
2020.04.03

ENISA: A report to strengthen "cooperation between CSIRTs and law enforcement agencies"

Hello, this is Mitsuhiko Maruyama.

ENISA has published the "ROADMAP ON THE COOPERATION BETWEEN CSIRTS AND LE".

ENISA

・2020.04.02 Supporting the fight against cybercrime - The map to the road less traveled: CSIRTs & Law Enforcement cooperation

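In responding to cybercrime, coordination (division of roles, communication, and so on) between those who handle the technical response at the victim organisation and law enforcement agencies is also important. Of course, it is not only about the technical side, and international cooperation among law enforcement agencies matters as well, so the report offers many insights.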

-----

Recommendations:

Core areas of further analysis and ENISA recommendations in an effort to improve cooperation between CSIRTs, LEAs and their interaction with the judiciary include:

  • Promoting the use of ‘Segregation of duties’ matrix for avoiding conflicting roles and responsibilities of CSIRTs, LE and the judiciary throughout the cybercrime investigation lifecycle.
  • Developing a competency framework for cybersecurity workforce and education and training policies.
  • Promoting knowledge of digital forensics rules.
  • Promoting interoperability of cooperation tools deployed and conceived considering future technologies.
  • Assessing the suitability of cybersecurity certification for common tools and procedures.
  • Simplifying arrangements by creating internal cooperation procedures to streamline exchanges.

-----

Roadmap on the cooperation between CSIRTS and LE

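The purpose of the roadmap appears to be to further deepen cooperation between computer security incident response teams (CSIRTs) and national and governmental law enforcement and judicial authorities. To that end, it treats providing the information needed for cooperation and identifying what is currently lacking as important, and it addresses those points as well.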

-----

The purpose of this roadmap is to further explore the cooperation across computer security incident response teams (CSIRTs) in particular with national and governmental - law enforcement (LE) and the Judiciary (prosecutors and judges). This roadmap aims to support the cooperation between CSIRTs and LE, as well as their interaction with the Judiciary in their fight against cybercrime, by providing information on the aforementioned cooperation aspects and by identifying current shortcomings and making recommendations to further enhance cooperation. The geographical coverage of this roadmap is mainly the EU and European Free Trade Association (EFTA).

----

・[PDF] Roadmap on the cooperation between CSIRTS and LE

 

Table of contents

-----

1. INTRODUCTION
1.1 PURPOSE
1.2 BACKGROUND OF THE REPORT
1.3 ROADMAP OBJECTIVES AND SCOPE
 1.3.1 Roadmap objectives
 1.3.2 Roadmap scope
1.4 TARGET AUDIENCE

2. METHODOLOGY
2.1 INFORMATION COLLECTION INSTRUMENTS USED
 2.1.1 Desk research
 2.1.2 Interviews and written replies to the questionnaire
 2.1.3 Online survey
2.2 DATA USED TO DEVELOP THE RECOMMENDATIONS
2.3 SELECTION AND CLASSIFICATION OF THE STAKEHOLDERS
2.4 CONTRIBUTION BY SUBJECT-MATTER EXPERTS

3. CSIRTS, LE AND THE JUDICIARY: STATE OF PLAY
3.1 LACK OF COOPERATION
3.2 EXAMPLES OF CYBERCRIME CASES WHERE COOPERATION IS REQUIRED

4. COOPERATION ASPECTS
4.1 ORGANISATIONAL ASPECTS
 4.1.1 Organisational structure
 4.1.2 Governance framework and compliance
 4.1.3 Training needs
4.2 TECHNICAL ASPECTS
 4.2.1 Use of (common) tools to facilitate cooperation and interaction
 4.2.2 Tools and their key functionalities
 4.2.3 How the investigations are carried out – forensic methods?
 4.2.4 Future technology and cybercrime attribution (Carrier Grade NAT (CGN), AI, IoT)
 4.2.5 Technical knowledge used by the judiciary
4.3 HUMAN ASPECTS ASSOCIATED WITH ORGANISATIONAL CULTURE
 4.3.1 Mind-set differences
 4.3.2 Assessing personnel skills and qualities
 4.3.3 Competency-based framework
4.4 LEGAL AND POLICY ASPECTS
 4.4.1 Legal framework in EU
 4.4.2 Admissibility of digital evidence
 4.4.3 Major cross-border cyber-attacks

5. CONCLUSIONS AND RECOMMENDATIONS
5.1 Conclusions
 5.1.1 The importance of cooperation
 5.1.2 Effectiveness of cooperation
 5.1.3 Strengthening of cooperation
5.2 Recommendations
 5.2.1 Organisational
 5.2.2 Technical
 5.2.3 Cultural
 5.2.4 Legal

6. BIBLIOGRAPHY/REFERENCES
A ANNEX: ABBREVIATIONS
B EU LEGAL INSTRUMENTS RELEVANT IN THE AREA OF FIGHTING AGAINST CYBERCRIME
C ANNEX: QUESTIONNAIRE TO SUPPORT THE SUBJECT-MATTER EXPERT INTERVIEWS
D ANNEX: QUESTIONS OF THE ONLINE SURVEY

-----

Summary

-----

EXECUTIVE SUMMARY
The purpose of this roadmap is to further explore the cooperation across computer security incident response teams (CSIRTs) – in particular with national and governmental – law enforcement (LE) and the judiciary (prosecutors and judges).

This roadmap follows the reports that ENISA has published throughout 2017 and 2018 on this subject-matter: Cooperation between CSIRTs and Law Enforcement: interaction with the Judiciary (ENISA, 2018), which focused on the aspects of the cooperation across the three communities; Review of Behavioural Sciences Research in the Field of Cybersecurity (ENISA, 2018a), which focused on human aspects of cybersecurity; Tools and Methodologies to Support Cooperation between CSIRTs and Law Enforcement (ENISA, 2017), which focused on technical aspects; and Improving Cooperation between CSIRTs and Law Enforcement: Legal and Organisational Aspects (ENISA, 2017a), which focused on the legal and organizational issues of cooperation. All these reports are available on the ENISA website.

When these entities – CSIRTs, LE and the judiciary – cooperate, they face challenges that have been categorised as being technical, legal, organizational and/or human behaviour as they associate with organisational culture. Understanding these challenges is essential to tackle them, further enhance the cooperation and thus better fight against cybercrime. This roadmap aims to support the cooperation between CSIRTs and LE, as well as their interaction with the judiciary in their fight against cybercrime, by providing information on the aforementioned cooperation aspects and by identifying current shortcomings and making recommendations to further enhance cooperation. The geographical coverage of this roadmap is mainly limited to the EU and European Free Trade Association (EFTA) countries.

The data for this roadmap was collected via desk research, interviews with subject-matter experts and an online survey. The data collected has demonstrated that CSIRTs, LE and the judiciary mainly face a range of cooperation challenges. The legal framework is one of the most frequently mentioned ones that acts as impeding data exchange; discrepancies in technical or legal knowledge is another one, as it may make communication challenging; the chain of custody in evidence collection might also be an issue when using methods that might make evidence likely inadmissible to a criminal trial. Incident notifications and cybercrime reporting differ from one Member State to another as different legal obligations might have been set by their national laws.

The core recommendations identified to improve cooperation between CSIRTs and LE and their interaction with the judiciary are as follows.

ENISA:
· to promote the use of ‘Segregation of duties’ matrix for avoiding conflicting roles throughout the cybercrime investigation lifecycle
· to provide guidance for building a competency framework for cybersecurity workforce
· to promote knowledge of digital forensics rules
· to promote interoperability of cooperation tools deployed and conceived considering future technologies
· to assess the suitability of cybersecurity certification for common tools and processes

Member States:
· to define and implement a national framework for cooperation having all the communities involved
· to use the ‘Segregation of duties’ matrix for assigning roles and responsibilities throughout the cybercrime investigation lifecycle aiming to get all involved
· to develop national competency framework and education and training policies
· to promote joint trainings, common inter-community technical and table-top exercises carried out by competent people
· to take into account interoperability requirements when conceiving tools

 
