1. Prepared by the Cybercrime Programme Office of the Council of Europe
Արևելյան Գործընկերություն
Східне партнерство Eastern Partnership აღმოსავლეთ პარტნიორობა Parteneriatul Estic Şərq tərəfdaşlığı Partenariat Oriental Усходняе Партнёрства
Project III
Public-private cooperation in the protection of critical infrastructure
Draft Memorandum of Cooperation between Law Enforcement and Internet service providers of Ukraine
Prepared by the Cybercrime Programme Office
of the Council of Europe

2. Cybersecurity Cybercrime vs. Cybersecurity Non-intentional incidents
Typically defined as:
the protection of the confidentiality, integrity and availability of computer data and systems in order to enhance security, resilience, reliability and trust in ICT
Motivated by:
Reliance on ICT -> national interest
Economic potential of ICT
CIIP -> National security
Protection against:
Non-intentional incidents
Intentional attacks by state and non- state actors against ICT (c-i-a attacks)
Measures:
Protection, mitigation, recovery through technical, procedural, institutional measures (vulnerability analyses, early warning/response, CERT/CSIRTs, etc)
Cybercrime legislation, investigation, international cooperation 2

3. Cybercrime Cybercrime vs. Cybersecurity
Defined as:
Offences against computer data and systems (c-i-a offences) (Articles 2-6 Budapest Convention)
Offences by means of computers (such as Articles 7-10 Budapest Convention)
Motivated by:
Crime prevention and criminal justice
Protection against:
Intentional attacks against and by means of computers
Any crime involving electronic evidence on a computer system
Measures:
Investigation, prosecution, adjudication
Conditions and safeguards
Prevention
Technical and other measures 3

4. Cybercrime vs. Cybersecurity
Cyber-/information security strategies
Cybercrime strategies
Security/trust/resilience/reliability of ICT
Rule of law/ criminal justice and human rights
Non-intentional ICT security incidents
Intentional attacks against ICT by
Offences by means of ICT
Offences involving ICT
Disasters
State actors
Non-state actors
Terror-ists
Crimin-als
Technical failure
Human failure
Fraud
Child expl.
Terrorist use of ICT
IPR-offences
Extortion, etc
Any offence involving electronic evidence
Critical infrastructure attacks
Other attacks on confiden-tiality, integrity and availability of ICT 4

5. Cybercrime vs. Cybersecurity
Human rights and
rule of law
Human development and democratic governance
Security, confidence and trust in ICT
Rule of law in cyberspace
Cybercrime strategy
Cybersecurity
Offences against confidentiality, integrity and availability of computer data and systems
Offences by means of computers
Electronic evidence 5

6. Measures against Cybercrime
Council of Europe and cybercrime: rationale
democracy
rule of law
human rights
in order to promote
Measures against Cybercrime
Established in 1949
Currently 47 member States

7. Need for public-private cooperation
Need to respond to challenges of cyberspace in terms of criminal justice action, including protection of infrastructure;
Electronic evidence is volatile and hard to get and preserve, and is prone to travel beyond the reach of criminal justice officials;
More often than not, data/evidence is held by private sector entities in the form of subscriber, traffic or content data;
Therefore, a central issue to the discussion of the public / private cooperation against cybercrime and on electronic evidence is:
Access by the criminal justice officials to data held by private sector 7

8. Cooperation indicators
Some of the common benchmarks used for verifying whether a working public- private cooperation process exists in relation to cybercrime/e-evidence:
Law
Criminal laws/procedure in place (e-evidence, definitions, powers, cooperation, etc.)
ISP liability regime present (mere conduit, etc)
Stakeholder readiness/information exchange
Defined and active communities (LEA, CSIRT, DPA, etc.)
Knowledge, expertise and specialization
Regular operational meetings
Compliance
Issues of trust / general compliance / voluntary co-operation level
Cooperation agreements
International cooperation
Level of co-operation with multinational companies (Microsoft Google FB Twitter etc) 8

9. Law: applicable standards
Laws must be: precise, balanced and predictable;
The following have been devised as applicable sets of legal regulation:
Necessary definitions and categories of data and evidence;
Conditions on storage of and access to data as electronic evidence;
Implementation of procedural powers under the Cybercrime Convention; and
Safeguards and guarantees applicable to exercise of such procedural powers.
The Budapest Convention on Cybercrime provides for concepts and definitions of electronic evidence, types of data, sanctions, etc.
Procedural powers under the Convention:
Data preservation/limited disclosure
Production orders
Search and seizure
Monitoring and interception of data
subject to safeguards and guarantees that relate to exercise of all of these powers.

