How international cybersecurity frameworks can help CISOs

Laws and standards around cybersecurity are plentiful and, to make matters worse, they often vary even within a single country. When CISOs need to manage cybersecurity across national borders, international agreements and frameworks can offer guidance on meeting compliance obligations, on which countries are more likely to collaborate when cybercrime happens, on how that collaboration works, and on when public-private collaboration may be the best choice.

The Budapest Convention, the first international treaty aimed at harmonizing international standards for cybersecurity compliance, currently has 68 parties and 21 observer countries that are signatories. It covers how best to comprehensively address issues related to cybercrime, the extent to which the human rights of subjects and entities are protected (with the necessary consents and transparency), and the extent to which different legislations and legal systems are represented, Chinatu Uzuegbu, managing cyber security consultant at RoseTech CyberCrime Solutions, tells CSO.

International cooperation also comes through mutual legal assistance treaties, and through organizations such as INTERPOL, AFRIPOL, ASEANAPOL, EUROPOL, the UN and the World Bank, as well as the International Organization for Standardization (ISO).

Data security laws on global data transfers

The lack of a global framework on data security laws and an outdated approach to cross-border data transfers is hampering the ability to strengthen protections, according to International Association of Privacy Professionals research and insights director Joe Jones.

“Regulatory mechanisms designed in the mid-1990s–grounded in patterns where data transfers were more discrete and more limited to transferring data from point A to point B–have proliferated around the world,” says Jones. “This has resulted in a complex and often fragmented regulatory landscape for privacy professionals and organizations to navigate,” he says. 

At present, more than 70 countries have the regulatory ability, through a data privacy regulator or government authority, to qualify other countries as safely ‘adequate’ to receive data. Adequacy means a third country has been assessed as providing data privacy standards comparable to those of the assessing jurisdiction.

Navigating the complex array of regulations has fast risen to be a top issue for the privacy community. “Time spent navigating these issues from a compliance perspective is often time not spent on other issues, such as data and cyber security,” Jones says.

But progress is being made, and Jones says the OECD’s landmark agreement on a set of seminal principles regarding how government authorities access and use personal data for the purposes of national security and law enforcement is just one example of recent efforts to bolster global cooperation and a unified framework. “Policymakers have been doubling down on the need to scale up to a more multi-jurisdiction framework, leveraging common principles among the privacy like-minded and sharpening the collective focus on the risks associated with more mercantile approaches,” he says.

International frameworks: benefits and limitations

Ideally, getting organizations plugged into the international cybercrime treaties and conventions would harmonize, seamlessly and in a timely manner, the issues, disputes, doctrines of law and other international bindings related to cybercrime, together with the sanctions, penalties and punishments that go with the related cybercrime, leveraging legislation worldwide, Uzuegbu tells CSO.

A good practice when implementing such frameworks is using gap analysis to compare the security settings with the relevant industry and global frameworks to help identify and address areas that need uplift. “Addressing international frameworks in the organization’s security policy is the best way to obtain compliance with minimal bottlenecks and unnecessary repetitions across more than one framework,” she says.

However, they’re not a complete solution, and stronger international cooperation and collaboration outside instruments such as the Budapest Convention is needed to counter the rise of certain jurisdictions becoming safe havens for cyber criminals. It’s important for organizations to keep up with updated protocols and frameworks, and for countries to review their cybercrime laws.

Even so, the reality is that certain countries and jurisdictions are likely to remain safe havens for cybercriminals and, being opt-in, instruments like the Budapest Convention can only go so far. Laws are only as valuable as the degree to which they are applied.

“In many countries, the number of law enforcement staff that are focused on, and trained to deal with, cybercrime does not match the scale of the problem,” says Greg Day, VP and field CISO at Cybereason. “Likewise, it requires virtually every law enforcement officer to receive some basic training, otherwise what happens when they speak to someone that tells them they have had a ransomware attack? They won’t know what it means, who to escalate it to, and what steps need to be taken to protect evidence in the meantime,” he says.

What is missing, now that there is a big enough membership, is potential penalties for those that don’t opt in. “Governments provide sanctions for so many key geo-political reasons and, as the digital world becomes such a key part of most people’s lives, when will this become the enforcement tool against those that don’t opt-in?” Day says.

He sees three main drawbacks with international frameworks like the Budapest Convention. First is a lack of evidence. “Many companies have good cyber defense tools, but are not good at gathering or keeping evidence, be that simple logs or more advanced forensics,” he says. “Crimes typically require proof of impact, and many businesses are still not willing to share the impact of repercussions on their brand. Lack of impact will typically mean a smaller, lighter sentence.”

And where cases go to trial, cybercrimes are typically technical, and if the jury cannot understand the case, it becomes very hard for them to make a fair ruling. “I have seen cases fail simply because the jury could not grasp the scope of what had happened,” he adds.

The limits of data recovery and information sharing in crime investigations

International laws don’t necessarily help when it comes to prosecuting criminals, because prosecution requires evidence, warrants and other systems to go ahead. Nor do they, the Budapest Convention included, impose a legal obligation on countries to fully cooperate with a prosecution, explains Alana Maurushat, professor of cybersecurity and behavior at Western Sydney University.

