The Quixotic Quest to Tackle Global Cybercrime

Some countries want a global cybercrime treaty—they just can’t agree what “cybercrime” is.

By Summer Walker, the Global Initiative Against Transnational Organized Crime’s New York representative and senior analyst covering international crime and criminal justice agendas.
Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland, on May 10, 2021. JIM WATSON/AFP via Getty Images

In mid-January, the United Nations was formally set to begin a process to develop a global treaty on cybercrime. Given the numerous headlines in 2021 about ransomware attacks on infrastructure, from health care systems in Ireland to fuel lines in the United States, one might assume this process is being driven by the United States and its Western allies.

It isn’t. It was pushed by Russia and approved by vote in the U.N. General Assembly in 2019, with Western countries voting against the process.

The meeting in January was delayed due to the omicron coronavirus variant, but political maneuvering around the delay reveals that the process continues to advance without a shared sense of cooperation.

In late January, Russia submitted a resolution in the General Assembly to hold the meeting the following week in New York. This was met with resistance by a number of states; the Dominican Republic, with mostly European and Central American co-sponsors alongside Australia, Japan, New Zealand, and the United States, then submitted an amendment proposing an entirely different plan. Russia’s preference lost out during the voting process.

This was the second time in a year that Russia has tried to vote its preferences through for this agenda and lost. While Russia clearly sees itself as the leader of this initiative, it is being met with increasing resistance when it tries to impose its preferences.

With a fresh delay in substantive negotiations, the truth is that nothing has been decided about this treaty so far—not the scope, preamble, or structure, let alone definitions of what acts would even constitute cybercrimes under this treaty. This first ad hoc committee meeting was supposed to begin debate on the basic outlines of a potential instrument to counter cybercrime, and some governments have submitted position papers that offer insights into their expectations.

But governments are coming to the negotiating table amid mistrust of motivations, a rocky start in setting up the process, and foundational disagreements that will have to be overcome to create a universally supported treaty.


The treaty process will get underway amid two competing perspectives. The first is a near universal view that something should be done to increase global cooperation on cybercrime and create a shared understanding of the issues.

Since early 2001, when the first regional cybercrime convention—the Council of Europe’s Budapest Convention—was adopted, the internet and the scope of its use have changed beyond recognition.

Ransomware attacks have devastated businesses and government institutions. Crimes like online child sexual exploitation have ballooned to alarming levels. COVID-19 lockdowns, which saw people, from children to the elderly, more isolated and living online, exacerbated online crimes. This has included malicious domains, phishing scams and fraud, and sales of counterfeit coronavirus-related products online—including the alleged blood of recovered COVID-19 patients on the darknet.

Many countries feel a treaty will help increase their ability to respond to these types of threats by including technical capacity support. Others feel it could leverage better legal cooperation.

The second outlook is mistrust among states around the motivations for a global treaty, which colors the entire process. From the outset, Western states—including European Union member states, the United States, the United Kingdom, and Canada—resisted a U.N. process to develop a cybercrime instrument. All members of the Budapest Convention, they did not want a competing treaty and felt that with its additional protocols, the convention is functional and open to accession by any government.

But another group of states, including China and Russia, argue that the Budapest Convention doesn’t reflect their concerns—in particular, the view that transborder access to data and electronic evidence impinges on national sovereignty. Data is stored across jurisdictions and often by private companies, including content held in the cloud, web searches, or text messages. Governments such as Russia’s and China’s have worked to bring their citizens’ data under government jurisdiction and are wary of clauses that force access to data by other governments.

The impetus for the treaty should be to increase international cooperation, as cross-border investigations today are plagued by political power struggles, bilateral disputes, a lack of transparency in responses, and differences on human rights issues.

For instance, following the 2021 attack on Kaseya, a tech management software company, by ransomware group REvil, the company announced that a universal decryption key to restore information had been developed by a security firm. The firm said it had not paid REvil, leading some to speculate that either the Russian state had stepped in to help or that the United States had hacked REvil.

At the same time, U.S. President Joe Biden has warned Russian President Vladimir Putin to cooperate in ransomware investigations and said the United States would now treat the issue as a national security threat.

Cooperation within regions may be growing, but global cooperation has been hard to attain.


Though there were rumblings from some states that they may just exit the process altogether, now that the meetings are getting underway, all political blocs appear committed to the process and ready to advocate for their priorities. Key unresolved substantive issues include defining criminal offenses (including content-related offenses); digital sovereignty; international cooperation and access to data; and technical cooperation and capacity building.

