In an interesting turn of events, the Biden Administration has opted to back the UN Cybercrime Treaty despite intense criticism by technology and security firms that the treaty could be leveraged by some governments to ratchet control in their own countries and criminalize legitimate security research as well as expand law enforcement, and perhaps even intelligence, surveillance.  The Treaty is the first substantive international effort since the 2001 European-led Budapest Convention to combat an ecosystem is out of control, extremely profitable, and expected to reach as much as USD $12 trillion in 2025. Given the relatively minor and often temporary successes of law enforcement to disrupt cybercrime operations and arrest gang members or affiliates, a robust whole-of-world approach to combatting cybercrime seems to make sense if the proper mechanisms could be put into place so that the effort is meaningful rather than just a symbol.

The Treaty would be legally binding, which is critical for ensuring that signatories follow the letter of the treaty mandates and would hold them accountable for any failure to uphold their responsibilities as set forth.  This is important given the focus of the Treaty on facilitating international cooperation, a necessary component in trying to combat the type of activity that easily traverses geographic sovereign boundaries, and whose laws are rarely consistent with one another.  Moreover, it will harness the efforts of international stakeholders to address issues like child exploitation and international cyber and traditional criminal gangs that operate on the Internet.  When collaborating, international law enforcement has successfully taken down operational infrastructure and made arrests.  However, these operations have been few and far between to make any substantial impact long term.  A Treaty could vastly improve these operations with greater agility and speed necessary when it comes to cyberspace.

There are many prominent critics of the Treaty, particularly global tech companies, that believe that the Treaty will hurt not improve cybersecurity.  Notably, in a blog, Google highlighted its concerns that authoritarian regimes would use the parameters to reinforce control and influence over its citizens.  This is an interesting objection by the company given its own perceived monopolistic practices to consolidate market power and minimize free market competition, according to a Department of Justice complaint.  It certainly raises the question on whether Google’s – or any other private sector entity’s – protestations are genuine or are motivated by their own commercial interests (the status quo of rampant cybercrime certainly benefits those selling products and services to combat it) masked in altruism.

The fact that Biden supports the Treaty is certainly worthy of note, particularly coming on the heels of the presidential election that saw a change of political parties in the Executive Office.  According to recent reporting, the Biden Administration deliberated several months on the issue, weighing the concern over the potential human rights abuses against known consequences that have resulted because of rampant and unchecked cybercrime.  While it appears that the Biden Administration will look to develop a “risk management plan” to assuage the concerns that have been expressed by these nongovernmental organizations, like much of the Administration’s foreign policy, Biden fell in line with the general consensus of the international community.

But to say that the United States is just following the crowd is disingenuous.  International cooperation is essential if the global community wants to sincerely put a dent in cybercrime, and that is going to require getting all nations involved.  And that includes those countries that have been tied to or affiliated with prolific cybercrime and hacktivist gangs or are suspected of protecting them within their borders.  

Warning of potential human rights abuse is common criticism when it comes to the global community trying to wrap its hands around cyber-related issues such as surveillance technologies and disinformation.  And while concerns are always valid, they have done very little to curb authoritarian or even democratic governments from pushing the envelope when it comes to these issues.  To assuage these critics, the Administration promised to scrutinize any international request coming from treaty compliance to reduce the chances of abusing human rights.  After all, the United States cannot compel other governments to do the same and can only do what it promises to do.  This may not be enough for these critics but the potential progress that can be made from a binding treaty to proactively go after these punishing criminal and hacktivist organizations far outweighs the risks.

One thing is inherently clear: the status quo only benefits the perpetrators of cyber hostilities.  The last decade or so has taught us that the current mechanisms in place for going after cybercrime gangs is ineffective at imposing the types of costs that cripple organizations for the long term.  To keep pursuing that type of action and expect different results is foolish.  Therefore, it’s well worth trying a different approach.  And that means collaborating with all states – including those giving sanctuary to cybercrime gangs – to see how treaty obligations and responsibilities fare in the battle.  The Treaty would provide signatories with the ability to execute a combined effort in using the full extent of their statehoods (diplomatic, economic, law enforcement, etc.) in partnership against not only the gangs themselves, but the governments that continue to harbor them.  Applying diverse pressure from a multi-country bloc of countries would be more meaningful in scope and impact.  Successes can be steadily built, and operations can be ongoing and occurring on different fronts against different gangs simultaneously.

Cybercrime will never go away.  But the prolific gangs that have been dominating the last decade or so can be neutralized, and their ranks diminished via concerted worldwide cooperation attacking their ecosystems and reducing the online and physical territories of their safe havens.  That should be something that the United States can get behind.