Joyce Hakmeh is a senior research fellow with the International Security program at Chatham House and co-editor of the Journal of Cyber Policy.
Allison Peters is the Deputy Director of the National Security Program at Third Way.
Last month, governments gathered at the United Nations to vote on a Russian-led resolution on cybercrime that could result in irreversible consequences for how countries deal with and cooperate in cybercrime investigations. While the resolution was strongly opposed by a number of major Western powers and human rights groups, it managed to pass in a final vote on December 27, 2019. With this passage, supporters of an open, free, and secure model of the internet—championed for years by the United States, Europe, and other like-minded states—should now change their global engagement strategy on cybercrime and develop more inclusive approaches and clearer narratives to bring more countries to their side.
When it comes to cybercrime, there have always been wide divisions in views on how it should be addressed and investigated. These divisions have largely mirrored fights on cyber norms in the United Nations that pit those who have historically supported an open, free, and secure internet against countries like Russia and China who advance a more authoritarian model with expanded state control. During last year’s General Assembly, a cybercrime resolution pushed by Russia to require the UN Secretary-General to collect countries’ views about cybercrime passed and successfully placed discussions of a possible cybercrime treaty on the United Nations’ agenda.
And indeed, on December 27, Russia moved the ball forward once again with its latest resolution to establish a committee of experts to consider a new UN cybercrime treaty. This resolution advances Russia’s long-standing goal to replace the Council of Europe’s Budapest Convention, which is the only international instrument addressing this issue. Russia, which has proposed an alternative UN draft convention of its own in the past, has consistently argued that the 2004 Budapest Convention is outdated, a regional treaty (although Russia is a Council of Europe member state and convention observer state), and violates principles of state sovereignty and non-interference. Russia’s current resolution passed by a final vote of 79 to 60 with 33 abstentions. The vote was largely along the same dividing lines highlighted above.
While one may argue that any global diplomatic negotiations on a threat as massive as cybercrime are positive, the Russian resolution and their draft convention raise serious human rights concerns that require urgent attention. Perhaps most critically, the language in the resolution regarding what constitutes the use of information and communications technologies (ICTs) for criminal purposes is extremely vague and the Russian draft convention is similarly as vague. Any discussion by a committee of experts on a new treaty based on vague guidelines of what is criminal behavior is likely to provide cover to authoritarian governments to persecute their political opponents.
Further, a new treaty may distract and stall progress on international cybercrime cooperation at a time when the threat is at an all-time high. The Budapest Convention has now been ratified or acceded to by sixty-four countries from different regions. While imperfect and in need of improvement, the Budapest Convention at least requires governments to demonstrate that they meet several standards in order to join. And, many of those that have not joined have still used it as the basis for their national cybercrime legislation. A new UN treaty may only confuse and hinder this progress. Additionally, little evidence was presented by Russia as to why an entirely new treaty is even needed.
So, what now? Before the intergovernmental committee of experts meets in August 2020 to discuss the proposed convention, like-minded governments that have historically been supportive of an open, free, and secure internet model should put the political will and resources into working with “swing states,” or those that have not made up their minds about which model they will adopt, to advocate for and provide clearer narratives that support their open internet model. This would include clarifying misconceptions around it and adopting an evidence-based approach to how ICTs should be governed. Proponents of an open internet model can start by focusing on the following points:
First, issues involving ICTs are multi-faceted and the debates about them should be better linked. According to the UN Secretary General, many decision-makers still lack the technical expertise to engage in these debates, and at the UN General Assembly, ICT issues are being negotiated in three different committees with discussions on cyber norm development and cybercrime occurring separately. For countries who are relatively new to this debate and may lack the needed expertise, this fragmentation can be confusing, even if the separation is justified, due to the nature of the issues or the preference of the United Nations for keeping the different debates separate. Addressing cybercrime is inherently tied to the debates on norms of state behavior in cyberspace—bringing cybercriminals to justice, regardless if they are state-backed, is an important component of enforcing norms. In order to reduce the negative impacts of this fragmentation, supporters of an open internet governance model should better link the various debates in their narratives and work to provide support, particularly through capacity building programming, to these swing states to help them form a more well-rounded understanding of these issues and make informed decisions during UN negotiations. The connection between all of these debates is often missing in the narratives pushed by global powers that support an open internet model, and this should change.
Second, countries would be wise not to just focus on giving the same arguments against a new UN convention and instead address the concerns raised regarding the Budapest Convention, as well as the incentives for joining it. The Budapest Convention is an operational treaty that continues to be reviewed and updated. It sets out common procedures for law enforcement cooperation in cybercrime cases and its members include some of the countries with the world’s largest ICT service providers who hold critical electronic evidence. Importantly, the second additional protocol currently under negotiation by the convention could help make the sharing of certain cross-border electronic evidence in criminal investigations more efficient among its member countries (although there were concerns expressed about it). Demonstrating the importance and benefits of the Budapest Convention and this possible protocol to swing states is critical in gaining their support for it. Despite its limitations, the Budapest Convention has been acting as a confidence-building mechanism for over a decade between the countries who have joined it. This, in an area like cybercrime, is very important.
The cybercrime threat continues to grow and governments are largely failing to bring perpetrators to justice. More cooperation among states is needed. With the Russian resolution passing, supporters of an open, free, and secure internet should dedicate greater efforts to win over the undecided countries. Failing to do so is a win for cybercriminals and the governments that support them.