Perhaps the thorniest is how states will define cybercrime. There is currently no shared definition, and governments have vastly different perspectives on what it should encompass. While governments are more likely to agree on including cyber-dependent crimes like malware and ransomware that threaten the confidentiality, integrity, and availability of data and systems, there is much less agreement on cyber-enabled crimes, which are offenses that also occur offline but in which criminals may deploy technology to achieve their ends, such as the online trade of illegal wildlife.

The disagreements stem from differing views on the importance of safeguarding human rights norms and concerns about criminalizing personal communications, online political speech, and freedom of expression and association.

The EU has expressed interest in limiting this treaty to high-tech crimes and cyber-dependent crimes, possibly anticipating the Pandora’s box of articulating a list of criminal actions.

China, on the other hand, has suggested a wider approach that would include cyber-dependent crimes as well as content-related offenses including the “use of Internet to incite, commit acts of terrorism, disseminate harmful information” as well as the “development, sale and dissemination of [information and communications technology] and data for crime,” which it calls the “dark ‘product chain.’”

Russia submitted a draft treaty for consideration in July 2021 that called for criminalizing “unlawful acts motivated by political, ideological, social, racial, ethnic, or religious hatred or enmity, advocacy and justification of such actions or the provision of access to them”—which would enable the criminalization of most speech and the platforms that publish it.

One area where governments have grown closer together in recent years—albeit for different reasons—is on the so-called digital sovereignty agenda, under which countries aim to control and regulate digital data and the associated infrastructure within their own territories. On this, companies have lost ground to governments across the board.

Since 2018, tech companies operating in the EU have had to comply with the bloc’s General Data Protection Regulation, which sets guidelines for collecting and processing EU citizens’ personal information.

In China, Apple now stores customers’ personal data on Chinese government servers and does not use Apple’s encryption technology in the country. TikTok, owned by Beijing-based ByteDance, claims it stores all U.S.-generated data within the United States, although it has been reported that ByteDance still has access to the data. Governments also have greater capabilities to implement measures such as internet shutdowns, regardless of compliance by tech companies.

Yet while states may be more assertively in favor of government intervention, the underlying reasons continue to differ, and this will impact negotiations. Objectives for stricter oversight and regulation of tech companies exist along a continuum ranging from prioritizing citizen protection to state control and surveillance. The language of the treaty will be heavily scrutinized by both governments and global tech companies (which will in turn lobby their governments) to assess opportunities to justify controlling or surveilling private data and infrastructure.

States tend to agree that the new instrument should address needs for training and capacity building. The need to train law enforcement officials, judiciary members, investigators, and others involved in combating cybercrime has been raised by those seeking capacity building, such as Jamaica, as well as those with more advanced tech capacity, such as the United States and United Kingdom, that could provide that support.

Access to capacity building and technical assistance may in fact be a priority for a number of governments and may increase their willingness to negotiate in other areas to achieve firm commitments of support. In this way, offers of capacity building could become a bargaining chip for the harder negotiations around definitions and scope.


Many questions remain, though. Meetings over procedure in 2021 continued to display deep dissatisfaction with the process from a range of states that felt excluded from the decision-making process, such as Caribbean countries, and from others wary of a winner-take-all approach to negotiations through voting rather than consensus. Although governments arrived at a compromise by vote in May 2021, they by no means resolved their underlying differences on scope, intent, and the ultimate purpose of this proposed international treaty.

It remains to be seen if governments will find a way to produce an instrument that bridges competing interests, or if a lack of consensus and trust will be too difficult to overcome. Consensus could bring stronger responses to cybercrime globally, but perhaps around a smaller set of issues given the current political climate. A new instrument would help define the rules for a range of stakeholders from corporations to governments—and ideally safeguard human rights, improve transparency, set norms of cooperation, and enhance responses to cross-border, cross-regional crime.

If the effort fails, cooperation on combating cybercrime will remain regionally fragmented and ad hoc, and will lack transparency across jurisdictions. And, most fundamentally, it will leave responses to crimes that impact everyday citizens and businesses vulnerable to geopolitical whims.

Summer Walker is the Global Initiative Against Transnational Organized Crime’s New York representative and senior analyst covering international crime and criminal justice agendas.
