Laws and standards around cybersecurity are plentiful and, to make matters worse, they often vary within countries. When CISOs need to focus on cybersecurity across national borders, international agreements and frameworks can offer guidance on meeting compliance requirements, on which countries are more likely to collaborate when cybercrime happens, on how to collaborate, and on when public-private collaboration may be the best choice.

The Budapest Convention, the first international treaty aimed at harmonizing international standards for cybersecurity compliance, currently has 68 parties and 21 observer countries that are signatories. It covers how best to comprehensively address issues related to cybercrime, the extent to which the human rights of subjects and entities are protected (with the necessary consents and transparency), and the extent to which different legislations and legal systems are represented, Chinatu Uzuegbu, managing cyber security consultant at RoseTech CyberCrime Solutions, tells CSO.

International cooperation also comes through mutual legal assistance treaties, and through organizations such as INTERPOL, AFRIPOL, ASEANAPOL, EUROPOL, the UN, the World Bank and the International Organization for Standardization (ISO).

Data security laws on global data transfers

The lack of a global framework for data security laws and an outdated approach to cross-border data transfers are hampering the ability to strengthen protections, according to Joe Jones, research and insights director at the International Association of Privacy Professionals.

“Regulatory mechanisms designed in the mid-1990s—grounded in patterns where data transfers were more discrete and more limited to transferring data from point A to point B—have proliferated around the world,” says Jones. “This has resulted in a complex and often fragmented regulatory landscape for privacy professionals and organizations to navigate.”

At present, more than 70 countries have the regulatory ability, through a data privacy regulator or government authority, to qualify other countries as safely ‘adequate’ to receive data. Adequacy means a third country has been assessed as providing data privacy standards comparable to those of the assessing jurisdiction.

Navigating the complex array of regulations has quickly risen to become a top issue for the privacy community. “Time spent navigating these issues from a compliance perspective is often time not spent on other issues, such as data and cyber security,” Jones says.

But progress is happening, and Jones says the OECD’s landmark agreement on a set of seminal principles regarding how government authorities access and use personal data for national security and law enforcement purposes is just one example of recent efforts to bolster global cooperation and a unified framework. “Policymakers have been doubling down on the need to scale up to a more multi-jurisdiction framework, leveraging common principles among the privacy like-minded and sharpening the collective focus on the risks associated with more mercantile approaches,” he says.

International frameworks: benefits and limitations

Ideally, getting organizations plugged into the international cybercrime treaties and conventions would harmonize issues, disputes, doctrines of law and other international bindings related to cybercrime seamlessly and in a timely way, with the sanctions, penalties and punishments that go with the related cybercrime drawing on worldwide legislation, Uzuegbu tells CSO.

A good practice when implementing such frameworks is to use gap analysis to compare the organization’s security settings against the relevant industry and global frameworks, which helps identify and address the areas that need uplift. “Addressing international frameworks in the organization’s security policy is the best way to obtain compliance with minimal bottlenecks and unnecessary repetitions across more than one framework,” she says.

However, these frameworks are not a complete solution, and stronger international cooperation and collaboration outside instruments such as the Budapest Convention is needed to counter the rise of certain jurisdictions becoming safe havens for cybercriminals. It is important for organizations to adopt updated protocols and frameworks, and for countries to review their cybercrime laws.

Even so, the reality is that certain countries and jurisdictions are likely to remain safe havens for cybercriminals, and because they are opt-in, instruments like the Budapest Convention can only go so far. Laws are only as valuable as the degree to which they are applied.

“In many countries, the number of law enforcement staff that are focused on, and trained to deal with, cybercrime does not match the scale of the problem,” says Greg Day, VP and field CISO at Cybereason. “Likewise, it requires virtually every law enforcement officer to receive some basic training, otherwise what happens when they speak to someone that tells them they have had a ransomware attack? They won't know what it means, who to escalate it to, and what steps need to be taken to protect evidence in the meantime,” he says.

What is missing, now that there is a big enough membership, is potential penalties for those that don't opt in. “Governments provide sanctions for so many key geo-political reasons and, as the digital world becomes such a key part of most people's lives, when will this become the enforcement tool against those that don't opt in?” Day says.

He sees three main drawbacks with international frameworks like the Budapest Convention. The first is a lack of evidence. “Many companies have good cyber defense tools, but are not good at gathering or keeping evidence, be that simple logs or more advanced forensics,” he says. “Crimes typically require proof of impact, and many businesses are still not willing to share the impact of repercussions on their brand. Lack of impact will typically mean a smaller, lighter sentence.”

And where cases go to trial, cybercrimes are typically technical, and if the jury cannot understand the case it becomes very hard for them to make a fair ruling. “I have seen cases fail simply because the jury could not grasp the scope of what had happened,” he adds.

The limits of data recovery and information sharing in crime investigations

International laws don’t necessarily help when it comes to prosecuting criminals, because prosecution requires evidence, warrants and other systems to go ahead. Nor do they, the Budapest Convention included, impose a legal obligation on countries to fully cooperate in a prosecution, explains Alana Maurushat, professor of cybersecurity and behavior at Western Sydney University.

