One of the biggest reasons why cybercrime is so bad — and is increasing each year —is that so much of it is committed by foreign nationals who are not physically located in the country they are attacking.
This makes it far harder for law enforcement to identify, stop and arrest cybercriminals, as often the victim country’s legal jurisdictions, warrants and courts do not apply in the criminal’s country.
It is rare that a country without an international legal agreement will agree to identify, arrest or block a hacker located in its country when they are only attacking another country. Russia and China, for example, certainly are not going to arrest and detain hackers in their country for things that the U.S. reports. And let me be clear, vice versa. The U.S. is not going to arrest and put in jail anyone just because Russia and China ask them to.
Many times, the crime the criminal is committing is not even clearly defined as a crime in their home country. Many times, it appears the country with the cybercriminal tolerates or does not want to stop the cybercriminals as long as they are not attacking domestic targets. And there have been many cases where the source country actively supports the cybercrime. Some countries are taking a direct cut of the proceeds or taking possession of stolen proprietary information. Even if they are not, they welcome the incoming ill-gotten dollars and information in supporting their economies.
The lack of international cooperation on cybercrime has been a problem for decades. And for decades, the United Nations (UN) has been trying to reach a global agreement on what constitutes cybercrime, secure pledges from all countries to stop it and to cooperate in international investigations and arrests.
One of the biggest roadblocks to an international agreement on cybercrime was between three adversaries: the United States, Russia and China. Whatever Russia and China signed onto, the U.S. and its allies did not; and vice versa. Trying to get those three countries to completely agree on anything is nearly impossible.
Enter the UN Convention Against Cybercrime
It is being signed by all the signatories on October 25th in Hanoi, Vietnam (called the Hanoi Convention), and then each signatory has to get it ratified in their own home country.
In a historic first, China, Russia and the U.S. have agreed to sign the same international cybercrime agreement. Albeit not without years of back-and-forth negotiations. China and Russia (which host more cybercriminals than any of the other countries) wanted less stringent protections against actual malicious hacking and wanted more stringent language against things most other countries would put under freedom of speech, political protests and religion. So, language was softened overall, and Russia and China are likely to sign the (weakened) UN Convention and then implement even more stringent versions domestically.
Note the full name of the resolution is: United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes. That is a mouthful. The extended full name resulted from China’s and Russia’s overreach concerns.
Here are some of my top observations of the Convention:
It begins strongly, stating it was created to “Promote, facilitate and strengthen international cooperation in preventing and combating cybercrime.” It makes all the normal cybercriminal activity illegal that most people would think should be illegal: social engineering, unauthorized access, stealing of information, ransomware, password stealing, financial crimes, cryptocurrency scams, denial of service attacks, etc.
It even makes AI deepfake content illegal when the intent is intentional deception. I like this. You can do deepfakes, but not if you are intentionally trying to trick someone. That sounds good.
Much of the Convention addresses international cooperation in not only stopping cybercrime, but also in helping foreign countries collect and preserve evidence. The host country must take steps to collect and preserve evidence for at least 90 days.
It makes creating or using a device for intentional cybercriminal activity illegal. I like that as long as it is only applied to malicious criminals and not well-meaning researchers who do not harm others.
It protects against child exploitation, revenge porn and the sharing of non-consensual intimate images. If you share nudity without someone’s permission, be warned. It does make an exception for children who share consensual images and content. I think that is probably more right than wrong because I am not sure I want two young lovers being arrested for sharing photos of themselves with each other (with the normal limitations applied).
It does not make the creation, distribution and viewing of consensual pornography illegal. This was a hotly debated topic as many of the signatories made it illegal, sometimes punishable by harsh penalties, including death. The UN Convention does not outlaw it, but it will still be illegal where it is domestically illegal. You just will not see people in other countries arrested for it if it is not prohibited in their home countries.
Money laundering is illegal. Besides being right to do, it does make cryptocurrency operations that automatically launder cryptocurrencies illegal under international law. This will shut down a ton of illegal operations and, overall, simply make it harder to turn ill-gotten cryptocurrency into normal currency. It also ends the debate over whether automated money laundering operations are legal. They are not.
Protections, investigations, arrests, prosecutions and evidence collection are ultimately controlled by local law, but should support the resolutions in the Convention. The Convention discusses the freezing, seizure and confiscation of proceeds from a crime. That is good.
The Convention covers the extradition of cybercriminals to foreign victim countries. This is great news. No longer can cybercriminals hide in their home country and not be worried about arrest and extradition to the country of the victim.
And I love this one part (i.e., Article) in particular: “Each State Party shall designate a point of contact available 24 hours a day, seven days a week, in order to ensure the provision of immediate assistance for the purpose of specific criminal investigations, prosecutions or judicial proceedings concerning offences established in accordance with this Convention…”
Each participating country will have an available contact 24/7. That is great. No waiting around.
Article 53 covers preventative measures that each signatory country should take to prevent cybercrime in its own country and against other countries. The list reads a little old school and is missing a lot of things I would recommend, but it is a start.
Lastly, the Convention allows amendments (after five years) if passed by a two-thirds majority vote. This is great. You never know what ends up happening or what you missed until you enact a global Convention.
After the signing ceremony in Hanoi on October 25th and 26th, it will require domestic ratification by each signatory country. That will likely take years, but it is the way all global cooperation agreements happen. Most countries will need to pass and update existing laws to meet the Convention’s obligations.
Critics are rightly worried about the Convention being used to cause human rights abuses and violate people’s privacy in the name of the Convention. Countries, like China and Russia, with less support for freedom of speech, have made (or tried to make) changes that seemed aimed at protesters and religious practitioners.
Others are (again, rightly) worried it may be used to arrest researchers and journalists who are discovering and reporting on new vulnerabilities. This is not an imaginary worry, even in countries considered to have strong protections for freedom of speech. For example, in the U.S., journalists have been sued by companies and states for publicly revealing existing vulnerabilities in public websites and services.
I do think that we do need to worry about the Convention being used to threaten, abuse, and arrest people who are not engaged in malicious hacking. But warts and all, I will take the Convention. We have needed it for decades. It took decades to get it.
Will It Work To Reduce Cybercrime?
Who knows. My gut instinct says it will not help much, but if cooperating nations go after the largest targets causing the most damage, it cannot hurt. That is the answer. It cannot hurt.
I welcome what the UN and signatories have done. We have been trying to get something like this agreed upon and implemented for decades. So, flaws and all, I welcome it. For a long time, cybercriminals were granted the ultimate protection by simply attacking victims in foreign countries. That guaranteed protection will soon be gone and that is a great thing.
