Bundeskriminalamt (BKA)

Cybercrime

The potential of digital interconnectedness is enormous, but so is its vulnerability to attacks by cybercriminals. Find out more about the various faces of cybercrime and about approaches to counter cybercrime.

What is cybercrime?

Cybercrime is one of the crime phenomena most strongly subjected to dynamic changes. Perpetrators flexibly adapt to developments in technology and society; they act globally and attack targets that, in their view, are financially worth it.

Cybercrime today is a professional field of business. There are many marketplaces in the underground economy offering illegal goods such as drugs, weapons or child abuse material, stolen data and identities, but also services to commit cybercrime (cybercrime-as-a-service).

The police distinguish between "cybercrime in the narrower sense" (offences targeted against the Internet, data networks, IT systems or their data) and "cybercrime in the broader sense" (offences committed by means of information technology). Simply put, cybercrime in the broader sense thus includes offences that can also be committed in the analogue world, such as drug trafficking. Cybercrime in the narrower sense includes offences that are highly sophisticated in terms of technology and therefore, in turn, require the police to conduct technologically highly complex investigations. 

Cybercrime – and this must be emphasised – is a highly complex, criminal industry with its own value chains.

Central cybercrime phenomena

Below, you will find information about central forms of cybercrime in the narrower sense.

Malware – A central element of cybercrime offences

Hardly any act of cybercrime is committed without malware or misused tools. They are used to spy out and intercept data, manipulate data traffic (e.g. in online banking) or extort money (ransomware). There are countless malware families, and they are continuously adapted by perpetrators.

Spam and phishing – Access to the victims' data

Frequently, stolen digital identities such as passwords, e-mail addresses or bank details are the starting point for further offences. To obtain such digital identities, cybercriminals often send spam or phishing e-mails with malicious content, that is, with attachments containing malware. The e-mails are intended to make the victims download or click on the malware. To make their campaigns particularly effective, cybercriminals use current topics as a narrative or pretend that the e-mail originates from an authority or even an e-mail contact known to the recipient.

Ransomware – Digital extortion by encryption of systems

Of all modi operandi employed in cybercrime, ransomware is the one with the highest potential to cause damage.

Victim systems infected with ransomware are encrypted. The perpetrators then demand a ransom for decrypting the systems. More and more often, data are spied out at the same time as well. Perpetrators are thus in a position to also threaten to disclose such data. This is referred to as double extortion, and it is becoming the standard modus operandi.

A ransomware attack can lead to massive and expensive interruptions of business and functioning, resulting in significant consequences for the affected companies. In some situations, a ransomware infection may even threaten the very existence of the company attacked. Attacks on critical infrastructures such as hospitals or waterworks show that successful ransomware attacks can entail drastic consequences for the general public.

DDoS attacks – System overload

Distributed denial of service (DDoS) attacks basically aim at overloading the target system, thus causing damage specifically to the individuals, organisations or companies attacked.

Current trends in cybercrime

Cyberattacks have an enormous potential to cause damage. They can threaten the existence of business enterprises and quickly have dramatic effects on the population in case of attacks on critical infrastructures such as hospitals or utility companies. Such cyberattacks with, for example, ransomware and DDoS have increased considerably in frequency and intensity over the past years. The risk of cyberattacks committed by highly professional, globally interconnected perpetrators is growing.

Once a year, the Bundeskriminalamt publishes the National Situation Report on Cybercrime. The report contains current intelligence on cybercrime in Germany, including trends related to this phenomenon, representations of case trends as well as practical examples of cases. Moreover, it presents the results of law enforcement activities by the police.

In addition, the Bundeskriminalamt publishes warnings and special analyses whenever there are current threats.

Combatting cybercrime

The police forces of the Länder

It is, first of all, the police forces of the German Länder that are responsible for the prosecution and suppression of cybercrime in Germany. An overview of specialised police services that are available in case of a cyberattack and offer advice, in particular to business enterprises, can be found under this link: https://www.polizei.de/zac

The Bundeskriminalamt

As the central agency of the German police, the Bundeskriminalamt performs coordinating tasks also in the field of cybercrime suppression; it provides information and tools and serves as a hub of international cooperation. Furthermore, the BKA conducts investigations in the field of cybercrime within the framework of its original jurisdiction, for example where federal authorities or facilities or sensitive parts of critical infrastructures are affected or where the Bundeskriminalamt has been requested or ordered to conduct investigations (section 4 of the Act on the Bundeskriminalamt – BKA Act).

