Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
The roles and duties of CSIRTs and LEAs in Europe in 2021
- All countries analysed have signed the 2001 Council of Europe Convention on Cybercrime and almost all of them have ratified it and the Additional Protocol on the criminalisation of acts of a racist and xenophobic nature committed through computer systems. A Second Additional Protocol to the Cybercrime Convention, on enhanced co-operation and disclosure of electronic evidence, adopted by the Committee of Ministers of the Council of Europe in November 2021, ‘should be opened for signature in May 2022’ (Council of Europe, n.d.f). Each country, however, has specific legislation on cybercrime, which is mandated through many different national laws and different criminal procedural law that governs investigations and the prosecution of (cyber)crime.
- All countries analysed have an NCSS, which sets up the general framework for the coordination and cooperation of all authorities and defines their roles and responsibilities.
- In terms of incident response, in line with the NIS Directive, all countries analysed have established national CSIRTs. However, although there are similarities, the way they are organised and the position they have in the national institutional framework vary from country to country.
- The way LEAs’ activities related to cybercrime are organised also varies from country to country: some countries have specialised central cybercrime units, whereas others have decentralised specialised units or both.
- The structure and organisation of the Judiciary also vary by country: in some countries there are ‘specialised prosecutors or specialised structures within the Prosecution Services dealing with cybercrime offences’, while in other countries ‘the responsibility for dealing with such crimes usually lies “de facto” with specialised public prosecutors and judges, who have been trained or have experience in the area of cybercrime’ (Council of the European Union, 2017c).
- Among the three communities – CSIRTs, LE and Judiciary – different approaches and different levels of cooperation exist. While operational cooperation, especially in daily interactions and informal communication, seems to be well established, sometimes it appears that more structured cooperation would be useful in order to achieve a less fragmented information flow between the three communities. In addition, there is a bigger gap in the interaction between CSIRTs and the Judiciary than in the cooperation established between LE and the Judiciary and between LE and CSIRTs.
- Normally LEAs are not solely involved in the detection and investigation of cybercrimes. A key component of their role is the preventive aspect of cybercrime, and it is here that cooperation with other communities, particularly the CSIRT community, is very important to support preventive strategies. In particular, the responsibility for cybercrime prevention is shared with CSIRTs, since in most cases they are the first of the three communities to detect cyber incidents of a criminal nature within their constituents.
- CSIRTs and LEAs need to cooperate to decrease the risk of evidence being compromised or destroyed.
- CSIRTs and LE may also cooperate during the analysis of evidence.
- CSIRTs play an important role in informing (potential) victims of cybercrime and in providing them with information on how to report a crime to the Police and how to enhance protection against future cybercrimes.
- CSIRTs may be called as witnesses in court, although this is not practised in all the countries analysed. Moreover, when it happens, CSIRTs often provide written reports and are rarely physically called to court.
- Several competences are required for incident handling and cybercrime investigation; while each community has developed its own set of skills and knowledge, each could benefit from the competences of the other communities.
- Some initiatives are in place to facilitate trainings within each community. Most of the joint trainings involve two of the communities (e.g. CSIRTs and LE, or LE and the Judiciary); however, there is a need for further initiatives and for trainings and exercises that involve the three communities together.
- Secondment opportunities between the CSIRTs and the LE are rare. The reason varies depending on the country (e.g. lack of resources, organisational aspects, and/or level of maturity of the CSIRTs).
- The COVID-19 pandemic has changed the way CSIRTs, LE and the Judiciary work together and interact. The greatest impact has been on training and workshop events, as well as face-to-face meetings, which were cancelled in the early stages of the pandemic and later delivered online. As the COVID-19 pandemic has continued, the use of online tools to facilitate meetings and events has become in some instances the norm and the communities have adapted to the new way of working. Establishing trust with new members of the communities in a merely virtual environment can be challenging, but alternating virtual and physical meetings and/or organising hybrid meetings (meetings with some participants in person and some participating remotely), when possible, might help. Overall, there does not appear to have been a significant impact of the pandemic on the ability of the three communities to cooperate. In some instances, the level of vigilance and interaction among the communities has actually increased, with even daily interaction taking place, to ensure that each community is kept up to date.