10. Criminal justice authorities
Stakeholders:
Criminal justice authorities
Law enforcement:
cybercrime/high-tech/computer crime units + operatives at the national police forces
cybercrime investigation powers within security services
financial investigators
internal or external expert capacity in both securing and processing electronic evidence.
Prosecutors / specialized units: guidance and focus on evidence;
Judiciary authorities: oversight and rules of evidence;
Examples of issues:
Use of special and less transparent powers in operative/security environment;
Information exchange seen as more of a one-way street;
Different/inadequate competences;
Cooperation in exceptional/exigent mode becomes the norm;
Excessive use of more intrusive options.

11. Internet service providers
Stakeholders:
Internet service providers
Hold most often sought electronic evidence:
Subscriber information
Traffic data
Content data (very rarely)
Key principles: liability for data stored/accessed to
Cooperation with law enforcement increasing: more resources needed;
Examples of issues:
Lack of clarity and coherence in terms of data retention;
Issues of cost of access to data / data retention vs. preservation;
Limited and disjointed systems of oversight (both internal and external);
General mistrust toward the law enforcement;
Ownership issues/ size and business model;
Delays in responses;
Etc.

12. Stakeholders: Other communities Financial investigations/intelligence
Regulation toward private vendors/banking/critical infrastructure
Focus on crime proceeds
Virtual currencies/electronic money
State security agencies
Blocking of websites/resources in expedited manner
Terrorism prevention
Hate speech
Information/cybersecurity/CSIRT
Private ownership of critical infrastructure – applicable regulations
Crime reporting and chain of custody for potential evidence/data in incident handling

13. Stakeholders: Other communities Communications regulators
Licensing / regulations;
Adjudication of disputes between industry players,
Focus on the protection of subscriber to the service of the Internet service providers
Data protection
Mass processing of personal data through data retention regulations / oversight;
Oversight of law enforcement access to such data / data protection principles.
Non-governmental sector
Monitoring of the child sexual abuse material online
Facilitating voluntary compliance
… Sky is the limit?

14. Developments in Ukraine
Series of Council of Europe workshops and meetings since September 2016
Reports in November 2016 and May 2017
Overview of the situation
Recommendations to government authorities
Draft amendments to legislation 14

15. The need for a MoU Memorandum of Understanding
One of the recommendations to restore trust between public and private sector and to facilitate cooperation
To involve major stakeholders in Ukraine and agree on detailed cooperation principles 15

16. The main elements of the draft MoU
Promote the use of the ICT
Recognise the need to cooperate and exchange of information
Ensure protection of fundamental rights and freedoms
To fight crime, in particular cybercrime 16

17. Draft MoU – areas covered
Cooperation based on the rule of law and human rights
Rule of law
Cooperation based on law
Conditions and safeguards
Procedural powers – principle of proportionality 17

18. Draft MoU – areas covered
Procedures and practices of communications
Cooperation – exchange of information, access to electronic evidence
Procedures for sending and receiving requests
Contact points between parties, rights and responsibilities 18

19. Draft MoU – areas covered
Adequate level of knowledge and capacity building
Personnel having professional level of knowledge and expertise
Develop a system for capacity building and training in the areas of handling cybercrime, cyber-related incidents and electronic evidence
Joint trainings including practical exercises for cybercrime and cybersecurity incidents 19

20. Draft MoU – areas covered
Cooperation for prevention of Internet-related crime
Identification of resources available
Awareness raising measures to prevent crime, including guidelines on safe behaviour on the Internet
Support to the Internet resources and Critical Information Infrastructure to ensure safer cyberspace in Ukraine 20

21. Draft MoU – expected outcome
Joint working group to organise and participate in meetings to exchange practical experience and identify issues for improving the cooperation and exchange of information
Additional guidelines if necessary
Good practice guidance for lawful removal of electronic data, computer systems inspection and seizure of computer systems
To facilitate better understanding
To increase trust 21

22. Thank you for your attention
Giorgi Jokhadze
Project Manager
Cybercrime Programme Office Council of Europe - Conseil de l'Europe Bucharest, Romania 22