The division primarily responsible for performing the above-mentioned tasks at the Bundeskriminalamt is Division CC – Cybercrime.

The National Cyber Defence Centre as a central platform

Cooperation platform of the relevant German authorities

The National Cyber Defence Centre is the central cooperation, communication and coordination platform of German (security) authorities where, in various forms of meetings, situation-related intelligence is exchanged, threat potentials are assessed or needs for action to be taken by politicians, authorities, society or the business sector are identified. 

International cooperation

It is in the very nature of cybercrime (which, simply put, requires only a computer and an Internet connection) that perpetrators do not act locally but globally. Cyberthreats or threat situations often cannot be narrowed down in terms of location, let alone be attributed to a specific location or region. International cooperation is therefore central to the successful suppression of cybercrime. 

The Bundeskriminalamt is part of a global 24/7 network of all major cybercrime units and involved in a great number of joint operational measures aimed against cybercriminals. To support and intensify their cooperation, the countries involved exchange liaison officers, so-called embedded agents. At European level, there is a close and institutionalised cooperation with Europol. At international level, the cooperation with INTERPOL is an important component of cybercrime suppression. In addition, there is a constant bilateral exchange with various countries on identified cyberthreats and best practices.

Cooperation with the business community

Apart from the cooperation among the authorities, cooperation with the business community is also an important part of successfully combatting cybercrime. Goals include a common understanding of the threat situation, mutual exchange and a cooperation that is characterised by trust – also in the event of a cyberattack. The BKA therefore cooperates with nonprofit organisations such as the "German Competence Centre against Cybercrime e.V. (G4C)" to promote regular exchange with the business community.

Furthermore, with the Cybercrime Conference C³, the BKA has created a platform of regular exchange between authorities, the business and science communities and politicians.

Division CC – Cybercrime

Division CC is an integral part of the cybersecurity architecture in Germany and one of the world's leading units dealing with this area of crime. The focus is on the suppression of cybercrime in the narrower sense. This includes offences that are targeted against the Internet, further data networks, IT systems or their data.

Division CC

  • investigates criminals who are active in cyberspace and dismantles criminal networks and structures responsible for cyberattacks on prominent targets in Germany;
  • ensures the collection, processing and analysis of relevant information as the basis of investigations conducted by the police forces of the Federation and the Länder in an environment of highly complex cybertechnologies;
  • prosecutes cyberattacks on federal institutions and critical infrastructures in Germany;
  • advises the management of the Bundeskriminalamt on crime policy issues involving cybercrime in the narrower sense; and
  • actively contributes to the further development of relevant legal provisions, for example by providing advisory services.

CC1 – Strategy and service

The areas of the Division dealing with general affairs, analysis and reporting, service as well as investigative support are centralised in this subdivision. One core element is strategic analysis and situation assessment. The objective is to identify new developments in the field of cybercrime at an early stage and to draw conclusions and take necessary police countermeasures more quickly. In addition, this subdivision provides services in support of investigations to the specialised departments of the BKA. Apart from this, the central knowledge management of Division CC can be found here; this knowledge is, for instance, passed on to stakeholders within the BKA by way of in-house training. And finally, it is the task of the subdivision to deal with specialist legal issues in this still young and dynamically growing field of cybercrime.

National and international cooperation

The National Point of Contact for Anti-Cybercrime Cooperation (Nationale Kooperationsstelle Cybercrime – NKC), which is part of Division CC, is responsible for cooperating with the authorities and with companies in the private sector on issues relating to this field of crime. Moreover, the NKC seconds the coordinator and Division CC's liaison officer to the National Cyber Defence Centre, which, in addition to the Federal Office for Information Security, the Federal Office for the Protection of the Constitution, the Federal Office of Civil Protection and Disaster Assistance, the Federal Police, the Bundeswehr (German Armed Forces), the Military Counterintelligence Service and the Zollkriminalamt (central office of the German customs investigation service) also includes Division ST – State Security to represent the BKA. This group collects and jointly assesses security-relevant cyberincidents on a workday basis.

Furthermore, Division CC is responsible for managing the network of central points of contact for cybercrime (Zentrale Ansprechstellen Cybercrime – ZACs) of the federal and Länder police forces. The ZAC network was established to enable companies affected by cybercrime to contact the cybercrime units of the federal and Länder police forces directly.

