As Russia’s invasion of Ukraine rolls through its second week, a United Nations committee has begun hearings on a proposed new cybercrime treaty Russia has been pushing. The proposal has been heavily criticized by the United States, the European Union and other Western countries.
For several years, Russia has been vying for a new treaty to replace the Budapest Convention on Cybercrime agreement put into effect by the Council of Europe in 2004 and 67 signatories. Russia was not one of them, despite its role as a council member. Despite the broad pushback to the new treaty a 69-page draft was offered to the UN by Russian officials last year, and got enough support to move forward.
The UN’s Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes began two weeks of deliberations on February 28, four days after Russia began its long-threatened invasion of neighboring Ukraine. The hearing is scheduled to wrap up March 11.
The fact that Russia – a country that as long been accused of supporting cybercriminal gangs within its border, whose intelligence agencies have been suspected of working with some of these groups, that has used disinformation campaigns in other countries to sow divisions and has used its control over information and communications technologies (ICT) to limit the flow of information to its population – is proposing this new treaty is a significant point of contention for other countries and nongovernmental and human rights groups.
The attack on Ukraine and the cyberwarfare Russia undertook in the leadup to and since the invasion only heightens those concerns.
“The Ukraine crisis looms large over the talks, with many Member States voicing solidarity with Ukraine and questioning whether Russia (the initial driving force behind the adoption of this treaty) could debate in good faith and defend claims of sovereignty in formulating cybercrime provisions while invading Ukraine and unleashing cyberattacks,” Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, and Karen Gullo, EFF senior media relations specialist, wrote in a blog post.
“Despite high levels of distrust, Member States are proceeding with the negotiations as planned.”
Mercedes Page, founder and CEO of Young Australians in International Affairs, wrote in a column for the think tank Lowy Institute, that the “hypocrisy of Russia in pushing for a global cybercrime treaty shouldn’t be lost on anyone,” these days.
“Russia has long turned not only a blind eye to cyber criminals operating in its borders, but has openly and actively support it. It’s hard to see how Russia could engage in negotiations for a legally-binding cybercrime treaty in good faith. It’s harder still to see how it can negotiate at the United Nations for a treaty based on upholding state sovereignty while simultaneously invading a sovereign nation state.”
Such high-profile cybercrime groups like REvil and Conti have been linked to Russia. Chainalysis, which offers a blockchain data platform, wrote in a report last month that about 74 per cent of the revenue derived from ransomware attacks – or about $400m in cryptocurrency – was connected to malware strains likely affiliated to Russia. In addition, most of the ransomware money collected by threat groups “are laundered through services primarily catering to Russian users.”
Russian sovereignty at stake! So is our data
Russia refused to sign onto the Budapest Convention, arguing that the language allowing law enforcement cybercrime operations to cross nation borders violated the idea of state sovereignty. Russia has since agitated for a new treaty.
The US and other countries, along with human rights groups and other organizations, said the time and resources would be better spent improving the Budapest Convention. More countries last year voted against moving forward with Russia’s treaty proposal, but enough sided with Russia, setting the stage for the hearings this month.
Among the key criticisms of Russia’s proposal is the expansion of definitions of cybercrime in a way that give enable nation-states wide leeway to designate many activities that happen online as a cybercrime, and thus giving them broader basis for cracking down on those activities, which many worry could lead to wide human rights abuses.
“Russia’s approach to cyberspace has been one of sovereignty and expanded state control,” Joyce Hakmeh, Senior Research Fellow at London-based think tank Chatham House, and Tatiana Tropina assistant professor of cybersecurity governance at the Institute of Security and Global Affairs at Leiden University in the Netherlands and Associate Fellow of The Hague Program for Cyber Norms, wrote in a column last year.
“The recent attempts to isolate the internet within its jurisdictions from the rest of the world are a natural progression of this trend, and the recent proposal is in harmony with this approach. … The Russian draft is both far-reaching in terms of crimes related to terrorism and extremism and selective in its inclusion of other kinds of cyber-enabled crime,” such as drug distribution and counterfeit medicines.
The Russian draft also puts less importance on safeguards for protecting individuals from nation-state overreach. Hakmeh and Tropina note as an example that regarding the interception of data. The Budapest Convention restricts it to serious crimes, but Russia wants to apply it to any crime outlined in the treaty.
The Budapest Convention also allows other parties to refuse mutual legal assistance if they see the request tied to a political offense, they wrote, adding that “the Russian proposal directly prohibits the refusal of mutual legal assistance and extradition on this ground, forcing parties to provide mutual legal assistance even if the requesting state uses a particular digital investigation as an instrument for political oppression.”
EFF’s Rodriguez and Gullo wrote that “cybercrime provisions have been used against whistleblowers, security researchers, human rights defenders, political dissidents and members of LGBTQ+ communities in ways that are inconsistent with human rights. Great care must be taken when enshrining these provisions in an international instrument.”
Page, writing for the Lowy Institute think tank, said a weak cybercrime treaty gives Russia and similar countries greater latitude designate anything online as a cybercrime.
“It seems Russia’s aim is to keep the international community busy and distracted negotiating a new cybercrime convention as a way to stall practical global cybercrime cooperation just at the time it’s needed most,” she wrote. ®