European Cybercrime Centre feasibility study

A feasibility study by RAND of the proposal for a European Cybercrime Centre (ECC) suggests that the result risks becoming a bit lopsided. The proposal made in 2010 as part of the the Commission’s Internal Security Strategy seemed to be for a small organisation – perhaps a dozen people or so – to help Member States improve their own provisions against cyber-crime:

By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will
improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe's fight against cybercrime.

As I said in Janet's response to the House of Lords Select Committee at the time, this would be well worth doing; but is already quite a challenge as the RAND study found that different countries have given widely varying remits to the national cybercrime activities that the Centre would work with. For example the UK’s Serious Organised Crime Agency, and several others, aim to reduce harm from serious organised crime; in Sweden the central agency is said to take on novel crimes where it can learn things; in other countries the cyber-crime centre must apparently investigate all crimes of which it becomes aware.

However since 2010 a couple of other problems seem to have been added to the ECC’s remit: first that because there is no consistent reporting of cybercrime across Europe no one actually knows how big the problem is; and second that the police don't have sufficient technical support for existing investigations. So as well as the original activities the RAND report discusses the ECC designing and commissioning (but not running) software that will allow Member States to create their own websites where members of the public can report cybercrimes, and also providing technical support (mostly expected to involve forensic examinations and analysis) for Member State investigations where local skills are not available. Even in the report’s “low-demand” scenario this technical work is expected to require an additional 23 staff; in the “high-demand” scenario it would be 240. Although “cooperation and collaboration is regarded as one of the most important aspects and where the ECC could add the most value” it seems that at least the majority, and possibly a vast majority, of its staff will actually be doing something else.

The report concludes that

...the aspects related to the phenomenon of cybercrime defy simplistic understanding; evolve rapidly in line with how society uses cyberspace; require technical knowledge to understand and the mapping of long term trends and patterns is fraught with complexity. In order to have any chance of success, a future ECC will need to conduct its activities in the context of these characteristics

This seems to require a flexible organisation that can identify new issues in the area of cybercrime, work in collaboration with a “broad-based capability within member states” to identify and disseminate good practice in dealing with them, and then move on to the next of those rapid evolutions. An organisation with up to 90% of its staff dedicated to addressing current skill and resourcing problems may struggle to achieve the required flexibility.

The European Commission has now announced that it will be setting up the ECC within Europol, but it's not clear from the announcement whether the activities of the organisation have been re-balanced.