Cooperation between CSIRTs and Law Enforcement: interaction with the Judiciary

Abstract

The purpose of this report is to further explore the cooperation between computer security incident response teams (CSIRTs) (in particular national and governmental CSIRTs) and law enforcement (LE) by adding the important dimension of their interaction with the judiciary (prosecutors and judges). This report follows two reports that ENISA published in 2017: Tools and methodologies to support cooperation between CSIRTs and law enforcement (ENISA, 2017), which focused on technical aspects and Improving cooperation between CSIRTs and law enforcement: Legal and organisational aspects (ENISA, 2017a), which focused on the legal and organisational issues of cooperation; both are available on the ENISA website. This report aims to support the cooperation between CSIRTs and LE, as well as their interaction with the judiciary in their fight against cybercrime, by providing information on the legal, organisational, technical and cultural aspects, identifying current shortcomings and making recommendations to further enhance cooperation. The geographical coverage is mainly the EU and European Free Trade Association (EFTA). The data for this report was collected via desk research, interviews with subject-matter experts and an online survey. The data showed that CSIRTs, LE and the judiciary are characterised by significant differences in roles and structure. The kind of information to which CSIRTs and LE have access is different, this is one of the primary reasons why sharing information between them is paramount to respond to cybercrime. Across Member States different models/frameworks of interaction exist among the three communities (CSIRTs, LE and the judiciary). Overall CSIRTs interact more with LE rather than with the judiciary. CSIRTs offer support to LE to collect and analyse different types of evidence. CSIRTs are rarely called as witnesses in courts but the material they collect during the incident handling might be used to decide on (cyber) crime cases. Although the cooperation and interaction across the CSIRT, LE and judiciary communities work well in principle, there are still some challenges to be faced. In particular, some legal aspects are seen as the biggest challenge with issues such the diversity of the legal frameworks, data retention, the sharing of personal data (including internet protocol (IP) addresses) and the confidentiality around criminal investigations as well as evidential admissibility of digital evidence.