Outlook dim for international cooperation to fight cyber attacks

Protecting sensitive computer systems and networks from cyberattack requires international standards, but limited experience with Internet crime in developing countries and a reluctance from some nations to participate have stalled cooperation, said a panel of security experts on Monday.

"It's one grid, one global network, and we're all stuck in the same boat," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "We need to establish some rules."

President Obama's cybersecurity plan, released in May, stated that "the United States needs to develop a strategy . . . to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility and use of force." The plan also included among its 10 near-term priorities the development of a framework for international cybersecurity policy.

The obstacle, however, is convincing countries to cooperate with the international effort, including the prosecution of cybercriminals.

"We need stronger mutual assistance agreements with other countries so we can share data and then expect [prosecution]," said Sameer Bhalotra, lead staff member for cybersecurity for the Senate Select Committee on Intelligence. "There's major frustration on Capitol Hill that we're not able to go after people even when we know where they are. We need to do better."

The committee hopes the State Department will take a lead role in working with countries to establish agreements, Bhalotra said, but all efforts are in the early stages.

Another hurdle to establishing global cybersecurity policies is that foreign governments, particularly those that are not as advanced technologically, don't have experience dealing with issues of cybercrime, said Melissa Hathaway, former acting senior director for cyberspace at the National Security Council who resigned from that post in August.

"How do you teach countries how to investigate the crime, enhance their court systems to prosecute criminals and alleviate the criminal activity?" she asked. "We need to think about building broader capacities in other countries."

Hathaway said a start is the Convention on Cybercrime, established in 2001 as the first international treaty to address Internet crime through international cooperation. Twenty-six countries have ratified the treaty, and more nations need to be involved, she said.

Lack of cooperation from adversaries poses another challenge, according to Lewis. "The Russians and Chinese have capabilities to [launch cyberattacks], and when the time comes they'll use them," he said. Lewis has spoken twice to Russian officials about working together on cybercrime. "They're not interested in cooperation," he said. " It's going to take a long time to get them to change their tune."

In addition, the lack of an effective way to identify where cyberattacks originate makes it difficult for countries to be held accountable. "We don't have good attribution," Lewis said. "The rule of thumb is that if the trail of bread crumbs leads to Beijing, [the attack is] probably actually coming from Russia. The idea is to make it look like it's someone else."