Trade Law Daily is a Warren News publication.
European Cloud Needed?

Europol Cybercrime Chief Says CGN a Challenge for Identifying Criminals

Along with more malware, phishing, ransomware and mobile platform malware, cybercops can look forward to more infiltration of large corporations by criminals hacking into the law, accounting and other firms serving them, said Europol Assistant Director Troels Oerting in an interview Monday. The center is also seeing a hike in the volume of mainstream crime by average people who can now easily buy hacking tools, he said. Carrier-grade network address translation (CGN) on IPv4 networks is one of several challenges to tracking cybercriminals, said Oerting, who heads Europol’s European Cybercrime Centre (EC3). Other experts have said CGN may hamper investigations (CD June 11 p5).

It’s possible that large criminal organizations, rather than attacking well-protected companies, are seeking backdoor entry into them through less-secure law and accounting firms and other service providers, Oerting said. EC3 has also noticed a rise in organized theft by malware and other tools made possible by companies that sell crime as a service, he said. The volume of cybercrime is rising because it’s no longer just hackers and “nerds” committing it, but average people who have access to the tools, he said. This distracts the police from going after more organized gangs, allowing the latter to boost their activities through social media, he said.

Europol leads Project 2020, a strategic initiative for the International Cyber Security Protection Alliance that’s studying the future of cybercrime, Oerting said. A series of workshops and exercises with private companies, academics and law enforcement bodies on how they think cybercrime will develop led to a report that will be delivered via nine movies, he said. The films are expected to be unveiled at a September Europol/EC3 conference and then made public on YouTube, he said.

CGN, a version of the network address translation used to cope with exhaustion of IPv4 addresses, has implications for Europol because it involves many people sharing the same Internet Protocol address, Oerting said. There have been cases where CGN has hampered Europol investigations, though if a case is serious enough, there may be other ways of identifying the perpetrator, he said. CGN isn’t the only challenge, he said. Europol believes most cybercrime affecting the EU will come from criminals outside Europe who use cloud services and other systems that make it hard to identify who is behind them beyond a reasonable doubt, he said. Europol is working with EU governments to find ways to amass the evidence needed for courts, he said. The main challenge is that EC3 has to work with countries it doesn’t usually coordinate with, particularly those in Asia, South America and Africa, he said.

U.S. spying via Prism and the National Security Agency is still very much on the minds of European policymakers. In a Monday speech to an American Chamber of Commerce EU conference in Brussels, Digital Agenda Commissioner Neelie Kroes said the U.S., as a trusted partner, should be more transparent with Europeans about what has been going on and allow American companies to be more open with customers and potential customers. “If the U.S. government doesn’t choose this course, it will undermine trust in new digital services, with the risk that users will abandon them or never join the digital ranks,” her written remarks said. The Prism debate “will definitely increase calls for a European cloud,” with a variety of potential consequences for U.S. companies, she said.

Europol doesn’t benefit from Prism or NSA surveillance information, Oerting told us. EC3 works with the FBI, U.S. Secret Service and Department of Homeland Security on child sexual exploitation, payment card fraud and other cybercrime, but doesn’t deal with terrorism, he said.

European Data Protection Supervisor Peter Hustinx said Monday that he’s pleased the European Commission-proposed cybersecurity policy and directive go “beyond the traditional approach” of pitting security against privacy, but they fail to fully ensure that any obligations arising from the directive complement data protection requirements and don’t contradict them. Hustinx wrote (http://bit.ly/11sKv23) that because the strategy doesn’t take into account other EC initiatives and legislative procedures, such as data protection reform, and the proposed regulation on electronic identification and trust services, it doesn’t offer a truly comprehensive, holistic view of cybersecurity and risks, perpetuating “a fragmented and compartmentalised approach.” Cybersecurity isn’t an excuse for unlimited monitoring and analysis of people’s personal information, Hustinx said. It’s not clear how privacy principles will be applied in practice in the context of the strategy and legislation, he said.

Hustinx called for clear definitions of cyber-resilience, cybercrime and cyber-defense since they're used to justify certain special measures that could interfere with privacy and data protection rights. He urged the EC to narrow the definition of cybercrime and to resist over-reaching. He also said data protection law should apply to all actions of the strategy whenever they involve processing personal data. National data protection authorities must play a significant role in ensuring that data processed in cybersecurity matters are handled properly, Hustinx said. Agencies such as Europol should liaise with them, he said. Hustinx last week told us the reports on U.S. eavesdropping on European Internet and telecom users are “mind blowing” (CD June 13 p3).

Europol has a “very strong data protection machine,” Oerting said. It has a data protection officer and is regularly inspected by its independent data protection supervisor, the Joint Supervisory Body, he said. Europol’s strict rules will continue under the proposed data protection reform regulation and new cybersecurity strategy, he said.