Can A Cybercrime Convention For All Be Achieved?

A new UN cybercrime treaty process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it. 

At the end of February, negotiations for a UN treaty to counter cybercrime began. This is significant for many reasons.

Firstly, while there are several instruments that address cybercrime, this is not only the first time states are negotiating a binding UN instrument on cybercrime, but also the first time states are negotiating a binding instrument on any cyber issue.

Secondly, the convention has the potential of reducing impunity of cybercriminals by harmonizing national approaches to criminalization. Relatedly, the convention could play a crucial role in improving international cooperation by providing effective investigatory frameworks and facilitating cross-border data exchange.

Moreover, the convention  could help build the capacity of countries with less experience in tackling cybercrime and provide the basis for technical assistance.

Challenges Lie Ahead

Despite such potential, the process of negotiation will not be straightforward. This became glaringly evident during the first of six rounds of negotiations, held between the 28th of February and the 11th of March, when several areas of divergence but also convergence emerged.

Cybercrime causes significant harm to developing countries’ societies and economies, which has only been exacerbated by the pandemic.

Over the course of the first ten days of negotiations, many delegations from developing countries expressed their urgent need for a practical legal tool that could help them tackle cybercrime. This issue causes significant harm to their societies and economies, which has only been exacerbated by the COVID-19 pandemic.

Many developing countries – including those represented by CARICOM – are optimistic about the role this convention could play in fighting cybercrime, bridging the digital divide, and harnessing the potential of ICTs. 

But to get there, there are key points that states need to agree on. One of which is what is cybercrime and what should be included in the scope of the treaty?

Narrow Scope of Cybercrimes

Countries have varied objectives of what they want this treaty to achieve. Western countries, for example, want to see a convention which includes a narrow scope of crimes. ‘Pure cybercrimes’ are known as cyber-dependent crimes, which refers to crimes that cannot happen without the use of ICTs.

These are often ones where a computer or data is the target of the criminal activity, such as malware, denial of service attacks, ransomware, etc. and include crimes that do not predate the existence of ICTs. Cyber-dependent offences have definitions broadly recognized by all countries.

They also advocate for including certain cyber-enabled crimes. These are traditional crimes where ICTs were used as an instrument, rather than as a target of the offence. The concept of cyber-enabled crimes applies to a very broad range of offences given how ICTs have infiltrated almost every aspect of our lives. So the offences that they have argued to be included are the ones where the use of ICTs significantly increase the scope, speed, scale of the crime but also the anonymity of the perpetrator.

For these offences, two main examples are often given: online child sexual exploitation, and computer fraud. They call for strong human rights safeguards to be embedded throughout the treaty.

Expanded Scope Of Cybercrimes

Other countries, such as India for example, have stated that a limited convention may create more problems than solutions as technology evolves. They call for an expanded scope in the convention which, in addition to the pure cybercrimes, would include a longer list of cyber-enabled crimes.

The lists of offences vary between countries but include offences such as the use of ICTs for terrorist reasons, the distribution of narcotic drugs, and arms trafficking, in addition to content-related offences such disinformation, coercion to suicide, hate speech, extremism and others.

This expanded scope entails risks. First, several of those suggested traditional crimes are addressed in other instruments. Including them in this convention risks not only duplication of efforts but contradiction with other treaties, as well as with national approaches to these issues.

Second, some of the suggested content offences, such as extremist content, are treated differently in national jurisdictions. While some content is considered a criminal offence in one jurisdiction, it might be subject to civil liability in other jurisdictions or entail no liability at all.

The UN Human Rights Office highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression.

In its submission to the process, the UN Human Rights Office stated that a future convention should focus on core cybercrimes and should avoid including content offences. It highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression by criminalizing various online content related to extremism, terrorism, public morals or hate speech. The OHCHR stressed the importance of a future international instrument on cybercrime not to be interpreted as justification for such steps.

The Risk Of No Consensus

But it is very important to note that this debate on trying to define what should and should not be considered cybercrime is at least a decade old. This debate has happened in several contexts including at the UN, where an agreement on a single definition of cybercrime was not possible.

There is nothing to suggest that this might change in the context of this process. Ultimately, this means there is a risk of not achieving consensus, and not having a convention at the end of this rather short process. If this was to happen, the countries who will probably be most affected are the developing countries.

Most developed countries have systems, resources, expertise and capabilities in place which enable them to tackle cybercrime. Western countries, for example, have a long history of working on cybercrime issues nationally but also regionally and internationally. They are state parties to the Budapest Convention and have good cooperation mechanisms within regional bodies such as Europol.

However, the same cannot be said about developing countries. As some delegations have highlighted during the negotiations, often international cooperation on cybercrime does not fail due to lack of will but rather lack of capacity. And whilst some of these countries have also ratified the Budapest Convention, their resources and capabilities tend to be unsurprisingly significantly less than those of developed countries.

