International Cybersecurity: Workshop on Promises and Pitfalls of a Global Cybercrime Convention

 

The harmful effects of cross-border criminal cyber-attacks were made abundantly clear as hospitals, energy providers, and other infrastructure services were indiscriminately hit or even directly targeted last year. Meanwhile, UN member states embarked on a new negotiation process with the goal of creating a global convention against the criminal misuse of information and communication technology. Are we on the way to an effective global legal framework, or will yet further fragmentation weaken existing cooperation mechanisms? André Dornbusch (German Federal Criminal Police Office), Louise Marie Hurel (Igarapé Institute), and Nnenna Ifeanyi-Ajufo (Swansea University) discussed these and related questions at the third interdisciplinary workshop organised by IFSH’s "International Cybersecurity" team in cooperation with the German Federal Foreign Office. Mischa Hansel (IFSH) moderated the event attended by more than 100 academia, business, diplomacy, politics, civil society and media representatives.

Some workshop participants were sceptical whether the Russian initiative, overshadowed by geopolitical tensions, could actually lead to a global agreement. While the Russian draft includes content-related offences such as aiding terrorism and separatism, the United States, the EU member states, and other partners want to limit an agreement to cybercrime in the narrower sense. This includes, for example, the sabotage of digital systems and data. Furthermore, the extent to which non-state actors are allowed to participate in the negotiations has caused a fundamental dispute. Yet their participation is crucial to prevent cybercrime legislation being used as a pretext for curbing free speech and jailing political dissidents in autocratic regimes.

Another challenge is not to undermine existing standards and commitments. Many examples in the discussion focussed on the practical benefits of having a uniform definition of criminal offences, such as in the Council of Europe's Budapest Convention. Rapid cross-border preservation of evidence and the possibility of requesting traffic data directly from foreign internet providers is equally important. Again, the Budapest Convention is widely regarded as a model of such provisions. Signatory states could become subject to conflicting obligations if a new legally binding agreement with divergent terminology comes into force, limiting cross-border cooperation.

Against this backdrop, a preferable strategy might be to focus on implementing existing standards and making them universal instead of reinforcing legal and political fragmentation. Yet, the discussion showed that the situation is far more complex, citing for example the various positions of African states and the very small number that have ratified the Budapest Convention. Negotiating a new agreement would offer countries in the Global South the chance to shape the future of international cybercrime governance. International capacity building could also be strengthened in this way, focussing on local problems and on ways to effectively address structural inequalities. Overall, the participants were hopeful that a UN agreement based on practical experience could contribute to global cyber security. However, great care has to be taken not to create a treaty that – from the onset – is followed in letter but not spirit: implementation pitfalls have to be considered and international capacity building efforts need to be realigned.