Progress and Barriers in the International Fight Against Cybercrime

By Ilia Sotnikov, Security Strategist and VP of User Experience at Netwrix

Cybercrime is a global issue. We all depend on information flows, communications and production supply chains than span continents — and we are all vulnerable to the threats that can disrupt them.

The need for global action against cybercrime has been recognized for decades. Work on the first international treaty in this space, the Budapest Convention on Cybercrime, was initiated by the European Council in the 1990s. It was signed in 2001 and has been ratified by over 60 countries, including the USA, Canada, Japan and Australia. And in March 2023, the White House published the National Cybersecurity Strategy, which states that no country can efficiently counter cyber threats on its own and makes international partnerships one of its five core pillars.

This article explores the success and challenges of recent international collaboration efforts, with particular attention to the work of the United Nations in preparing its new global Cybercrime Treaty.

Recent Successes in the Global Fight Against Cybercrime

International collaboration is already enabling law enforcement agencies to work together, making the internet a safer space for everyone. For instance, one of the most powerful “cybercrime as a service” operations, Emotet, was taken down in January 2021 in a coordinated effort by the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine.

More recently, law enforcement agencies from the United States, Germany, Netherlands, Canada, France, Lithuania, Norway, Portugal, Romania, Spain, Sweden and the United Kingdom all participated in a months-long operation to disrupt the Hive ransomware network.

Challenges

Given these successes, why is the United Nations putting so much effort into drafting a new treaty? Simply put, there are still difficult issues that are slowing down or even blocking cybersecurity efforts.

One key challenge is the lack of a common international legal framework that would allow prosecution of cybercrime in all jurisdictions. While 80% of countries have adopted their own cybercrime legislation, definitions and laws vary greatly from country to country. And some major countries, such as Brazil, India and Russia, have refused to join the Budapest Convention. As a result, ransomware operators and other cybercriminals can still find safe havens.

Another issue is that many countries lack the skills and resources required to defend against cybercrime. This has resulted in cyberattacks against entire countries, which are seeking help from more developed economies. A common framework for international cooperation could set norms and enforce consequences for violating them.

The United Nations Cybercrime Treaty: A Long Journey

To tackle cybercrime at an international level, an ad hoc committee of the United Nations was formed in 2019. After significant preparation work, it began talks regarding a UN Cybercrime Treaty in 2022. This treaty is still in its early stages; four of six formal sessions have taken place to date. Since it’s not easy to have almost 200 member states come to agreement on every detail of a legal document, this will undoubtedly be a lengthy process. The final draft of the new treaty is expected in early 2024.

The proposed treaty aims to establish common understanding of cybercrimes across multiple jurisdictions and facilitate international cooperation. A key goal is to make it more difficult for cybercriminals to both conduct illegal activities and get away with them by reducing safe havens where they can operate and hide.

The treaty is somewhat similar to other international treaties, such as those for fighting corruption or human trafficking. It seeks to establish common grounds on cybercrime so that national legislatures criminalize the same set of activities. The treaty will also set boundaries that give necessary powers to law enforcement without creating potential for human rights abuses.

The treaty will also establish a common legal vocabulary, which currently doesn’t exist internationally, so that law enforcement agencies around the globe can better cooperate during investigation and prosecution of cybercrimes. Definitions are expected to cover many types of cybercrime, such as data theft, malicious data destruction, child pornography, financial fraud and malicious use of systems.

Larger businesses and industries that are the top targets of cybercrime will likely benefit most from the treaty, but it is really the entire international society that the UN aims to protect with the agreement.

Barriers to Treaty Development and Acceptance

While most UN member states agree that cybercrime is a vital issue to be addressed, we are likely years away from the treaty being accepted. The draft document will continue to undergo reviews and both public and non-public consultations, and legal teams from various UN member states will continue working through disagreements on descriptions and classifications.

Moreover, in most member states, the treaty must be ratified by local governmental bodies before it takes full effect. After that, countries will start implementing changes to align local legislation with the treaty, which can take years.

It’s important to note that the draft UN Cybercrime Treaty does not address complex questions around cyberattacks backed by nation states. Trying to achieve agreement on this topic would probably lead to a deadlock in the process. Even with this topic left out of scope, however, there will likely still be barriers for some countries to accept and sign the new treaty.

Still, it is critically important to push for the common understanding of the cybercrimes across as many jurisdictions as possible. Even if the final treaty is reduced in scope and includes multiple trade-offs, it still gives the international community the leverage it needs to complicate the life of cybercriminals. Even countries known to be reluctant to prosecute cybercriminals will have to adjust their local laws after ratifying the treaty.

The Global Effort Is Significant

Arguably, the willingness of governments to acknowledge the problem of cybercrime and collaborate to find a solution is much more important than the treaty itself. This effort sends signals downstream and could result in more open sharing of information and tools even before the committee’s work on the UN treaty comes to fruition.

In the future, adoption of common definitions of cybercrime will make international cooperation simpler and remove bureaucratic barriers to reducing cybercrime risks and holding cybercriminals accountable, so that businesses and the consumers they serve can all operate with greater confidence.

About the Author

Ilia Sotnikov is Security Strategist & Vice President of User Experience at Netwrix. He is responsible for technical enablement, UX design, and product vision and strategy. His 20 years of experience in cybersecurity and IT management include helping Netwrix build its product management function and managing SharePoint solutions at Quest Software.

Ilia can be reached at www.netwrix.com.