UN General Assembly Resolution 74/247 (27 December 2019) established an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international Convention on countering the use of information and communications technologies for criminal purposes. Afterwards, UN General Assembly Resolution 75/282 (26 May 2021) decided, inter alia, that the ad hoc committee will convene at least six sessions and conclude its work in order to provide a draft Convention to the General Assembly at its seventy-eighth session (12-30 September 2023).
In this framework, on 29 June, Russia submitted the first draft Convention.
Therefore, this piece provides a brief analysis of the proposed draft Convention that will be discussed in the first round of negotiations (New York, from 17 to 28 January 2022).
General content of the proposed Convention
The proposed Convention has several ambitious goals:
a. it asks each state party to adopt such legislative and other measures as are necessary to establish as an offence under its domestic cybercrime laws;
b. it defines new procedures for the legal cooperation on cybercrime; and
c. it establishes an International Technical Commission on Combating ICT Crime to assist states in the review of the implementation of the Convention.
One of the main features of the proposed Convention is its emphasis on the sovereignty principle. It is reflected in the preamble, where it is stated “that each State has sovereignty and exercises jurisdiction over its territory with respect to information space in accordance with its domestic law”. As pointed out by the Russian government-owned news agency TASS, “it’s noteworthy that the [proposed] Convention bans cross-border operations carried out by the states’ computer networks without the approval by their authorities”. Russia's emphasis on sovereignty in cyberspace is indeed well noted, and it is also the main reason Russia has not joined the 2001 Budapest Convention on fighting cybercrimes, which authorizes cross-border cyber operations.
To safeguard the principle of sovereignty, Article 47(9) points out that “the requested State party may refuse extradition where such extradition may prejudice its sovereignty, security, public order or other essential public interests”. It also establishes a non bis in idem provision, potentially limiting the extradition of a person in respect of an offence established by the Convention (Article 48).
At first glance, the 23 cybercrime offences seem a significant step forward in tackling cybercrime, particularly when compared to the cybercrimes established under the Budapest Convention (Articles 2 to 10). However, considering the technical subject matter of the proposed Convention, the insertion of criminal offences that may be conducted by ICT means casts some doubts. Perhaps it would have been more logical to limit the scope of the proposed Convention only to Cyber Dependent Crimes, where a digital system is the target as well as the means of attack. Additionally, one cannot help but notice that the draft fails to establish as an offence malicious cyber activities targeting foreign elections. In that regard, legal positions expressed by some States (including some non-Western countries like Brazil and Singapore) consider as a wrongful act cyber operations aimed at altering votes as they were cast or disabling election infrastructure and technology, thereby depriving a country of the ability to hold an election (see Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States submitted by participating governmental experts in the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security established pursuant to General Assembly resolution 73/266). This is a particular problem given that some other crimes envisaged in the proposed Convention, such as incitement to subversive or armed activities or extremist offences, might fall into the category of political statements due to the different mindsets of China and Russia vs. Western countries. Therefore, rather than making reference to vague and overly broad general terms, the proposed Convention should have tried to define new criminal offences clearly and narrowly.
Political sides in view of the first round of negotiations
At first, as pointed out in the Joint Communication to the European Parliament and the Council on implementation of the EU’s Cybersecurity Strategy for the Digital Decade, “the modalities [of work for the ad hoc committee established by Resolution 74/247] as finally adopted include important elements to ensure inclusive decision-making procedures and stronger participation of civil society in the works of the ad hoc committee”. This implies that the ad hoc Committee will be guided by the rules of procedure of the General Assembly. Absent consensus, all decisions on substantive matters will be taken by a two-thirds majority of the representatives present and voting. So far, the EU (which does not have a role with regard to the proposed Convention, but provides a platform for its Member States to coordinate their views) has advocated a ‘wait and see’ approach to the idea of a new convention on countering the use of information and communications technologies for criminal purposes. Unsurprisingly, the EU has confirmed its support for the Budapest Convention on Cybercrime as a comprehensive multilateral legal framework for developing national legislation and international cooperation (see EU priorities at the United Nations during the 76th United Nations General Assembly, September 2021 – September 2022 – Council conclusions (12 July 2021)).
Concerning the U.S., there is no definitive official position so far, but its disagreement with Resolution 75/282 is well known (see U.S. Mission to the United Nations – Statement on Agenda Item 107 ‘Countering the use of information and communications technologies for criminal purposes’ – November 18, 2019).
The UN coalition of developing countries (Group 77) and China, instead, “recognizes the complex nature of cybercrime and will continue to actively participate in the implementation of UN GA Resolution 74/247 on elaboration of a comprehensive international convention on countering the use of information and communication technologies for criminal purposes within the framework of the United Nations”. This suggests that Group 77 and China could be supportive of the elaboration of the proposed Convention.
However, given this and the proposed Convention’s high level of ambition and related financial needs (mainly due to the establishment of the International Technical Commission), it is likely that the road will be long and rugged.
This proposed Convention is just the latest part of a deep and long-lasting discussion on cyberspace. According to Elaine Korzak in her ‘Russia’s Cyber Policy Efforts in the United Nations’, “like-minded states mainly from the Global North advocate an open, free and secure cyberspace that preserves the free flow of information globally, while another group led by Russia and China strive to establish a governance regime that would enable greater government control of cyberspace” (Tallinn Paper No. 11 2021).
The underlying problem of sovereignty in cyberspace is not limited to trans-border access to stored computer data without the consent of the territorial state (as already foreseen in some limited cases by Article 32 of the Budapest Convention), but it also includes how to allow law enforcement authorities to request e-evidence directly from a cloud service provider. The negotiations between the EU and US for an agreement on facilitating access to e-evidence are still ongoing. Additionally, it is doubtful whether Western and non-Western countries will be ready to share the same idea of human rights standards and a global, open, free, stable and secure cyberspace.
If approved, the proposed Convention should complement the already existing international instruments of cooperation. Thus – as long as the proposed Convention does not jeopardise the existing cooperation under the Budapest Convention, as well as the future accession of countries to the latter – the negotiation of the proposed Convention could be a good occasion to enhance and improve the legal framework applicable to cyberspace. To that end, some kind of safeguarding clause in the preamble could be appropriate to highlight that the UN Convention is without prejudice to other instruments of regional cooperation on cybercrime, including the Budapest Convention.
Author: Cdr. IT-N Davide GIOVANNELLI, NATO CCDCOE Law Branch
This publication is a part of the INCYDER database, a research tool on International Cyber Developments (INCYDER), established by NATO CCDCOE to facilitate the work of researchers, lawyers, policy-makers and other cyber security-related practitioners. INCYDER offers up-to-date overviews and easy access to the most relevant legal and policy documents adopted by international organisations active in the cyber security domain along with practical summaries and analysis of recent trends within these organisations written by CCDCOE researchers.
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.