The European Council Approves Conclusions for a Unified Cyber Posture

The European Council has approved conclusions on the development of the European Union’s stance against cyber-attacks. The posture is intended to demonstrate the EU’s determination to provide immediate and long-term responses to threats that seek to deny the EU secure and open access to cyberspace and affect its strategic interests, including its partners’ security.

Ministers, among other things, call on the European Commission to propose common EU cybersecurity requirements for connected devices and associated processes and services. They also invite relevant authorities, such as the European Union Agency for Cybersecurity (ENISA), to make recommendations to strengthen the resilience of communication networks and infrastructures within the EU. The Council also stresses the importance of establishing regular cyber exercises to test and develop the EU’s internal and external response to large-scale cyber incidents.

Cyberspace has become an arena for geopolitical competition. The EU must therefore be able to respond swiftly and forcefully to cyber-attacks, such as malicious cyber-activities targeting the Union and its member states. It must also make full use of all the instruments at its disposal. Perpetrators should be aware that cyber-attacks against member states and EU institutions will rapidly be detected, identified and fought with all necessary tools and policies.

In the conclusions, the Council highlights the EU’s five roles in the cyber domain:

1. Strengthen resilience and protective capacities. Malicious behaviour in cyberspace has intensified in recent years and emanates from both state and non-state parties. This includes a sharp and steady increase in activities targeting critical infrastructure and supply chains.

2. Improve solidarity and comprehensive crisis management. In the current geopolitical climate, the Union’s strength lies in unity, solidarity and determination, and the implementation of the Strategic Compass. This should enhance the EU’s strategic autonomy and its ability to work with partners to safeguard them, while respecting their values and interests, including in the cyber domain.

3. Promote the EU vision of cyberspace. Consolidate peace and stability in cyberspace, work in favour of an open, free, global, stable and secure cyberspace, and coordinate short-, medium- and long-term actions to prevent, identify and respond to cyber threats and attacks.

4. Improve cooperation with partner countries and international organisations. The overall level of EU cybersecurity needs to be raised, with rapid adoption of the draft Directive on measures to achieve a high common level of cybersecurity across the Union (NIS), the draft Regulation on Digital Operational Resilience for the Financial Sector (DORA) and the draft Directive on Critical Entity Resilience (CER).

5. Prevent, defend and respond to cyber-attacks. Competent authorities, such as the Body of European Regulators for Electronic Communications (BEREC), the European Union Agency for Cybersecurity (ENISA) and the Network and Information Security (NIS) Cooperation Group, together with the Commission, will formulate recommendations based on risk assessment in the member states and the European Commission to strengthen the resilience of communications, networks and infrastructures within the European Union.

_____


The European Union Strengthens IT Security for Financial Institutions

Taking into account the ever-increasing risks in relation to cyberattacks, the European Union is reinforcing IT security in various sectors, in particular financial institutions such as banks, insurance companies and investment firms.

The European Council and Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will ensure that Europe’s financial sector is prepared in the event of a severe operational disruption.

DORA establishes uniform security requirements for the network and information systems of companies and organizations operating in the financial sector. These also apply to third parties providing ICT (information and communication technology) related services, such as cloud platforms or data analysis services.

According to the regulatory framework on digital operational resilience that DORA has created, all companies have to ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are the same for all EU member states. The main objective is to prevent and mitigate cyber threats.

Under the provisional agreement, the new rules will provide a very robust framework for enhancing IT security in the financial sector. The lengths to which financial institutions must go to protect their information will be proportional to the potential risks.

Critical third country providers of ICT services to EU financial institutions will have to establish a subsidiary within the EU so that supervision can be properly implemented.

Regarding the supervision framework, the co-legislators agreed upon an additional joint supervision network that will strengthen coordination between European authorities on this cross-cutting issue.

In light of the provisional agreement, DORA interacted with the Network and Information Security (NIS) Directive in order to provide financial institutions with full clarity on the different digital operational resilience standards they have to comply with. This will also prepare financial institutions holding multiple authorisations and operating in different EU markets. The NIS policy will continue to apply. DORA is based on the NIS Directive and addresses possible overlapping through a lex specialis exemption.

The provisional agreement reached is subject to approval by the European Council and Parliament before going through the formal adoption procedure.

Once the DORA proposal is formally approved, each EU member state will also approve it. European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) will develop technical standards for all financial institutions, from banking to insurance and asset management. The respective competent national authorities will take on the task of compliance monitoring and will enforce the regulations when necessary.

