March 4, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

For the past two weeks we have been documenting the enormous costs, and total lack of effective action to address cyber-crime.  Without repeating the staggering statistics, the evidence shows demonstrably that cyber criminals are getting filthy rich, their businesses expanding and innovating and there is virtually no chance that virtually any of the criminals are  going to be held responsible.

            For all the preaching about industry not stepping up to responsible for cybercity – some of which is justified – the far larger responsibility gap is government’s abysmal record in upholding their responsibility to provide adequate protection against the cyber-crime criminal empire.

            We have already offered some structural solutions.  For example, many financial institutions have restructured their cybercrime operations resulting in far greater efficiency and effectiveness. 

However, the growth in cyber-attacks sector justify the need for comprehensive policy countermeasures including greater law enforcement cooperation, public-private partnership, and stronger policies to eliminate the incentive of criminals to attack.   

The World Economic Forum recently highlighted a “stunning enforcement gap  for cybercrime, citing that even in the US, the likelihood of successfully prosecuting a cybercrime is estimated at 0.05%, far below the 46% rate of prosecution for violent crime.”[i]

Following its November 2019 meeting on cybersecurity in Geneva, the WEF pointed out the many barriers to cooperation in fighting cybercrime.  They included: “privacy challenges, cultural differences, a lack of shared standards around evidence collection, fear of losing competitive advantage, lack of clear frameworks or standards for public-private cooperation and liability and anti-trust concerns.

Surely these barriers are imposing, but their recommendations are encouraging – for governments and industry to consider leveraging platforms such as those provided by WEF and the Cyber Threat Alliance “to create a neutral and impartial environment in which to foster public-private cooperation on cyber investigations” has merit.  Those recommendations make sense and should be explored.  However, the time and impetus to expedite this cooperation needs government leadership.

As we discussed in our most recent post on this subject (see isalliance.org) the major international agreements on cybercrime are decades old and not targeted at all to the cybercriminal environment of the 21st century. It is time for aggressive new action in this space.

To that end, the U.S. government has an opportunity to take a global leadership role in proposing an international standard and cooperation agreement for civil cyber defense including investigations and prosecution. The model already exists in military defense – the North Atlantic Treaty Organization. Borne from the need for nation to collective defend against the threat posed by the former Soviet Union. 

A new treaty is needed for cooperation that sets the standards and policy for synchronization of global law against cybercrime and the mechanisms for cyber law enforcement investigation and cooperation.  This cyber-NATO defense agreement could not be more needed or timely.

            The human factor is also a key element in the success of an attack. The government should incentivize the private sector to offer cutting-edge training and capacity-building programs to counter emerging threats in cybersecurity. The incentive need not be cash-based. For instance, a company which trains all its employees to a particular curriculum or certification standard may receive a presumption that it took reasonable employee training initiatives in relation to any legal claims that may result.

Alternatively, companies investing in cybersecurity training and awareness should be permitted to deduct some of their costs or be provided a tax credit. After all, the benefits of improvements to cyber hygiene are systemic and far-reaching.

            Internationally, the United States must redouble diplomatic efforts to iron out legal and practical obstacles that impede the investigation and prosecution of transnational cyber-crime. The United States should devote additional resources towards bringing states like Russia and China into global regimes aimed at countering cyber-crime.[ii] Similarly, mutual legal assistance treaties and arrangements must be renegotiated to ensure adequate coverage of emerging issues in cyber-crime. Where foreign states are non-cooperative, the Administration – with support from Congress – should consider evolving new and effective means including the prospect of economic and sanctions.[iii] This includes raising cyber-crime issues as a key part of new or renegotiated trade agreements where many other digital trade topics are already being raised. Only with the application of new ideas to an age-old problem, can transnational cyber-crime be effectively countered.

[i] “Partnerships are our best weapon in the fight against cybercrime. Here’s why” World Economic Forum, January 21, 2020; https://www.weforum.org/agenda/2020/01/partnerships-are-our-best-weapon-in-the-fight-against-cybercrime-heres-why/

[ii] Joyce Hakmeh, “Building a Stronger International Legal Framework on Cybercrime”, Chatham House, June 6, 2017, https://www.chathamhouse.org/expert/comment/building-stronger-international-legal-framework-cybercrime.

[iii] Laurens Cerulus, “Europe nears tipping point on Russian Hacking”, Politico, June 3, 2020, https://www.politico.com/news/2020/06/03/europe-russian-hackers-sanctions-300124.

XXII IBM’s 2020 X-Force Incident and Intelligence Index Report

XXIII Crowdstrike and Palo Alto Networks

Join the Rethink Cybersecurity Community click here