UN and Cybersecurity: The Likelihood and Implications of a Global Cyber Treaty
by Kasek Galgal
“I think they are going to say I have committed grave crimes, I have violated the Espionage Act. They are going to say I have aided our enemies in making them aware of these systems. But this argument can be made against anyone who reveals information that points out mass surveillance systems” (Snowden, 2014). That is what Edward Snowden had to say when being interviewed by Glenn Greenwald of The Guardian, stating also that U.S surveillance was not something he was willing to live under (Greenwald, et al, 2013).
Edward Snowden is an American IT professional who worked as a cyber security contractor for the United States' National Security Agency (NSA) as well as their Central Intelligence Agency (CIA) (Cole & Brunker, 2014). During which time he had access to highly confidential information. Some of this information including that of the United States NSA having ongoing mass surveillance programs did not sit well with Snowden's views on privacy. Hence, in May 2013, he began revealing some of this information to renowned journalists; Glenn Greenwald, Laura Poitras and Barton Gellman (Cole & Brunker, 2014). His revelations were met with varied reception. Some calling him a champion of Internet freedom, others labeling him as a traitor for leaking state secrets. But in the grand scheme of things, how does this affect the global agreements on such issues as cybersecurity, cybercrime, cyber espionage and sabotage? Does it affect the likelihood of a global cyber treaty? And what implications will this cyber treaty have on international relations, the privacy of citizens and on the world as a whole?
In light of these recent developments, the International Telecommunications Union (ITU) (a member of the United Nations development group) Secretary General Dr. Hamadoun Touré had been quoted as saying that "It gives us an opportunity, and I keep saying let's build bridges" in an interview with Reuters (Miles, 2013). ITU is one of the world's respected organisations in terms of standards in ICT and its policing. Dr. Touré goes on to say that he had been calling for a cyber treaty for some time and that countries were reluctant to discuss the issue and would instead blame each other for attacks.
So what is this “opportunity” that Secretary General Touré was referring to? Well, as is the case with any form of espionage, mass surveillance and the like, no country wants to admit that they are involved in such activities. And cybercrime and espionage are no different. A constant game of denial and accusations ensues without fruitful discussion and without positive outcomes, as Dr. Touré explained (Miles, 2013). But now with the information being revealed by Snowden, it exposes the fact that the United States are involved in mass surveillance and are investing in activities that would constitute cybercrimes and that it is very likely that other countries are involved in similar activities. This puts everything in the open now and can allow for fruitful discussion on the issue as the facts state that politically motivated cybercrimes such as espionage is not a myth and positive outcomes such as a cyber treaty can be developed.
But what are the possibilities of a cyber treaty on cybercrime and cybersecurity? It is often stated that the cyber world is a mere reflection of the “real world”. Whether we like it or not, cyberspace is part of the real world as we know it. Thus, the crimes committed in cyberspace must be treated as real crime. “Traditional” espionage and sabotage have effects on a country's economic and political stability and the potential of sparking warfare. Thus there are treaties in place to prevent countries from spying and sabotaging. Cyber attacks and cyber espionage can also destabilise countries and have the same potential to create conflict. This begs the question whether or not efforts have been made to put in place such a treaty to prevent cybercrime and to ensure a level of cybersecurity for citizens. One may point to the Council of Europe Convention on Cybercrime as the leading international agreement on cybercrime and cybersecurity. But what impact has this convention had? And what implications has it had on current national and regional approaches to cybercrime and cybersecurity?
After four years of work, the Council of Europe drafted the Convention on Cybercrime on the 8th of November 2001. Later that month, on November 23, 2001, what is now known as the Budapest convention was open for signing (Keyser, 2002). There are currently forty-four states that have signed and ratified the convention which looks to harmonise national cyber laws in order to make the task of policing cybercrime more efficient on an international level (Council of Europe, 2014). Under the convention, countries who ratify must legislate a minimum list of nine acts such as online fraud and child pornography as criminal offenses. The convention also looks to put in place procedures and mechanisms that enhance international cooperation in the fight against cybercrime. The convention has won particular praise for its ability to avoid conflict and to overcome jurisdictional obstacles when investigating cybercrime (Robel, 2006).