The Quick Reaction Force (QRF) was set up as a 24/7 standby unit taking initial response measures as regards criminal prosecution. In the event of cyberattacks on critical infrastructures or federal institutions, the QRF launches the initial criminal procedural measures that must not be delayed.

An integrated approach to cybercrime suppression requires strong cooperation at international level. The international exchange of operational information plays an essential role in this context. In collaboration with international partners and stakeholders, Division CC is actively involved in a number of projects and initiatives and provides support in terms of both expertise and staff.

Central Office 4.0

Division CC is the BKA's central office for the analysis of information held at the Division and the provision of such information to external stakeholders, notably the Länder. Furthermore, it is the BKA's central office for task analysis in the area of cybercrime. The "Central Office 4.0" ensures that the Länder and foreign cooperation partners are constantly supplied with phenomenon-related information held at the BKA. As far as possible, correspondence as well as combining investigations conducted by federal and Länder authorities is handled by Division CC in an automated form.

CC2 – Operational tasks

Phenomenon-related investigations, including structural investigations and investigations serving as pilot projects, are conducted by Division CC's investigation sections. Darknet investigations focus on the operators and administrators of criminal sales platforms. These sections have, moreover, original jurisdiction to investigate all offences committed in the field of cybercrime in the narrower sense. In addition, they conduct investigations relating to digital flows of payment and mobile payment systems.

Operational analysis

The phenomenon-related operational analysis in the fields of cybercrime in the narrower sense, Darknet trading platforms and attacks on digital flows of payment serves to generate new and support ongoing investigations conducted by Division CC. Core tasks moreover include coordinating federal/Länder-level investigations ("Central Investigations") and carrying out analysis projects.

Operational information gathering and data warehousing

Suspect communication and data, their links and their phenomenological content as well as an intelligent, rule-based analysis and provision of this information have for years formed the basis of successful investigations and analyses in the field of cybercrime in the narrower sense. Therefore, a dedicated central office for operational information gathering and data warehousing was set up at Division CC that provides information to the Division's operational units. The office focuses on the gathering and analysis of cybercrime-related suspect big data and the devising of police-specific strategies and technical solutions for a machine-assisted evaluation, enrichment and structuring of such data. High-level technical understanding and knowledge are pooled here so that, based on the analysed data, technical tools can be developed that may be used by the operational units of the BKA and the federal and Länder police forces in their fight against cybercrime.

The nine pillars of cybercrime suppression

The term "crime-as-a-service" (CaaS) describes the increasing fragmentation into and specialisation of individual "partial contributions" relevant to the commission of offences in the field of cybercrime in the narrower sense.

Such fragmentation, on the one hand, results in an increasing specialisation of individual CaaS providers. On the other hand, it also allows less cyber-savvy perpetrators to carry out technically more complex offences and attack schemes.

In recent years, the CaaS model has become a fixed part of cybercrime, mainly due to the highly dynamic and comparatively short-lived modi operandi employed in this field of crime, their ever-growing technical complexity and the increasing investigative and prosecutorial pressure resulting from adapted legislation, the establishment of special units or offices and, most of all, significant gains in terms of experience and methods.

The results of current analyses conducted by the BKA show that CaaS is based on nine pillars, each representing the different services offered or requested.

Figure: The so-called nine-pillar model of cybercrime-as-a-service.

The National Cyber Defence Centre

The National Cyber Defence Centre, which is seated in Bonn, is not an independent authority but a joint, inter-authority and inter-institutional platform. It was created in 2011 within the framework of the implementation of the Federal Government's cybersecurity strategy (CSS).

Aims of the National Cyber Defence Centre

The National Cyber Defence Centre has been set up to exchange relevant information quickly between the participating authorities and partners and to coordinate protection measures in order to ensure cybersecurity in Germany.

Mission statement

The National Cyber Defence Centre is THE cooperation, communication and coordination platform of the relevant (security) authorities of the different ministries and levels which, in particular through a joint, up-to-date and comprehensive cybersecurity situation report for Germany, strategic reporting and the coordinating operational and interdisciplinary case management, provides indispensable contributions to Germany's national cybersecurity and thus – also in the event of a crisis – to the Federal Government's capacity to act.

