While the U.N. General Assembly last week debated a resolution demanding Russia withdraw from Ukraine, in a nearby conference room countries began another attempt to put some teeth behind the fight against the criminal use of the internet.
It was the start of a scheduled three years of sessions on creating an internationally agreed-upon convention on cybercrime. The opening two-week session in New York had been scheduled to begin in January but was delayed because of the COVID-19 pandemic. Because of the pandemic, a hybrid format is now being used. The schedule anticipates at least six sessions alternating between New York and Vienna.
“It’s critical,” Eric Cole, a former U.S. cyber advisor to several presidents, said in an interview before the invasion. “To me this should have been started years ago.”
But Cole, who now runs a consulting firm called Secure Anchor, also doesn’t deny the challenges: Russia and China will be tough negotiators, and state-sponsored threat groups likely won’t be covered in any treaty.
If an agreement can be reached that deals with the amount of cybercrime that isn’t state-sponsored, he added, it will be “a huge win.”
Opening comments
In his opening remarks, John Brandolino, the director of treaty affairs for the UN’s Office of Drugs and Crime, noted it had taken years to get the UN to agree on an anti-corruption treaty. “Today, we stand at the starting point of another monumental effort relating to another area of great concern around the world: cybercrime,” he said. “As the chair has mentioned, the importance of this new convention cannot be underestimated. The use of ICTs (information and communications technologies) for criminal purposes has occupied international headlines in recent years. We have witnessed an increasing amount of malicious cyber operations undertaken by criminals. The COVID-19 pandemic has accelerated ICT-related criminal activity, forcing us to work remotely. And criminals have quickly adapted to the situation and exploited our increased dependency, making it even more paramount to effectively address this challenge as soon as possible.”
It isn’t clear if Russia’s willingness to compromise with the West will evaporate as sanctions increase over the invasion.
“I don’t see Russia feeling that they need to compromise or be more co-operative,” said Christopher Painter, a former cyber diplomat at the U.S. State Department, told ITWorldCanada. “I think instead they will dig in. The question is how the invasion will affect their ability to get other countries to follow their lead and views. Lots of competing dynamics there and too early to tell.”
Related content: Listen to Painter’s interview on Cyber Security Today, conducted in January just before the delay of the opening session
The invasion of Ukraine figured in some of the opening comments of delegates.
In addition to denouncing Russia’s military action, the delegate from the European Union said “the continued cyberattacks against Ukraine are not conducive to a constructive engagement with Russia on a legally binding convention.”
The Canadian government turned down a request for an interview on this country’s position going into the talks. Instead, Global Affairs Canada sent ITWorldCanada a statement saying the future treaty should focus on cybercrime. “Issues pertaining to cyber security, cyber governance, and international peace and security have no place in such a convention.
“There is also a need for the negotiations to be inclusive, transparent, constructive, and a consensus-based process that will lead to a fair outcome to the benefit of all. Understanding and addressing concerns, whether from member states, private sector, civil society organizations, or the perspectives of indigenous peoples is important to ensure a meaningful implementation of the future convention,” the statement added.
Canada also wants to ensure any obligations respect international human rights standards, “and that those standards be central to all elements of the convention. This is an important issue that will need to be addressed in the discussions pertaining in particular to substantive offences, procedural powers and international co-operation. Secondly, consistent with Canada’s gender equality policies, it will be important that gender perspectives are reflected, including in order to better understand how gender needs to be taken into account in implementing the convention.”
The first negotiation session will try to define and seek clarity on the general parameters for the scope, objectives, and the structure of the treaty.
Existing treaties
This is not the first effort at creating such a treaty. There are already international agreements on cybercrime including:
- the Budapest Convention, which came into effect on July 1, 2004, and has been signed or ratified by 66 countries, but not China or Russia;
- United Nations Convention against Transnational Organized Crime, which came into effect in 2003. The 147 nations that signed committed to taking a series of measures against transnational organized crime, including the creation of domestic criminal offences, such as participating in an organized criminal group, money laundering and corruption;
- In addition, last year the U.N.’s Open-Ended Working Group (OWEG) on security in information and telecommunications technologies (ICTs) issued a report that agreed by consensus for 193 countries to follow voluntary and non-binding norms for responsible behaviour in cyberspace. Countries that agreed included Russia and China.
But most of these don’t specifically deal with cybercrime. The Budapest Convention does, but it has been signed by fewer than half of the U.N. members.
Officially, the group that will be meeting is the “ad hoc committee of the U.N. to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.” The committee’s draft text will be submitted to the General Assembly for approval.
In addition to national delegates, over 200 non-governmental, academic, and IT companies will participate, including Microsoft, the Cybersecurity Coalition, and Iran’s Cyberspace Research Lab.
Initial submissions
Twenty-nine nations made written submissions for the first session. Among those that did not were China and North Korea.
Canada’s submission said the convention should include provisions for substantive cybercrime offences and the investigation and prosecution of cybercrime and serious criminal offences that are frequently committed through the use of computer systems. It should establish a baseline for substantive criminal offences, procedural powers and international cooperation to fight cybercrime. It should also eliminate safe havens for cybercrime perpetrators;
The U.S. opening submission said an “anti-cybercrime instrument should be aimed at enhancing international cooperation and providing practical tools to equip national law enforcement authorities to tackle cybercrime, as other UN instruments have done for other forms of transnational crime, including corruption, narcotics trafficking, human trafficking, and migrant smuggling.”
Ad hoc committee members should not delve into wide-ranging cyber-governance or cybersecurity topics in a crime instrument dedicated to combating cybercrime, the submission adds.
Russia submitted a 69-page fully-proposed convention that includes the right of a nation to denounce the agreement. Any “regional economic integration organization” can cease to be a party to the convention if all states in that group denounce the pact, the proposal adds. Russia heads the Commonwealth of Independent States, which includes eight other nearby countries.
An ideal treaty would make individuals who allegedly commit cybercrime eligible for extradition for those crimes, something not covered in current extradition treaties, Cole said. That “would start to change everything,” he said. “I do a lot of work with (U.S.) federal state and local law enforcement and 90 per cent of the time we know who’s doing it [cybercrime], we know where they’re coming from.” But nations that don’t allow extradition for cybercrime impair prosecution.
A treaty should also include a clear definition of cybercriminal activity, he added.
Cole also admitted he’s skeptical a treaty can be negotiated in three or even four years. “Realistically, if we could get some basic boundaries over ‘these types of attacks are not tolerated’ and if they don’t want to extradite local governments will prosecute, that would be the best realistic scenario.”
Asked if Russia and China want a binding treaty, Cole said that behind closed doors they feel their countries are pretty well controlled — they can monitor traffic in and out and still get a lot of benefit from the existing internet. Publicly, for political reasons, “they’re probably going to have to play along because if they don’t there could be a lot pressures, potential sanctions. But I don’t think they’re going to be super-co-operative, especially when it comes to state-sponsored or anything that’s financially benefiting the countries. To me, China is more [involved in] the intellectual theft for competitive advantage. If you talk about [forbidding] basic data theft and stealing of personal and health care information I think China will get on board, but if you talk about trade secrets and critical data of U.S. companies I think China will fight that. Russia will push back on [forbidding] anything financial-driven or state-sponsored.
“The scope of what we’re going to be able to agree on will be narrow,” he said, but at this point anything is better than nothing. That’s why I think it’s still a good effort even though I don’t think it’s going to come even close to 100 per cent effectiveness.”