Strengthening Global Cooperation
Print Issue: July 2011
EFFORTS TO COMBAT cybercrime through diplomatic initiatives, treaties, and other means are growing, but it is still not a battle that all countries are equally committed to fighting.
In the United States, recent initiatives have included the creation of a new State Department cybersecurity coordinator position, which will direct the department’s diplomatic efforts on cyber issues. Other U.S. efforts include the introduction of new legislation and growing calls for bilateral and multilateral treaties.
The United States has taken steps to increase international law enforcement cooperation as well; the FBI now has legal attachés focusing on cybersecurity in 61 nations, for example.
White House Cybersecurity Coordinator Howard Schmidt and other Obama Administration officials have said in recent months that they plan to increase diplomatic pressure on other governments to take steps to address cybercrime, including urging more nations to sign the European Convention on Cybercrime, which aims to boost law enforcement cooperation in investigating and prosecuting cyber criminals. The treaty has been signed by the United States and 29 European nations, but it has yet to be signed by Russia and China. Russia has objected to the treaty on grounds that it would grant foreign law enforcement officials excessive power to investigate crimes in other nations.
If the United States is to continue to gain ground against cybercrime internationally, it needs new strategies and concepts, according to a recent report from the Center for Strategic and International Studies (CSIS).
Among other new strategies, the United States needs to develop “a foreign policy that uses all tools of U.S. power to create norms, new approaches to governance, and consequences for malicious actions in cyberspace,” the report asserts. Part of this would entail strengthening diplomatic efforts to assist ongoing international law enforcement cooperation, says James Lewis, CSIS senior fellow and project director on the report. Certain types of crime, such as intellectual property theft, will likely require more engagement either bilaterally or through existing structures such as the World Trade Organization, according to the report.
The report also mentions several examples of existing international platforms that could serve as models for greater cybercrime-related cooperation. One existing model is the Financial Action Task Force, a multilateral body that seeks to develop rules surrounding money laundering and terrorist financing.
Lewis and others say that efforts to achieve further agreements with countries such as China and Russia will face numerous hurdles. One of the largest, according to some experts, is that such countries are less frequently victimized by cybercrimes and, thus, aren’t highly motivated to combat it. Rather, it is the United States and other Western countries that suffer a disproportionate amount of financial, intellectual property, and other losses from cybercrime.
To reach any effective agreement, the United States will need to provide countries such as Russia with incentives that appeal to their own self interests, according to Cybersecurity Treaties: A Skeptical View, a recent paper by Harvard Law Professor Jack Goldsmith. That might mean, for example, that the United States would offer not to pursue cyberattacks as a military strategy. But if that requires the other nations to forgo such options, it may not work, because many nations, such as China, may feel they have more to gain by continuing to use such capabilities against the United States, according to Goldsmith’s paper.
There has also been little discussion among U.S. government officials about “which cyber operations the United States might terminate in exchange for reciprocal concessions,” the paper states.
Other challenges to an effective agreement not to use cyberattacks in exchange for more cooperation on fighting cybercrime include the difficulty of verifying attack origins due to factors such as the Internet’s anonymity. Verifying any agreements would likely require surveillance by governments into private and public sector organizations, the paper adds, which could be controversial, expensive, and technologically challenging.
Goldsmith, like some other officials and experts, says it could be more effective to take a more limited approach, developing treaties with like-minded allies that have mutual interests and are more open to allowing verification.
Other government proposals appear to take a more heavy-handed approach. One example includes a bill, the International Cybercrime Reporting and Cooperation Act, introduced in the last session of Congress by Senators Kirsten Gillibrand (DNY) and Orrin Hatch (R-UT). In addition to adding financing for foreign cybercrime assistance and creating new State Department cybersecurity positions, it would also have required an annual report from the President describing different nations’ efforts to combat cybercrime. If there was “significant, credible” evidence that a nation is threatening the United States with cybercrime and is taking inadequate steps to curtail the activity, the United States could have imposed economic sanctions under the legislation. Penalties could have included reducing export dollars, direct investment funds, and trade assistance grants. The bill did not pass but Senator Hatch recently said he planned to reintroduce the legislation in this session of Congress.
Some experts remain hopeful about the possibility of working on effective treaties with nontraditional allies. Although such treaties are likely to require a significant amount of negotiation, they could ultimately be effective as long as negotiators concentrate on “common ground,” says John Savage, a Brown University computer science professor. Savage recently spent a year serving as a fellow in the State Department working on cybersecurity issues.
People sometimes “speak about [the problem of cybercrime] as if it’s hopeless,” Savage says. But he says that as with other kinds of crime, new approaches, combined with best practices, can sometimes
prove effective. The United States “will get there” on cybercrime. “We just can’t get there alone.”