Whilst some developing countries have also ratified the Budapest Convention, their resources and capabilities to tackle cybercrime tend to be unsurprisingly significantly less than those of developed countries.

Whether or not a UN convention on cybercrime is needed is also an old debate. However, the process currently underway presents an opportunity for many delegations from the developing countries to have a tool that would facilitate international cooperation on cybercrime and help them tackle the challenge. But can this be achieved in this process?

A Legal Basis For Gathering Data

Despite the differences between countries on how to define cybercrime for the purpose of the treaty and what to include in the scope, most countries acknowledge that the convention should include criminal activities committed that are broadly recognized by the international community.

Some delegations have suggested that the convention could act as a legal basis for the gathering of electronic evidence without linking cooperation to the investigation of certain offences that the convention sets out.

As put in the Chinese submission to the UN process, ‘regarding other crimes committed by using ICTs, member states could prevent and combat relevant crimes, which are not listed in this convention, and carry out international cooperation in accordance with this convention, other international conventions and their respective domestic laws.’

This approach has been successfully used in the context of the United Nations Convention against Transnational Organized Crime (UNTOC) where the convention criminalized a specific set of core types of organized crime activity but included broad international cooperation provisions that can be applied to other types of serious crime committed.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that is impeding them from harnessing the potential of ICTs.

Several states have argued for a similar approach to be followed in this process which would mean that defining the different types of criminal behaviour becomes less important as states will have a legal basis for gathering and exchanging data, irrespective of the criminal offences covered in the convention.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that they have been grappling with for several years, a problem that is impeding them from harnessing the potential of ICTs in their own countries.

Countries realize that this convention can give them the tools they need to leapfrog into a place where they have a better grip of the situation. How likely it is that this will happen is difficult to say, but what is clear is that this process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it.

Joyce Hakmeh is Senior Research Fellow, International Security Programme  at Chatham House and  Co-Editor of the Journal of Cyber Policy.

You Might Also Read: 

Tackling Cybercrime: Time For The Regional Gulf Cooperation Council To Join Global Efforts:

 

« US Banks Hit By Russian Cyber Attacks
No future For IoT Security Without Secure Access Service Edge (SASE) »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Becrypt

Becrypt

Becrypt is a trusted provider of endpoint cybersecurity software solutions. We help the most security conscious organisations to protect their customer, employee and intellectual property data.

Reblaze Technologies

Reblaze Technologies

Reblaze provides the world’s best security technologies in a cloud-based website security platform.

Secardeo

Secardeo

Secardeo is a provider of corporate solutions using digital signatures and certificates. Our solutions enable the user transparent end-to-end encryption of e-mails between organizations.

Reason Cybersecurity

Reason Cybersecurity

Reason Cybersecurity is a powerful cloud-based security software that detects, blocks and destroys malware, adware and PUPs in real-time.

XTN Cognitive Security

XTN Cognitive Security

XTN is focused on the development of security, Fraud and Mobile Threat Prevention advanced behaviour-based solutions.

Cyber Intelligence (CI)

Cyber Intelligence (CI)

Cyber Intelligence is an award winning 'MSC status' cyber security education and training company.

Quadible

Quadible

Quadible BehavAuth is an AI-platform that continuously authenticates the users, without the need of any input, by learning their behavioural patterns.

IAR Systems

IAR Systems

IAR Systems are a frontrunner in a changing industry, and a future-proof software supplier enabling the IoT.

CyberCube

CyberCube

CyberCube provide world-leading cyber risk analytics for the cyber insurance market.

Q6 Cyber

Q6 Cyber

Q6 Cyber is an innovative threat intelligence company collecting targeted and actionable threat intelligence related to cyber attacks, fraud activity, and existing data breaches.

Isovalent

Isovalent

Isovalent deliver the most advanced Kubernetes networking & security capabilities to the most demanding of enterprise users.

HMS Networks

HMS Networks

HMS stands for Hardware meets Software. Our technology enables industrial hardware to communicate and share information with software and systems.

Two Six Technologies

Two Six Technologies

Two Six Technologies delivers R&D, innovation, productization and implementation expertise in cyber, data science, mobile, microelectronics and information operations.

Cyber Ireland

Cyber Ireland

Cyber Ireland brings together Industry, Academia and Government to represent the needs of the Cyber Security Ecosystem in Ireland.

FortifyIQ

FortifyIQ

FortifyIQ's mission is to advance maximum security against side-channel attacks across the entire computing spectrum.

Gridware

Gridware

Gridware is a specialised cybersecurity consultancy firm and an emerging global player in the cybersecurity intelligence and advisory field.