Preserving evidence at a digital crime scene
The debate opened with a focus on one of the most delicate issues after a cyberattack: the conflict between a victim’s urgent need to restore operations and the investigative need to preserve volatile digital traces. The moderator first invited Kris Derkoningen to reflect on how police handle this tension.
She acknowledged the dilemma. While law enforcement’s priority is always to secure traces for investigation, she explained that teams “try to collaborate with victims by requesting copies of servers rather than seizing them on site.” Robrecht De Keersmaecker, representing the judiciary, reinforced the point by stressing how fragile evidence can be. If the chain of custody is not secured from the start, he warned, “we risk admissibility problems in the end,” and defence experts may later argue that the entire investigation is flawed.
Moderator Frank Verbruggen then raised the issue of capacity. Cybercrime is pervasive, yet first responders are not always equipped to secure digital evidence. Kris Derkoningen conceded that while training exists, she is not convinced that they are truly prepared for what is coming. Robrecht De Keersmaecker added that preparation and protocols are essential, especially since police are sometimes informed only days after an incident, when key traces may already be gone.
The discussion then shifted to the victim’s perspective. Representing a critical facility operator, Fabrice Clément emphasised that business continuity is undeniably crucial. Still, he noted that evidence preservation is never ignored. “Well-prepared organisations maintain dedicated incident response teams that document every step and manage chain-of-custody procedures. Clear cooperation agreements established before a crisis help avoid confusion when an attack happens,” he added.
When the moderator asked whether the situation differs for SMEs – who often rely on private consultants – Geert Baudewijns responded that fear and uncertainty affect organisations of all sizes. He pointed out that legislation lags behind reality. Companies are required to report data breaches, but not necessarily cyberattacks themselves, which complicates systematic cooperation. Baudewijns insisted a framework is needed to align expectations between victims and authorities.
The dilemma of ransom payments
The debate then moved to one of the most contentious topics in cybercrime response: whether victims should ever pay ransom. Ransomware can bring even well-prepared organisations to a standstill, yet payments are likely to fuel criminal networks.
The moderator introduced the topic with a provocative statement: in some situations, especially when law enforcement lacks technical solutions, victims may feel they must pay. “Paying ransom,” Fabrice Clément swiftly responded, “only strengthens organised crime.” True resilience lies in preparation – robust continuity planning, reliable offline backups, strong detection and response, and increasingly, support from cyber insurance for recovery and legal guidance. “Collaboration with law enforcement must be established before a crisis,” he added.
Geert Baudewijns, who works as a negotiator in ransom cases, presented a more pragmatic stance. He explained that clients often face difficult choices, and while paying is never good, financial survival sometimes weighs heavily. “If payment were outlawed tomorrow,” he said, “people would find a way to pay.” His role is to help victims assess their options, but ultimately the decision lies with the customer.
Moderator Frank Verbruggen then asked whether cybercriminals can be trusted at all. According to Geert Baudewijns, his extensive experience shows that professional criminal groups typically deliver what they promise because their “business model” depends on credibility. Kris Derkoningen warned against drawing general conclusions from these cases, emphasising that payment still fuels a criminal ecosystem and does not guarantee recovery. She added that law enforcement would greatly benefit from being informed about negotiations, yet “generally, those who pay ransom do not call the police.”
Echoing Geert Baudewijns’s earlier comments, Robrecht De Keersmaecker stressed the need for a legal framework governing negotiations. He suggested mechanisms such as a “four-eyes principle” requiring negotiators to involve specialised police to avoid accusations of complicity later. Geert Baudewijns responded that official negotiators would welcome legislation compelling them to share information, as transparency today depends entirely on the client’s willingness, and clients are often ashamed or reluctant. Despite this, he noted, “we try to share as much as we can,” though police do not always proactively request it.
Capacity, dependency, and the future of enforcement
The third part of the debate addressed the evolving relationship between public authorities and private companies, particularly regarding digital tools, expertise, and access to data. Frank Verbruggen asked whether law enforcement risks becoming “hostage” to private sector capabilities.
According to Kris Derkoningen, this concern is not exaggerated. Law enforcement often cannot afford the specialised tools used in cyber investigations. Robrecht De Keersmaecker added that the issue extends beyond cost: data obtained through private actors must comply with strict legality and due-process standards. Sensitive data cannot be handled without agreements on disclosure; otherwise, it risks misuse.
Fabrice Clément took a more optimistic view, noting that many other domains – including healthcare – use private expertise. The real challenge, he argued, lies in handling encrypted data within a sound legal framework. His organisation already supplies decrypted information to authorities “within a very specific and strict legal framework,” and he expects such cooperation to remain essential. International collaboration, however, may prove to be more complex.
Geert Baudewijns predicted that as more companies share data, the cost barrier may decrease. Still, the fundamental investigative challenge remains: law enforcement needs access to metadata held by global service providers like Google and Microsoft to pursue cybercrime effectively.
The panel then considered some strategic priorities in prosecuting cybercrime. Robrecht De Keersmaecker advocated targeting the “cybercrime-as-a-service” infrastructure – criminal clusters enabling large-scale operations. Yet he cautioned that intelligence from smaller cases is equally valuable for mapping these networks. Kris Derkoningen reinforced the international dimension: cybercrime is global, and major cases require multinational cooperation.
In turn, Geert Baudewijns stressed the role of online platforms, criticising companies like Meta for allowing large volumes of fraudulent advertisements. He cited a Belgian initiative to detect such ads automatically, with the goal of enabling immediate takedowns. Fabrice Clément supported more offensive actions – such as dismantling criminal organisations or disabling infrastructure – provided these measures operate within clear legal boundaries.
As the discussion closed, the moderator asked the panellists for final reflections. Geert Baudewijns urged all stakeholders to “work together,” arguing that egos and siloed threat intelligence weaken collective defences. Kris Derkoningen echoed this, stressing the importance of victims filing complaints to enable proper investigations. Robrecht De Keersmaecker concluded the debate by highlighting the importance of legal certainty in cooperation and cross-border intelligence sharing.
Picture 1 – Kris Derkoningen & Geert Baudewijns
Picture 2 – Fabrice Clément
