Recently, Russia signed a joint “International Cooperation in the Field of Information Security” agreement with several authoritarian governments to include but not limited to Belarus, Cuba, Iran, North Korea, and Venezuela. The agreement asserts that the motivation behind this agreement is to sustain “transparent and equitable system of international information security based on the principles of the United Nations (UN) Charter, respect for the sovereignty of states and non-interference in their internal affairs.” Notably, one government absent as a signatory is China, though Beijing has long supported and campaigned for these issues at the UN along with Russia. Still, news of this agreement is important as it shows that support for the China/Russia position is gaining ground, albeit, among more traditionally stringent regimes often viewed as leveraging control over technology to maintain control over their populaces.

The International Agreement also asserted that the group of nations supported the adoption of the Convention against Cybercrime  at the 79th session of the UN General Assembly.  That document is historic in the fact that it was the first universal agreement at the UN that was drawn up to counter the use of information and communications technologies (ICTs) for criminal purposes. It also created a path forward where governments could collect and share electronic evidence of cyber-enabled crimes. Reporting suggests that signatories of the recent multi-state agreement will lobby for other governments to sign the Convention in Hanoi, Vietnam, in October. The Convention provides a comprehensive approach to addressing cybercrime, including safeguards to ensure human rights are protected. Its main focus will be to settle the technical and legal challenges that have plagued such efforts in the past by updating traditional criminal investigation methods for the digital world and by enhancing international cooperation.

The International Agreement will likely receive pushback from the United States and the West, which has been a standard response when these issues are brought forward to a global audience.  One big criticism levied against China/Russian efforts in this area is that these collaborations tend to focus on technology as the main target rather than the user behind it.  For example, the International Agreement does not address the threat actors or types of cyber criminal activities that inflict financial damage but the technologies that enable them.  This would allow governments to use their discretion in determining if an individual behind the activity is a criminal based on what types of activities he’s using the technology for.  Framed in this perspective, it’s easy to see how authoritarian regimes could use such an interpretation to target individuals and groups both domestically and internationally. More disconcerting is the fact that like with many of these types of agreements, specifics were not revealed to the extent of what this cooperation entails raising alarm of what could happen.

But it appears that the appetite for state’s cyber sovereignty is growing, particularly in the absence of a larger consensus on a state’s role in maintaining the Internet as opposed to a multistakeholder option preferred by the United States and other Western interests. It is unsurprising that the governments that have signed onto this International Agreement are those aligned with China/Russian interests.  But they have also been the most active in lobbying governments to their cause.  The United States has preferred adopting a consensus-based treaty that focuses on “a limited set of crimes that advances international cooperation,” as opposed to broader disputed topics currently within the text of the UN Convention on Cybercrime. Given that it will take approximately 40 nations to ratify the UN Convention for it to come into full force, so garnering support is imperative to China/Russia’s goals for state influence on what transpires on the Internet.

Granted, should the United States not succeed in ensuring that some of the disputed topics of concern are not addressed or at least modified to its preference, it doesn’t have to be a signatory to the Convention, and therefore, not be compelled to adhere to it.  But if the majority of UN members sign and ratify it, the U.S.  runs the risk of being perceived as being unwilling to compromise for the greater good.  It’s been nearly 20 years since there has been any meaningful treaty addressing cybercrime and the criminal activities taking place in cyberspace, a disappointing truth in an era of advanced technology implementation, an ever-evolving cyber threat ecosystem, and hybrid attacks coming from both state and nonstate actors.  To keep kicking an imperfect cybercrime treaty down the road seems counterproductive, particularly as it could make a meaningful impact on the volume of cybercrime occurring globally.  True, authoritarian states may twist language to suit their interests, but aren’t they already doing that without consequential repercussion?  If this treaty drastically reduces the volume of ransomware activity, business email compromise attacks, hacktivist operations, and cybercrime forum presence it would put the globe in a better position than it currently is with the potential of more success being built on collaborative experiences. 

Additionally, not participating in a potentially landmark treaty such as this would provide fuel for foreign influence campaigns that use such material to paint the United States as hegemonic, untrustworthy, and preserving its own interestsover those of the global community when it comes to cybersecurity. These types of campaigns may not necessarily sway the U.S.’ stalwart allies, but it could keep those not fully committed to the United States on the fence with respect to aligning with it on geopolitical issues.  U.S. adversaries may not need these states to be in their corner necessarily; just not in the United States’ corner.

So, the recent International Agreement from these authoritarian regimes should raise concern as it shows a united front, and championing state sovereignty in an interconnected world, a sentiment that is gaining appeal.  Furthermore, by failing to get involved in the treaty ratification, the United States may lose influencing how it turns out.  What’s desperately needed is a radical update on the Budapest Convention, a historic treaty that is now drastically outdated and ill-suited to address the cyber challenges of today.  That needs to change, and it starts where it should – at the UN where international stakeholders can have a voice and speak their experience in combatting cybercrime and help shape what a treaty of this magnitude should look like.  Perfection should not be the enemy of the good, or at least when it comes to trying to wrangle the global community under a single treaty, the acceptable.  The only way the United States loses ground against its adversaries is not being a part of that conversation.