Cybersecurity: EC3’s Burgersdijk on tackling a relatively unknown and constantly changing threat

11 Nov 2013

Olivier Burgersdijk, head of Strategy and Outreach at the European Cybercrime Centre (EC3)

Ahead of a major cybersecurity conference hosted by the IIEA in Dublin this Friday, we spoke to one of the contributors, Olivier Burgersdijk, head of Strategy and Outreach at the European Cybercrime Centre (EC3).

Olivier Burgersdijk is well versed in the language of cybersecurity. Having completed his university studies in criminology he joined the Rotterdam-Rijnmond police force in The Netherlands back in 1988. Since 2006, he has been active within Europol in various roles, overseeing information exchange and information management. In November 2012, he became head of Strategy within the European Cybercrime Centre (EC3), with responsibility for strategic analysis, outreach, expertise, R&D, and specialised forensic tools and techniques.

The EC3 was established to strengthen the response in the EU against cybercrime and related threats. “Cybercrime is by default a crime phenomenon that calls for international co-ordination and co-operation,” said Burgersdijk. “EC3 is intended to leverage the efforts of member states by offering a number of services that maximise their effectiveness in fighting cybercrime.

“The strategic products and services, such as training and capacity building, strategic analysis, R&D, forensic tools and prevention, fall under my responsibility,” he said. “The operational activities, like operational analysis and the co-ordination and facilitation of international operations are under the responsibility of my counterpart Paul Gillen, the head of Operations in EC3.” Both men in turn report to the head of EC3.

Level of threat

According to Burgersdijk, it can be difficult to assess the level of threat there is of cybercrime when it comes to both governments and business.

“Private industry, providers of critical infrastructure and even governments do not systematically report attacks,” he said. “As a consequence, it is difficult to get a reliable picture. The incidents reported in the press are on the rise, but that could also result from an increased interest from the media.”

He said there is still work to be done to collect comparable statistics that would truly allow us to quantify the incidence of cybercrime.

However, one thing is clear. The level of attacks on governments and businesses growing beyond the nuisance level of a single headline-grabbing incident is increasing.

“Awareness has picked up speed and so has the level of response,” said Burgersdijk. “At EU level and for several national governments, cybersecurity and cybercrime have risen on the agenda, leading to the development of several national and EU policy measures, as well as the adoption of cybersecurity strategies.”

When it comes to business, some of the smaller players may be getting left behind, according to Burgersdijk. “For businesses, the response is centred around the major enterprises, whereas small and mid-sized companies appear to be lagging a bit behind.”

Attacking with ease

Meanwhile, the ability for criminals to launch attacks grows easier, he said.

“The ease with which attacks can be launched is incredible. A full range of criminal services is offered at competitive prices on the internet. Without any technical knowledge it is possible to launch a successful attack by simply procuring the cybercrime expertise, infrastructure, malware and even operating services.

“Considering the increasing access to the internet at global level and the irrelevance of the whereabouts of the criminal, attacks launched against citizens, businesses and governments in the EU are most likely to grow rapidly in the coming years.”

These areas of cybercrime, said Burgersdijk, combined with the kind of crimes they deliver, such as DDoS attacks, intrusion, malware development, stealing of or phishing for financial credentials, trade in credit-card details, ransomware (blocking of victim’s computer to obtain a ransom), fraud, and money laundering using virtual, anonymous payment systems.

“In addition, there is a range of traditional crimes that have found their way to the internet. Online child sexual exploitation benefits from the swift and anonymous exchange possibilities,” he said. “Furthermore, there is a growth of the illegal online marketplaces that criminals use for trading drugs, weapons, stolen goods and other commodities.”

Strategy for security

Has the time come that all European countries have a robust cybersecurity strategy in place?

“This would indeed be helpful, preferably if those strategies are also aligned to each other and to the EU Cyber Security Strategy that was presented by the European Commission in February of this year.”

When it comes to businesses, he recognises that investments have been made to strengthen protection and step up cyber resilience, but said it is difficult to assess if those measures are adequate.

“This will vary from one company to another,” he said. “Besides, it is difficult to protect against a relatively unknown and constantly innovating threat.” The only way forward is continuous efforts to keep the protection level at par with the evolution of cybercrime.

So just how sophisticated are these cyber-criminals?

“There are obviously different levels of competence among cyber-criminals,” said Burgersdijk. “The most proficient hackers that constantly improve their methods are sometimes years ahead of their competitors that float along with the mainstream development of malware and intrusion.

“The top league is difficult to catch, whereas their followers are easier to deal with, thanks to the adjustment of protection, targeted prevention and investigation.”

Proposed directive

Regarding the proposed directive on network and information security adopted by the European Commission in early 2013, Burgersdijk said the NIS (network and information security) Directive is not yet adopted by the European Parliament and the Council of the EU.

“There is still work to be done to be specific enough as to what constitutes ‘critical infrastructure’, as well as on the definition of the seriousness of incidents to qualify under this proposed directive.

“From the perspective of cybersecurity and the combating of cybercrime, the NIS Directive would be very welcome. Whereas law enforcement in most crime areas has the best view on developments, this does not apply to cybercrime due to the under-reporting by citizens and businesses.

“In particular, for companies there is a fear for reputational damage. As a consequence, law-enforcement services are not in a position to take informed decisions on resource allocation to address the issues most effectively.

“The reporting of incidents in accordance with the draft NIS Directive can improve the prevention because it allows for more targeted measures, whereas the use of the crime-related data of suspicious incidents can be used to disrupt criminal activities, to investigate and prosecute the perpetrators and to dismantle their criminal infrastructures,” he said.

Olivier Burgersdijk is just one of the speakers at this Friday’s IIEA Cybersecurity Conference in the Mansion House, Dublin.

Ann O’Dea is the CEO and co-founder of Silicon Republic and the founder of Future Human