This package fills a gap in existing EU legislation and ensures that the current legal framework does not pose barriers to the use of new digital financial instruments. It also ensures that the new technologies and products fall within the scope of financial regulation and operational risk management arrangements for companies active in the EU. Thus, the package aims to support innovation and the adoption of new financial technologies, while providing an adequate level of consumer and investor protection.

_____


Consolidating cybersecurity and resilience throughout the European Union

The European Union is working on improving resilience in the face of increasingly serious cyber threats so as to consolidate security in society at large and in the digital economy.

The European Council has reached a joint agreement on shared high-level cybersecurity measures throughout the European Union with a view to further improving resilience and the ability to react to incidents in both the public and private sectors and in the EU as a whole.

Once approved, the new directive, referred to as NIS2, will replace the current directive on the Security of Network and Information Systems (the NIS Directive).

NIS2 will establish the baseline for measures to manage risks to cybersecurity and obligations to provide information in all the sectors covered by the Directive, such as energy, transport, health and digital infrastructure.

The revised directive is intended to eliminate divergences in cybersecurity requirements and the implementation of cybersecurity measures in different Member States. To this end, it establishes minimum standards for a regulatory framework and mechanisms for effective cooperation between the relevant authorities in each Member State. It also updates the list of sectors and activities subject to cybersecurity obligations, and provides for resources and sanctions to ensure their implementation.

The Directive will formally establish the European Union Cyber Crisis Liaison Organisation Network, EU-CyCLONe, which is intended to provide support for the coordinated management of large-scale cybersecurity incidents.

While according to the terms of the former NIS directive Member States were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 Directive introduces a rule to establish the limits of their scope. This means that all the large and medium-sized entities that operate within the sectors concerned or that provide services subject to regulation by the Directive will come under its scope of application.

Although the Council’s position maintains this general standard, it also includes additional provisions to ensure proportionality, a higher level of risk management and clear criteria for the definition of the entities to be covered.

The Council’s text also clarifies that the Directive will not apply to entities that develop activities in fields such as defence or national security, public security, the police and the courts. National parliaments and central banks are also excluded from the scope of the Directive.

Since public administrations are often also the targets of cyber attacks, NIS2 will apply to the public administrative organisms of Member States’ central governments. In addition, Member States can decide which regulations will apply to these entities at a regional and local scale.

The Council has aligned the text with specific sectoral legislation, particularly the Digital Operational Resilience Act (DORA) regulation for the financial sector and the Critical Entities Resilience (CER) Directive to provide legal clarification and ensure consistency between NIS2 and these new regulations.

A voluntary mechanism for peer learning will increase mutual confidence and the learning of good practices and experiences, and will thus contribute to achieving a high level of shared cybersecurity.

Member States will have two years starting from the date that the Directive comes into force within which to incorporate the provisions into their national legislations.

_____


Safe online shopping awareness campaign for the upcoming high consumer season

Europol is launching the #SellSafe awareness campaign in November as part of a series of consumer protection and e-commerce initiatives in the run-up to the peak shopping season.

Online shoppers need to be more vigilant than ever as organised crime groups continually adapt their online fraud methods to defraud both citizens and e-commerce companies.

Since the start of the pandemic, many businesses have had to go online to continue their activities. At the same time, with people now using online services several times a week and increasingly shopping online, there is a much greater opportunity for attack by cybercriminals.

Even when online shopping has been made secure through the implementation of new technologies, such as secure customer authentication or two-factor authentication, cybercriminals still find ways to steal money from online shoppers.

Europol, together with the Merchant Risk Council and participating countries, has launched the #SellSafe campaign, following the success of last year’s campaign, to highlight key tactics to combat online fraud. The aim of the campaign is to make e-commerce safer by promoting secure online shopping methods and helping new vendors to open their first online shop by minimising the risk of cyber-attacks.

Participating countries will promote the campaign through their social media channels using the hashtag #SellSafe to help consumers understand the risks of e-commerce fraud.

To protect consumers, Europol has provided a number of useful tips to try to keep them one step ahead of fraudsters and ensure they do not steal money.

Tips for protecting an e-business:

• Make sure all employees are aware of fraud issues affecting online shops.

• Stay up to date on the types of payment fraud that affect businesses and have the tools to prevent them. Your payments organisation will have details on the types of payment fraud.

• Get to know your customers so you can verify their payments.

Tips for online shoppers:

• Never send your card number, PIN or any other card information to anyone by email.

• Never send money to anyone you do not know.

• Always keep all documents related to your online purchases.

• If you don’t buy anything, never send your card details to anyone.

_____


Is technology efficient in the fight against domestic violence?

Domestic violence affects approximately one in three adults in the United States at some point in their lives. It accounts for more than 40% of all murders of women: 856 women died in 2017, according to the latest official figures.

