The Quixotic Quest to Tackle Global Cybercrime

In mid-January, the United Nations was formally set to begin a process to develop a global treaty on cybercrime. Given the numerous headlines in 2021 about ransomware attacks on infrastructure, from health care systems in Ireland to fuel lines in the United States, one might assume this process is being driven by the United States and its Western allies.

It isn’t. It was pushed by Russia and approved by vote in the U.N. General Assembly in 2019, with Western countries voting against the process.

The meeting in January was delayed due to the omicron coronavirus variant, but political maneuvering around the delay reveals that the process continues to advance without a shared sense of cooperation.

In late January, Russia submitted a resolution in the General Assembly to hold the meeting the following week in New York. This was met with resistance by a number of states; the Dominican Republic, with mostly European and Central American co-sponsors alongside Australia, Japan, New Zealand, and the United States, then submitted an amendment proposing an entirely different plan. Russia’s preference lost out during the voting process.

This was the second time in a year that Russia has tried to vote its preferences through for this agenda and lost. While Russia clearly sees itself as the leader of this initiative, it is being met with increasing resistance when it tries to impose its preferences.

With a fresh delay in substantive negotiations, the truth is that nothing has been decided about this treaty so far—not the scope, preamble, or structure, let alone definitions of what acts would even constitute cybercrimes under this treaty. This first ad hoc committee meeting was supposed to begin debate on the basic outlines of a potential instrument to counter cybercrime, and some governments have submitted position papers that offer insights into their expectations.

But governments are coming to the negotiating table amid mistrust of motivations, a rocky start in setting up the process, and foundational disagreements that will have to be overcome to create a universally supported treaty.

Since early 2001, when the first regional cybercrime convention—the Council of Europe’s Budapest Convention—was adopted, the internet and the scope of its use have changed beyond recognition.

Ransomware attacks have devastated businesses and government institutions. Crimes like online child sexual exploitation have ballooned to alarming levels. COVID-19 lockdowns, which saw people, from children to the elderly, more isolated and living online, exacerbated online crimes. This has including malicious domains, phishing scams and fraud, and sales of counterfeit coronavirus-related products online—including the alleged blood of recovered COVID-19 patients on the darknet.

Many countries feel a treaty will help increase their ability to respond to these types of threats by including technical capacity support. Others feel it could leverage better legal cooperation.

The second outlook is mistrust among states around the motivations for a global treaty, which colors the entire process. From the outset, Western states—including European Union member states, the United States, the United Kingdom, and Canada—resisted a U.N. process to develop a cybercrime instrument. All members of the Budapest Convention, they did not want a competing treaty and felt that with its additional protocols, the convention is functional and open to accession by any government.

But another group of states, including China and Russia, argue that the Budapest Convention doesn’t reflect their concerns—in particular, the view that transborder access to data and electronic evidence impinges on national sovereignty. Data is stored across jurisdictions and often by private companies, including content held in the cloud, web searches, or text messages. Governments such as Russia’s and China’s have worked to bring their citizens’ data under government jurisdiction and are wary of clauses that force access to data by other governments.

The impetus for the treaty should be to increase international cooperation, as cross-border investigations today are plagued by political power struggles, bilateral disputes, a lack of transparency in responses, and differences on human rights issues.

For instance, following the 2021 attack on Kaseya, a tech management software company, by ransomware group REvil, the company announced that a universal decryption key to restore information had been developed by a security firm. The firm said it had not paid REvil, leading some to speculate that either the Russian state had stepped in to help or that the United States had hacked REvil.

At the same time, U.S. President Joe Biden has warned Russian President Vladimir Putin to cooperate in ransomware investigations and said the United States would now treat the issue as a national security threat.

Cooperation within regions may be growing, but global cooperation has been hard to attain.

Perhaps the thorniest is how states will define cybercrime. There is currently no shared definition, and governments have vastly different perspectives on what it should encompass. While governments are more likely to agree on including cyber-dependent crimes like malware and ransomware that threaten the confidentiality, integrity, and availability of data and systems, there is much less agreement on cyber-enabled crimes, which are offenses that also occur offline but in which criminals may deploy technology to achieve their ends, such as the online trade of illegal wildlife.

The disagreements stem from differing views on the importance of safeguarding human rights norms and concerns about criminalizing personal communications, online political speech, and freedom of expression and association.

The EU has expressed interest in limiting this treaty to high-tech crimes and cyber-dependent crimes, possibly anticipating the Pandora’s box of articulating a list of criminal actions.

China, on the other hand, has suggested a wider approach that would include cyber-dependent crimes as well as content-related offenses including the “use of Internet to incite, commit acts of terrorism, disseminate harmful information” as well as the “development, sale and dissemination of [information and communications technology] and data for crime,” which it calls the “dark ‘product chain.’”

Russia submitted a draft treaty for consideration in July 2021 that called for criminalizing “unlawful acts motivated by political, ideological, social, racial, ethnic, or religious hatred or enmity, advocacy and justification of such actions or the provision of access to them”—which would enable the criminalization of most speech and the platforms that publish it.

Read More

Make Russia Take Responsibility for Its Cybercriminals

The United States needs a new legal doctrine to handle state-tolerated attacks.

Argument

|

Michael John Williams

One area where governments have grown closer together in recent years—albeit for different reasons—is on the so-called digital sovereignty agenda, under which countries aim to control and regulate digital data and the associated infrastructure within their own territories. On this, companies have lost ground to governments across the board.

Since 2018, tech companies operating in the EU have had to comply with the bloc’s General Data Protection Regulation, which sets guidelines for collecting and processing EU citizens’ personal information.

In China, Apple now stores customers’ personal data on Chinese government servers and does not use Apple’s encryption technology in the country. TikTok, owned by Beijing-based ByteDance, claims it stores all U.S.-generated data within the United States, although it has been reported that ByteDance still has access to the data. Governments also have greater capabilities to implement measures such as internet shutdowns, regardless of compliance by tech companies.

Yet while states may be more assertively in favor of government intervention, the underlying reasons continue to differ, and this will impact negotiations. Objectives for stricter oversight and regulation of tech companies exist along a continuum ranging from prioritizing citizen protection to state control and surveillance. The language of the treaty will be heavily scrutinized by both governments and global tech companies (which will in turn lobby their governments) to assess opportunities to justify controlling or surveilling private data and infrastructure.

States tend to agree that the new instrument should address needs for training and capacity building. The need to train law enforcement officials, judiciary members, investigators, and others involved in combating cybercrime has been raised by those seeking capacity building, such as Jamaica, as well as those with more advanced tech capacity, such as the United States and United Kingdom, that could provide that support.

Access to capacity building and technical assistance may in fact be a priority for a number of governments and may increase their willingness to negotiate in other areas to achieve firm commitments of support. In this way, offers of capacity building could become a bargaining chip for the harder negotiations around definitions and scope.

It remains to be seen if governments will find a way to produce an instrument that bridges competing interests, or if a lack of consensus and trust will be too difficult to overcome. Consensus could bring stronger responses to cybercrime globally, but perhaps around a smaller set of issues given the current political climate. A new instrument would help define the rules for a range of stakeholders from corporations to governments—and ideally safeguard human rights, improve transparency, set norms of cooperation, and enhance responses to cross-border, cross-regional crime.

If the effort fails, cooperation on combating cybercrime will remain regionally fragmented and ad hoc, and will lack transparency across jurisdictions. And, most fundamentally, it will leave responses to crimes that impact everyday citizens and businesses vulnerable to geopolitical whims.