Can A Cybercrime Convention For All Be Achieved?

Uploaded on 2022-05-30 in INTELLIGENCE--International, GOVERNMENT-Law Enforcement, FREE TO VIEW

A new UN cybercrime treaty process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it. 

At the end of February, negotiations for a UN treaty to counter cybercrime began. This is significant for many reasons.

Firstly, while there are several instruments that address cybercrime, this is not only the first time states are negotiating a binding UN instrument on cybercrime, but also the first time states are negotiating a binding instrument on any cyber issue.

Secondly, the convention has the potential of reducing impunity of cybercriminals by harmonizing national approaches to criminalization. Relatedly, the convention could play a crucial role in improving international cooperation by providing effective investigatory frameworks and facilitating cross-border data exchange.

Moreover, the convention  could help build the capacity of countries with less experience in tackling cybercrime and provide the basis for technical assistance.

Challenges Lie Ahead

Despite such potential, the process of negotiation will not be straightforward. This became glaringly evident during the first of six rounds of negotiations, held between the 28th of February and the 11th of March, when several areas of divergence but also convergence emerged.

Cybercrime causes significant harm to developing countries’ societies and economies, which has only been exacerbated by the pandemic.

Over the course of the first ten days of negotiations, many delegations from developing countries expressed their urgent need for a practical legal tool that could help them tackle cybercrime. This issue causes significant harm to their societies and economies, which has only been exacerbated by the COVID-19 pandemic.

Many developing countries – including those represented by CARICOM – are optimistic about the role this convention could play in fighting cybercrime, bridging the digital divide, and harnessing the potential of ICTs. 

But to get there, there are key points that states need to agree on. One of which is what is cybercrime and what should be included in the scope of the treaty?

Narrow Scope of Cybercrimes

Countries have varied objectives of what they want this treaty to achieve. Western countries, for example, want to see a convention which includes a narrow scope of crimes. ‘Pure cybercrimes’ are known as cyber-dependent crimes, which refers to crimes that cannot happen without the use of ICTs.

These are often ones where a computer or data is the target of the criminal activity, such as malware, denial of service attacks, ransomware, etc. and include crimes that do not predate the existence of ICTs. Cyber-dependent offences have definitions broadly recognized by all countries.

They also advocate for including certain cyber-enabled crimes. These are traditional crimes where ICTs were used as an instrument, rather than as a target of the offence. The concept of cyber-enabled crimes applies to a very broad range of offences given how ICTs have infiltrated almost every aspect of our lives. So the offences that they have argued to be included are the ones where the use of ICTs significantly increase the scope, speed, scale of the crime but also the anonymity of the perpetrator.

For these offences, two main examples are often given: online child sexual exploitation, and computer fraud. They call for strong human rights safeguards to be embedded throughout the treaty.

Expanded Scope Of Cybercrimes

Other countries, such as India for example, have stated that a limited convention may create more problems than solutions as technology evolves. They call for an expanded scope in the convention which, in addition to the pure cybercrimes, would include a longer list of cyber-enabled crimes.

The lists of offences vary between countries but include offences such as the use of ICTs for terrorist reasons, the distribution of narcotic drugs, and arms trafficking, in addition to content-related offences such disinformation, coercion to suicide, hate speech, extremism and others.

This expanded scope entails risks. First, several of those suggested traditional crimes are addressed in other instruments. Including them in this convention risks not only duplication of efforts but contradiction with other treaties, as well as with national approaches to these issues.

Second, some of the suggested content offences, such as extremist content, are treated differently in national jurisdictions. While some content is considered a criminal offence in one jurisdiction, it might be subject to civil liability in other jurisdictions or entail no liability at all.

The UN Human Rights Office highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression.

In its submission to the process, the UN Human Rights Office stated that a future convention should focus on core cybercrimes and should avoid including content offences. It highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression by criminalizing various online content related to extremism, terrorism, public morals or hate speech. The OHCHR stressed the importance of a future international instrument on cybercrime not to be interpreted as justification for such steps.

The Risk Of No Consensus

But it is very important to note that this debate on trying to define what should and should not be considered cybercrime is at least a decade old. This debate has happened in several contexts including at the UN, where an agreement on a single definition of cybercrime was not possible.

There is nothing to suggest that this might change in the context of this process. Ultimately, this means there is a risk of not achieving consensus, and not having a convention at the end of this rather short process. If this was to happen, the countries who will probably be most affected are the developing countries.

Most developed countries have systems, resources, expertise and capabilities in place which enable them to tackle cybercrime. Western countries, for example, have a long history of working on cybercrime issues nationally but also regionally and internationally. They are state parties to the Budapest Convention and have good cooperation mechanisms within regional bodies such as Europol.