Law enforcement has a history of responding inefficiently to the problem. According to a Justice Department report, domestic violence, as a category, generates the largest number of calls to police, but advocates for victims of domestic violence have long criticized police for not taking allegations of abuse seriously enough, or for responding with a narrow approach, focused on protection orders, arrests and trials, which does not always help the victims.

However, when one of the world’s largest technology companies, Ring, offers free cameras to help solve the problem, this can be an attractive proposition. Police believe that this could be an ever-available sentry guarding the homes of victims of repeated crimes.

When Ring’s pilot programs began in 2019, these were small in size. Bexar County set aside 50 cameras to protect victims of domestic violence and anyone with a protection order. San Antonio assigned 171 devices to victims of domestic violence and sexual assault who had filed police reports. And in Cape Coral, where this program for fighting domestic violence was supposed to last a year, 100 devices were assigned to victims of domestic violence.

Former Cape Coral police chief David Newlan had the idea to implement the program in that city after a 2017 case in which domestic violence turned into a murder-suicide. The perpetrator had been banned from approaching the victim by a restraining order and was required to wear an ankle bracelet controlled by a third party. On the day of the murder, the monitoring company did not notify the police when he violated the protection order by approaching the victim’s home.

Police departments want to know everything they legally can. But is growing surveillance technology in the public interest?

At present, more than 1,800 U.S. law enforcement agencies use the Neighbors app, along with more than 360 fire departments. With so many police forces using it, Ring’s partnerships give the participating departments a much broader surveillance system than the police themselves could legally build.

The popularity of these programs is unclear. The San Antonio program distributed 158 of its 171 cameras. However, in the first year of the Bexar County program, no more than 15 victims opted for one of the 50 cameras, according to Rosalinda Hibron-Pineda, a victim services specialist at the sheriff’s office. And in Cape Coral, where there were 100 cameras available, only 24 had been given out.

Unless they give law enforcement the tools to arrest and imprison the assailants, the cameras would not be effective.

_____


Council adopts conclusions on sports-related violence ahead of the European football championship

The Council has adopted a series of conclusions on sports-related violence. In these conclusions the Council emphasises the unique challenge to security posed by the UEFA EURO championship, given that the competition will take place in 11 European cities simultaneously.

The Council emphasises that the organisers of major events taking place during the COVID-19 pandemic should continue to adopt measures and procedures that prevent the spread of the virus among all actors involved.

The Council also stresses the relevance of international police cooperation and information exchange to ensure a safe and secure competition. Acknowledging that monitoring the movement of risk supporters may be vital to prevent public disorder and associated criminal activity, it encourages effective international cooperation through the deployment of specialised law enforcement officers as well as other liaison officers, even if a sports event takes place without the general public attending.

The Council recognises that, in view of several recent incidents of sports-related violence, it is crucial to address this issue beyond the sports venues themselves. The scope of preventive measures should be enlarged to cover locations such as public transport, hotels, training centres, night-life areas and other public spaces.

The Council stresses the importance of protecting public spaces and private spaces open to the public, namely through the implementation of security-by-design concepts and the use of surveillance and detection systems that incorporate artificial intelligence, while respecting fundamental rights. It also calls on member states to continue to monitor online content, with a view to preventing and mitigating the dissemination of messages that incite violence, extremism, radicalisation and xenophobia.

Lastly, the Council stresses the need for member states to increase the risk assessment of risk supporters, especially those with extremist ideologies, so as to identify, prevent and limit possible hostile and criminal activity during international sporting events.

_____


Crime prevention through environmental design gains popularity. The new ISO 22341 and other news

For years, criminology and other disciplines have raised the need for a cross-cutting, multi-actor approach to dealing with security.

One of the more structured cross-cutting approaches is Crime Prevention through Environmental Design (CPTED) which, in essence, responds to the questions raised by environmental criminology through knowledge of how our surroundings (environment) condition security (and crime) and the methodologies that need to be designed and used to work in this field effectively. Although initially focused on the design of physical spaces, CPTED has since been extended to include social aspects relating to the movements and activities of the population within those spaces, a critical factor when considering security-related issues.

The approaches proposed by CPTED have been adopted, more or less implicitly, by influential organisations such as the European Forum for Urban Security (EFUS), the Spanish Forum for Prevention and Urban Security (FEPSU), and by several urban regeneration projects in various cities around us.