Being the first of its kind in terms of international treaties dealing with cybercrime, the Budapest convention gained support from the Council of Europe's member states. However, the convention was not without its critics and its potential pitfalls. A particular issue may not be with the convention itself but with its adoption (Weber, 2003). With only forty-four states having ratified the convention, it is not a universally adopted convention. This doesn't actually solve the issue of jurisdiction. This allows cyber criminals to conduct their operations without much fear of the law in countries that have yet to ratify the convention. Countries without effective cybercrime laws and lacking enforcement can potentially become havens for cyber criminals. With notable countries which pose a cyber risk such as China, Indonesia and South Korea having not signed the convention, it could have an adverse effect on the global fight against cybercrime. Robel (2006) illustrates how this treaty can be circumvented by attacking a country like the United States by going through several countries outside the convention and attacking U.S offshore operations in a country that is also outside the convention. Dr. Touré of the UN's ITU is also known to express his reservations on the convention. He was reported stating that the treaty is now somewhat outdated and having most of the contribution toward the convention being from European countries (Harley, 2010). There have been reservations expressed by countries about some aspects of the convention. One such example is Brazil's concerns over certain aspects relating to the criminalization of intellectual property infringements (Harley, 2010). This certainly doesn't help the cause for a global cyber treaty to be put in place but a lot can be learned from this pioneering piece of work. Improvements can be made and better treaties can be drafted.
So the Council of Europe's Convention of Cybercrime may not be without its pitfalls as pointed out by numerous experts, but that does not mean there is no likelihood of a global cyber treaty. In relation to Dr. Touré's comments in a Reuters interview with regard to Snowden's revelations - “ It gives us an opportunity, and I keep saying let's build bridges” - as well as his reservation that the Budapest convention was drafted mostly by European states, I believe it is an opportunity for a larger global organisation such as his own ITU or the UN to take the lead with this proposed idea of a global cyber treaty. According to the same Reuters article that ITU are working closely with the UN Office on Drugs and Crime as well as with Interpol on how best to enforce laws in cyber space (Miles, 2013). Particularly after the UN had rejected a bid for an international cyber treaty back in 2010 (Ballard, 2010), I believe this is a step in the right direction. And the possibility of such a treaty may have just improved given the recent events and concerns raised.
As can be seen with other UN treaties such as their most ratified treaties in “The Vienna Convention and Montreal Protocols on Substances that Deplete the Ozone Layer” and the “United Nations Framework Convention on Climate Change” which have nearly Universal participation, it is possible for a the UN to garner more ratification for a treaty (United Nations Blog, 2012). So as stated earlier, one of the major issues in the pioneering work in the Council of Europe Convention on Cybercrime was the participation has managed to garner. More participation mean better harmonisation of national laws and better regional and global cooperation in policing cyber space.
In conclusion, the events surrounding the Snowden's revelations and the US NSA has made it clear that something has to be done about the growing issue of cyber security. Previous work done in the Budapest Convention have not been able to provide tangible results in alleviating the problem as we've seen. In support of what Dr. Touré's had to say, there needs to be a global cyber treaty put in place. And I believe the UN should be the ones to lead the way in this respect. It would have positive implications on regional and global efforts against cybercrime as the UN, from their record, would be better able to garner greater participation. Being a world-leading organisation, their treaties have more ratification and are adhered to better such as the widely adhered “United Nations Convention on the Law of the Sea”. Hence, the possibilities of having a global cyber treaty are improving, and if things keep going as they are, it may even be seen as a necessity.
References
Ballard, M. 2010. UN Rejects International Cybercrime Treaty Available at: http://www.computerweekly.com/news/1280092617/UN-rejects-international-cybercrime-treaty [19 December 2014]
Cole & Brunker. 2014. Edward Snowden: A Timeline. Available at: http://www.nbcnews.com/feature/edward-snowden-interview/edward-snowden-timeline-n114871 [19 December 2014]
Council of Europe. 2014. Convention on Cybercrime. Available at: http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG [18 December 2014]
Greenwald, Poitras & McAskill. 2013. Edward Snowden: US surveillance 'not something I'm willing to live under.' Available from: http://www.theguardian.com/world/2013/jul/08/edward-snowden-surveillance-excess-interview [11 December 2014]
- Harley, B. 2010 A Global Convention on Cybercrime? Available at: http://stlr.org/2010/03/23/a-global-convention-on-cybercrime/ [20 December 2014].
Keyser, M. 2002. Council of Europe Convention on Cybercrime, The. J. Transnat'l L. & Pol'y, 12, 287.
Miles, T. 2013 Snowden affair is chance for truce in cyber war: U.N. Available at:http://www.reuters.com/article/2013/07/15/net-us-usa-security-cybertruce-idUSBRE96E0L320130715 [14 December 2014]
Robel, D. 2006. International cybercrime treaty: Looking beyond ratification. Sans Institute Reading Room, 15.
Staff Writer, United Nations Blog. 2012. Most Ratified International Treaties. Available at: http://blogs.un.org/blog/2012/09/24/most-ratified-international-treaties/#sthash.je4fFVxF.dp