CIVICUS speaks with Stéphane Duguin about the weaponisation of technology and progress being made towards a United Nations (UN) Cybercrime Treaty.
Stéphane is an expert on the use of disruptive technologies such as cyberattacks, disinformation campaigns and online terrorism and the Chief Executive Officer of the CyberPeace Institute, a civil society organisation (CSO) founded in 2019 to help humanitarian CSOs and vulnerable communities limit the harm of cyberattacks and promote responsible behaviour in cyberspace. It conducts research and advocacy and provides legal and policy expertise in diplomatic negotiations, including the UN Ad Hoc Committee elaborating the Cybercrime Convention.
Why is there a need for a new UN treaty dealing with cybercrime?
Several legal instruments dealing with cybercrime already exist, including the 2001 Council of Europe Budapest Convention on Cybercrime, the first international treaty aimed at addressing cybercrimes and harmonising legislations to enhance cooperation in the area of cybersecurity, ratified by 68 states around the world as of April 2023. This was followed by regional tools such as the 2014 African Union Convention on Cyber Security and Personal Data Protection, among others.
But the problem behind these instruments is that they aren’t enforced properly. The Budapest Convention has not even been ratified by most states, although it is open to all. And even when they’ve been signed and ratified, these instruments aren’t operationalised. This means that data is not accessible across borders, international cooperation is complicated to achieve and requests for extradition are not followed up on.
There is an urgent need to reshape cross-border cooperation to prevent and counter crimes, especially from a practical point of view. States with more experience fighting cybercrimes could help less resourced ones by providing technical assistance and helping build capacity.
This is why the fact that the UN is currently negotiating a major global Cybercrime Convention is so important. In 2019, to coordinate the efforts of member states, CSOs, including the CyberPeace Institute, academic institutions and other stakeholders, the UN General Assembly established the Ad Hoc Committee to elaborate a ‘Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purpose’ – a Cybercrime Convention in short. This will be the first international legally binding framework for cyberspace.
The aims of the new treaty are to reduce the likelihood of attacks, and when these happen, to limit the harm and ensure victims have access to justice and redress. This is not about protecting states but about protecting people.
What were the initial steps in negotiating the treaty?
The first step was to take stock of what already existed and, most importantly, what was missing in the existing instruments in order to understand what needed to be done. It was also important to measure the efficacy of existing tools and determine whether they weren’t working due to their design or because they weren’t being properly implemented. Measuring the human harm of cybercrime was also key to defining a baseline for the problem we’re trying to address with the new treaty.
Another step, which interestingly has not been part of the discussion, would be an agreement among all state parties to stop engaging in cybercrimes themselves. It’s strange, to say the least, to be sitting at the table discussing definitions of cyber-enabled and cyber-dependent crimes with states that are conducting or facilitating cyberattacks. Spyware and targeted surveillance, for instance, are being mostly financed and deployed by states, which are also financing the private sector by buying these technologies with taxpayers’ money.
What are the main challenges?
The main challenge has been to define the scope of the new treaty, that is, the list of offences to be criminalised. Crimes committed with the use of information and communication technologies (ICTs) generally belong to two distinct categories: cyber-dependent crimes and cyber-enabled crimes. States generally agree that the treaty should include cyber-dependent crimes: offences that can only be committed using computers and ICTs, such as illegally accessing computers, performing denial-of-service attacks and creating and spreading malware. If these crimes weren’t part of the treaty, there wouldn’t be a treaty to speak of.
The inclusion of cyber-enabled crimes, however, is more controversial. These are offences that are carried out online but could be committed without ICTs, such as banking fraud and data theft. There’s no internationally agreed definition of cyber-enabled crimes. Some states consider offences related to online content, such as disinformation, incitement to extremism and terrorism, as cyber-enabled crimes. These are speech-based offences, the criminalisation of which can lead to the criminalisation of online speech or expression, with negative impacts on human rights and fundamental freedoms.
Many states that are likely to be future signatories to the treaty use this kind of language to strike down dissent. However, there is general support for the inclusion of limited exceptions on cyber-enabled crimes, such as online child sexual exploitation and abuse, and computer-related fraud.
There is no way we can reach a wide definition of cyber-enabled crimes unless it’s accompanied by very strict human rights safeguards. In the absence of safeguards, the treaty should encompass a limited scope of crimes. But there’s no agreement on a definition of safeguards and how to put them in place, particularly when it comes to personal data protection.
