Advancing Global Cyber Defence: The Impact and Implications of the UN Cybercrime Convention

After over three years of deliberation, the UN member states released a draft text for the United Nations Convention against Cybercrime, which was unanimously adopted. The proposed draft details the amendments and suggestions enabling member countries to counter cyber threats domestically and internationally effectively. The draft convention, which will be adopted in the later part of 2024, proposes robust laws and systems to be enacted to define and combat various types of cybercrimes, enhance international cooperation, protect personal data and privacy, and promote public awareness and education. However, several rights groups are concerned about the proposed draft resolutions; we will analyse both sides of the draft resolution.

            In the words of UNODC Executive Director Ghada Waly

“The finalization of this Convention is a landmark step as the first multilateral anti-crime treaty in over 20 years and the first UN Convention against Cybercrime at a time when threats in cyberspace are growing rapidly”

The draft thoroughly examines critical concerns about the current cybercrime landscape, addressing general issues and specific instances. Some notable ones would be

1. Article 5 & 6 – Protection of Sovereignty & Respect for Human Rights
2. Ensures that the implementation of these measures respects state sovereignty and is consistent with international human rights law.
3. Article 7 & 8 – illegal access & Interception of ICT Systems
4. Criminalizes the unauthorized access or interception of non-public electronic data transmissions and ICT systems
5. Articles 9 & 10 – Interference with Electronic Data and ICT Systems
6. Criminalizes the intentional damage, deletion, alteration, or suppression of electronic data and the severe hindering of ICT systems.
7. Article 11, 12 & 13 – Misuse of Devices ICT System-Related Fraud & Forgery
8. Criminalizes the production, sale, or distribution of devices or data as well as the creation of inauthentic data with the intent to deceive and commit fraud.
9. Article 14 & 15 – Offenses Related to Online Child Sexual Abuse
10. Criminalizes activities related to the production, distribution, and possession of child sexual abuse material & soliciting and grooming done through ICT systems.
11. Article 23 – Procedural Measures and Law Enforcement
12. Outlines the scope of procedural measures to be adopted by States for criminal investigations related to ICT offences.

The United Nations Convention on Cybercrime can potentially be a powerful global tool in the fight against cybercrime. However, its success hinges on the practical implementation of its proposed measures. While the convention offers clear definitions and bylaws aimed at fostering international cooperation and safeguarding personal data and privacy, there is a risk that over-regulation of online activities could infringe on human rights and data privacy, ultimately limiting its scope. Preventing cybercrime requires continuous surveillance and precise monitoring. Even with the creation of new institutions or the coordination of existing organizations for cross-border information sharing, a significant challenge remains in determining what information should be or can be shared.

As cyberspace and Artificial Intelligence become increasingly interconnected, the influence of “Threat Actors” grows more pronounced. State-sponsored threat actors have become more widespread in recent years, and cyberspace has emerged as a crucial battleground in the era of hybrid warfare, as seen in the conflicts between Russia and Ukraine and Israel and Hamas. In this context, developing strategies that monitor and combat cybercrimes and protect citizens’ privacy rights is essential.

Cause for Concern

The concern about the proposed convention was raised well before the release of the existing draft. In January 2024, several human rights organizations issued a joint statement highlighting the dangers of the proposed convention. They warned that it would not only legalize widespread surveillance of citizens but also empower repressive regimes to collect information and incarcerate individuals under these regulations. The statement argues that the current draft is overly broad, potentially criminalizing legitimate online expression and exacerbating gender inequality. It lacks sufficient protections for security researchers, journalists, and activists and fails to incorporate strong human rights safeguards, risking abuse under the guise of fighting cybercrime. The signatories call for significant revisions to the convention, including narrowing its scope, ensuring robust data protection, integrating gender considerations, and avoiding excessive surveillance measures. If these concerns are not addressed, they have recommended rejecting the draft to prevent human rights violations and safeguard global cybersecurity.

Although the joint statement was released in January, the current draft has sections that are a cause for concern regarding surveillance and data collection. The following articles explain in detail the measures to be taken by signatories.

1. Article 28 Search and seizure of stored electronic data
2. Article 29 Real-time collection of traffic data
3. Article 30 Interception of content data

To comply with these provisions, countries would need to implement legislation similar to the U.S. laws, such as the Foreign Intelligence Surveillance Act of 1978 (FISA) or National Security Directive 42 (NSD-42), and potentially establish organizations like the NSA to oversee these tasks. These legislations grant the government substantial authority to monitor and respond to perceived threats domestically and internationally. However, the adaptability of data privacy laws concerning each country will play a significant role in determining how effectively these measures can be implemented. This raises concerns about whether all countries will fully adopt and enforce such measures. While human rights organizations are understandably alarmed by the potential for misuse of these provisions, it is also essential to consider the benefits they could bring to enhance the global Cyber threat landscape.

Where should India Stand

            If India adopted the regulation, it could significantly impact the country’s legal and technological landscape, particularly regarding surveillance and data privacy. While it could enhance India’s ability to combat cybercrime through international cooperation and real-time data collection, it also raises concerns about the potential overreach of surveillance powers, conflicts with existing laws like the “IT Act” and the “Digital Personal Data Protection Act” and challenges to India’s data localization policies. Balancing these aspects with constitutional protections for privacy and ensuring judicial oversight will be crucial to avoid infringing on human rights while maintaining national security.

Regarding defence, India could significantly benefit from signing the Cybercrime Convention. While the initial implementation phase may pose challenges, the long-term benefits would be substantial. The convention has the potential to enhance India’s military and defence sectors by improving cybersecurity and intelligence capabilities, aligning with global standards, safeguarding critical military assets, and fostering international cooperation among India’s National Technical Research Organisation (NTRO) and Defence Intelligence Agency (DIA).

Given India’s geographical proximity to China and Pakistan both of which are allegedly involved in hostile cyber activities against India, such as the Pakistan linked “Side Copy” threat actor targeting Indian defence and government entities since at least 2019, as reported by Seqrite the need for robust cybersecurity measures is evident. Additionally, there are concerns that the People’s Republic of China may be sponsoring threat actors that had targeted Indian power grids in Ladakh in 2021 according to Record Future. In terms of India’s defence infrastructure being party to this signatory will be beneficial in the long run.

Conclusion

In conclusion, while the concerns raised by human rights groups and privacy advocates are well-founded, the convention represents a critical advancement in our global approach to combating cyber threats. Striking a core balance between addressing cyber threats and protecting citizen’s privacy and human rights. Although the convention might increase state surveillance, it also promises to bolster international cooperation and provide a robust framework to counteract malicious activities by threat actors. Since the existing mechanisms for tackling cross-border cybercrime, such as ransomware attacks and online scams, are often inadequate, the convention aims to address these shortcomings by establishing stronger international legal and procedural frameworks. If effectively implemented, it will not only safeguard national sovereignty but also represent a significant milestone in global cybersecurity efforts. The successful adoption and execution of this convention could be recognized as a major achievement for the United Nations, setting a new standard for international collaboration and cybercrime prevention.