

[4] RAND Europe, Feasibility study for a European Cybercrime Centre, Final Report, 2012 .

[5] It should be noted that staff occupying restricted posts in Europol are only allowed to serve a maximum of 9 years without possibility of extension. This limitation is due to Europol’s specific legal framework and is unique when compared to other EU agencies. Thus, future liability in relation to indefinite contracts and subsequent pensions does not arise. .

[6] Analysis Work Files are intelligence databases that Member States can submit information to, and request information from. The objective of these databases is to support on-going investigations or initiate new cross-border cases. This is accomplished via building a cross-border picture on active groups including information on their modus operandi, routes for money and sequence of events. In the field of cybercrime 3 AWFs are of relevance: TWINS (child sexual abuse online), TERMINAL (credit card fraud), CYBORG (intrusion). The AWF structure will disappear in view of the creation of a single database on organised crime, but the EC3 will maintain these 3 work-streams, to be re-labelled Focal Points..

[7] EC3 may get an extra SNE but this is not ascertained yet. It is provisionally calculated however. .

[8]           Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).