Security Report: Cyber Arms Race Real, Governments Unable to Respond Adequately - Page 2

While this kind of problem has existed since the invention of mail, and certainly phishing attacks by phone long preceded the Internet, there was a limit to the scale of the attack using these older methods. Now, with massive technology improvements, attacks can be levied using massive server farms and across multiple companies, industries and states with the potential of catastrophic damages, both monetary and physical (imagine, for instance, the result of a successful hack on a power plant or large piece of automated construction machinery or an armed military drone).


Even though that potential continues to approach, there has been no 9/11 event yet to drive change, and enough change hasn't been forthcoming. One additional concern, given the overreaction to the 9/11 attack, is that a response after a successful catastrophic attack would also be an overreaction, using a military option that results in massive avoidable casualties.


Bureaucracy in Action


McAfee reports that the reason states aren't cooperating is that they disagree on what a crime is and who should have jurisdiction, and they really don't like the idea of a foreign state enforcing foreign laws on domestic turf. For instance, the rules around free speech vary from country to country. In some countries, speaking out against the state is allowed if not encouraged; in others it is treated as a cyber attack by insurgents wishing to overthrow the government. Can you imagine China or Russia entering the U.S. to go after people who were speaking out against the Chinese or Russian government? Yet, under their laws, the government would be well within its rights. Conversely, the laws regarding malware are vastly different. It is illegal in the U.S., but legal in places like Russia, similar to the way we protect gun manufacturers from being prosecuted criminally when their guns are used in a crime.


To make this work globally, you need a core set of laws that everyone agrees to, and we appear to be rather far away from that, let alone from any agreement on jurisdiction or enforcement methods. In addition, some states feel that any cooperation reduces their own sovereignty, that they become part of something bigger with jurisdiction over them, and few want to be held accountable for the activities of their citizens. And finally, some clearly want to maintain the freedom to act militarily with hostile code, with impunity, should the need arise.


Of course, this last kind of sounds like "we want the option to go in and rob your banks if we decide we are entitled to your money."


Wrapping Up


The researchers recommend a series of actions - all of which fall short of the ideal treaty because there was agreement that such a treaty would be "unverifiable, unenforceable, and impractical."


Most are meant to make sure people are aware of the threat and know what to do in case of a crisis, to continue work on tools that mitigate the danger, and to put in place a system of milestones that will showcase improvement over time. You can sense an apparent frustration in working with a political structure that clearly values control over keeping its citizens safe.


However, until and unless there is a centralized independent law enforcement body with both the jurisdiction and authority to take action across states, it is unlikely this threat will do any more than continue to grow at an increasing rate, with eventual corrective action coming only when real damage goes beyond a state's tolerance for it and reprisals reach a point that is in itself intolerable. The report clearly showcases that we are on the edge of a crisis and that the solution may be to let the crisis occur so that an agency to prevent a similar future crisis can be created with the powers it needs to assure it never happens again.


To address problems like this between U.S. states, the FBI was created, and a similar agency is needed with similar authority to act between world states. But the UN is too weak to host it, and until that changes, it is likely states will act unilaterally and that the collateral damage will be vastly higher. Eventually, I expect that will be the outcome, but only after the alternatives clearly become too painful for the major powers, or the citizens that support them, to tolerate.


This means that expecting adequate help from any government is likely foolish and you'll need to make sure your contingency plans address what would likely happen in a major successful attack. This would be similar to a large-scale natural disaster and it means anticipating significant infrastructure outages, including traditional communications.