For victims as well as perpetrators, there’s absolutely no difference between cyber-enabled and cyber-dependent crimes. If you are a victim, you are a victim of both. A lot of criminal groups – and state actors – are using the same tools, infrastructure and processes to perform both types of attacks.
Even though there’s a need to include more cyber-enabled crimes, the way it’s being done is wrong, as there are no safeguards or clear definitions. Most states that are pushing for this have abundantly demonstrated that they don’t respect or protect human rights, and some – including China, Egypt, India, Iran, Russia and Syria – have even proposed to delete all references to international human rights obligations.
Another challenge is the lack of agreement on how international cooperation mechanisms should follow up to guarantee the practical implementation of the treaty. The ways in which states are going to cooperate and the types of activities they will perform together to combat these crimes remain unclear.
To prevent misuse of the treaty by repressive regimes we should focus both on the scope of criminalisation and the conditions for international cooperation. For instance, provisions on extradition should include the principle of dual criminality, which means an act should not be extraditable unless it constitutes a crime in both the countries making and receiving the request. This is crucial to prevent its use by authoritarian states to persecute dissent and commit other human rights violations.
What is civil society bringing to the negotiations?
The drafting of the treaty should be a collective effort aimed at preventing and decreasing the number of cyberattacks. As independent bodies, CSOs are contributing to it by providing knowledge on the human rights impacts and potential threats and advocating for guarantees for fundamental rights.
For example, the CyberPeace Institute has been analysing disruptive cyberattacks against healthcare institutions amid COVID-19 for two years. We found at least 500 cyberattacks leading to the theft of data of more than 20 million patients. And this is just the tip of the iceberg.
The CyberPeace Institute also submits recommendations to the Committee based on a victim-centric approach, involving preventive measures, evidence-led accountability for perpetrators, access to justice and redress for victims and prevention of re-victimisation.
We also advocate for a human-rights-by-design approach, which would ensure full respect for human rights and fundamental freedoms through robust protections and safeguards. The language of the Convention should refer to specific human rights frameworks such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. It is important that the fight against cybercrime should not pit national security against human rights.
This framing is especially significant because governments have long exploited anti-cybercrime measures to expand state control, broaden surveillance powers, restrict or criminalise freedoms of expression and assembly and target human rights defenders, journalists and political opposition in the name of national security or fighting terrorism.
In sum, the goal of civil society is to demonstrate the human impact of cybercrimes and make sure states take this into consideration when negotiating the framework and the regulations – which must be created to protect citizens. We bring in the voices of victims, the most vulnerable ones, whose daily cybersecurity is not properly protected by the current international framework. And, as far as the CyberPeace Institute is concerned, we advocate for the inclusion of a limited scope of cybercrimes with clear and narrow definitions to prevent the criminalisation of behaviours that constitute the exercise of fundamental freedoms and human rights.
At what point in the treaty process are we now?
A consolidated negotiating document was the basis for the second reading done in the fourth and fifth sessions held in January and April 2023. The next step is to release a zero draft in late June, which will be negotiated in the sixth session that will take place in New York between August and September 2023.
The process normally culminates with a consolidation by states, which is going to be difficult since there’s a lot of divergence and a tight deadline: the treaty should be taken to a vote at the 78th UN General Assembly session in September 2024.
There’s a bloc of states looking for a treaty with the widest possible scope, and another bloc leaning towards a convention with a very limited scope and strong safeguards. But even within this bloc there is still disagreement when it comes to data protection, the approach to security and the ethics of specific technologies such as artificial intelligence.
What are the chances that the final version of the treaty will meet international human rights standards while fulfilling its purpose?
Considering how the process has been going so far, I’m not very optimistic, especially on the issue of upholding human rights standards, because of the crucial lack of definition of human rights safeguards. We shouldn’t forget negotiations are happening in a context of tense geopolitical confrontation. The CyberPeace Institute has been tracing the attacks deployed since the start of Russia’s full-scale invasion of Ukraine. We’ve witnessed over 1,500 campaigns of attacks with close to 100 actors involved, many of them states, and impacts on more than 45 countries. This geopolitical reality further complicates the negotiations.
By looking at the text that’s on the table right now, it is falling short of its potential to improve the lives of victims in cyberspace. This is why the CyberPeace Institute remains committed to the drafting process – to inform and sensitise the discussions toward a more positive outcome.