October 23, 2025 | Memo
The UN Cybercrime Treaty: A Trojan Horse for Suppressing Dissent
Executive Summary
Not content to only suppress human rights in their own countries, Russia and China are exporting oppression around the world and using the United Nations as legal cover. On December 24, 2024, the United Nations General Assembly adopted the Convention Against Cybercrime.1 While ostensibly intended to enhance international cooperation to address cybercrime,2 the treaty is actually a platform for authoritarian states to advance ideas about state control of the internet, rope democratic governments into complicity with repression, and weaken key cybersecurity tools on which Americans depend.
The treaty’s overly broad yet still vague definition of cybercrime and its emphasis on mutual assistance mean Russia could potentially use its terms to force Washington to acquiesce to or even assist Moscow’s own trumped-up criminal prosecutions. While the United States is unlikely to ratify the treaty, it voted3 in support of its final text and later voiced support for its formal adoption, opening the door for its entrance into international law. The United Nations is hosting a signing ceremony in Hanoi on October 25-26.4 Only those that ratify the treaty will be obliged to follow it, but the ability to cite a multilateral standard will enable ratifying states to exert pressure on others.
The treaty’s trajectory follows China and Russia’s escalating cyber aggressions towards the U.S. and its allies. China’s “Volt Typhoon” cyberattack gave China unprecedented access to U.S. water, electricity, and critical infrastructure, providing it with valuable information to compromise key U.S. response systems.5 Yet, at the same time, these malign actors claim to be leading the charge in crafting a safer international cyberspace with the UN treaty.
Washington cannot undo the passage of the cybercrime treaty. Instead, the United States must prepare the Department of Justice to withstand authoritarian attempts to leverage the treaty to compel U.S. assistance in suppressing dissent. Washington must also strengthen its cyber diplomacy capabilities within the State Department to thwart further attempts by Russia and China to shape multilateral cyber laws and norms. Finally, the United States must push back, promoting instead an earlier cybercrime agreement, the Budapest Convention, that aligns with U.S. interests and affirms democratic values. To advance human rights online and freedom of expression safeguards around the world, the United States and its allies must confront digital authoritarianism, even when it takes the form of a multilateral treaty.
Digital Sovereignty and the Genesis of the Treaty
The UN cybercrime treaty is the culmination of nearly a decade of persistent Russian — and later, Chinese — efforts to change existing international law. As these two nations increased exports of intrusive surveillance technology and other tools of repression, they rallied dozens of undecided nations to their cause. The United States, meanwhile, ceded the battlespace and then ultimately lent its approval, fearing that opposing the treaty would only undermine U.S. influence further.6
Previously, the primary international mechanism defining cybercrime and encouraging interstate cooperation to combat it was the 2001 Convention on Cybercrime of the Council of Europe, also known as the Budapest Convention. This convention affirms an individual’s freedom of expression and right to privacy. It boasts 81 members, including the United States. However, China, Russia, and other countries with problematic human rights records have refused to sign it since few developing countries were involved in drafting.7 By putting forward a new treaty, Moscow, Beijing, and their partners hope to eclipse the Budapest Convention, which countries continue to use to develop domestic laws and facilitate international cooperation.8
Russia has been attempting to ingrain the concept of digital sovereignty in international forums since 2012, when large-scale anti-government protests demanding political reforms, largely coordinated online, swept the nation.9 Digital sovereignty holds that a government should be able to control the internet that its citizens use. For leaders like Russian President Vladimir Putin, digital sovereignty means shaping a domestic information space completely severed from the global internet and fully subject to state surveillance.10 Consistent with standard UN procedure, the Kremlin presented a letter for circulation to the United Nations General Assembly containing the first draft of what would become the UN’s cybercrime treaty.11
In 2018, as Moscow was first starting to rally support, Russia submitted a request that the UN establish an Open-Ended Working Group (OEWG) on Information and Communication Technologies. The OEWG was open to any interested UN member states, with the stated intent of making the UN negotiation process “more democratic, inclusive and transparent.”12
The United States proposed a competing approach to UN discussions about technology and security issues, forming a 25-state Group of Governmental Experts (GGE).13 GGEs are a common structure within the UN to study issues of concern, but the OEWG, by virtue of its more inclusive approach, became the de facto group making decisions and amendments to the drafted treaty. The GGE, meanwhile, remained more of an observer group.
