International Agreements—and Disagreements—on Cybersecurity

Russian media report here and here that Russia and China are preparing to sign a cybersecurity treaty when Vladimir Putin visits China on November 10. The reported agreement would be the latest addition to the increasingly complex landscape of international agreements related to various aspects of cybersecurity—an area that in recent months has also added an African Union treaty and a NATO declaration. The long-term effect of the bilateral and regional agreements is unclear: they could pave the way for broader multilateral treaties or less formal agreements, or they could entrench opposing views and thereby make broad international agreements more difficult. The most likely outcome may be somewhere in the middle.

The details of the Russia-China treaty are sketchy. Media reports indicate that the treaty would allow Russia and China to develop “joint projects and conduct[] joint cybersecurity operations” and to cooperate on “information security.” “Information security” typically refers not just to the security of systems and networks, which is what the United States and other countries mean in using the term “cybersecurity,” but also to regulation of information content. For example, a Shanghai Cooperation Organization agreement on “Cooperation in the Field of Information Security,” signed by China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan in 2008, lists as a major international information security threat the “[d]issemination of information harmful to the socio-political and socio-economic systems, spiritual, moral and cultural environments of other States.”

With the exceptions of the Shanghai Cooperation Organization agreement and, most importantly, the Council of Europe Convention on Cybercrime (or Budapest Convention), cybersecurity has been a rather agreement-poor area. But the new Russia-China agreement will be the latest in an increasingly long list of recent cybersecurity-related agreements.

In June, the African Union (A.U.) adopted the “African Union Convention on Cyber Security and Personal Data Protection.” The Convention addresses e-commerce and personal data protection, but also cybersecurity and cybercrime. It commits A.U. member states to develop national cybersecurity policies and to adopt criminal legislation to address, for example, attacks on computer systems and data breaches. It also, however, addresses information content. The Convention requires states to adopt criminal provisions regarding computerized production and dissemination of child pornography. Other provisions—more controversial for U.S. audiences accustomed to the scope of U.S. First Amendment protections—require criminalization of computerized creation and dissemination of “racist or xenophobic” ideas, discriminatory threats or insults, and expressions of denial, approval, or justification of genocide or crimes against humanity.

In September, NATO endorsed an “Enhanced Cyber Defence Policy,” building on its 2011 “Policy on Cyber Defence.” In a declaration accompanying a meeting of heads of state, NATO affirmed that “international law, including international humanitarian law and the UN Charter, applies in cyberspace,” and clarified that “a decision as to when a cyber attack would lead to the invocation of Article 5 [governing collective defense] would be taken by the North Atlantic Council on a case-by-case basis.” (See paragraph 72 of the declaration.)

The long-term impact of the proliferation of regional agreements on prospects for an overarching international cybersecurity treaty is not entirely clear. On the one hand, development of a number of agreements could help build toward a broad international consensus: groups of states could agree on the same positions seriatim, or if a series of agreements come to differing conclusions, then at least bargaining positions would be clearer for purposes of negotiating a broad multilateral treaty. On the other hand, regional agreements could lock states into divergent positions and render subsequent compromise on a single international agreement more difficult. The recent agreements may be heading in this direction by entrenching the Russian-Chinese view of the importance of “information security” (as opposed to the U.S.-European Union emphasis on “cybersecurity”) and establishing an A.U. position in support of criminalizing expression that would violate the U.S. First Amendment.

The most likely outcome may be somewhere in the middle.

As I explore in more detail in a forthcoming article, specific issues may be ripe for broader international agreements. For example, although A.U. member states have generally refrained from joining the Budapest Convention (A.U. member Mauritius is an exception), some of the cybercrime provisions of the new A.U. agreement suggest overlap with the Council of Europe and could form the basis for a broader treaty in the future, despite potential disagreements over particular questions, like treatment of computer-based racist speech. For its part, the United States has advocated harmonization of cybercrime laws across countries specifically by encouraging countries to ratify the Budapest Convention, as the United States and a handful of other non-Council of Europe countries have done. The development of a competing regional cybercrime treaty may cause the United States to reconsider its insistence on the primacy of the Budapest Convention and to look more favorably on the possibility of a new, truly international cybercrime treaty that would span regions.

In contrast to the potential consensus developing on cybercrime, the disagreements over the questions of cybersecurity and sovereignty are more fundamental and render broader international agreements less likely. China and Russia’s conception of “information security” leads them to advocate for a sovereignty-focused governance model that is antithetical to the multistakeholder, bottom-up approach that the United States and European states have advocated. Regional agreements that entrench these fundamentally different approaches are more likely to be hindrances, rather than stepping stones, to broader future agreements. However, regional agreements like the NATO declaration may nonetheless provide helpful clarity about how particular countries and their allies view specific behaviors in cyberspace and how they will respond to cybersecurity incidents. In other words, although conflicting regional agreements may not foster broader agreement, they may at least help to promote clarity and avoid conflict. 

About the Author(s)

Kristen Eichensehr

Assistant Professor at UCLA School of Law, Affiliate Scholar at Stanford Law School's Center for Internet and Society, Former Special Assistant to the Legal Adviser of the U.S. Department of State Follow her on Twitter (@K_Eichensehr).