Coming Soon: A Supreme Court Ruling on TikTok, China and National Security
EXPERT INTERVIEWS — Does Chinese ownership of the wildly popular TikTok app pose a national security risk to the United States? And if so, what should […] More
OPINION — Earlier this year, the United Nations Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (Ad Hoc Committee) met for two weeks in what was supposed to be its seventh and concluding session.
The good news is that the Committee failed to deliver. Lingering differences over the scope and substance of the proposed cybercrime convention proved too difficult to achieve consensus.
Why is this good news? Because from its inception, the initiative to adopt a UN cybercrime convention has been a not-so-veiled, Russian-sponsored effort to bolster an autocratic vision for the modern, digital information ecosystem.
The UN General Assembly stood up the Ad Hoc Committee in 2019 at the urging of Russia and seventeen co-sponsoring states including China, North Korea, Iran, Belarus, and Venezuela—a grouping of democratically-challenged States (to put it mildly). The bad news is that the effort lives on. The Ad Hoc Committee simply kicked the can down the road, suspending the apparently not-so-concluding session to reconvene later this year.
On its face, the General Assembly’s rationale for pursuing a UN cybercrime convention seems reasonable enough. Cybercrime, by any definition, is a massive problem globally with substantial national security implications. Just ask Costa Rica, which fell victim in 2022, to a crippling wave of Ransomware operations targeting not just the private sector, but the government as well, prompting President Rodrigo Robles Chaves to declare a national emergency and to declare “war” on the perpetrators. Ironically, it was the Russian Conti group that was behind the attacks.
Reports of significant cybercrimes and data breaches are a near daily occurrence, with names like Solar Winds, Colonial Pipeline, NotPetya, and Hafnium, to name a few, quickly entering mainstream consciousness.
According to statistics, the global cost of cybercrime is expected to climb to nearly $24 trillion in 2027; a three-fold increase from 2022 levels. Ransomware remains a multi-billion-dollar criminal industry, with trends moving in the wrong direction and States like North Korea, leveraging it as a tool of statecraft and illicit revenue generation. Given this year-over-year increase in cybercrime, there is, as the General Assembly noted when establishing the Ad Hoc Committee, a clear “need to enhance coordination and cooperation among States” to combat this problem. The question is not whether, but how.
Sign up for the Cyber Initiatives Group Sunday newsletter for a quick read on the biggest cyber and tech headlines. Sign up today.
Countering cybercrime, especially the scourge of ransomware, figures prominently in the U.S. National Cybersecurity Strategy, as does a commitment to the very coordination and cooperation among States that the General Assembly calls for.
The U.S.-led International Counter Ransomware Initiative, launched in 2021, now includes over 50 States, and is but one example. The U.S. is equally, if not more committed to doing so in ways that “promote and protect the exercise of human rights, democracy, and the rule of law…” When it comes to Russia’s push for a UN Cybercrime Convention, and how the U.S. and its allies should engage with the proposal, herein lies the rub.
Under the guise of creating needed mechanisms for greater international cooperation, Russia and its confederates seek to define cybercrime in overly broad terms that would legitimize – with the imprimatur of a UN-backed treaty – their authoritarian control of the information environment and censorship of on-line speech.
Couple this with an obligation on States that join the convention to criminalize the same conduct through the enactment of domestic legislation and frameworks, a nearly unfettered obligation to cooperate on cross-border investigations of those crimes, and an absence of meaningful provisions addressing risks to human rights, and you have a clear recipe for undermining if not rewriting a critical aspect of the international order.
And as some have pointed out, if Russia gets its version of the draft Convention to and through the General Assembly, it will actually undermine cybersecurity.
The Council of Europe’s Budapest Convention already addresses cybercrime and the need for cross-border investigative cooperation. Although not without its critics or flaws, the Budapest Convention is at least grounded in an acknowledged “need to ensure a proper balance between the interests of law enforcement and respect for fundamental human rights,” including freedom of expression and privacy, and has built in conditions and safeguards to protect those rights. Since coming into effect in 2004, over 70 States, including the U.S., have ratified the Budapest Convention and generally regard it as an effective tool for addressing cybercrime internationally.
