Since 2021, the CyberPeace Institute has consistently been expressing doubts and criticism over the proposed UN cybercrime treaty. As we enter the 4th year of negotiations, States are spending enormous resources on a treaty which will not address the real systemic issues of cybercrime fighting, but will create unacceptable risks to human rights and new harm. To ring the alarm once again, our CEO, Stephane Duguin, published an Op-Ed in Le Temps.
This is the English translation.
Every week brings news of yet another criminal cyber incident: attacks against French hospitals, Swiss parliamentarians, the German Social Democratic Party, the FBI, or Europol. The same question arises: what are states doing to stem this rising tide?
Almost three years ago, governments embarked on negotiations at the United Nations for an international convention against cybercrime. This draft treaty, initiated by the Russian Federation, is deeply concerning, generating a consensus from civil society to the private sector, on its futility and dangerousness. The CyberPeace Institute and its partners have been sounding the alarm for three years (e.g. Multistakeholder Manifesto published on 16 January 2024 and Joint Statement on the Proposed Cybercrime Treaty published on 23 January 2024), but to no avail. The negotiation rhetoric is fear mongering: existing instruments do not work, and the world needs a new convention to avoid succumbing to the grip of cybercriminals.
I was a police officer for twenty-five years in anti-cybercrime and anti-cyberterrorism units, and today I lead an NGO that investigates cyberattacks. If I compare my field expertise and the draft at hand, I fail to see how this treaty would provide solutions to effectively combat cybercrime. Worse, it has the potential to create fertile ground for criminals and generate more victims.
What is in it for the victims? What is in it for the investigators?
A good law is like a good idea: it is immediately recognisable. It is effective only if it facilitates victim’s access to repair and redress, strengthens investigative capacity, and upholds fundamental rights. A good law demonstrates a state’s ambition to protect its people, not its desire to protect itself from its citizens. This is not the case with this treaty.
In fact, this text proposes nothing that cannot already be accomplished by national legislation, whether in terms of prevention or prosecution. It lacks ambition in crucial areas such as widespread digital education, local cybersecurity, mandatory default security for technological tools, legal and psychological support for victims, public attribution of attacks, and measuring the harm of cyberattacks.
This treaty does not address the alarming lack of human, technological, and diplomatic capacities to counter criminals. Investigators and judicial authorities need training and tools: on evolving criminal models (e.g., ransomware 3.0), on collecting digital evidence in the age of cloud computing and deepfakes, and on upholding fundamental rights and data protection principles. They must also be equipped to strategically leverage disruptive technologies in investigations (e.g., AI), foster coordination between financial and cyber investigations, and ensure their own cybersecurity to prevent cyberattacks targeting investigative services.
Not a Solution to the Systemic Issues to Fight Cybercrime
So why this treaty? Legislating gives the illusion of action, a known bias, but here, the manoeuvre is more insidious. This treaty, under the cover of alarmist rhetoric, is a Trojan horse for censorship and authoritarianism. Throughout my professional career, I have used various international tools in operational contexts (e.g., the Budapest Convention, Interpol, Europol, Eurojust, joint investigation teams), and they meet the vast majority of cases. Their limitation is not in their scope but in the lack of human and financial investment for their implementation on the ground.
This treaty does not provide any solutions to the systemic problems of international cooperation, including the lack of resources for judicial assistance and the mistrust that exists between states. This treaty criminalises behaviours such as ethical hacking, freedom of expression, but does not provide for sanctioning states harbouring criminal groups. It is interesting to note that the Russian Federation, the instigator of this treaty, has systematically blocked for decades international cooperation against cybercrime, protecting criminals and their assets.
In twenty-five years as a criminal investigator, I have learned to always ask who benefits from the crime. Sometimes, it is useful to ask, who benefits from the law?