The UN must engender greater consensus and collaboration if it wishes to respond effectively to the challenge of cybercrime. 

One of the earliest references to criminals taking advantage of the vulnerabilities inherent in networked computers can be traced back to the 1960s, when an expert from research organization RAND Corporation forecast that people would find ways to compromise, corrupt or steal data that computers were sharing. Policymakers were warned of the vulnerabilities in the technologies of the day, which were ‘unable to provide a secure system in an open environment’. These warnings turned out to be accurate.

Fast-forward almost five decades: computerized networks have been privatized and have gone global. Yet despite efforts to improve security in the intervening years, the vulnerabilities in the technologies persist, and at a scale unimaginable even just a decade ago. Anyone with a computer and a connection can steal stuff or scam online. Computer-dependent crime (or cybercrime) has become a lucrative business. Those who are technologically savvy are able not only to steal a lot of stuff, but also create a lot of disruption in the process.

According to the World Economic Forum, the cost of cybercrime to the global economy (in 2016) was estimated at $445 billion a year. Calculating the cost of cybercrime is not easy, and it is likely that this figure is an overestimate. However, even, say, a third of that figure would still amount to a significant sum in terms of its global impact.

Numerous entities – corporations, governments, multilateral organizations, specialized tech and law-enforcement bodies and financial organizations – are developing responses to cybercrime. Many of these efforts are informed by the ever-growing body of literature produced by academia and think tanks. Meanwhile, we spend billions trying to make tech products and services safer and more secure, yet the imbalance between those efforts and the pace of technological innovation is still significant. The potential for criminals to use Internet of Things-related vulnerabilities to cause harm is a case in point.

Current UN approaches to cybercrime

The UN’s normative bodies have been discussing computer-dependent crime since the term ‘information highway’ was coined back in the 1990s. The issue gradually made its way into the deliberations of the UN General Assembly, where discussions have focused on establishing a normative base to respond to computer-related crime and cybercrime. The World Summit on the Information Society Forum has also focused on the issue. These processes have been fitful, though, to say the least.

Tackling cybercrime requires much cross-border cooperation, including exchanges of information and intelligence. For this to happen, there must be trust between states, and between national institutions and industry actors. The question of a global convention to enable such cooperation and information exchange was discussed at the 12th UN Congress of the Commission on Crime Prevention and Criminal Justice (CCPCJ) in 2010. However, the congress revealed limited consensus among states on the most appropriate instrument to facilitate such cooperation. On the one hand, a number of states advocated ‘globalizing’ the existing Council of Europe Convention on Cyber Crime (also known as the Budapest Convention), which criminalizes certain forms of behaviour for individuals and includes norms for cooperation on law enforcement. This convention is seen as the most comprehensive instrument in place, has the highest number of states parties (53 to date), and is open for signature to non-members of the Council of Europe. However, some analysts have noted the difficulty of scaling up its procedural and cooperation commitments to a global level, as well as the comparatively high standards agreed upon in a European context, while others suggest it is becoming outdated. Many also agree it has become outdated in light of more recent technological developments, including the shift to Cloud computing, which creates additional challenges for law enforcement and cross-border access to data essential for criminal investigations. This latter concern is, however, being addressed through ongoing efforts to develop a new protocol to the convention that would enhance international cooperation on cybercrime and electronic evidence.

Meanwhile, other states, including the Russian Federation, the BRICS members and many other developing countries, have objected to signing a convention whose drafting they were not involved in, and to some provisions relating to cross-border access to data – to which they object on procedural and substantive grounds. Instead they have called, unsuccessfully to date, for the negotiation of a new instrument under the auspices of the UN.

The impasse at the 2010 CCPCJ resulted in a General Assembly resolution establishing an open-ended intergovernmental expert group to study the problem of cybercrime and international responses to it. The group has held four sessions to date, with the first resulting in a draft Comprehensive Study on Cybercrime produced by the UN Office on Drugs and Crime (UNODC) and the International Telecommunication Union (ITU). The comprehensive study provides a reference framework for member states on a number of issues relating to trends, legislation, law enforcement and investigations, electronic evidence and criminal justice, international cooperation and the role of the private sector. It has also served as a framework for the UNODC’s Global Programme on Cybercrime, established in 2013 to support member states in preventing and combating cybercrime ‘through crime prevention and criminal justice technical support’.

The reports from the second and third sessions of the CCPCJ expert group nonetheless reveal persisting disagreements among states on several fronts, including around cooperation between states, cross-border access to data and capacity constraints. Even though the number of states ratifying the Budapest Convention continues to grow, some continue to push for a new instrument.

Finding a way forward

Although the expert group remains a legitimate channel for dialogue among member states, growing tensions on a number of issues – some of them ICT-related, others not – mean that agreement on the issue within the UN is becoming harder to achieve. The UNODC (a UN System lead on cybercrime) is restricted by its mandate to providing a neutral platform for the CCPCJ expert group, and cannot itself develop an informed position on the best way forward. At the same time, it does engage with member states on the cybercrime-related challenges they face, helping identify entry points for law-enforcement cooperation and collaboration, and providing legal, technical and capacity-building assistance. But these efforts should be strengthened. In addition, the UNODC’s cybercrime repository could prove an important tool for comparative case law and for studying emerging precedent regarding the prosecution of cyber-dependent crime – if, that is, member states and other key stakeholders allocate the resources needed to strengthen and sustain the tool.

Some of these efforts are implemented in cooperation with other agencies, such as the ITU, which, in line with the World Summit on the Information Society Forum’s Tunis Agenda, provides legislative and technical support to member states.

The UN may be but one actor in the response to cybercrime, and a relatively small one at that, but every effort is important in responding to the challenges at hand and those looming on the horizon. One area where the UN may well be able to contribute more effectively is in placing greater emphasis on the links between ICT, crime and development, and working across sectors to identify the risks that can delay achievement of the global commitments laid down in the 2030 Sustainable Development Goals. This should include a focus on the other (linked) worrisome challenge: cyber-enabled crime, which has received much less attention than cyber-dependent crime, despite the detrimental societal effects it also produces.

Strengthening the links between ICT, crime and development will also require greater investment in capacity building and technical assistance, so as to build greater resilience against criminal behaviour. It will require making much stronger links at international and national levels between cybersecurity capacity building and technical assistance on the one hand, and the digital transformation agenda and existing governance challenges on the other. And it will require closer collaboration between member states and other key stakeholders to identify and prioritize areas where such efforts are most urgently required. The UN, in partnership with others (or vice versa), has the potential to promote or facilitate such an approach.

Finally, the UN secretary general, too, might prioritize these issues as he moves to strengthen the UN System’s response to the risks posed by existing and emerging technologies. To this end, he could promote greater focus on the crosscutting dimensions of cyber-enabled and cyber-dependent crime as they relate to the core pillars of the UN’s work (i.e. international security, development and human rights), tethering these efforts to the organization’s core values and principles. He can also promote and facilitate greater relations between UN System entities and other actors – specialized law-enforcement agencies, private-sector actors, technical associations, civil society and academia – that are key to shaping and implementing policy and operational responses in this area.

This is, admittedly, no easy task, especially if cooperation between and support from member states (both political and financial) is not forthcoming. But it is certainly one that could contribute to meeting the SDGs.