A new treaty between the United States and more than two dozen other nations will help multinational companies stop cybercriminals but this help will come at a cost. Corporate IS departments will have to spend more money on network surveillance technology for evidence gathering and on support staff to assist foreign governments chasing international hackers. Also, the treaty does nothing to guarantee companies that any confidential data they give foreign officials in the course of an investigation will be kept private.
The Convention on Cybercrime calls for law enforcement officials in 29 participating countries to establish uniform rules for cooperating on international cases, such as when a U.S. company’s servers in another country are used to commit a crime or are hacked by an overseas criminal. Jeffrey Pryce, an attorney at Steptoe & Johnson LLP in Washington, D.C., says that to solve such cases, law enforcement officials need help from the corporate victims.
When a company helps investigators, it can end up spending tens of thousands of dollars on tools for gathering evidence and on dedicating staff for the inquiry, says Pryce. At home, the U.S. government helps companies defray these costs, but that’s not always going to be the case when a foreign government investigates, says Bruce McConnell, president of McConnell International Inc., a business and technology consultancy in Washington, D.C.
Also missing from the treaty is a guarantee that companies sharing information with foreign governments to solve cybercrimes will have their privacy protected, as it is in the United States. That means CIOs need to think ahead about how a foreign country’s privacy laws affect how much they’ll cooperate with investigations.
The U.S. Senate needs to ratify the treaty, but the Senate Foreign Relations Committee headed by Sen. Joseph Biden (D-Del.) had not announced any action on it at press time. However, many countries, including the United States, will start cooperating on computer crime investigations based on the treaty even before it’s officially ratified, says McConnell.
Under a law passed by Congress last fall, the government will make its future reviews of information security products available to the public, and CIOs can use these assessments to make purchasing decisions.
The law, sponsored by Rep. Connie Morella (R-Md.), orders the U.S. Commerce Department to set information security standards for the government’s civilian agencies and list hardware and software products that meet those standards. Product tests conducted by independent labs will be rigorous, says Tony Stanco, senior policy analyst at George Washington University’s Cyberspace Policy Institute, because government agencies are tired of being embarrassed by security breaches.
CIOs in the private sector have a hard time getting neutral information about the capabilities of security products because analysts and consultants haven’t succeeded in deflating vendors’ marketing hype. The competition for a good rating from the government will keep security vendors honest, says Stanco.
The law doesn’t give the government a deadline for getting its product reviews out to the public, but an aide to Morella, who asked not to be named, expects the information to be available within six months to a year.
CIO (US) Editorial Assistant Stephanie Viscasillas can be reached at[email protected].