The first international treaty on fighting cyber crime went into effect six years ago. Called the European Convention on Cybercrime, it aims to make different country's laws compatible and promote investigative coöperation. But progress has stalled.

Just 30 nations, including the United States, have ratified the treaty. China and Brazil haven't even signed it. Most troubling is that Russia--which the Internet infrastructure company Akamai identifies as the leading source of computer attacks as of late 2009--has also refused to sign. Russia objects to a provision that would let foreign investigators bypass governments and work directly with network operators.

In the face of all these delays, criminal threats continue to evolve. Cloud computing, in particular, makes it easy to move data across borders and obscure the true origin of attacks. Some European politicians say that the European Union should create a cyber security czar. Other experts think countries should just work out agreements one on one. "We need to cut deals with countries we have problems with, not pursue a general convention which requires ratification in many countries," says Veni Markovski, who ran an Internet service provider in Bulgaria and is the representative to Russia from ICANN, the organization that assigns Internet domain names.

Representatives from the major nations have gathered several times recently for talks that could lead to bilateral agreements. Without one we're all less secure, because cyber criminals know they can wage attacks without getting caught, says Charles Barry, senior research fellow at the Center for Technology and National Security Policy at the National Defense University in Washington, DC. "Agreement among at least the major cyber players on what constitutes illicit behavior should be a high priority," he says.