However, the same cannot be said about developing countries. As some delegations have highlighted during the negotiations, often international cooperation on cybercrime does not fail due to lack of will but rather lack of capacity. And whilst some of these countries have also ratified the Budapest Convention, their resources and capabilities tend to be unsurprisingly significantly less than those of developed countries.

Whilst some developing countries have also ratified the Budapest Convention, their resources and capabilities to tackle cybercrime tend to be unsurprisingly significantly less than those of developed countries.

Whether or not a UN convention on cybercrime is needed is also an old debate. However, the process currently underway presents an opportunity for many delegations from the developing countries to have a tool that would facilitate international cooperation on cybercrime and help them tackle the challenge. But can this be achieved in this process?

A Legal Basis For Gathering Data

Despite the differences between countries on how to define cybercrime for the purpose of the treaty and what to include in the scope, most countries acknowledge that the convention should include criminal activities committed that are broadly recognized by the international community.

Some delegations have suggested that the convention could act as a legal basis for the gathering of electronic evidence without linking cooperation to the investigation of certain offences that the convention sets out.

As put in the Chinese submission to the UN process, ‘regarding other crimes committed by using ICTs, member states could prevent and combat relevant crimes, which are not listed in this convention, and carry out international cooperation in accordance with this convention, other international conventions and their respective domestic laws.’

This approach has been successfully used in the context of the United Nations Convention against Transnational Organized Crime (UNTOC) where the convention criminalized a specific set of core types of organized crime activity but included broad international cooperation provisions that can be applied to other types of serious crime committed.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that is impeding them from harnessing the potential of ICTs.

Several states have argued for a similar approach to be followed in this process which would mean that defining the different types of criminal behaviour becomes less important as states will have a legal basis for gathering and exchanging data, irrespective of the criminal offences covered in the convention.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that they have been grappling with for several years, a problem that is impeding them from harnessing the potential of ICTs in their own countries.

Countries realize that this convention can give them the tools they need to leapfrog into a place where they have a better grip of the situation. How likely it is that this will happen is difficult to say, but what is clear is that this process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it.

Joyce Hakmeh is Senior Research Fellow, International Security Programme  at Chatham House and  Co-Editor of the Journal of Cyber Policy.

You Might Also Read: 

Tackling Cybercrime: Time For The Regional Gulf Cooperation Council To Join Global Efforts:

 

« US Banks Hit By Russian Cyber Attacks
No future For IoT Security Without Secure Access Service Edge (SASE) »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Ascentor

Ascentor

Ascentor specialises in independent information and cyber security consultancy. We’re experienced industry experts, providing cyber security services since 2004.

IOActive

IOActive

IOActive serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture.

Kramer Levin

Kramer Levin

Kramer Levin is a full-service law firm with offices in New York and Paris. Practice areas include Cybersecurity, Privacy and Data Protection.

Gate 15

Gate 15

Gate 15 provide risk management services focusing primarily on information, intelligence and threat analysis, operational support and preparedness.

Lynx Technology Partners

Lynx Technology Partners

Lynx Technology Partners is a full service, full life-cycle risk-based security consulting firm.

VU Security

VU Security

VU is a specialist in Cybersecurity software development with a focus on the prevention of fraud and identity theft.

Civic Technologies

Civic Technologies

Civic’s Secure Identity Platform (SIP) uses a verified identity for multi-factor authentication on web and mobile apps without the need for usernames or passwords.

OAS Chain

OAS Chain

OAS Blockchain Renaissance Project presents three platforms that address the major challenges of public blockchain, private blockchain, and IoT security.

KBR

KBR

To help governments and other agencies to combat cyber threats, KBR is safeguarding their most valuable systems with sophisticated tools, hardware and training.

Global Accelerator Network (GAN)

Global Accelerator Network (GAN)

Global Accelerator Network are a highly curated community of independent Accelerators, Partners and Investors.

Cybeta

Cybeta

Cybeta's actionable cybersecurity intelligence keeps your business safe with strategic and operational security recommendations that prevent breaches.

Securosys

Securosys

Securosys is a technology company dedicated to securing data and communications. We develop, produce, and distribute hardware, software and services that protect and verify data and their transmission

QuantiCor Security

QuantiCor Security

QuantiCor Security is one of the world’s leading developers and manufacturers of quantum computer resistant security solutions for IT infrastructures and the Internet of Things (IoT).

Cybernatics

Cybernatics

Cybernatics is inspired by bringing together best-in-class innovations around Cybersecurity and Analytics. We offer tailored enterprise solutions to safeguard your organisations best interests.

Professional Labs

Professional Labs

Professional Labs specialize in simplifying complex problems for our customers with Cloud Services, Managed Services and Cyber Security.

Fingerprints

Fingerprints

Fingerprints is the world-leading biometrics company. Our solutions are found in millions of devices providing safe and convenient identification and authentication with a human touch.