Authorities participating in the National Cyber Defence Centre

Currently, the following eight core authorities and partners collaborate in the National Cyber Defence Centre:

Core authorities

  • Military Counterintelligence Service
  • Bundeskriminalamt
  • Federal Office for Information Security
  • Federal Office for the Protection of the Constitution
  • Federal Office of Civil Protection and Disaster Assistance
  • Bundeswehr Cyber and Information Domain Service Command
  • Federal Police
  • Federal Intelligence Service

Partners

  • Cyberabwehr Bayern (Bavarian cyber defence platform)
  • Hessen CyberCompetenceCenter (Hessen3C)
  • Bamberg and Cologne public prosecutors' offices specialising in cybercrime investigations
  • Federal Financial Supervisory Authority

How do authorities work in the National Cyber Defence Centre?

The eight core authorities and the partners second liaison officers to the National Cyber Defence Centre. They carry out their respective tasks in accordance with their statutory powers.

The coordinator at the National Cyber Defence Centre acts as a moderator between the representatives of the participating authorities and may, moreover, initiate necessary decisions. Currently, the BKA provides the coordinator while the Federal Office for the Protection of the Constitution and the Bundeswehr Cyber and Information Domain Service Command provide the deputy coordinators. The authorities take turns in appointing the coordinator and deputy coordinators at regular intervals.

There are different formats of collaboration within the National Cyber Defence Centre:

Daily briefing

In the daily briefings, the liaison officers provide current intelligence on cyber-related matters held by their seconding authorities, share information on such matters and, based on that, decide on whether there is a need for clarification or action. In this manner, cyber-related incidents can be detected and dealt with more rapidly, and the competent authorities can coordinate their action in the matter.

Working groups

The liaison officers of the different authorities represented in the National Cyber Defence Centre work together in various permanent or temporary working groups or subgroups to assess cyberthreat potentials, for example in relation to the individual critical infrastructure sectors, in a topic-related and inter-authority manner and to implement necessary measures or suggest their implementation to the respective authorities.

Steering group

The steering group, in which all core authorities and, as an exception, also the partner authorities are represented, decides on thematic priorities at its meetings and sets up working groups. However, only the core authorities, not the partners, are eligible to vote.

A vision for the future of the National Cyber Defence Centre

With its "Vision for the Future Working Group", the National Cyber Defence Centre in 2020 started a process of further development, which, based on the experience gained since 2011, identifies potential for optimisation. Some key issues include: strengthening the capability of the National Cyber Defence Centre to respond to specific situations, intensifying interdisciplinary operational case management, pushing ahead with operational and strategic reporting, optimising workflows and processes, including controlling and evaluation of effectiveness, establishing new formats of cooperation, further strengthening the crisis response capability of the National Cyber Defence Centre and involving further authorities.

As a first outcome, some organisational changes were made: in April 2021, Cyberabwehr Bayern became part of the National Cyber Defence Centre as a first Länder-level representative, and so did the public prosecutors of Bamberg Public Prosecutor General's Office (Bavarian Central Office for the Prosecution of Cybercrime) and Cologne Public Prosecutor's Office (ZAC NRW – cybercrime centre and contact point for the Land of North Rhine-Westphalia) in June 2021.

Cybercrime Conference 2021 - "European Strategies to Address a Global Challenge"

At the Cybercrime Conference C³, experts exchange knowledge and ideas on current developments in cybercrime and on the strategic and operational challenges arising from those developments.

Due to the Coronavirus pandemic, last year's Cybercrime Conference (C³) was held as a virtual event on 10 and 11 May 2021. It was hosted by the Bundeskriminalamt and the DSI (Digital Society Institute at the European School of Management and Technology GmbH – ESMT) under the motto:

European Strategies to Address a Global Challenge

In our digitally interconnected world, cybercrime is one of the crime phenomena most strongly subjected to dynamic changes. And cybercrime hardly knows any geographical boundaries. Perpetrators can commit their crimes from any place in the world and attack almost any target anywhere. They adapt flexibly to developments in technology and society.

To enable the same degree of flexibility in the fight against cybercrime, cooperation between the appropriate German authorities as well as with actors from the political, business and science communities plays an essential role. In addition, an intensive exchange between and a trusting cooperation with international partners are important in fighting cybercrime successfully.

C³ was created in 2015 to enable participants to maintain existing contacts, but also to expand their networks. Moreover, C³ offers a platform for professional exchange regarding experience, know-how and digital trends.

At C³, international experts speak on different topics surrounding cybercrime and other digital-related issues. Participants have the opportunity to ask the speakers – who hail from the fields of criminal prosecution, IT security, business, science and politics – questions about developments, insights and ideas.

In addition to the interesting presentations given at C³, the conference was also the platform where BKA Vice-President Martina Link presented the 2020 National Situation Report on Cybercrime to the audience and the media.