Market research suggests the collective fallout of cybercrime globally last year to governments, businesses and consumers was US$8.15 trillion. That figure is equal to more than seven percent of the world’s formal economy. It may also be a massive undercount. By 2028, the quantifiable harm of cybercrime is forecast to reach nearly US$14 trillion.
Clearly, there’s an urgent need for intergovernmental action to strengthen cybersecurity. Yet after holding six prior meetings dating back to March 2022, a special committee tasked with drafting a cybercrime convention under the United Nations’ purview couldn’t reach consensus on the text’s provisions during the committee’s concluding session in early February. In part, this stems from the treaty having become another political flashpoint between authoritarian states, such as China and Russia, versus liberal democracies, led by the United States.
Another inherent obstacle in the process has been defining what exactly cybercrime entails. In an increasingly hyperconnected world, criminal enterprises, terrorist groups, state actors and other malevolent entities are constantly inventing novel ways to exploit digital vulnerabilities. These range from corporate espionage and blocking website access through distributed denial-of-service attacks to remote installation of ransomware and malware. Internet fraud is continually changing as well, with social engineering schemes, data hacks, extortion, identity theft and embezzlement all evolving in myriad ways. Digital stalking and other forms of predatory behaviour can be added to that list.
The two rival blocs argue that what’s at stake are the future contours of the internet. And no matter whether all countries sign on — two-thirds majority voting rules apply — the convention will still have great downstream effect. “Even if the implementation can be spotty,” Raman Jit Singh Chima, policy director at digital rights group Access Now, told Foreign Policy last August, “it’s going to have a massive impact on the design of cybercrime laws for the next 20, 30 years.”
Lost in the noise are the interests and needs of developing countries.
The committee hopes to reconvene later this year. The goal is to deliver a proposal for a binding legal framework for dealing with cybercrime. This includes details on procedures, norms and requirements around international cooperation, information sharing between governments, access to digital evidence by law enforcement agencies and human rights guardrails. But negotiations have broken down over the convention’s scope. Western diplomats and civil society groups say it should cover only specific cybercrimes. China, Russia and others want it to apply to crimes committed using information and communications technologies in general.
A more hostile and fragmented geopolitical environment has given rise to what are called advanced persistent threats (APTs). In these cases, sophisticated state-sponsored or state-run hacker groups covertly compromise the systems of high-profile companies and government agencies over a long period of time. Their efforts typically are focused on exfiltrating certain prized information, such as intellectual property or state secrets, in phases. Cybersecurity experts estimate there are around 40 APTs in operation worldwide, roughly half of them believed to originate in China.
In late March, the United States and the United Kingdom announced sanctions against China after allegedly uncovering a years-long mass digital spying campaign orchestrated by an APT contracted by Beijing’s Ministry of State Security. Canadian intelligence officials later stated the same group has been probing networks in Canada as well. A spokesperson for China’s foreign ministry denied the allegations, blaming Western officials for “spreading disinformation” and “smearing other countries when facts do not exist,” and asserting that China itself is a victim of cyberattacks. Previously, a hacker group named Cozy Bear — suspected of links to Russian intelligence services — secretly mined the inner networks of Microsoft and Hewlett Packard for months before being discovered in late 2023. On behalf of Iran, Helix Kitten has targeted financial, energy, chemical and telecoms companies in countries across the Middle East for the past decade. Tehran may have also previously masterminded a massive hacking campaign against the US Treasury Department, State Department and US-based private sector defence contractors. In an indictment unsealed on April 23 in New York, American prosecutors charged four Iranian citizens linked to Iran’s Islamic Revolutionary Guard Corps with trying to steal defence-related information from at least 200,000 victim devices over a five-year period beginning in 2016.
On February 14, Microsoft and OpenAI co-published research on how state-backed actors in China, Iran, North Korea and Russia have also started using OpenAI’s large language models (LLMs) to enhance their offensive cyber strategies. A main focus has been on using the tools’ coding abilities to accelerate and improve the writing of scripts of computer code necessary to identify, interact with and manipulate various web-based technologies. The same LLMs are aiding in scouting technical vulnerabilities related to numerous things, ranging from satellite capabilities to Microsoft’s own customer support diagnostic tools. North Korea is said to have used LLMs to compile information on foreign experts and think tanks examining the country’s secretive nuclear weapons program.
Critics of the proposed UN convention argue it’s an Orwellian push by authoritarian states that has little to do with stopping cybercrime at all.
Meanwhile, in its latest Global Risks Report, the World Economic Forum (WEF) points to cybercrime as a means for transnational criminal networks to “adopt blended business models” and “fragment the physical presence of organized crime.” Expect the democratization of generative artificial intelligence (AI) to accelerate these efforts by rendering phishing material and digital voice impersonations more convincing. What’s more, a trio of academic researchers recently established proof of concept for a new breed of computer worms powered by generative AI. Their work underscores how nefarious actors could soon use adversarial programs to hijack control of other generative AI agents, such as email assistants or customer service chatbots.
