As the West braces for a possible escalation of Russian ransomware attacks in retaliation for support to Ukraine, the first meeting to negotiate a new global cybercrime treaty began quietly last week at the United Nations in New York – a new treaty ironically pushed on the international community by Russia.
For the past decade Russia has strongly advocated for a new global cybercrime treaty despite the existence of the Budapest Convention on Cybercrime, an international cybercrime treaty negotiated by the Council of Europe in 2001 which came into effect in 2004. Since then, 66 countries around the world (including Australia) have ratified the Convention, with more in the process of doing so.
Despite being a member of the Council of Europe, Russia never joined the Budapest Convention, claiming the treaty violates principles of state sovereignty by allowing cross-border cybercrime operations. Yes, the same Russia that launched the invasion of a sovereign state that has horrified the world.
Russia has instead fought tooth and nail for a new, separate international cybercrime treaty. In 2019, with the support of China, Cambodia, Belarus, North Korea, Myanmar, Iran, Venezuela and Nicaragua – hardly bastions for protecting rights online – Russia presented a resolution for such a treaty to the UN General Assembly.
It’s hard to see how Russia could engage in negotiations for a legally-binding cybercrime treaty in good faith.
The resolution sparked strong opposition from Europe, the United States, Australia, civil society and human rights groups. Why negotiate a new treaty when one already exists? Why divert time and limited resources to negotiating a new treaty when those energies could be better directed to enhancing the existing Budapest Convention? Several additional protocols have already been added. Moreover, writing the entire treaty seems to distract from the importance of building national capacities to detect, prosecute and counter cybercrime.
In the end, while more countries voted against or abstained from the resolution than voted in favour of it, Russia’s resolution ultimately managed to pass and preparations for a new cybercrime treaty began.
So last week the first session of negotiations for the treaty finally kicked off. The UN Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes will run in New York until 11 March. The first negotiating session aims to address the scope, objectives, and structure for the new treaty.
Russia has, helpfully, already provided a full draft for consideration, proposing it form the basis of the new treaty. Unsurprisingly, there are a number of concerns with the Russian draft.
Rather than enhancing and building on the Budapest Convention, Russia’s draft treaty significantly expands the definition of a cybercrime – giving nation state the power to designate almost anything that happens online as a cybercrime. The draft also erodes human rights protections and duplicates other processes underway at the United Nations. It introduces new text and language, deviating from consensus-agreed text in other international agreements, and includes deliberately vague terms and definitions, which pave the way for wide interpretation and abuse in the future.
The hypocrisy of Russia in pushing for a global cybercrime treaty shouldn’t be lost on anyone. Russia has long turned not only a blind eye to cyber criminals operating in its borders, but has openly and actively supported it. It’s hard to see how Russia could engage in negotiations for a legally-binding cybercrime treaty in good faith. It’s harder still to see how it can negotiate at the United Nations for a treaty based on upholding state sovereignty while simultaneously invading a sovereign nation state.
So why is Russia pushing for a legally-binding cybercrime treaty, when it demonstrates time and time again that it has no intention of upholding its responsibilities under international law?
There are many advantages for Russia in a watered-down cybercrime treaty that gives governments the freedom to designate anything online as a cybercrime. Russia’s broader multilateral efforts, including at the International Telecommunication Union, are also focussed on strengthening nation states’ control over the internet.
It seems Russia’s aim is to keep the international community busy and distracted negotiating a new cybercrime convention as a way to stall practical global cybercrime cooperation just at the time it’s needed most.