Russia’s UN cyber treaty is a warning for the future of the internet

The UN prepares to pass a controversial cybercrime treaty, signalling a shift toward authoritarian control of the internet and forcing democracies into difficult choices
Main Top Image
Image generated using Midjourney

On August 8, 2024, the United Nations General Assembly’s Third Committee adopted (by consensus) the draft text of a global cybercrime treaty that Russia put forward. The treaty text is likely to be approved by the full General Assembly before the end of 2024. Once it is approved and opened for signature, it will enter into force 90 days after the fortieth state deposits its formal instrument of ratification with the United Nations (UN).

Authoritarians are getting the upper hand

It may be tempting to dismiss this as another piece of paper at the UN, but it’s not.  Authoritarian countries are getting better at manipulating UN cyber processes to advance their interests. Even though Russia has had many failures at the UN recently, this cyber treaty is likely to be opened for signature with the approval of the UN General Assembly. Its entry into force could further crystallise the authoritarian vision of “cyber sovereignty” internationally.

Researchers and policymakers have long thought that bodies like the UN and the UN General Assembly — and related processes like the UN’s Open-Ended Working Group (OEWG) on cyber issues — had ‘liberal DNA’ and were inherently conducive to free-and-open internet positions from democracies. In other words, there was an assumption that while governments in Moscow and Beijing might seek to advance their own interests within the UN, they were fundamentally fighting a system that was more conducive to liberal democratic outcomes and successful coalition-building by the US, UK, Germany, South Korea, Japan, and other democracies.

The last few years have blown that assumption apart. In November 2018, the Third Committee of the UN General Assembly passed an authoritarian-led cybercrime resolution 85-55, with 29 abstentions. Departing from years of voting with the open-internet bloc, Brazil, India, Mongolia, Singapore, Jamaica, and other countries voted in favour of the cybercrime law. In November 2019, the same body passed a cybercrime resolution led by Russia 88-58, with 34 abstentions. Once again, countries that historically would have opposed the proposal, voting with countries such as France, Australia, and the US, supported it.

Russia’s current treaty draft is picking up steam despite years of coalition-building by democratic and like-minded countries. The treaty poses significant risks to human rights. It would go beyond online scams or ransomware attacks, and apply to circumventing internet restrictions, disseminating critical foreign media stories, and speaking out against the state. These human rights problems are features — in fact, value-adds — from the authoritarian viewpoint. Writing a carefully worded treaty about ‘cybercrime’ that excludes human rights protections is designed to increase transnational law enforcement cooperation in criminally pursuing authoritarian regimes’ domestic political opponents.

If Russia had proposed this treaty a decade ago, many in the West may have laughed it off. However, the recent authoritarian successes on UN cyber negotiations, such as the November 2018 vote, speak to authoritarian states’ increasing skill at exploiting the procedural rules and practices of international institutions. While broader trends of democratic backsliding around the world are relevant to these dynamics, effectively marshalling that potential coalition takes skill, and major authoritarian states have put in the work to build that expertise. Put simply, it’s no longer a long shot that such rights-violating documents are passed.

Shift to authoritarian values in the long term

One important example of a way that the draft treaty reflects these procedural tactics is its provision for the creation of a Conference of States Parties (A.57). A ‘conference of parties’ is a common practice for updating a treaty over time and overseeing issues arising from its implementation. However, in combination with the problematic human rights provisions in the draft treaty, the creation of a conference of parties presents a particular dilemma for democracies and other states that care about digital human rights. Democracies and their allies will have to choose whether to ratify a flawed treaty that could impair digital rights, or else, by refusing to join, enable authoritarian states to use the Conference of States Parties to amend the treaty over time to align more completely with their initial negotiating positions, which would have been even more destructive of digital rights.

The end result will be either that democracies are locked into an international order nudged toward what we have called ‘authoritarian multilateralism’, or that the international system is pushed toward parallel orders (liberal versus authoritarian). Crucially, if democracies opt not to join the treaty, over time the authoritarian order for cybercrime governance would be the one more closely associated institutionally with the UN itself.

‘A fork in chess’

Right now, this dilemma is somewhat akin to a fork in chess. The basic idea is to put two things the opponent values under simultaneous threat in the hope of forcing them to choose which to sacrifice. Authoritarian states may be hoping to put democracies in the position of choosing between saving as expansive as possible a range of digital rights on the one hand and a single rule-based liberal international order on the other.

The debate over cyber sovereignty

To better approach this international cyber problem, policymakers in the US, EU, Japan, and other open-internet democracies should stop thinking in terms that cede the field vis-a-vis cyber sovereignty. Often, diplomats and policymakers from both democratic and authoritarian countries will use ‘cyber sovereignty’ as the foil to the democratic vision of digital rights. Authoritarians, of course, do not call themselves that. It is likely that democracies avoid naming authoritarianism for what it is, especially when at least some of the key audience they are working to persuade includes regimes with authoritarian tendencies. But there are a couple of problems with this approach.

‘Sovereignty’ means many things to different countries. It can include governments that merely desire to crack down on harmful Big Tech practices or increase cybersecurity and privacy regulations. Growing support for ‘cyber sovereignty’ includes countries without more autocratic tendencies that are persuaded by this rhetoric of state regulation.

It is also not entirely true that the United States is opposed to the idea of cyber sovereignty. It’s hard to imagine any state truly opposing the idea that it could exercise jurisdiction or sovereignty over human conduct that involves internet connectivity. Any of the US Department of Justice’s indictments of non-US persons for espionage and cyber activities serve to make this point.

The more accurate and productive discussion is instead to talk about what cyber sovereignty means, and about how versions of cyber sovereignty can be developed that maintain key principles like free access to information, human rights protections, open markets, and internet innovation. Here, the European Union is a helpful guide. The EU has started to develop its own (human-rights-affirming) version of cyber sovereignty. The United States has generally been wary of this European effort, but such wariness pushes the discussion of ‘sovereignty’ in cyberspace to the margins of US policymaking and allows authoritarian countries to lead the debate. Instead, the United States should follow the European example and think carefully about what a democratic version of cyber sovereignty looks like.

Inevitably, American and European views on this question will likely differ at the margins. But that in itself is a demonstration of democracy in action. It can open up a more productive conversation with European allies and with states around the world that recognise the policy challenges arising from the global nature of the internet while simultaneously protecting human rights. It’s an essential reframing in light of Russia’s continued success — along with the success of the Chinese government and other authoritarians — in weaponising ‘sovereignty’ to advance rights-repressive views of cybercrime and the internet.

The approach we recommend may not let democracies escape this particular fork posed by the draft cybercrime treaty entirely unscathed. But it can help minimise the treaty’s potential damage to digital rights in the long run, to the extent that countries can be engaged in a healthier discussion about how to implement digital sovereignty in rights-respecting ways. Reframing the US approach can also help minimise damage to the broader rule-based international order posed by the increasing procedural sophistication of major authoritarian states in global governance processes. Increasingly, the future of global internet policymaking and norms-setting depends on it.

Terms & Conditions

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 15 December 2024, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.