The United Nations is engaged in a landmark effort to establish a new global cybercrime treaty. The goal is laudable. Cybercrime does not respect borders, nor is it limited by them. And, as we have seen, cyberattacks that begin with one target can quickly spill into the broader digital ecosystem, causing widespread damage. But this initiative at the U.N., if not carefully crafted, could also serve as a vehicle for countries to criminally prosecute security researchers, technology companies, and others for activities that are essential to the overall security of our global digital community.

The estimated economic cost of cyberattacks is staggering and seems to grow each year. The expansion of the cyber insurance industry is a natural consequence as more companies look to protect themselves against these attacks. The damage wrought by cybercrime has a nontrivial human component too. When a cyberattack targets the healthcare industry, a common victim, the impact on individual lives is stark: prescriptions don’t get filled, surgeries are delayed, and an individual’s health can rest in the hands of a cybercriminal thousands of miles away and out of reach of local and allied law enforcement agencies. Innovative approaches to combating cybercrime, including drawing on all elements of geopolitical power, are needed if the international community hopes to put a dent in the seemingly unbounded growth of this malicious enterprise. But while the goal of increased global cooperation in the prosecution of cybercrime is worthwhile, current proposals from various countries, discussed during the summer’s Second Session of the U.N. Ad Hoc Committee, raise concerns.

As it currently stands, the most influential and important international cybercrime treaty is the Council of Europe Convention on Cybercrime, more commonly referred to as the “Budapest Convention.” That Convention was the first international cybercrime treaty and has been adopted by 67 countries, including Australia, Canada, Japan, the U.K., the U.S., and member states of the Council of Europe (a body whose membership includes the European Union’s member states as well as other countries). The goal of the Budapest Convention was to establish a global approach to cybercrime that would involve harmonizing national law, improving investigative abilities, and enabling international cooperation. Among other things, the Budapest Convention defined criminal offenses for cybercrimes such as illegal access to a computer system, fraud and forgery, and illegal data interception. While the Budapest Convention has been the subject of controversy over the years, including concerns that it undermines individual privacy rights, it is generally regarded as a useful instrument setting an international standard for addressing cybercrime.

In 2019, the U.N. General Assembly adopted a resolution that initiated a multi-year process of negotiating what could become a global cybercrime treaty more widely adopted and influential than the Budapest Convention. Negotiations for this treaty are wide-ranging and illustrate a lack of unanimity concerning what should be defined as “cybercrime.” Where some proposed crimes mirror the language and approach of the Budapest Convention, such as prohibitions against illegal access to a computer system, others include new provisions, such as those that criminalize the receipt of “any stolen computer resource.” The competing proposals also raise the specter of significant human rights concerns through sweeping definitions of criminalized conduct, especially since the countries driving the movement toward the new treaty are among those with the most restrictive laws concerning the free and open use of the internet.

While human rights concerns are the most significant danger in some of the proposals, they are not the only problem. Ironically, one of the potential flaws in many of the proposed crimes is that they may undermine the very goal of bolstering global cybersecurity. One of the notable ways this concern manifests is in the number of proposals calling for the criminalization of computer-enabled conduct without any requirement to show “intent.”

Intent is a common element in many global cybercrime legal frameworks, and in criminal law generally. The crimes outlined in Articles 2-11 of the Budapest Convention, such as illegal access, illegal interception, and data interference, each specify some element of intent as a prerequisite to the criminal prohibition. While some of the parties participating in the negotiation of the new U.N. Cybercrime Treaty have proposed cybercrimes that are consistent with the language of the Budapest Convention, many other countries have proposed crimes without any intent element. That is ill-advised and dangerous. For instance, with respect to the crime of “[c]omputer interference,” Proposal 5 from India states:

Each State party shall adopt such legislative and other measures as are necessary to establish as an offence under its domestic law, if any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network – (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network…

Another example is Egypt’s Proposal 1 for an offense relating to “[a]ttack on a site design,” which states:

Each State party shall also adopt such legislative and other measures as are necessary to criminalize the following acts:

The unlawful damaging, disruption, slowing, distortion, concealment or modification of the site design of a company, institution, establishment or natural person.

Where many proposals omit intent, other countries seek to maintain it as an important element of the proposed crimes in the new treaty. For instance, Canada’s Proposal 3 for an offense relating to “data interference” states that countries shall:

Establish as a criminal offence to, intentionally and without right, seriously hinder the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data.

When intent is removed from a criminal prohibition, it increases the likelihood that individuals who inadvertently produce certain effects through otherwise legitimate conduct will be subjected to the full weight of criminal prosecution and the threat of significant penalties, potentially including the loss of their freedom. This danger is well recognized in the field of cybersecurity. To be sure, much security research never implicates cybercrime laws at all, because it does not involve conduct that could be characterized as “interfering” with a system or circumventing security measures. But where the effects of research are less clear-cut, for example when a scan or test unexpectedly degrades a system, omitting intent as an element of the offense may criminalize that conduct regardless of what the researcher was trying to do.

By retaining the intent element in cybercrime laws, jurisdictions reduce the risk of discouraging or chilling the work of security researchers. Researchers who are legitimately acting in good faith should generally not have to worry about being prosecuted for inadvertent effects over which reasonable parties might debate whether they constitute “accessing” or “interfering” with a system. There should be no room for ambiguity.

Through its enforcement of the Computer Fraud and Abuse Act (CFAA), the United States itself has struggled to draw the line between legitimate computer research and criminal access to a computer system. In particular, in the case of vulnerability research, some identification and testing of vulnerabilities could, if inadvertently, cause effects that some might argue constitute “interfering” with a computer system in violation of the CFAA. This has led many critics to argue that vital cybersecurity research, including vulnerability research, is unnecessarily threatened by the specter of federal criminal prosecution. Many technology companies that offer cybersecurity services or products, as well as corporate security departments, depend on the ability to obtain and use actionable intelligence concerning cybersecurity vulnerabilities to protect their systems, the many consumers they serve, and the broader cybersecurity ecosystem. The importance of insulating “good faith” security researchers from cybercrime laws was recognized recently by the U.S. Department of Justice, which announced a new policy for federal prosecutors investigating potential violations of the CFAA. That policy explicitly discourages prosecutors from pursuing “good faith” security researchers for violations of the law. It is worth noting, however, that a charging policy of this kind is not a change to the statute: it guides federal prosecutors’ discretion but does not bind courts, state prosecutors, or private civil plaintiffs, which is why the intent element in the underlying law still matters.

To the extent any of the current cybercrime proposals that do not require intent survive in the final version of the U.N. Cybercrime Treaty, they could significantly alter the landscape for cybersecurity researchers, discouraging their work and potentially exposing them to criminal prosecution.

A new global cybercrime treaty, especially one that aspires to something closer to universal adoption in countries that are not parties to the Budapest Convention, could have significant positive effects on the fight against global cybercrime. An instrument that enables more extensive international cooperation in cybercrime investigations could mean, among other things, more favorable conditions for the extradition of cybercriminals from countries currently unwilling to extradite them. It could also shrink the number of “friendly” jurisdictions where cybercriminals can act with relative impunity. But when significant human rights concerns are coupled with blind spots that could endanger cybersecurity research, it is apparent that an international instrument that is not carefully crafted could have unintended consequences, including undermining the very purpose for its existence.


Photo: Third session Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, New York, Aug. 30, 2022.