Global unrest is fast becoming the norm in cyberspace, where cybercriminals operate with relative impunity and novel technologies allow nation-states to sharpen their espionage, influence operations, and breaches against enterprise and infrastructure. Today there is a near-constant rate of hacks against computer systems – by one recent count every 39 seconds on average for devices connected to the Internet.
If cybercrime is not better addressed, at risk is nothing less than trust in government’s ability to deliver on the promise of security. Consider that 61% of Europeans worry that elections can be manipulated through cyberattacks and one in three Americans will find themselves a victim of some form of cybercrime this year alone, not to mention the risks of state interference.
Disinformation has consumed many news and policy cycles, no less now in the time of COVID-19. Russian disinformation campaigns have regularly pushed out propaganda about the virus through think-tanks and suspect news services. Cyberspace has emerged as a national security complex affecting, as it does, governments, corporations, and individuals alike.
Given this state of affairs, a universal cybercrime treaty would seem beneficial. Yet, under the guise of combating cybercrime, two radically different visions of cyberspace compete for attention on the international stage. The first may be broadly characterized as a free-flowing model of cyberspace and has been championed by democracies. It is challenged by the second, the so-called “sovereign model,” where the primary focus is state control over information and, ultimately, people.
On 18 November 2019, a United Nations committee passed a Russia-backed cybercrime resolution by a vote of 88 to 58, with 34 countries abstaining. Russia’s successful vote set up an “Open-Ended Working Group” to examine cybercrime and methods to prevent it. While this development might sound salutary, it has direct consequences for the Budapest Convention on Cybercrime and existing mechanisms for improving the fight against cybercrime, international and national legal efforts, as well as long-term foreign policy impacts in many areas beyond cyberspace.
Foreign policy observers are quick to note that the Budapest Convention is the world’s only convention on cybercrime. Despite its status and clear value, the Convention has come under sustained pressure from Russia and its foreign policy partners that argue its very existence is an effort to violate sovereignty. Note that the Budapest Convention is open to the accession of countries that are not parties to the Council of Europe and is the means for international cooperation to tackle cybercrime.
Russia has also been actively trying to physically move current discussions on cybercrime from their home in Vienna, Austria (where decisions are made through consensus) to New York, where a majority vote would seem to give Russia and China a significant advantage in future proceedings.
Moreover, Russia and China may parlay wins at the United Nations to further the overarching goals of challenging the existence of universal human rights and the ideals of an open, free, and indivisible Internet. Consider that Russia and China also actively challenge the post-World War II world order, which their governments regard as a construction benefiting Western states.
The Russian proposal for a global cybercrime convention as well as Russia’s eagerness to further the “Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security” are primarily political moves to strengthen the Russian goal of establishing “the system of international information security.” The system the Kremlin seeks to achieve would be based on a “Convention on International Information Security,” with the United Nations and the International Telecommunications Union assigned to play major roles. Moreover, this Russian conception leans on strong, even absolute, state sovereignty, which undermines and overrides international obligations the state may have or be interpreted to have.
Russian arguments for the purposes of a so-called sovereign internet (known as RuNet) stress several aspects of security by autonomy. The objective of a separate Russian internet was outlined in the 2017 information security doctrine as “developing a national system of the Russian Internet segment management.” The context of this ambition being “of ensuring information security in the field of strategic stability and equal strategic partnership” implicitly but effectively refers to the perceived information security threat from the United States. The purpose of the “national segment of the Internet,” as it is also called, was to protect information as such and secure Russian critical infrastructure in the event of threats to state stability, security, and functional integrity.
Some in Russian foreign policy justify the ostensible need to maintain Russian-to-Russian traffic within territorial borders through a questionable cost argument: in the future the cost of international routing may, they argue, become too expensive. Yet according to Kaspersky experts, currently only some 2% of Russian-to-Russian traffic crosses its national borders.
The additional demand to pre-install Russian software to “track, filter, and reroute internet traffic” can be read in the contexts of information security, critical infrastructure protection, and boosting national research and development markets. Obviously, widening the coverage of federal (Roskomnadzor’s) enforcement mechanisms from routing traffic to all ICT devices also increases political and informational control over individuals.
It appears that these foreign policy moves are intended to create a cloud of uncertainty, serving to undermine past agreements and growing consensus on international norms in cyberspace while also subverting the core values of an open, free and accessible Internet. More acutely, Russia and China are working to enshrine what many experts maintain is a techno-dystopian, state-control view of cyberspace driven by technology that is exportable to other nations. Such digital authoritarian policies stand in stark contradiction with the stated goals of democratic states, ideals for cyberspace and people, and also threaten to undercut the modern global system of economy.
While the voting in the UN Third Committee showed that there is little appetite to start negotiation or to establish a new legal instrument on cybercrime, it should be clear that such pressures will not recede. There is also no consensus on the legal scope that such a new treaty would have on this issue. In addition, many experts recognize that a new diplomatic process could serve to divert efforts from national legislative reforms on cybercrime. Worse still, a new international legal instrument on cybercrime would duplicate existing work and preempt the conclusions of the open-ended intergovernmental UN expert group (IEG) to conduct a comprehensive study of the problem of cybercrime and responses to it by member states. (Presently, the IEG is the main process at the level of the United Nations on the issue of cybercrime.)
Russia has not just maintained but has also developed and strengthened its call for an “international information security system.” Meanwhile, some experts argue that the U.S., Europe, and its allies have not been particularly successful in their efforts to convince and engage states. For the U.S., public attribution is becoming the norm, with name-and-shame for cyberattacks and espionage, such as with the SolarWinds breach. Meanwhile, the authority of like-minded Western countries has been affected by leaks of foreign espionage, news reports of mass surveillance, and weakening encryption.
Europe, the United States and its allies should prepare for future international negotiations that might not go according to plan, to include further gains by China and Russia to seek control over information and alter the course of cyberspace. It may also help to redouble efforts to identify shared national interests and objectives across camps and continents, such as through the Framework for Responsible State Behavior in Cyberspace and the Paris Call for Trust and Security in Cyberspace. For the time being, with Ukraine front and center, extended treaty negotiations on cybercrime seem unlikely.
In the meantime, to effectively push back on counter-democratic initiatives, the U.S., Europe, and its allies need to undermine one of the three pillars in the Kremlin’s strategy: the general distrust toward information and communications technologies, the purported insufficiency of existing international law, or the narrative of existential external threat.