The way forward is anything but clear. Critics of the proposed UN convention argue it’s an Orwellian push by authoritarian states that has little to do with stopping cybercrime at all — the result of concerted Russian efforts beginning in the mid-2010s to shift global cyber norms in a more authoritarian direction. This culminated in December 2019, when the UN General Assembly adopted a Russia-sponsored resolution to establish an international convention on “countering the use of information and communication technologies for criminal purposes.” It received the support of 79 nations and benefited from the abstention of 33 others.
Among countries that voted in favour were Russia’s geostrategic allies China, Iran and North Korea — all leading instigators of cybercrime — along with 30 African countries, or more than half the continent. A mutual priority for those in favour of the resolution is the expansion of digital sovereignty. Also called cyber sovereignty, this refers to a national government asserting control over its domestic cyberspace — from data and software to online services, digital protocols and physical infrastructure. This occurs to some degree in every country, China’s Great Firewall being the most extreme example.
Western officials and human rights groups say the treaty in its present form is a Trojan horse that will legitimize pro-authoritarian models of digital sovereignty under the guise of combatting crime. A joint letter signed by 100 civil society organizations and submitted to UN negotiators ahead of the committee’s concluding session in February expressed concern that the draft text is too vague and excessively broad in scope. They say the convention will open the door to greater criminalization of free expression and allow governments to circumvent their other obligations under international humanitarian law. One feared outcome is a huge increase in state surveillance and censorship capabilities. The European Union’s Data Protection Supervisor has recommended that EU member states refuse to sign the treaty unless data and privacy protections are strengthened.
The risk of governments misusing the treaty to monitor citizens and silence dissent is a serious issue and real concern. But invoking the authoritarianism versus democracy paradigm is unhelpful. Indeed, doing so dismisses the agency of low- and middle-income countries that credibly seek a greater degree of digital sovereignty to support their development efforts.
Close to one-third of humanity, some 2.6 billion people, still lack internet access — the vast majority of them in the Global South. But with each passing year, more and more citizens and devices in developing nations come online. As these jurisdictions build out their fledgling digital ecosystems, the addition of new internet users is generating valuable data and insights into patterns of consumer behaviour, population health, transportation and logistics, financial activity and more. Such information can be rocket fuel for improving service delivery. Governments in these same countries are meanwhile harnessing digitalization for strategic purposes, such as mapping out risks to national security, adapting to climate change and planning infrastructure investments. However, data access remains an issue: possession and stewardship over it are still predominantly ring-fenced by foreign tech companies.
Because of their lack of state capacity, developing nations also require more robust information-sharing mechanisms between foreign governments and domestic law enforcement agencies. The more sophisticated cyber defences now emerging in the industrialized world are driving criminals to redirect their operations toward less digitally literate populations reliant on less secure infrastructure and systems. “Already prevalent in Latin America, cybercrime,” the WEF’s Global Risks Report 2024 predicts, “will continue to spread to parts of Asia and West and Southern Africa, as affluency grows and internet connectivity brings large swathes of the global population online.” Ensuring developing nations have the external support they need to properly defend against cybercrimes within their jurisdiction can improve domestic and regional economic resilience. It will also build the trust necessary to support the creation of more equitable rules of digital trade.
Western officials framing the convention as another proxy battle against the world’s growing club of autocrats could also further alienate the Global South by appearing hypocritical and paternalistic. After all, many intelligence agencies in liberal democracies have been found to be avid users of commercial spyware technology. Western firms have likewise provided illiberal regimes with numerous digital tools of repression. And thanks to revelations by American whistle-blower Edward Snowden, we know how the United States and Britain pioneered modern mass electronic surveillance programs a decade ago. Before that, Israel and America are suspected of jointly creating the Stuxnet virus that crippled an Iranian nuclear enrichment facility in 2009–2010.
However, an amendment to the treaty’s draft text presented by Canada at the committee’s concluding session in February may offer an elegant solution to the dilemma of how to mitigate cybercrime while still considering human rights. It reads: “Nothing in this Convention shall be interpreted as permitting or facilitating repression of expression, conscience, opinion, belief, peaceful assembly or association; or permitting or facilitating discrimination or persecution based on individual characteristics.”
If, over the next few months, UN negotiators can use that amendment to produce a revised treaty text that achieves the broadest possible level of support, that would represent meaningful compromise and progress. But should competing political blocs torpedo a deal out of ideological competition, it would put the world further down the path toward a widely feared “splinternet” scenario. In that scenario, it will be developing countries that end up suffering the most.
