Russia’s UN cyber treaty is a warning for the future of the internet
On August 8, 2024, the United Nations General Assembly’s Third Committee adopted (by consensus) the draft text of a global cybercrime treaty that Russia put forward. The treaty text is likely to be approved by the full General Assembly before the end of 2024. Once it is approved and opened for signature, it will enter into force 90 days after the fortieth state deposits its formal instrument of ratification with the United Nations (UN).
Authoritarians are getting the upper hand
It may be tempting to dismiss this as another piece of paper at the UN, but it’s not. Authoritarian countries are getting better at manipulating UN cyber processes to advance their interests. Even though Russia has had many failures at the UN recently, this cyber treaty is likely to be opened for signature with the approval of the UN General Assembly. Its entry into force could further crystallise the authoritarian vision of “cyber sovereignty” internationally.
Researchers and policymakers have long thought that bodies like the UN and the UN General Assembly — and related processes like the UN’s Open-Ended Working Group (OEWG) on cyber issues — had ‘liberal DNA’ and were inherently conducive to free-and-open internet positions from democracies. In other words, there was an assumption that while governments in Moscow and Beijing might seek to advance their own interests within the UN, they were fundamentally fighting a system that was more conducive to liberal democratic outcomes and successful coalition-building by the US, UK, Germany, South Korea, Japan, and other democracies.
The last few years have blown that assumption apart. In November 2018, the Third Committee of the UN General Assembly passed an authoritarian-led cybercrime resolution 85-55, with 29 abstentions. Departing from years of voting with the open-internet bloc, Brazil, India, Mongolia, Singapore, Jamaica, and other countries voted in favour of the cybercrime law. In November 2019, the same body passed a cybercrime resolution led by Russia 88-58, with 34 abstentions. Once again, countries that historically would have opposed the proposal, voting with countries such as France, Australia, and the US, supported it.
Russia’s current treaty draft is picking up steam despite years of coalition-building by democratic and like-minded countries. The treaty poses significant risks to human rights. It would go beyond online scams or ransomware attacks, and apply to circumventing internet restrictions, disseminating critical foreign media stories, and speaking out against the state. These human rights problems are features — in fact, value-adds — from the authoritarian viewpoint. Writing a carefully worded treaty about ‘cybercrime’ that excludes human rights protections is designed to increase transnational law enforcement cooperation in criminally pursuing authoritarian regimes’ domestic political opponents.
If Russia had proposed this treaty a decade ago, many in the West may have laughed it off. However, the recent authoritarian successes on UN cyber negotiations, such as the November 2018 vote, speak to authoritarian states’ increasing skill at exploiting the procedural rules and practices of international institutions. While broader trends of democratic backsliding around the world are relevant to these dynamics, effectively marshalling that potential coalition takes skill, and major authoritarian states have put in the work to build that expertise. Put simply, it’s no longer a long shot that such rights-violating documents are passed.
Shift to authoritarian values in the long term
One important example of a way that the draft treaty reflects these procedural tactics is its provision for the creation of a Conference of States Parties (A.57). A ‘conference of parties’ is a common practice for updating a treaty over time and overseeing issues arising from its implementation. However, in combination with the problematic human rights provisions in the draft treaty, the creation of a conference of parties presents a particular dilemma for democracies and other states that care about digital human rights. Democracies and their allies will have to choose whether to ratify a flawed treaty that could impair digital rights, or else, by refusing to join, enable authoritarian states to use the Conference of States Parties to amend the treaty over time to align more completely with their initial negotiating positions, which would have been even more destructive of digital rights.
The end result will be either that democracies are locked into an international order nudged toward what we have called ‘authoritarian multilateralism’, or that the international system is pushed toward parallel orders (liberal versus authoritarian). Crucially, if democracies opt not to join the treaty, over time the authoritarian order for cybercrime governance would be the one more closely associated institutionally with the UN itself.
‘A fork in chess’
Right now, this dilemma is somewhat akin to a fork in chess. The basic idea is to put two things the opponent values under simultaneous threat in the hope of forcing them to choose which to sacrifice. Authoritarian states may be hoping to put democracies in the position of choosing between saving as expansive as possible a range of digital rights on the one hand and a single rule-based liberal international order on the other.
The debate over cyber sovereignty
To better approach this international cyber problem, policymakers in the US, EU, Japan, and other open-internet democracies should stop thinking in terms that cede the field vis-a-vis cyber sovereignty. Often, diplomats and policymakers from both democratic and authoritarian countries will use ‘cyber sovereignty’ as the foil to the democratic vision of digital rights. Authoritarians, of course, do not call themselves that. It is likely that democracies avoid naming authoritarianism for what it is, especially when at least some of the key audience they are working to persuade includes regimes with authoritarian tendencies. But there are a couple of problems with this approach.
‘Sovereignty’ means many things to different countries. It can include governments that merely desire to crack down on harmful Big Tech practices or increase cybersecurity and privacy regulations. Growing support for ‘cyber sovereignty’ includes countries without more autocratic tendencies that are persuaded by this rhetoric of state regulation.
It is also not entirely true that the United States is opposed to the idea of cyber sovereignty. It’s hard to imagine any state truly opposing the idea that it could exercise jurisdiction or sovereignty over human conduct that involves internet connectivity. Any of the US Department of Justice’s indictments of non-US persons for espionage and cyber activities serve to make this point.
The more accurate and productive discussion is instead to talk about what cyber sovereignty means, and about how versions of cyber sovereignty can be developed that maintain key principles like free access to information, human rights protections, open markets, and internet innovation. Here, the European Union is a helpful guide. The EU has started to develop its own (human-rights-affirming) version of cyber sovereignty. The United States has generally been wary of this European effort, but such wariness pushes the discussion of ‘sovereignty’ in cyberspace to the margins of US policymaking and allows authoritarian countries to lead the debate. Instead, the United States should follow the European example and think carefully about what a democratic version of cyber sovereignty looks like.
Inevitably, American and European views on this question will likely differ at the margins. But that in itself is a demonstration of democracy in action. It can open up a more productive conversation with European allies and with states around the world that recognise the policy challenges arising from the global nature of the internet while simultaneously protecting human rights. It’s an essential reframing in light of Russia’s continued success — along with the success of the Chinese government and other authoritarians — in weaponising ‘sovereignty’ to advance rights-repressive views of cybercrime and the internet.
The approach we recommend may not let democracies escape this particular fork posed by the draft cybercrime treaty entirely unscathed. But it can help minimise the treaty’s potential damage to digital rights in the long run, to the extent that countries can be engaged in a healthier discussion about how to implement digital sovereignty in rights-respecting ways. Reframing the US approach can also help minimise damage to the broader rule-based international order posed by the increasing procedural sophistication of major authoritarian states in global governance processes. Increasingly, the future of global internet policymaking and norms-setting depends on it.