The United Nations is holding its first ever global cybercrime treaty this week. The 4th round of this hearing is scheduled this January from 9 – 20 January. The focus of the hearing is “state response to cybercrime ” and coordinated intelligence sharing. Nevertheless, this is a much waited treaty, looking into the increasing cybercrimes in cyberspace. The objective of the proposed cybercrime treaty is to classify and categorize various cybercrimes and define a unified international response. A legal reaction regulated internationally is need of the hour to cater all the increasing cybercrimes throughout the world.
According to Paul Brucciani, a Cyber Security Advisor at WithSecure, “My immediate thoughts are that it is a step in the right direction although in the current geopolitical climate it’s impact will be limited. Libertarians will be closely scrutinising the surveillance powers of the treaty.”
The co-facilitated informal negotiations are divided into four groups:
A. Criminalization – Group 1
Focusing on cluster 3 (related to violation of personal information identity thefts and offences), cluster 4 (related to infringement of copy-right) and cluster 6 (related to offences performed by minors and encouragement of or coercion to suicide)
B. Criminalization – Group 2
It is related to extremism-related offences, denial, approval of genocide or crime against peace.
C. General provisions
This will focus on article 2 on use of terms.
D. Procedural measures and law enforcement
This will focus on articles 40, 47, 48 and 49.
The backstory of cybercrime treaty
The first negotiating session of The Ad Hoc committee was held last year in February 2022. Earlier than that, in 2019, the United Nations General Assembly, passed an important negotiated settlement on the use of information and communications technologies for malicious purposes with the intent of harming people or organizations.
Cybercrime is a growing concern of countries all over the world. It effects buyers and sellers of all levels of development in a country. According to UN, An average of 80% countries have enacted cybercrime legislation in coherence with their national policies. As of now, the lowest adoption rate of cybercrime is recorded in Africa with a 72% adoption rate. Whereas the highest adoption rate of cybercrime Laws is recorded in Europe that is 91%. Throughout the world, there are 13% countries having absolutely no legislation for cybercrimes.
A major reason of cybercriminals making to to the landscape so successfully is the recent advancement in technology. Throughout the world, there is a skill gaps to cater the ever increasing attacks. For cross-border enforcement of cybercrime laws, the skills gap produces a significant challenge. The Laws on Cybercrime generally cover three types of Laws:
- E-transaction Laws
- Data Protection Privacy Laws
- Cybercrime Laws
Ever since the trend of online transactions has been initiated, e-transaction laws have become a pre-requisite for carrying out online financial transactions. These laws recognize the legal equivalence between the traditional paper based and electronic forms of transactions. These laws include ensuring the non-repudiation of either parties who are taking part in an online transaction. An excerpt from Modern Law on Electronic transactions, published for the commonwealth, states:
“Information shall not be denied legal effect, validity or enforcement solely on the ground that it is in electronic form.”
The time and place of from where the transaction is initiated and processed is also recorded. Such details are important if there is a cybercrime. The forensics team requires basic information of the transaction under debate. To provide evidence and to ensure a person has initiated or processed a transaction sometime E-signatures are also required. The same document, on its signature requirement, states:
“If a rule of law requires the signature of a person, that requirement is met by an electronic signature. Parties may agree to use a particular method of electronic signature, unless otherwise provided by law.”
Data Protection Privacy Laws
Just like E-transactions, Data privacy and protection also needs laws and regulations. Data protection requires a holistic approach to designing of the system that includes a combination of technical, legal and administrative constructs. Data collection is the prime role of almost every company these days. The use of personal data must be done on lawful basis. Most of the time, cybercrimes are a result of a data breach. Such incidents happen when companies do not safeguard the data and lack technical security. All data that is collected must involve consent of the person whose data is collected.
All over the world data privacy and security is given prime importance. There are many data privacy laws and regulations in different countries The American Data Privacy Protection Act (ADPP), California Privacy Rights Act (CPRA), the very famous The General Data Protection Regulation (GDPR) and many others.
Apart from data privacy and protection, there are many cybercrime laws.
- The Personal Information Protection and Electronic Documents Act, SC 2000 c 5 (‘PIPEDA)
One such Act prevalent in Canada that envisages cybercrime laws is The Personal Information Protection and Electronic Documents Act, SC 2000 c 5 (‘PIPEDA). It requires organizations to enforce proper security safeguards. In case of any cybercrime, It enforces organizations to notify the general public and the affected individuals about a data breech or any other cyberattack.
- Cybersecurity Law of the People’s Republic of China
This law includes regulations for many cyberattacks like Denial of service attack, Phishing, infection of IT systems with Malware like ransomware, spyware, Trojans, worms and other type of viruses. In extreme cases, the law imposes imprisonment up to five years in extreme cases. The law also provides regulations for distribution of hardware or software tools to carryout cyberattacks, electronic theft, unsolicited penetration testing, etc.
The Role of United Nations in uplifting the cyber security landscape
The United Nations has been consistently considerate about information security and the laws that govern this domain. Since 1998, it has been on United Nations’ agenda. The proposed treaty that is being going on these days defines cybercrimes as “criminal offenses committed purposefully and illegally” more specifically stated as “over information technology devices”. A list of cybercrimes is generated for open discussion
According to Tim West, a cybersecurity analyst at WeSecure,
It will be interesting to understand what the perception of deterrence will arise from this – as we saw with colonial pipeline (and some “bad publicity” attacks such as the recent children’s hospital), ransomware actors generally do also prefer operating “under the line” of what warrants severe action against them from bodies with offensive mandates. I’ll be watching to see whether the ‘line’ is lowered.
The critics response to United Nations Cybercrime Treaty
The international Chamber of Commerce suggested that the offences listed in the criminal list must be treated as criminal activities and not just merely unlawful activities as suggested in the United Nations agenda. Many critics respond to the draught treaty, as it is of now with their view points. The international police suggested that better coordination is needed amongst the cyber defense agencies globally. To ensure Global Cybersecurity must be a common objective of these agencies and should work on international level, not just local or national level. According to the agency, it is important that cybercrimes must be reported in the first place. The proposal from the international police also aims to address the issue of underreporting of cybercrimes. This requires improving communication channels.
The international Chamber of commerce, UK, also suggested that once the definition for network attacks is broadened, it will have an equal impact for security researchers since their work involves compromising systems, performing cyberattacks with good intention and retrieving data by unauthorized access. This is done merely for research purpose. However, the draught treaty must state this explicitly, that network attacks that are done for the betterment and for legitimate purposes with good conscience must not be a part of the convention.
Cybercrime is not a new phenomenon. We have seen over the years that how regulations and Cybersecurity Acts have been passed by different nations regulatory bodies. The much needed proceedings on a Global cybercrime treaty by United Nations are under way.
The hearings in January 2023 are the 4th round of treaty negotiations. The first round of hearings was held in February 28th, 2022 and the Final 6th round of hearings will be held in September 2023. The treaty will then be submitted to the United Nations General Assembly for the final verdict. The treaty is then scheduled to go into effect from 2024. Naturally, the negotiations between the Member states since they have their own disagreement about the broad topics of the Treaty. Several topics are under discussion including, international cooperation, substantive cybercrime provisions, digital evidence and its availability and access to law enforcement agencies, including across borders, the Treaty further aims to focus on human rights and procedural safeguards from cybercrimes.
Nevertheless, the cyberspace is becoming insecure with new attacks every now and then. Stance against cybercrimes must be strong and the laws must be applicable for a secure cyberspace.