2024: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Forensics and Law Enforcement

“Make sure you file a complaint so we can investigate each incident”

The Belgian police services operate at multiple levels to tackle cyber crime. Commissioner Caroline Frère, who heads the Federal Computer Crime Unit (FCCU) and also represents our country internationally, explains: “We are constantly recruiting to further expand our investigative capacity and bring on board additional expertise.”

Caroline Frère

Head of the Federal Computer Crime Unit (FCCU)

Since 2001, the Federal Judicial Police has maintained a specialised section dedicated to serious online crime. The FCCU focuses on investigating attacks on critical infrastructure, organised international ICT crime and other cyber threats. “We work closely with the federal prosecutor and policy makers. And for ‘alpha cases’, where cyber criminals are testing a new modus operandi, we look into which investigation method is most appropriate,” Caroline Frère explains. 

In addition to the federal investigators, each judicial district has a Regional Computer Crime Unit (RCCU), which is also part of the Federal Police. “These colleagues focus mainly on hacking and ransomware at companies, in close cooperation with the local public prosecutors. We work hand-in-hand with the regional investigators. In principle, the investigation starts after a complaint is made to the local police. It is investigated by the RCCU; if it concerns a more widespread phenomenon, the FCCU will coordinate the investigation.” 

One major achievement has been the creation of a Quick Reaction Force (QRF) in 2019: a pool of regional and federal experts who can be deployed on an ad hoc basis. “In cases such as the wave of attacks on hospitals including CHWAPI and Vivalia, the RCCUs may not have sufficient personnel to investigate quickly enough. Then, the QRF can provide support on the ground in terms of analytical capacity, technical expertise and coordination.” 

Collecting traces and data is crucial 

Frère notes that companies often hesitate to file a complaint: “Understandably, this is not their first reflex. People are mainly concerned with getting their activities up and running again, and recovering as much data as possible. Some fear our actions will delay the reboot. But this is not the case: we do not seize servers and we work closely with incident response companies. Our goal is to collect the right traces, so that we have the data needed for further investigations. This is also very relevant for policy makers: what is not mentioned in the statistics, does not exist!” 

To ensure that the right information is collected for each report, the Federal Police has developed the CyberAid tool for the first-line police services. “Whether someone makes a report at the front desk of a police station or an officer documents a complaint during an intervention, we now have a structured method. We provide a manual and flowchart, as well as a form for the victims indicating what elements they need to collect to enable the investigation.” 

Because cyber crime is a significant cross-border phenomenon, the FCCU is in close contact with Europol and the Joint Cybercrime Action Taskforce (J-CAT), an international platform for exchanging information with countries inside and outside the EU. “We bring our intelligence to the table and receive relevant information from other countries, such as ransomware trends or impending attacks,” Frère explains. “We also participate in joint investigations. Last year, for example, Operation Magnus led to two data theft programmes being taken offline. A collaboration between the Belgian Federal Police, the Dutch police and the US FBI, it offers further proof that we are indeed achieving successes in the fight against organised cyber crime.” 

“Research leads to results: cyber criminals are being convicted every week”

The Belgian law on computer crime is almost 25 years old. In that time, cybercrime has grown exponentially and changed drastically. In response, the police and the Justice department have stepped up the fight. Investigating judge Philippe Van Linthout is an expert in cybercrime. He observes that more cooperation is needed, especially internationally, to catch the perpetrators of cyberattacks.

Philippe Van Linthout

Investigating Judge at the Federal Justice Department

Belgium’s original computer crime law dates from 2001. At that time, Belgium was one of the first countries to implement the European Convention on Cybercrime. In 2015, under the initiative of Minister of Justice Koen Geens, the cyber legislation was rewritten. Philippe Van Linthout contributed to the drafting. “The law itself remains solid, but requires updating. We are being confronted by new online phenomena that cannot immediately be classified into an existing legislative box: banking, crypto and telecom claims, or claims based on the economic law code. That makes it difficult for us to draw up a good claim.” 

It's worthwhile to file a complaint 

Another challenge for the Justice Department is that too much remains hidden beneath the surface. “People sometimes report a fact to the Centre for Cybersecurity Belgium or to the FPS Economy, but a report is not an official complaint,” says Van Linthout. “We must therefore convince victims that it is worthwhile to file a formal complaint. In our Mechelen-Antwerp district, for example, there are judgments every week on bank card fraud. And if we are quick enough, we can sometimes recover money in the crypto world.” 