That grouping of States does not include Russia, despite being a member of the Council of Europe (until its withdrawal in 2022) or China. The reason? Because Russia, ironically, views the Budapest Convention as violative of its sovereignty insomuch as it creates obligations to cooperate on cross-border investigations. The duplicity of this position should not be lost. It is well recognized that among U.S. adversaries, Russia in particular, provides safe haven to ransomware and other cyber criminals, not only routinely failing to “cooperate with law enforcement [but often] encourag[ing], direct[ing], sanction[ing], or tolerat[ing]” these criminals’ activities.
In a clear stroke of diplomatic sophistry, Russia’s push for adoption of the Convention is, from its perspective, a win-win proposition. Failure to move the Convention forward bolsters its self-serving argument that international law does not currently regulate cybercrime, nor by extension, Russia’s symbiotic relationship with it. On the other hand, adoption of the version of the Convention Russia has promoted would, as noted, notch a significant win toward achieving its authoritarian goals.
It’s not just for the President anymore. Are you getting your daily national security briefing? Subscriber+Members have exclusive access to the Open Source Collection Daily Brief, keeping you up to date on global events impacting national security. It pays to be a Subscriber+Member.
Russia’s efforts should not be viewed in isolation. This is just one part of a broader effort to coopt facially legitimate UN processes to shape cyberspace in favor of digital authoritarianism.
Russia has consistently played the disruptor card in other UN fora focused on affirming and advancing international law’s applicability to States’ use of cyberspace, such as the UN Group of Governmental Experts and the Open Ended Working Group, while pushing the narrative that new treaties are needed to fill an international law vacuum in cyberspace. Russia’s latest move, submitting to the OEWG its concept for a Convention of the UN on Ensuring International Information Security, looks to build on its momentum with the Cybercrime Convention and open negotiations on an instrument that, according to some, “could undermine accountability of state actions in cyberspace and severely harm digital human rights.”
Russia’s play here is clear and calls for a concerted effort to defeat it. In essence, the negotiations over the UN Cybercrime Convention are an under-the-radar battle playing out along a critical fault line of strategic competition. What is at stake is whether the U.S. and its allies’ goal of “[p]reserving and extending the open, free, global, interoperable, reliable, and secure Internet” will succumb to what the U.S. has called the “dark vision for the future of the Internet” that Russia, China, and their allies are promoting.
The U.S. Department of State’s recently released International Cyberspace and Digital Policy Strategy: Towards and Innovative, Secure, and Rights-Respecting Digital Future, is about to be put to the test.
When the Ad Hoc Committee reconvenes in late July of this year, will the U.S. build the “digital solidarity” among partners to thwart Russia’s efforts? Whether it can achieve its “affirmative vision for cyberspace and digital technologies…grounded in international commitments and international law, including international human rights law” may depend on it.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to [email protected] for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
Related Articles
EXPERT INTERVIEWS — Does Chinese ownership of the wildly popular TikTok app pose a national security risk to the United States? And if so, what should […] More
EXPERT INTERVIEW — The race between China and the U.S. for tech supremacy gets fiercer by the day. In the latest salvo, the U.S. this […] More
EXPERT INTERVIEW — The U.S. starts the new year with a daunting set of challenges in the national security space – from global conflicts to terrorism […] More
EXPERT INTERVIEW — The U.S. Treasury Department closed 2024 with the announcement that state-sponsored hackers from China had breached its systems in a “major incident.” The hackers […] More
SPECIAL REPORT — In 2025, technological advances will continue to reshape industries, transform national security strategies, and fuel global competition. Artificial Intelligence (AI) will expand its […] More
EXPERT VIEW — 2024 has brought multiple reminders of the threats – real and potential – posed by the People’s Republic of China (PRC). Over the […] More
Search