That said, Maurushat says cybercrime investigations are done as much by private organizations as they are by law enforcement organizations. A private entity can’t use the Budapest Convention to preserve data; it can only be done by a designated entity such as the police. “But law enforcement agencies are recognizing this and getting better at cooperating,” Maurushat says.

Prosecuting cyber criminals operates in a different framework and requires mutual assistance treaties. “But these can take 10 years to negotiate and they’re done country to country,” Maurushat says. Even so, prosecution isn’t the end goal for organizations. It’s typically data recovery and funds retrieval.

And with some investigations, if a case leads back to a certain jurisdiction, it’s just a no go. “You’re never going to get anywhere because the corruption is so bad in those countries, you’re not going to get cooperation. And that’s the case whether it’s a government-to-government or a private investigation,” she says.

And even with cyber-crime laws in place, certain jurisdictions can operate as havens for cyber criminals and launching pads for cybercrime, such as criminal syndicates that ‘specialize’ in certain kinds of cybersecurity attacks, operating from countries with the right conditions.

Launching sophisticated ransomware attacks or other cybercrime activities to net significant targets requires a certain level of infrastructure, technical sophistication and a sizeable amount of funds. Something like this can cost as much as $100 million to build, Maurushat estimates.

At this level, it is the sophistication of a country’s technical infrastructure, more than its cyber-crime laws, that determines whether it becomes a safe haven for launching cyber-attacks.

International frameworks can’t solve attribution

In general, criminals take advantage of the right conditions in targeting victims and in operating from nation-states where officials may be less than willing to cooperate with cybercrime investigations. And international agreements like the Budapest Convention and others can’t solve one of the hardest parts of recovering from a cyberattack: identifying the culprit.

Maurushat says finding out who’s responsible for a cybersecurity attack can be incredibly difficult. “It’s the attribution,” she says. But the old maxim applies: follow the money to find those responsible. “There are some jurisdictions where the money flows from each and every time. That never changes and never will change. Look at tax havens, chances are good illicit funds are flowing through those regions,” she says.

“Criminals always go for either the ripest target, or the easiest target. As long as you’re not the easiest or the ripest, you’re probably going to be okay. That means thinking about how you spend your budget and your planning is important. The problem is that often you run out of money for the things that matter in terms of training and behavior. So, you can get all the tools in the world, if you don’t have the people who can learn the tools, it’s kind of useless.”

Day agrees, noting that attribution is hard for several reasons. “All too often, the victim hasn’t either gathered or maintained the evidence required,” he says. 

In addition, adversaries have built several techniques to obscure their identities: using publicly compromised systems as intermediate hops, having communication points (command and control) that re-configure themselves on a regular basis, or leveraging ‘middle-wear’ digital mules, to name a few.

They will also often use secure communications between themselves to make it very tricky to truly find the source. “All too often, attribution comes when criminals, like all humans, make mistakes. Either they leave markers they didn’t intend to leave, brag, or make simple mistakes such as using the same alias in a completely different, more public and open forum,” he says.

Cyber laws are more than just the actual statutes themselves. They are the sum of all that a robust cyber-policy framework facilitates. This includes cybersecurity and cybercrime legislation, workforce development strategies, cyber information-sharing (threat intelligence), digital forensics, computer emergency response teams (CERTs), cyber diplomacy, and bilateral agreements, among other facets. “These cyber capabilities along with technology advancements have made us much better at cyber-incident attribution,” says Niel Harper, who is part of the professional standards working group of the UK Cyber Security Council, a member of the board of directors at ISACA, and a member of the World Economic Forum cyber risk working group.

CISO’s playbook: Using frameworks to develop cyber policies

Organizations need to adopt and ‘live’ the right cybersecurity frameworks. “Policies and cyber insurance alone won’t cut it. Executive management and boards need to get smarter so they can ask the right questions about cyber risks and associated economic drivers, business leadership must encourage systemic resilience and collaboration, and ensure that organizational design and resource allocation supports cybersecurity,” Harper says.

For CISOs, everything needs to be framed around cyber-risk management and alignment with business strategy, but external collaboration is critical. Public-private partnerships, especially as they pertain to critical national infrastructure protection, are crucial in the fight against cybercrime, and so are sectoral and cross-sectoral CERTs and information-sharing mechanisms. “Collaboration allows for organizations to stay ahead of emerging threats and be more proactive on their cyber resilience,” he says.

Cybereason’s Day believes that for each CISO, there should be three key goals. “Make sure you keep your cyber hygiene and prevention capabilities current. Cyber security is evolving as fast as the threats it’s aiming to mitigate,” he says. “Have a resilience plan for when you are compromised. How do you contain the blast radius of the attack? How do you ensure the business keeps functioning? Test these plans regularly!”

And get better at being able to capture and analyze forensic data. “Most are good at being able to see what the attack did, but many are not nearly as strong in being able to see what the human adversary did once they had successfully breached the business,” he says.
