Last week, 27 countries—including the members of the international intelligence alliance Five Eyes—entered into a joint agreement outlining what is and is not acceptable behavior in cyberspace. But as it currently stands, such an endeavor may not carry much legal teeth.

While the agreement does mention that there should be consequences for "bad behavior in cyberspace" and even provides a few prime examples of what that kind of activity might look like, it's scarce on actual details of what a punishment might entail.

So is an enforceable international cybersecurity regulation entirely out of reach? Possibly not, but getting there most likely won't be as simple as bunch of delegates sitting in a room and hashing out terms over coffee.

"This is the arc of cybersecurity development and you see it taking place in pieces, so it's not always uniform, direct, as rational as it might otherwise be," said Mark Schreiber, a partner at McDermott Will & Emery.

Bringing the 27 countries who signed the agreement into alignment on what constitutes foul play in cyberspace may not be part of the problem. For example, the document specifies that while an intelligence organization hacking a military target is fair game, the same cannot be said for attacks on civilian infrastructure.

Schreiber thinks the number of countries that were able to come together on the agreement is impressive, and considers it a "seminal step" to something more substantial.

"Each step is advancement and somewhere, some way there probably will be both a uniform privacy and cybersecurity standard or standard of behavior," Schreiber said. 

However, nothing is guaranteed.

Elfin Noce, an associate at Sheppard Mullin, sees the agreement as more of a conversation starter, something that allows countries to begin thinking about what an appropriate response to a cyberattack might look like.

Actually getting an international set of expectations and consequences down on paper would come with a lot of moving parts.

"To do more substantive will require more than just signing onto a statement. They would have to agree on specific measures and then have each country obtain domestic approval for it. That would be very difficult to do, so I'm not sure that we're going to see anything with more substantive teeth anytime soon," Noce said.

But cyber criminals won't necessarily be going unpunished either.

Megan Brown, a partner at Wiley Rein and a former Department of Justice official in the George W. Bush administration, thinks the establishment of norms related to cyber crime consequences will be driven by prosecutions in individual countries rather than a treaty or consensus-based approach.

"If you look back at what, say, the criminal division at the Department of Justice of the United States is doing, they are bringing prosecutions and they're developing norms through indictments and things like that. And I just think that's probably how you're actually going to get meat on the bone for these expectations of consequences," Brown said.

It's possible that the norms developed in some of these countries could eventually become the basis for a more international standard, similar to how the EU's General Data Protection Regulation influenced the forthcoming California Consumer Privacy Act.

Schreiber pointed out there tends to be a "sequential gravitation to norms" on the world stage. But it's difficult to pinpoint what factors will determine who leads the charge on cybersecurity.

"It's not necessarily a matter of who is first. It's who has the political will to drive a process like this," Schreiber said.