The investigating judge is all too aware, however, that this is just the tip of the iceberg. “Perpetrators usually spend their profits very quickly, or the loot is immediately transferred to tax havens. We must be able to penetrate deeper and tackle the organisations behind all these cyber phenomena.”

International cooperation and instruments such as the European search warrant have made it possible to track down international gangs. However, things can still be improved, notes Van Linthout: “A new European regulation should make it possible for me, as an investigating judge, to request information directly in other EU countries. Because the slowness of the administrative mill unfortunately often means that we are struggling to keep pace. For example, we are a popular target for Dutch cybercriminals. But the Netherlands is unable to meet our information requests, as our files are not a top priority for the police and judiciary there.” 

Justice needs tech profiles 

Over the past 25 years, Belgium has invested in capacity and expertise to detect and prosecute cybercrime. These efforts must continue unabated. “To give a simple example, as an investigating judge I am allowed to hack a computer or a mobile phone. But am I able to? We need the help of tech profiles if we want to keep up with developments. Recruiting additional competencies remains urgent,” says Van Linthout. “And we must certainly tap into the knowledge of Belgian researchers. Our country is top in cryptography; why can't we use that expertise more in our field?” 

The delicate balance with privacy 

There is also the delicate balance between privacy and cybercrime investigation. “The right to privacy is important, but it must be proportionate. We cannot build a file without data. Belgian legislation works to our disadvantage there. The 12-month retention period for terrorism crimes and 9 months for most other serious crimes is very short, while the limitation period for criminal offenses is much longer. So much evidence is thrown away, à charge and à décharge. I hear privacy lobbyists proclaim that the government is becoming too invasive in private life. But no one has a problem sharing their data online with giants like Google. If we want to tackle (cyber)crime, we must be able to access victims' data so that we can solve cases.” 

Finally, Van Linthout makes a passionate plea to increase awareness: “I am still amazed every day by the files that we receive and the amounts involved. We must make the population fully aware of the risks and prevent them from falling into the trap of phishing and hackers. Organisations such as the Cyber Security Coalition are doing a good job in this area, but we must scale up those efforts even further. After all, prevention yields the greatest benefits for all parties involved.” 

Unlocking The Future of Legal Defence in Cyberspace

What are the legal defences in cyberspace in the face of often invisible attacks? And what is the framework for the future of legal defence? These inquiries were at the forefront of the event “Unlocking the Future of Cyber Defence in Cyberspace”, delving into the pivotal realm of cyber law and its role in combatting cybercrime.

David Hickton

Founding Director of the Institute for Cyber Law, Policy, and Security, University of Pittsburgh

Mr. David Hickton, Founding Director of the Institute for Cyber Law, Policy, and Security at the University of Pittsburgh, delivered a keynote during this Coalition event, which brought together an eclectic mix of stakeholders. Joining him in a panel discussion were Mrs. Catherine Van de Heyning, public prosecutor, Mrs. Caroline Frère (FCCU), litigation lawyer Mr. Thomas Declerck (A&O Shearman LLP) and assistant professor and researcher Mrs. Laura Drechsler (CITIP KU Leuven). This article wraps up the key takeaways from the panel discussion.

An ever-growing range of threats

Risks and attacks increase every year. In Belgium, corporate IT security audits reveal that 98% of companies report facing risks, 66% have suffered an attack in the last two years and, of these, 87% have suffered financial damage or loss of reputation due to cyberattacks. All this has consequences for both public and private companies.

There are even fears that a massive cyberattack could trigger a major global crisis on a scale comparable to the COVID pandemic - and we are not prepared for such an attack, which would lead to devastating consequences. What makes the situation even more challenging is that more and more objects are connected via the Internet of Things, meaning the risk of exposure to attack multiplies. Also on the rise is the number of criminals with new strategies and technologies – for example, AI now allows voice recordings and images to be generated to create fake videos.

The means to fight: institutions, laws, tools

In the event of such an attack affecting the internet and our systems, responsible governance in both private companies and public institutions means ensuring data integrity, service continuity and confidentiality.

Prevention remains the best defence, starting with the detection of vulnerabilities in systems. But it also means breaking down barriers: opening up a dialogue between public authorities and the business world. The Centre for Cybersecurity Belgium is the national authority responsible for supervising, coordinating and implementing solutions. But, in addition to national initiatives, we need European cooperation, which could take the form of a cyber defence agency.

This is especially so when it comes to AI and quantum, because existing laws do not cover the use or consequences of these types of technologies. Above all, technologies evolve rapidly – and much faster than legislation. We need to anticipate, where possible, future technological developments so that an act identified as criminal today will also be criminal in the future.