That said, Maurushat says cybercrime investigations are done as much by private organizations as by law enforcement agencies. A private entity can't use the Budapest Convention to preserve data; that can only be done by a designated entity such as the police. “But law enforcement agencies are recognizing this and getting better at cooperating,” Maurushat says.

Prosecuting cybercriminals operates in a different framework and requires mutual assistance treaties. “But these can take 10 years to negotiate and they’re done country to country,” Maurushat says. Even so, prosecution isn’t even the end goal for organizations; it’s typically data recovery and funds retrieval.

And with some investigations, if a case leads back to a certain jurisdiction, it’s simply a no-go. “You're never going to get anywhere because the corruption is so bad in those countries, you're not going to get cooperation. And that's the case whether it's a government-to-government or a private investigation,” she says.

And even with cybercrime laws in place, certain jurisdictions can operate as havens for cybercriminals and launching pads for cybercrime, such as criminal syndicates that ‘specialize’ in certain kinds of cybersecurity attacks from countries with the right conditions.

Launching sophisticated ransomware attacks or other cybercrime campaigns against significant targets requires a certain level of infrastructure, technical sophistication and a sizeable amount of funds. An operation of this kind can cost as much as $100 million to build, Maurushat estimates.

At this level, it is the sophistication of a country’s technical infrastructure, more than its cybercrime laws, that determines whether it becomes a safe haven for launching cyberattacks.

International frameworks can’t solve attribution

In general, criminals take advantage of the right conditions, targeting victims while operating in nation-states where officials may be less than willing to cooperate with cybercrime investigations. And international agreements like the Budapest Convention and others can’t solve one of the hardest parts of recovering from a cyberattack: identifying the culprit.

Maurushat says finding out who's responsible for a cybersecurity attack can be incredibly difficult. “It's the attribution,” she says. But the old maxim applies: follow the money to find those responsible. “There are some jurisdictions where the money flows from each and every time. That never changes and never will change. Look at tax havens, chances are good illicit funds are flowing through those regions,” she says.

“Criminals always go for either the ripest target, or the easiest target. As long as you're not the easiest or the ripest, you're probably going to be okay. That means thinking about how you spend your budget and your planning is important. The problem is that often you run out of money for the things that matter in terms of training and behavior. So, you can get all the tools in the world, if you don't have the people who can learn the tools, it's kind of useless.”

Day agrees, noting that attribution is hard for several reasons. “All too often, the victim hasn't either gathered or maintained the evidence required,” he says.

In addition, adversaries have built several techniques to obscure their identities: using publicly compromised systems as intermediate hops, running command-and-control points that reconfigure themselves on a regular basis, or leveraging intermediary ‘digital mules’, to name a few.

They will also often use secure communications among themselves, making it very tricky to truly find the source. “All too often, attribution comes when criminals, like all humans, make mistakes. Either they leave markers they didn’t intend to leave, brag, or make simple mistakes such as using the same alias in a completely different, more public and open forum,” he says.

Cyber laws are more than just the statutes themselves; they are the sum of everything a robust cyber-policy framework facilitates. This includes cybersecurity and cybercrime legislation, workforce development strategies, cyber information sharing (threat intelligence), digital forensics, computer emergency response teams (CERTs), cyber diplomacy and bilateral agreements, among other facets. “These cyber capabilities along with technology advancements have made us much better at cyber-incident attribution,” says Niel Harper, who is part of the professional standards working group of the UK Cyber Security Council, a member of the board of directors at ISACA, and a member of the World Economic Forum cyber risk working group.

CISO's playbook: Using frameworks to develop cyber policies

Organizations need to adopt and ‘live’ the right cybersecurity frameworks. “Policies and cyber insurance alone won’t cut it. Executive management and boards need to get smarter so they can ask the right questions about cyber risks and associated economic drivers, business leadership must encourage systemic resilience and collaboration, and ensure that organizational design and resource allocation supports cybersecurity,” Harper says.

For CISOs, everything needs to be framed around cyber-risk management and alignment with business strategy, but external collaboration is also critical. Public-private partnerships, especially as they pertain to critical national infrastructure protection, are crucial in the fight against cybercrime, as are sectoral and cross-sectoral CERTs and information-sharing mechanisms. “Collaboration allows for organizations to stay ahead of emerging threats and be more proactive on their cyber resilience,” he says.

Cybereason’s Day believes that every CISO should have three key goals. “Make sure you keep your cyber hygiene and prevention capabilities current. Cyber security is evolving as fast as the threats it's aiming to mitigate,” he says. “Have a resilience plan for when you are compromised. How do you contain the blast radius of the attack? How do you ensure the business keeps functioning? Test these plans regularly!”

And get better at capturing and analyzing forensic data. “Most are good at being able to see what the attack did, but many are not nearly as strong in being able to see what the human adversary did once they had successfully breached the business,” he says.