Why we need global rules to crack down on cybercrime

Cybercrime is high on the agenda of nation states, corporations and international organizations everywhere. As the forthcoming 2023 Global Risk Report will show, deepening geopolitical tensions have increased the prevalence of so-called advanced persistent threats (APTs), which are becoming as sophisticated as they are pervasive.

New technology is scaling up the reach and impact of cybercrime: malware and ransomware attacks (the latter threaten to publish data or permanently block it unless a ransom is paid) soared by over 350 percent and 430 per cent respectively in 2020. Next generation tools are bypassing antivirus programs, which is why living off the land (LOtL) attacks, in which attackers use legitimate software and functions to perpetrate malicious actions, accounted for almost two thirds of all reported incidents in 2021.

These problems are compounded by a scarcity of security experts, poor reporting habits and a lack of global agreements about how to regulate cyber threats.

Cybercrime is big business. One industry group estimated that the damages incurred by all forms of cyber crime, including the cost of recovery and remediation, totalled $3 trillion in 2015, $6 trillion in 2021, and could reach $10.5 trillion annually by 2025. But the impact of cybercrime extends far beyond the economic costs. It also degrades trust among internet users, and damages the reputations of public and private service providers. Online attacks ratchet up tensions between nations, since governments and critical infrastructure are increasingly the targets. Yet despite all this, there are still few clear global norms, standards and rules to mitigate and prevent cybercrime.

A big part of the problem is that many of the public authorities, corporations and civil society groups that are targeted are not mandated to report data breaches and cyber theft. Many are reluctant to do so, fearing reputational damage. This is starting to change: the US’s 2022 Cyber Incident Reporting for Critical Infrastructure Act provides industry-specific guidance for voluntary disclosures, and the European Union’s 2018 Directive on Security Network and Information Systems and a host of other regulations mandate telecom payment services, medical device manufacturers, and critical infrastructure providers to also report breaches. Until global rules are strengthened and reporting of breaches is mandatory across most sectors, it will be impossible to understand the true magnitude of the challenge, much less develop targeted solutions.

Cyber criminals are making fortunes not just in black-mailing targets with ransomware, but also in selling-off their data assets, including credit card information, login credentials of financial accounts, subscription credentials, social security numbers and usernames and passwords. The perpetrators of cybercrime range from powerful intelligence agencies to teenage hackers. Cybercrime is hard to stop precisely because of its distributed nature. Consider the Cobalt CyberCrime gang that in 2018 breached 100 financial institutions in over 40 countries, reaping some $11 million per attack. Although its leader was captured in Spain in 2018, three members arrested by the US in 2018, and three more convicted in Kazakhstan and Ukraine in 2021, experts believe this will do little to dent its operations.

Without global cooperation or a major structural change to the internet, there is not much that victims can do to defend themselves. Cyber insurance is not only increasingly out of reach to most buyers, but it's potentially making a bad problem even worse. We urgently need international rules that are enforced as well as a more expansive approach that fosters cyber resilience.

The United Nations is discussing precisely this, having voted to set-up a cybercrime treaty in 2019. The first meeting of the treaty was held in 2022 amid concerns that it could also expand government regulation of online content, criminalize free expression and undermine privacy. For now, states are negotiating over the parameters of a treaty - called the Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes - with most western governments determined that it upholds individual data protection and privacy rights.