Recent developments have confirmed the growing influence of this perspective and increased recognition of its effectiveness. A long standardisation process finally resulted in the approval of technical recommendations (CEN/TR 14383-2) in 2007, and this year an ISO standard, ISO 22341, has been approved globally, demonstrating the consolidation of the approach. The ISO standard constitutes an agreement on the minimum standards required to ensure environmental design principles are respected in specific spaces and areas. While the standards may still be centred on the more physical aspects of spaces, they confirm the movement’s widespread acceptance.

The European Cutting Crime Impact (CCI) project, of which the Ministry of Home Affairs is a member, has also included this approach to prevention among its four fundamental lines of work as an effective and reliable way to reduce insecurity and limit its impact.

In Catalonia, multiple security, criminology and police professionals have recognised the need for a structured approach to promoting this type of prevention, creating the Catalan Association for the Prevention of Insecurity through Environmental Design (ACPIDA), which will be launched publicly and begin its activities in the coming months. Integrated within the framework of the International Association for the Prevention of Crime through Environmental Design (ICA), it will provide training, information and advice in the field.

Finally, on a state level, a new Spanish publication called “A guide to crime prevention. Security, urban design, citizen participation and police action” provides a clear and practical guide on how to apply the CPTED principles to public spaces. César San Juan and Laura Vozmediano, professors at the University of the Basque Country and prestigious authors in the field of environmental criminology, have made an effort to translate the principles into concrete actions that can act as a practical guide for a range of public security managers and actors when planning, renovating and organising public spaces. The work offers the considerable benefit of clarity and exemplification by specifying how public spaces should be designed and how the various actors involved must adopt CPTED principles in order to ensure the resulting spaces facilitate security and quality of life for all who use them.

_____


EU steps up support in the fight against the illicit arms trade

The EU will provide new funding for the effective implementation of the Arms Trade Treaty (ATT).

At the end of April, the European Council adopted a decision allowing the EU to support three projects of the ATT Secretariat in Geneva with a contribution of EUR 1.37 million. The aim is to help the states party to the treaty to strengthen their national arms export control systems. Export control systems are key instruments for preventing the illicit trade and diversion of arms and contribute to more responsible trade in military equipment and technology.

More specifically, the EU’s support will enable the following actions:

– Training local and regional ATT experts to deliver implementation assistance and reduce reliance on external consultants.

– Creating a database to match treaty implementation needs and resources.

– Building IT and communications mechanisms to enable more effective cooperation between states and the ATT Secretariat.

The project also strengthens the ATT Secretariat’s institutional capacity to provide sustainable support to the states party to the treaty. It fits within the recently adopted strategy to strengthen the EU’s contribution to rules-based multilateralism by promoting global peace and security.

This decision is also part of the EU’s long-standing support of the ATT. In addition to facilitating early negotiations on the treaty, the EU has provided approx. EUR 15 million for numerous projects aimed at promoting its universal adoption and implementation.

The ATT’s universal adoption and implementation are crucial to the reduction of violence and human suffering in conflict-affected regions. In force since December 2014, the Arms Trade Treaty regulates international trade in conventional arms, their parts and ammunition, with the goal of eradicating the illicit sale and diversion thereof. All EU Member States are parties to the Treaty.

The ATT Secretariat manages the reporting by states, their national points of contact, and national control lists. In addition to organising the conferences of states and work sessions, it also administers the ATT Voluntary Trust Fund, which assists states’ implementation of the Treaty.

_____


“Perception Matters”: a guide to managing outbreaks of insecurity

The Cutting Crime Impact project (CCI), funded by the European Union’s Horizon 2020 Programme, aims to prevent ordinary crime (non-organised crime) where possible and, should it occur, reduce its impact. To this end, the project will address four focus areas: predictive policing, community policing, crime prevention through urban design & planning and citizens’ perceptions of insecurity. The project will develop tailored “tool kits” for each of the four focus areas that law enforcement agencies can use to achieve the project’s goals.

Regarding the perception of security or subjective security, the Ministry of Home Affairs, as a partner in the project, was tasked with designing a tool that can help to enhance citizens’ feelings of security. The chosen formula for the tool was a guide called “Perception matters”, which provides practical and useful advice to security managers dealing with the public’s response to outbreaks of insecurity in specific areas of the city. Manifestations of feelings of insecurity are often linked to particular neighbourhoods and even certain times of the day. A standard, generic response is doomed to failure; an at least somewhat in-depth (and, if possible, quick) analysis is needed to identify the reasons behind that particular outbreak of insecurity (rather than insecurity in general) in order to adopt measures that specifically address those causes.