In 2019, China, Russia, and several of their allies took the next typical step toward a UN treaty by proposing a General Assembly resolution calling for an international convention to combat cybercrime based on Russia’s initial draft. The resolution passed by a vote of 79 to 60 with 33 abstentions, with the United States, the European Union, and other democracies voting no.14 A month later, the General Assembly took the usual step of creating an ad hoc committee (AHC) comprised of member states, nonmember state observers like the European Union, and civil society organizations to begin the drafting process. While the AHC planned to hold its first meeting in the summer of 2020, the COVID-19 pandemic delayed it until 2021.15
From 2021 to 2024, six AHC negotiation sessions took place. Throughout the fraught process, the principal complaints democracies lodged against the draft remained the same: its overly broad scope and lack of human rights protections. There was a lack of consensus around the definition of “cybercrime,”16 with Russia and China pushing for a broad definition to include content-related crimes, such as incitement of terror, disinformation, extremism, and subversion.17 Without precise definitions of such terms in the UN treaty, human rights experts warned at the time, authoritarian nations would use the treaty to criminalize all dissent by arbitrarily branding it as disinformation or one of the other prohibited activities.18 A narrower definition of cybercrime would have focused on unauthorized access to computer systems. The Budapest Convention, for example, focuses on preventing illegal access to computer systems, illegal interception of nonpublic data transmissions, data and system interference, fraud, and forgery.19
Russia and China strengthened cooperation with potential supporters via international partnerships and trade. Since 2015, but with greater intensity in recent years, China has been mounting a diplomatic campaign to build its Community with a Shared Future in Cyberspace, an association that seeks to rally like-minded states around a pro-sovereignty vision for global cyberspace.20 Meanwhile, Chinese technology companies whose products are well-equipped to support state surveillance and censorship are finding receptive buyers among African governments.21 These commercial relationships then feed back into China’s diplomatic efforts to promote its vision of the internet. China has not published the membership list of its Community with a Shared Future in Cyberspace; however, an acceleration in cyber cooperation agreements among regional alliances such as Brazil, Russia, India, China, and South Africa and the Shanghai Cooperation Organization over the past two years indicates China’s progress in rallying support for its vision of sovereign cyberspace.22
Russia, meanwhile, has already been introducing interested states to its System for Operative Investigative Activities (SORM), its mass communications surveillance system.23 Unlike in the West, where judicial warrants are required for targeted surveillance, Russian telecommunications operators automatically give the state’s security agency a backdoor into all internet communications. Security services in Kazakhstan, Kyrgyzstan, and Belarus now use “SORM-style systems,” and Russia has exported this capability to clients ranging from the Gulf monarchies to leftist Latin American regimes such as Cuba and Venezuela.24
These commercial and diplomatic efforts are bearing fruit. Countries that were initially opposed to the treaty, such as Brazil, changed their tune. Other countries that were considered swing voters, like Indonesia, Mexico, Singapore, and South Africa, ultimately supported the treaty.
During this same time, the United States failed to make meaningful changes to the draft text or to rally opposition against its passage. By the summer of 2024, participating UN member states agreed on the treaty’s final text.25 In November, when the United Nations held its final meeting on the treaty, the United States and its allies vocally endorsed the final text, paving the way for the final December vote.26
At least part of the United States’ failure can be attributed to how the State Department chose to engage in the process. Compounding the mistake of not including developing nations in the GGE, State failed to bring the right experts to the table to represent U.S. interests in the negotiations. The U.S. negotiators hailed from the Bureau of International Narcotics and Law Enforcement Affairs (INL). Unlike INL, State’s Bureau of Cyberspace and Digital Policy has extensive expertise in cyber diplomacy, regularly coordinating with allies and partners to build cyber resilience.27 Without this critical expertise, the U.S. representatives mistakenly prioritized the largely symbolic win of participating in international cooperation over the critical need to prevent the UN cybercrime treaty from passing. The INL negotiators defended their support for the final text on the grounds that it is better to be able to influence the treaty’s implementation and evolution than vote against the treaty and risk not being able to participate.28 Senior State Department officials accepted this rationale and approved the decision to support the treaty’s adoption.29
The Damage the Treaty Will Do
Fragmentation of the global internet into sovereign internet ecosystems is an affront to the open, free, and secure internet that has been a touchstone of democratic values in the digital age. By cementing protections for digital sovereignty, Russia, China, and their partners are seeking to remove critical human rights protections and threatening to make democratic signatories complicit in their trumped-up prosecutions of journalists and dissidents.
