The UN Cybercrime Convention is necessary, but the law still lags behind cybercriminals


In December 2024, the United Nations (UN) adopted the UN Convention against Cybercrime, the world’s first global cybercrime treaty. It concluded years of negotiations and aimed to enable cross-border investigations with a shared legal framework. It was a long-overdue legal milestone, but the speed of law-making and the Convention itself still lag behind the pace and scope of global cybercrime.

Cybercriminals move faster than consensus because they operate on time frames that law was never designed to match. Ransomware groups can launch, adapt, and dismantle operations in days or even hours, while international legal processes unfold over years. 

These groups cross borders, erase traces, and adapt more quickly than any formal process can respond. In 2023, over $1 trillion was stolen globally, according to Microsoft’s 2024 Digital Defense Report. In the United States alone, consumer losses hit $16 billion, a 33% rise from the previous year. Ransomware now routinely targets hospitals, local governments, and critical national infrastructure. Large-scale cybercrime is not new; these types of ransomware campaigns have been escalating for years, with a major rise in scale and scope since the 2010s.

Given the speed and global scale of this threat, international law faces a core limitation: it is not designed to move quickly. The convention is ambitious, but it relies on mechanisms such as mutual legal assistance, extradition requests, and national implementation of shared offences. These tools are essential for legitimacy but operationally cumbersome. They depend on domestic laws, political will, and institutional capacity.

So the convention is a necessary legal foundation, but insufficient in isolation. Cybercrime operates simultaneously across multiple jurisdictions and exploits legal, technical, and enforcement gaps between states that no single national legal system, however sophisticated, can close. Effective responses therefore require a hybrid model combining formal legal frameworks with institutions capable of agile, real-time coordination.

The convention’s legal foundations 

The convention defines core cyber offences, encourages harmonised legal procedures, and offers tools for cooperation. Some provisions are promising, calling for 24/7 contact points to respond to urgent cross-border requests, data preservation and evidence sharing, and extradition using the treaty itself as the legal basis. There are, however, no deadlines for cooperation or consequences for inaction. Key articles on expedited data preservation and disclosure lack mandatory real-time intelligence sharing, meaning delays often turn coordination into cleanup after the damage is done.

In addition, convention provisions on law enforcement cooperation remain optional and depend on national discretion. Some of these limitations result from political caution. Several states, especially the US and European partners, as well as civil society groups, pushed for strict human rights safeguards, concerned that authoritarian governments could misuse vague offences, data requests, or expansive investigative powers. Although these guardrails were necessary, they introduced operational constraints.

Among the convention’s strongest features are the capacity-building commitments, yet these fall short, lacking clear funding mechanisms, benchmarks, or monitoring tools. Assistance remains contingent on political priorities and donor discretion. In sum, the convention offers a shared legal language and an aligned framework, but alone, it does not create a system capable of matching the speed and complexity of global cybercrime.

What law cannot do alone: the missing element of operational agility

The convention’s legal structure may work well for prosecution, but not for disruption. Cybercrime unfolds in real time; cooperation based solely on statute will necessarily lag. This gap extends beyond governments. Even academic cyber conflict research has been slow to treat ransomware as the strategic threat it has become. This analytical lag reflects the same problem facing the convention: traditional frameworks move far more slowly than the actors they seek to govern.

Disruption requires real-time access, technical capacity, and operational trust built through repeated cooperation, shared systems, and reliable information exchange among authorities. That is why a hybrid model that combines legal authority with fast-moving, operational response is necessary.

The Counter Ransomware Initiative as a prototype of fast-moving cooperation

If the convention represents the legislative path to global cooperation, the Counter Ransomware Initiative (CRI) shows what operational cooperation can look like. The initiative brings together over 60 governments, law enforcement agencies, national cybersecurity teams, and private companies to share threat intelligence, coordinate takedowns, and disrupt ransomware networks, often in near-real time.

Consider, for example, Operation Cronos, the takedown of LockBit, in February 2024. It illustrates what agility can achieve: dark-web infrastructure dismantled, source code seized, and decryption tools released to victims globally. Beyond operations, the CRI supports capacity-building through technical workshops and mentoring. It also offers tools for real-time information sharing, like the Malware Information Sharing Platform.

Despite its successes, the CRI has some flaws, such as selective membership and limited transparency mechanisms. Furthermore, its activities raise political sensitivity around inclusion and accountability. Still, the CRI highlights what law alone cannot provide: speed, adaptability, and trust-building cooperation. The lesson is not to replace law, but to complement it.  

Toward a hybrid model for governing cybercrime

Global threats require both legal clarity and real-time responsible disruption. Treaty-based frameworks provide the legal scaffolding to support agile cooperation, while platforms like the CRI provide the strength in operations, disrupting threats and responding faster than formal treaty procedures. Through repeated joint operations and shared technical platforms, cooperation can build trust among participating agencies and so facilitate deeper and more reliable legal collaboration.

In practice, this hybrid model does not require the convention and CRI to formally align. States can still connect the two by using the convention’s legal tools to support participation in CRI’s faster, more flexible operations. For example, countries might pass national laws based on the convention that authorise their agencies to join CRI task forces or share data through its platforms. This would still allow international law to support rapid cyber responses. 

From law to real-time defence

Looking ahead, three priorities are fundamental. First, states must codify operational agility within national legal frameworks, ensuring that domestic law authorises real-time disruption efforts, shared response platforms, and cross-border task forces. Second, governments should promote alignment between treaty-based cooperation and operational coordination mechanisms, ensuring that initiatives like the CRI can interoperate with the convention through shared standards and trusted channels. The convention’s impact will depend on how well states integrate its legal authority with operational agility. Third, states and donors must close the global capacity gap. Without scalable support, many countries will remain targets, not partners.

These actions are not tweaks; they are structural requirements for a treaty that must adapt to an environment where threats move faster than diplomacy. A legal instrument alone cannot deliver security, but if embedded in a hybrid system, it can become the backbone of real-time global defence.

Disclaimer: The views expressed are solely those of the authors and do not reflect the views of any institution.