“No single tool can be responsible for bolstering
cybersecurity capabilities and tackling cybercrime”
The global pandemic has resulted in a sharp increase in cybercrime, on top of the existing trend already observed in recent years. This can be attributed to a variety of reasons, including the shift from offices to work-from-home (WFH) environments meaning corporate devices are employed for personal uses, and the negligence of cyber hygiene due to health and financial stresses associated with the pandemic. With higher levels of cybercrime likely to become the norm, a variety of actors need to develop new, more effective methods and tools to prevent, investigate and mitigate cybercriminal behaviour.
This was the approach of partners producing the CC-DRIVER research report: A Review and Gap Analysis of Cybersecurity Legislation and Cybercriminality Policies in Eight European Countries. The eight-country scope included France, Germany, Italy, the Netherlands, Romania, Spain, Sweden and the United Kingdom. The report produces findings and recommendations that build upon desktop research, partner-completed questionnaires, roundtables and workshops. These activities were performed by a diverse set of partner organisations from industry, academia and law enforcement backgrounds.
There are a number of elements partners believe are critical when trying to bolster cybersecurity capabilities and tackle cybercrime, five of which are examined in this report: strategy, legislation, engagement, enforcement and assessment. While this is not an exhaustive list, with potential exclusions being regional or sector-specific standards and school curriculums, it does provide a pragmatic analytical framework for a variety of stakeholders to take a holistic view of cybercrime and consider the interdependencies between the various elements when making critical decisions.
Strategy concerns the overarching direction and target objectives set for cybersecurity and cybercrime. Although strategies can be set at various levels, from organisational cybersecurity strategies to the EU Cybersecurity Strategy for the Digital Decade, partners decided to review and analyse National Cyber Security Strategies (NCSSs), or equivalent, in the eight countries under review. Each country in the European Union (EU) is required to produce an NCSS, and so partners looked for commonalities and differences across the eight documents.
Legislation concerns the legal framework governing the behaviour of people in cyberspace in each jurisdiction. Partners reviewed and analysed the Criminal Code, where available, for the countries under review. This was not possible in the case of the United Kingdom, where partners instead reviewed different items of legislation pertaining to cybercrime. The aim was to assess the level of harmonisation across the eight countries in terms of coverage of cybercrimes, definitions, sentences and fines.
Engagement refers to the activities aimed at increasing the reach and awareness for cybersecurity and cybercrime related issues. Partners reviewed and analysed a variety of initiatives and programmes which ranged from targeting the population at large, to smaller, more focussed demographics who were deemed at higher risk of falling victim to cybercrime, such as those with learning difficulties, mental health conditions, from under-privileged backgrounds and the elderly. While young people were observed as a critical demographic, partners ensured the other groups mentioned were not neglected.
Enforcement concerns the actions of law enforcement agencies (LEAs) and regulators to ensure the compliance of citizens and organisations with laws, regulations and standards. The authors of the report leveraged LEA organisations within the CC-DRIVER consortium to provide first-hand insights into the observations they make and challenges they face in practice, such as being restricted by both a lack of resourcing and bureaucracy, and difficult relationships they face with other LEAs outside of Europe.
The final element, assessment, is different to the other four because it should be performed by all of the relevant stakeholders. Metrics for each element should be collected, analysed and compared against a previously defined set of key performance indicators (KPIs) for a given period. The insights and outcomes from this data analysis should support future decision making in all four elements. However, it was noted that data analysis may be limited to some extent due to cybercrime data being in its relative infancy, the range of metrics different countries use to collect to evaluate cybercrime, and the significant underreporting of cybercrime offences by both individuals and organisations.
The table below provides a summary of the recommendations proposed by partners for each element:
To view the complete list of common observations, differences and explanations for the recommendations, click through to the full report here.
The partners have also written a five-page policy brief, which summarises the key findings of the report, which can be found here.