Warnings to this effect came from both business leaders and political figures. In January 2024, the Cybersecurity Tech Accord, representing 177 technology and cybersecurity companies, submitted a statement to the AHC arguing that the draft was not fit for purpose because it would make cyberspace less secure and undermine human rights. The statement proposed changes to the draft, noting its current iteration “risk[s] criminalization of a wide range of legitimate online activities” due to overly broad purpose and scope.30 The statement proposed “minimum necessary changes,” including adding “criminal intent” to all articles concerning criminalization and establishing exemptions and an “enabling environment” for good-faith cybersecurity research.31 The leaders argued that states should decline to ratify it if the changes are not made.32
In October 2024, six U.S. senators wrote a letter to the Biden administration urging the State Department to reject the treaty.33 The letter pointed to specific problems around privacy and surveillance, censorship and freedom of expression, and cybersecurity research. It warned that the treaty requires countries to “adopt laws that allow their authorities to force any person or company to facilitate” government access to private data and to “collect and share private internet user data with other countries.”
The treaty’s definition of a cybercriminal is at the root of these deficiencies.34 Arguably, the treaty legitimizes domestic laws in authoritarian countries that criminalize speech and peaceful assembly. For example, the text provides wide deference to states to prosecute any cybercrime the state deems serious — defined in the treaty as “constituting an offence punishable by a maximum deprivation of liberty of at least four years or a more serious penalty” under each nation’s own laws. This covers Russian laws like those that prescribe up to 15 years imprisonment for criticizing the war in Ukraine.35
While the text includes superficial nods to protecting human rights, other passages undermine this commitment.36 Under article 6, the treaty advises parties to “ensure” its implementation “is consistent with their obligations under international human rights law.” The article states the treaty cannot “be interpreted as permitting suppression of human rights or fundamental freedoms” such as freedom of expression “in a manner consistent with applicable international human rights law.”37 This language, however, effectively permits countries to decide for themselves what might be considered “applicable” international law. In contrast, the Budapest Convention’s article on human rights requires implementation consistent with the UN’s 1966 International Covenant on Civil and Political Rights, which includes extensive protections for freedom of speech and due process.38
Meanwhile, article 5 also affirms the document’s prioritization of state sovereignty over adherence to any international legal instruments. It emphasizes that “obligations” under the treaty should be interpreted “in a manner consistent with the principles of sovereign equality and territorial integrity of States and that of non-intervention in the domestic affairs of other States.”39 This article, absent from the Budapest Convention, allows states to violate international human rights law and blocks other states from intervening, effectively rendering article 6 unenforceable.
In practice, these flaws in the treaty threaten existing mechanisms for international legal cooperation. The United States uses Mutual Legal Assistance Treaties (MLATs) to establish how and when it cooperates with foreign partners on law enforcement investigations, including how the two sides will exchange evidence, such as electronic data.40 MLATs contain provisions articulating when the Department of Justice will refuse to cooperate, particularly when there are concerns about human rights violations. The United States holds MLATs with aggressors like Russia and China, although it refuses to sign MLATs with Iran and other countries with which it has no diplomatic relations.
The Justice Department’s Office of International Affairs (OIA) must respond to each mutual assistance request it receives.41 A rise in cybercrime has bombarded the OIA with requests for assistance, “straining resources and slowing response times,” according to the department.42 While the treaty acknowledges the existing precedent of MLATs, it argues parties should “afford one another the widest measure of mutual legal assistance … in relation to the offences established in accordance with this Convention … as well as of serious crimes.”43 Cybersecurity and national security lawyers Andrew Adams and Daniel Podair maintain that this language “will undoubtedly complicate the Justice Department’s ability to push back on bad-faith requests.” They warn that countries requesting assistance from the United States will argue that their requests “have a clear basis under international law — international law of which the United States [has become] a willing supporter” by virtue of its UN vote, even if it never officially ratifies the treaty.44 At its worst, this increased challenge to the already-strained OIA could result in the Justice Department acquiescing to some of the requests out of an inability to fight every battle or a decision to trade its assistance for agreement from the other party on an unrelated issue.45
Additionally, U.S. allies that do become parties to the treaty will face increased pressure to assist bad-faith investigations. For instance, law enforcement authorities and courts in Europe may be more inclined to defer to a UN document even if it results in human rights abuses.
