Lewis and others say that efforts to achieve further agreements with countries such as China and Russia will face numerous hurdles. One of the largest, according to some experts, is that such countries are less frequently victimized by cybercrimes and, thus, aren’t highly motivated to combat it. Rather, it is the United States and other Western countries that suffer a disproportionate amount of financial, intellectual property, and other losses from cybercrime.
To reach any effective agreement, the United States will need to provide countries such as Russia with incentives that appeal to their own self interests, according to Cybersecurity Treaties: A Skeptical View, a recent paper by Harvard Law Professor Jack Goldsmith. That might mean, for example, that the United States would offer not to pursue cyberattacks as a military strategy. But if that requires the other nations to forgo such options, it may not work, because many nations, such as China, may feel they have more to gain by continuing to use such capabilities against the United States, according to Goldsmith’s paper.
There has also been little discussion among U.S. government officials about “which cyber operations the United States might terminate in exchange for reciprocal concessions,” the paper states.
Other challenges to an effective agreement not to use cyberattacks in exchange for more cooperation on fighting cybercrime include the difficulty of verifying attack origins due to factors such as the Internet’s anonymity. Verifying any agreements would likely require surveillance by governments into private and public sector organizations, the paper adds, which could be controversial, expensive, and technologically challenging.
Goldsmith, like some other officials and experts, says it could be more effective to take a more limited approach, developing treaties with like-minded allies that have mutual interests and are more open to allowing verification.
Other government proposals appear to take a more heavy-handed approach. One example includes a bill, the International Cybercrime Reporting and Cooperation Act, introduced in the last session of Congress by Senators Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT). In addition to adding financing for foreign cybercrime assistance and creating new State Department cybersecurity positions, it would also have required an annual report from the President describing different nations’ efforts to combat cybercrime. If there was “significant, credible” evidence that a nation is threatening the United States with cybercrime and is taking inadequate steps to curtail the activity, the United States could have imposed economic sanctions under the legislation. Penalties could have included reducing export dollars, direct investment funds, and trade assistance grants. The bill did not pass but Senator Hatch recently said he planned to reintroduce the legislation in this session of Congress.