Proportionate responses to the threat

The perpetrators of cybercrime, whatever form it takes, should go to prison for the damage caused. A theft, whether committed via the internet or in a physical shop, remains a theft and should be punishable. Therefore, it is necessary to gather a lot of evidence to accuse someone of criminal activity and it is important for companies to be able to report threats to authorities on an international level.

This includes ransomware cases. As a rule, companies should not pay a ransom. But if a company chooses to pay, the attack should still be reported. Their contacts must also be informed. This allows the company’s business circle to be on guard.

It is worth noting that while we are seeing more and more attacks, cybercriminal networks are also being dismantled more often. Certainly, because there is no shortage of tools to fight or punish cybercriminals or non-cooperating countries.

Do too many laws kill business?

The question is whether the law stands in the way of economic progress. Companies must now consider a range of legislation. Behind every piece of legislation, there are issues to understand. The purpose is to find the right balance between overabundance of laws and entrepreneurial freedom. At the same time, the business (customers, suppliers…) demands more security. Laws are therefore a necessary evil.

Faced with cybercrime that knows no borders, the authorities are fighting it without always having an appropriate and legal response that takes into account the borders and the right to sovereignty of each country.

Furthermore, in an era where companies become more powerful than governments, there is a way to enhance public-private cooperation. Yet there remains reluctance on the part of the private sector to be transparent regarding the cyberattacks.

In conclusion

There is no shortage of legal avenues in the fight against cybercrime - the question is how best to navigate them. Clearly, there is currently a lack of resources to effectively investigate and combat all threats and attacks. There is also a challenge in terms of implementing effective prevention in a democracy so that individual rights, such as privacy, are also safeguarded.

“Negotiating with hackers is a profession in itself”

Following a ransomware attack on their computer network, some companies are left with no choice but to negotiate with the criminals to restore their systems or recover their data. Such negotiations, however, require specific expertise. Geert Baudewijns of Secutec is one of the few Belgians who knows his way around this world. In close consultation with affected companies and police services, he tries to close a deal and limit the damage.

Geert Baudewijns

CEO of Secutec

“Customers usually come to us after they have been hacked and it becomes clear that there is no solution via their cyber insurance,” Geert Baudewijns begins. “In an ideal scenario, a company has recent backups and can avoid paying a ransom. But our experience shows that 7 out of 10 victims end up paying for the keys to become operational again. Many feel they have no choice but to negotiate and make a payment in order to quickly resume their activities in full.”

Geert and his teams have led more than 450 negotiations. “Over the years, we have built up a lot of experience. This enables us to quickly assess the seriousness of the case and provide the affected organisation an indication of their options. For most customers, this is already reassuring. A cyber incident can always be solved, but the big question remains what the appropriate solution is…”

Paying cyber criminals remains controversial

Secutec is a Belgian company with 100 employees spread across offices in Europe, Canada and Australia. “As a negotiator for clients worldwide, we establish contact with the hackers and we investigate: what do they expect? Is it realistic? And then we negotiate how a deal can be reached. If we can close the case – usually with a payment – then we facilitate that, too. We trace the payment and follow up the release of the affected systems or data.”

Paying cyber criminals remains controversial, and many people find it unethical. “But if the customer is up against the wall, they have no choice but to negotiate. Of course, we proceed with caution: we check, double-check, triple-check… because there are also ‘fixers’ who have nothing to do with the incident but who follow the communication of hackers on the darknet and then approach victims themselves,” Geert knows. “That is precisely why you need negotiators who know their way around, who can quickly determine whether you are talking to the right person. Negotiating with hackers is a profession in itself.”

Full control is virtually impossible

Protecting IT systems from intrusion is more and more difficult, especially as networks become increasingly complex. “It is virtually impossible to fully control your network today. As soon as there is a vulnerability in the firewall, hackers start to exploit it. They have a kind of ‘bible’ with IP addresses and technologies used, which allows them to strike quickly. Their goal is to obtain admin data that they can use at a later time. Once they have that data, they can penetrate the network weeks or months later. We therefore recommend that you always have an up-to-date XDR solution within your network, so that inappropriate activities can be detected immediately.”

One of the challenges Geert experiences is that business leaders often have limited knowledge of IT and cyber security. “That is why the Cyber Security Coalition is a valuable ecosystem. The more cyber security is discussed at a high level, the more it reaches the CEO and stays on the company’s radar. It is also crucial that we exchange experiences and work together, even with competitors. In cyber security you are never the best, you can never win the battle alone. Thanks to the Coalition, we can talk to each other in confidence,” concludes Geert Baudewijns.