"And as long as there are any countries that aren't cooperating, hackers around the world will use that country's infrastructure to launch attacks," he added.
For cybercrime, the area of the world where cyber criminals can easily operate has been shrinking, said Lance James, chief scientist at security research firm Flashpoint.
"And it's also not been shrinking," he added. "What happens is that when it shrinks, it creates market demand, so they'll invest in more pipes into Russia or other places we can't get at. So it's shrinking, but they've adapted. It's literally whack-a-mole."
What doesn't help is that many countries have different definitions of what actually counts as a crime.
For example, when Mark Weatherford, senior vice president and chief cybersecurity strategist at vArmour, was working for the Department of Homeland Security, where he was the deputy under secretary for cybersecurity, one of his challenges was working with other countries to establish lines of communication about how to deal with cyber issues.
"I was at one institute three or four years ago, and there were 174 countries at the meeting, and we were challenged on just coming up and agreeing on terms," he said. "What does cybersecurity mean? What does cybercrime mean?"
The U.S. might say that a cybercrime occurred because there was a data breach, or cyber espionage.
"But another country may say, depending on the circumstances, 'We don't think a crime was committed, so we're not going to comply with extradition,'" he said.
Then there's the thorny question of state-sponsored actions, he added. "We go to other countries and say, 'We want you to extradite.' But what if Russia came to us, and said, 'We know there were people in your government responsible for some activity, and we want you to extradite a government official or a general to Russia to face trial for this crime'?"
"I don't know how we would feel about that," he said.
This is an area that requires the international community to come together and create some norms, he said, that everyone could agree to.
The new European Union General Data Protection Regulation, which goes into effect next year, will help set some standards, he said.
And the Tallinn 2.0 cybersecurity manual was released earlier this month, he added, which should lead to more organizations talking about the issue.
"It was led by NATO and there were 19 different countries that participated in its drafting," he said.
The European Union has seen great success in its cybercrime prosecution efforts with the establishment of Europol and its cyber-capabilities, said Eddie Schwartz, member of the ISACA Board of Directors and executive vice president of cyber-services at Dark Matter. Previously, he was global vice president of cybersecurity services for Verizon, and vice president and CISO for RSA.