News Item

Supporting the fight against cybercrime

The map to the road less traveled: CSIRTs & Law Enforcement cooperation

Published on April 02, 2020

In an effort to further enhance the cooperation between the CSIRTs, especially national and governmental, and law enforcement agencies (LEAs), ENISA has carried out a survey and analysis of significant issues at hand that are likely to inhibit cooperation. As ENISA usually takes a holistic view of the policy area of CSIRT and LEA cooperation, interactions with the judiciary have also been taken into consideration to the extent possible.

The result of this study is a Roadmap on the cooperation between CSIRTS and LE.

The fight against cybercrime requires the involvement of Law Enforcement Agencies (LEAs), which supported by CSIRTs are likely to be better positioned to investigate complex criminal structures. This picture is incomplete though, unless interactions with the judiciary are equally taken into account due to the pre-eminent role it plays across the Member States in terms of directing criminal investigations.

When CSIRTs, LEAs and the judiciary cooperate, they face challenges that previously, have been categorized, by ENISA as being technical, legal, organizational and/or human behaviour as they associate with organisational culture. Understanding these challenges is essential in an effort to tackle them, further enhance the cooperation and thus stand a better chance in the fight against cybercrime.

Fighting agains Cybercrime: Roles and duties of CSIRTs, LE and Judiciary

Roadmap on the cooperation between CSIRTS and LE image

In 2018, ENISA confirmed that CSIRTs, LEAs and the judiciary have complementary roles and that incident handling varies across Member States. The data CSIRTs and LEAs have access to varies, and it affects information sharing between them when they seek to respond to cybercrime. While CSIRTs interact frequently with LEAs rather than with public prosecutors, CSIRTs when collecting and analysing different types of evidence, they are called upon rarely as witness in court, even though material they collect during the incident handling typically supports an investigation and prosecution of a crime.

The data supporting this roadmap was collected via desk research, interviews with subject-matter experts and an online survey. The data collected has demonstrated that CSIRTs, LEAs and the Judiciary come across a range of challenges that are likely to impact their ability to cooperate effectively. The legal framework has been quoted as an impeding factor when seeking to exchange data. Discrepancies in the levels of technical or legal knowledge is another one, as it may make communication challenging. The chain of custody in evidence collection might also be an issue when using methods that might make evidence likely inadmissible in Court. Incident notifications and cybercrime reporting differ across Member States as different legal obligations might have been laid out by national law.

Recommendations:

Core areas of further analysis and ENISA recommendations in an effort to improve cooperation between CSIRTs, LEAs and their interaction with the judiciary include:

  • Promoting the use of ‘Segregation of duties’ matrix for avoiding conflicting roles and responsibilities of CSIRTs, LE and the judiciary throughout the cybercrime investigation lifecycle.
  • Developing a competency framework for cybersecurity workforce and education and training policies.
  • Promoting knowledge of digital forensics rules.
  • Promoting interoperability of cooperation tools deployed and conceived considering future technologies.
  • Assessing the suitability of cybersecurity certification for common tools and procedures.
  • Simplifying arrangements by creating internal cooperation procedures to streamline exchanges.
The target audience of this roadmap includes mainly, but it is not limited to CSIRTs, LEAs, prosecutors, and judges. This roadmap builds on past ENISA work and it contributes to the implementation of the ENISA programming document 2019-2021, Output O.4.2.2

 

Further Information:

ENISA Roadmap on the cooperation between CSIRTS and LE

ENISA website section on CSIRTs and communities cooperation

For more information on these reports, please contact: [email protected]

For interviews, please contact [email protected]

 

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:

http://www.enisa.europa.eu/media/news-items/news-wires/RSS

PRs:

http://www.enisa.europa.eu/media/press-releases/press-releases/RSS

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies