The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime — and the Biden administration is fretting over whether to sign on.
The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens.
If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations — named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime — to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.
While the treaty is not set for a vote during the U.N. General Assembly this week, it’s a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world’s leaders depart.
“We want to affirmatively, definitely do things to drive international partnership on cybercrime,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology. “On the other hand, if there are these elements raising concerns, we have to really put both sides on the scale and say, ‘what’s the right approach here?’”
The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it — overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention — an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.
The new U.N. effort comes as global ransomware attacks are on the rise, and it could give Russia, China and Iran a platform to rewrite a cybercrime convention on their own terms — something the U.S. and other Western countries are determined to prevent.
“It’s not a Trojan Horse, it’s a Russian horse, and it always was,” Nick Ashton-Hart said of the U.N. treaty. He is head of the U.N. cybercrime convention delegation from the Cybersecurity Tech Accord, which comprises more than 100 cyber and tech groups including Meta, Microsoft, Salesforce and Oracle.
As a result, the U.S. has gotten more involved in negotiating the treaty over a series of sessions in New York City and Vienna over the last three years — reluctantly dragged in to prevent Russia, China and others from dominating the process.
“It’s not whether it’s needed or not, it exists as a thing that was negotiated and countries are going to join it,” John Lynch, chief of the Justice Department’s Computer Crime and Intellectual Property Section and a key U.S. negotiator, said at a forum this week at American University’s Washington College of Law.
The U.S. joined a consensus vote approving a draft of the treaty finalized in August, with Neuberger noting this was due to the U.S. working to ensure civil liberties clauses made it in. However, few in the private sector and civil society space are happy about the text as it stands.
Among a litany of concerns is that a clause in the agreement could be misused or misinterpreted — allowing nations that sign on to request data on potential serious crimes in other nations; label work by journalists and security researchers as crimes; or make it easier to surveil people’s online activities.
Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, said “weak” human rights safeguards in the proposed treaty “create a patchwork of protections” that are not enough. EFF was among almost two dozen groups that published an open letter in July raising serious concerns about the cybercrime convention prior to the committee’s passage, and the U.S. Chamber of Commerce and the International Chamber of Commerce have both described the current deal as “flawed.”
“This approach risks enabling abuses, as countries with weaker legal frameworks could misuse shared data for purposes beyond cybercrime, such as political repression, while undermining trust and slowing international cooperation,” Rodriguez said.
But those involved in crafting the treaty dispute these concerns. U.N. Ad Hoc Committee Vice Chair Claudio Peguero Castillo, cyber ambassador for the Dominican Republic, argued that the country would need a court order to spy on civilians, saying that “there is no single provision in the convention” that would explicitly allow for surveillance by member states.
“The aim of this cybercrime treaty is reducing the enemy. Our enemy is not the other state, our enemy is the criminal,” Peguero Castillo said. “We need to join forces in order to fight this crime.”
Now, the U.S. faces a decision on how to vote when the treaty is brought up later in the year, likely between Thanksgiving and Christmas, according to those negotiating the treaty. Should the U.S. vote no or abstain, some argue that it could severely harm U.S. credibility and give hostile nations free reign to bend the text in their favor.
“If we walk away … we decide to just give up this process, the Russians, the Chinese will use this to amend the convention, the protocol,” said Lynch, who argues the U.S. should sign on.
Christopher Painter, the former cybersecurity coordinator at the State Department under both the Obama and Trump administrations, was present during the negotiations. He argued that while there are problems with the treaty, the Russians failed to add in language that would have made the text worse — though they could easily try again in updates to the treaty.
“If … only non-democratic countries who don’t have to go to their Congress and immediately ratify this thing — like Russia, like Cuba, like Syria, like Iran — if they’re the core group in the beginning, they get to shape what might be the second protocol, or the first protocol,” Painter said. “That means they get everything they couldn’t get in [the first time] or may try to go through the back door.”
Not all agree with calls to push through a treaty while serious concerns still exist. Raman Jit Singh Chima, director of Asia Pacific policy at digital rights group Access Now, was also involved in negotiations, and warned that “this is not a win by preventing an even worse treaty.”
“It will actually provide an excuse for many states to justify current repression and constitute a flawed global standard, poisoning the design of national cybercrime laws for decades to come,” he said.
The Russian and Chinese embassies in Washington, D.C., and the Iranian Mission to the U.N. did not respond to requests for comment on the cybercrime convention.
It’s an issue the White House has been wrestling with in recent weeks. Neuberger last week traveled to New York to discuss the convention, which included holding a call with around 20 groups that oppose the current treaty.
“We’ve been engaging key global tech companies as well to hear their concerns,” Neuberger said of the meeting. “We were really in listening mode, to hear them and to ask for specifics … we want to really look at this with an open mind.”
Ashton-Hart was on the call Neuberger hosted, and while he praised the administration for the outreach toward key tech players, he said this was “missing” during the negotiation process. He noted that non-governmental groups and multiple defense ministries for foreign nations have gotten involved to express strong concerns in recent weeks.
“The impression I’m getting is, they had no idea, and now are like, ‘what is this?’” Ashton-Hart said.
The White House is being tight-lipped about the administration’s final decision on how it plans to vote, and Neuberger declined to give details beyond noting the administration is weighing its options. Top cyber officials at the State Department declined to comment, though the agency said last month it “welcomes” the adoption by the committee of the treaty. Lynch stressed that while he believes the U.S. should vote yes, it is strictly his personal opinion.
A vote in favor would be only the first step for the U.S. in ratifying the treaty, as at least two thirds of the Senate would be required to approve it, a number increasingly difficult to achieve among polarized members.
Some lawmakers are already against it. Sen. Chris Van Hollen (D-Md.), chair of the Senate Foreign Affairs Committee’s subcommittee with oversight of cyber issues, said this week that he is weighing support for the treaty but “has concerns” about the current draft language being abused by Russia, China and Iran.
Sen. Ron Wyden (D-Ore.) said he is working with colleagues “to make clear that America must change course and begin listening to human rights activists who have been sounding the alarm about this convention for years,” describing the treaty as “helping China or Russia justify abusing surveillance to prop up their authoritarian states.”
The Biden administration has the next few weeks left to wrestle over the issue, but conversations are being had by diplomats on the sidelines of this week’s General Assembly in New York City and at the annual Counter Ransomware Initiative meeting in Washington next week. Regardless of how the U.S. and its allies vote, when the treaty comes up for consideration, the U.N. is almost certain to vote yes, given that the majority of nations already approved the treaty’s creation in 2019.
“It’s going to get passed in the U.N., so how do you mitigate the potential harms you see there,” Painter said. “The U.S. government can play a real role here in working to mitigate the potential harms by helping countries implement this.”
But, he acknowledged, “there is a lot of heat around this right now.”