Security officials come under a lot of pressure when there is a public manifestation of insecurity or fear of crime. This pressure often prevents them from having enough time and space to analyse the situation properly, leading them to fall back on routine and highly visible actions that may reduce public and political pressure but do nothing to solve the problem. The “Perception Matters” guide contains simple and practical criteria that those tasked with responding to public manifestations of insecurity can use to identify which urgent measures, if any, they should take. Once those urgent measures have been implemented, security managers should conduct an in-depth analysis of the situation to inform a more comprehensive response with short, medium and long-term measures, rather than relying on actions that may “divert” attention away from the problem but, in the end, often help to entrench it further.

“Perception Matters” comprises five documents that make up a single strategy. They can be used in conjunction with one another or separately. Booklet 1 constitutes the guide, in the strictest sense of the word. It covers the key questions that anyone with security management responsibilities should ask in the event of an insecurity incident. It also lists the sources that security officials can refer to for more information. At the end of the booklet, some of the concepts to be considered when managing subjective insecurity crises are clarified to improve understanding of the dynamics involved in these types of situations.

Booklet 2 helps us assess whether we are dealing with an incident that requires urgent, immediate action, while continuing with a more comprehensive analysis of the problem. The document includes indicators that can be used to decide whether urgent measures are required or not and recommendations for the type of measures that can be employed.

Booklet 3 provides a straightforward account of the various research methodologies used in social science and practical advice on how they should be managed to obtain the required information without resorting to long-winded reflection procedures. Rather than being a methodology manual, the booklet aims to offer advice on how some methodologies can be used as a simple and effective tool for improving our diagnosis of insecurity.

Booklet 4 offers the reader a set of criteria that can be used to design targeted measures that address the specific contributing factors behind an outbreak of insecurity so that it can be contained and reversed. Various types of cross-cutting short, medium and long-term measures are suggested. It also includes a link to documents that compile good practices in this field.

Booklet 5 offers, on the one hand, guidelines to understanding the importance of communicating with the public in matters of subjective security, and on the other, the criteria that should be followed to ensure that communication leads to an improvement in the public’s perception of security or, at the very least, does not aggravate it further in times of crisis.

In short, rather than attempting to offer new insight into the matter, the guide intends to set out the existing knowledge in a simple and, we hope, efficient way to facilitate the orderly and agile management of outbreaks of insecurity in our cities and public spaces. You can access the guide from the Ministry of Home Affairs website http://interior.gencat.cat/ca/el_departament/publicacions/seguretat/projecte-europeu-toolkit-la-percepcio-importa/

_____


How to prevent scams in online shopping

Europol has designed a programme, launched this November, that seeks to prevent scams in online shopping over the upcoming high-consumption dates. The biggest retail season of the year is almost here, and you do not even need to leave the comfort of your home to participate. However, neither do cyber criminals.

Easy website design, increased social media traffic and convenience have made buying and selling online products a mainstay of the modern shopping experience. The COVID-19 pandemic has further driven consumers to do their shopping online. For companies, this trend poses both challenges and significant opportunities. More sales and more traffic mean more revenue. But it also means more fraud, as criminals have even more opportunities to steal from both consumers and merchants. So, how should retailers prepare?

Through an awareness campaign launched in mid-November, law enforcement agencies from 16 countries have teamed up with Europol’s European Cybercrime Centre (EC3) and the Merchant Risk Council to share practical tips on how to outwit criminals trying to abuse the online shopping experience.

This awareness campaign is being carried out under the umbrella of the 2020 e-Commerce Action (eComm 2020) led by Europol. This year’s campaign has a special focus on e-merchants, helping them to better identify fraud on their platforms and allowing them to take steps to protect their business and customers against such attacks.

Law enforcement agencies and key retail partners will share the messages of the campaign using the #SellSafe hashtag to reach the widest possible audience.

The threat posed by these criminals is very real: in the lead-up to this campaign, several countries carried out operational actions which resulted in the arrest of 22 cyber criminals in the month of October alone. The awareness campaign launched in November is based on the experience of investigations carried out by law enforcement agencies against fraudulent orders of various kinds, and seeks to help traders better recognise and address the security shortcomings of their platforms.

Europol’s European Cybercrime Centre has produced some guidelines for traders:

• Know your product: some items entail a greater sales risk than others. For example, selling small items that can be easily re-sold, and for which there is already a high demand, is riskier than selling personal customised items.

• Know your customer: if you accept card payments and send valuable products to your customers, you’d like to know who you are sending them to, right?

• Establish a safe payment method: your card administrator can advise you on this. By choosing a safe payment method, you will limit the risk of fraud.

• Use a reliable delivery service: choose a delivery method to ensure professional handling of your goods and possible claims of non-delivery.

_____