A second problem arising from the cybercrime treaty is of direct concern to technology and cybersecurity firms, many of which oppose the treaty’s blanket criminalization of all unauthorized access to computer systems without carve-outs for good-faith research efforts. Today’s cybersecurity ecosystem relies on penetration testing, red teaming, and independent researchers responsibly identifying cybersecurity vulnerabilities so that they can be fixed. The six senators noted in their letter that Department of Justice guidelines say that the federal government will not prosecute good-faith security researchers because “computer security research is a key driver of improved cybersecurity.”46 Artificial Intelligence (AI) systems similarly use simulated attacks to identify problems in their models. In contrast, article 7 on “illegal access” defines as punishable any “intentional” access to “an information and communications technology system without right,”47 with no exception for responsible and critical security research. Amy Hogan-Burney, a lawyer with Microsoft, warned that the text fails to protect “lawful cybersecurity work that keeps the digital ecosystem secure,” such as identifying flaws and testing cybersecurity defenses.48
This may dampen critical research into how software is vulnerable to malicious actors and into the necessary solutions, leaving systems less secure as a result. The security research community is international. In a 2024 open letter to government officials, HackerOne — a company that hosts bug bounty programs and connects companies with ethical hackers — warned that because of the treaty, “Security researchers operating in or collaborating with entities in countries with fewer protections for good faith security research may find themselves at heightened risk of potential legal consequences for activities that are both ethical and essential to maintaining global cybersecurity.”49
Policy Recommendations
Over the long term, wrenching UN processes out of authoritarian hands requires a broader reform of UN institutions.50 In the short and medium term, however, Washington must prepare to withstand the damage of the new UN cybercrime treaty and better advocate for U.S. interests on cybersecurity and internet freedom issues.
- Fortify the Department of Justice for an influx of bad-faith MLAT requests: The Department of Justice should issue internal guidance and prepare procedures to abide by existing MLATs. The department should refuse to entertain requests that it would have previously rejected out of hand. The department should also work with its counterparts in Europe and other democracies to ensure these countries are similarly prepared to withstand an onslaught of requests for evidence and data that will be used to prosecute journalists, dissidents, and human rights activists in authoritarian countries. Furthermore, the department should consider amending existing MLATs with authoritarian countries by inserting language explicitly stating America’s deference to the Budapest Convention when reconciling international and domestic procedures. The attorney general should also issue clear guidance to the legal community that the UN treaty holds no weight in U.S. deliberations.
- Empower State’s Bureau of Cyberspace and Digital Policy to lead international cyber negotiations at the United Nations and in other international forums: With the passage and likely ratification of the UN cybercrime treaty, Russia and its allies are no doubt emboldened to continue exploiting the UN as a vehicle to embed their authoritarian interests in international norms. Russia has already presented a new proposal to the UN to implement a framework to prevent “political provocations” committed via information technology, such as America’s supposed hybrid warfare against the Kremlin. Like the cybercrime treaty, the proposal seeks to further ingrain the framework of digital sovereignty in international cyberspace governance, which will offer states more latitude in cross-border surveillance and further degrade protections for good-faith research and human rights.51 So as not to make the same mistakes again in UN negotiations, the secretary of state should designate the Bureau of Cyberspace and Digital Policy as the lead negotiator in future settings and ensure that other bureaus, as well as the U.S. mission to the United Nations, defer to cyber experts on issues of international cyber law. The White House should also nominate a new ambassador-at-large for cyber to lead the bureau, which has been without a Senate-confirmed appointee since the start of the Trump administration.
- Rally support behind the Budapest Convention and oppose the implementation of the UN cybercrime treaty: Russia, China, and their allies are portraying the UN cybercrime treaty as a replacement of the Budapest Convention, but Washington need not adopt this frame. Instead, the United States should continue to encourage additional countries to sign onto the Budapest Convention, emphasizing the longevity of the document and the plethora of non-European signatories. At the same time and in all relevant forums, U.S. diplomats should highlight the failings of the UN cybercrime treaty, contrasting its permissive attitude towards human rights abuses with the Budapest Convention’s strong protections.
- Reassert American opposition to authoritarian initiatives at the United Nations: A major takeaway from the treaty’s success is that Russia and like-minded countries perceive international organizations as key forums in which to rally support for and legitimize their efforts to reshape cyberspace.52 Petr Litvishko, deputy head of Russia’s international legal cooperation directorate, argued in 2024 that the cybercrime treaty represents “a new universal instrument at our disposal” to conduct what he described as “professional, intense and painstaking work to combat information crime” vis-a-vis “the block of ‘unfriendly’ states” — meaning the United States and its allies.53 This is the true intent behind the treaty. Washington should reassert itself as a voice of opposition in the General Assembly, and rally allies and like-minded parties to do the same.
Conclusion
Addressing cybercrime is critical in today’s interconnected world, but an international framework must be crafted with care to safeguard against abuse and protect human rights. The ongoing struggle for freedom of information stands as a formidable challenge to autocratic regimes, which depend on complete control of the information atmosphere. The entry into force of the UN cybercrime treaty is a failure of the United States and its allies to prevent authoritarian states from weaponizing international law for their geopolitical and ideological benefit.