UN Cybercrime Treaty: Why Is the Tech Industry up in Arms?

The treaty enters its final vote in December following US approval, but articles in the convention still have many in the tech industry concerned

As the world becomes increasingly digital, the opportunities for progress are seemingly limitless. 

Businesses, governments, and individuals alike benefit from enhanced efficiencies, global connectivity, and the rapid exchange of information. 

However, this digital transformation has also brought with it an unprecedented rise in international cybercrime, and addressing these challenges requires cooperation on a global scale.

Against this backdrop, the United Nations (UN) has introduced its first cybercrime treaty, aiming to establish a framework for tackling the growing threat. 

Although the Biden administration in the US has only just given its consent, the treaty has sparked significant debate, particularly within the tech community, over passages concerning cybersecurity research.

The genesis of the Cybercrime Treaty  

The treaty traces its roots back to a General Assembly vote in 2019, when Russia challenged the existing Budapest Convention, calling for a new framework to address cybercrime. 

This is the second attempt to finalise the treaty by reaching agreement on the key sticking points that have divided states for over two years on the approach, content and wording of this legal instrument.


In the end, Iran called for votes in an unsuccessful bid to have certain items that safeguard human rights removed. All were defeated, and the convention was adopted. The treaty now heads to the 2024 General Assembly for adoption, and can then be ratified by governments.

Although Iran’s efforts were defeated, the resulting text still gave little to celebrate, as it remains riddled with many issues of contention.

One such issue is central to the treaty: the ability to collect and share electronic evidence to combat crimes committed through digital systems. Countries can compel service providers to cooperate in investigations and exchange data across borders.

Why tech companies are tentative

The tech sector has been particularly vocal in its criticism. The Cybersecurity Tech Accord - a global industry group representing more than 157 large tech companies, including Microsoft, Meta, Oracle, Cisco, Salesforce, Dell, GitHub, HP and more - has warned of the treaty’s potential to criminalise legitimate cybersecurity research.

“In the age of AI, where safety and resilience rely heavily on research, criminalising such work is deeply problematic,” Nick Ashton-Hart, Tech Accord’s Head of Delegation to the Negotiations, explained. 


This is because the treaty has broad and ambiguous language that can stop hackers, regardless of intent.

By criminalising unauthorised access to computer systems without distinguishing between malicious actors and ethical hackers, it could expose security professionals to legal repercussions even when their actions aim to enhance security.

Moreover, the treaty's prohibition on intercepting non-public data transmissions fails to recognise the necessity for security researchers to validate vulnerabilities. 

Similarly, its stipulations against manipulating or deleting data could be misapplied to legitimate practices like penetration testing and red-teaming, which are crucial for identifying weaknesses.

The treaty also enables broad electronic evidence collection for serious crimes, raising fears of unchecked state power.  

“They are choosing to believe that a bad treaty is better than no treaty. In reality, the UN Cybercrime Convention would undermine cybersecurity, particularly by casting or creating a more uncertain legal framework for security research,” Nick said.

US representative to the UN Jonathan Shrier acknowledged the risks but insisted that robust domestic safeguards could mitigate misuse. 

What comes next for cybersecurity?

As the treaty heads to the General Assembly for a final vote in December, its adoption appears likely, but its future will depend on how nations implement its provisions.

The treaty encourages signatories to recognise the contributions of legitimate security researchers, provided their activities are intended to strengthen and improve security to the extent permitted by law. 


While the treaty aims to address an urgent global problem, its flaws highlight the complex interplay between security, privacy, and human rights in the digital age.

In the face of escalating cybercrime, the UN Cybercrime Treaty represents an ambitious step towards fostering global cooperation against digital threats.

However, the tech industry’s concerns underscore a critical tension: how to balance the need for robust security with the protection of legitimate research and innovation. 


Cyber Magazine is a BizClik brand
