A new cybercrime treaty Russia presented to the UN signals once again that the regime won’t help clamp down on attacks.
AT THE END of June, just before the White House scrambled to respond to another ransomware attack from Russia, Moscow presented a new international cyber treaty in the United Nations. Moscow has tightened its grip on the internet domestically for years, and has recently pushed for a sovereign internet. While the Russian government’s internet strategy and policies are often misunderstood in the West—based on the false assumption that Putin’s hand moves everything in Russia—this focus on state dominance has remained crystal clear. But as the Biden administration moves to confront the growing ransomware threat from Russian cybercrooks, the new treaty underscores just how unwilling the Putin regime is to cooperate.
The crux of the 69-page document is hardly shocking: The Putin regime is continuing its battle for a more closed, state-controlled internet. Newly significant, however, is that it follows the passage of a new UN cyber agreement by Moscow (and Beijing and other authoritarian governments) in December 2019. Then, the Russian government capitalized on both surging calls for “cyber sovereignty” and the Trump administration’s undermining of American cyber diplomats to garner wide support from longtime backers of an open global internet. What followed was the creation of a UN committee tasked with considering a new cyber treaty—one meant to replace the Budapest Convention on cybercrime that Moscow has long opposed.
Russia’s treaty, awkwardly titled the Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, is nominally about cybercrime, but the word “cybercrime” means something very different to the Putin regime than to Washington or Berlin. In the West, “information security” is used interchangeably with “cybersecurity,” generally referring to the confidentiality, integrity, and availability of systems, networks, and data. For the Russian government, information security is far more expansive, wrapping the security of the Putin regime, the state’s control over information flows, and the “stability” of Russian society into a single concept. When dozens of countries back Russia’s call for information security, then, it constitutes a push for greater state censorship and internet control around the world.
The definition of crimes is equally problematic. For a regime that wields all manner of violence against people challenging or resisting it—including murder, kidnapping, police brutality, and jailing—“internet crimes” are merely any online actions that scare the Kremlin or threaten Putin’s hold on power. Russia already has many laws to censor tech companies and punish individuals sharing what it deems “false information.” The treaty’s anti-cybercrime language extends Moscow’s push for greater top cover for internet repression. References to “terrorism” fall into the same bucket, given the state’s long-standing use of terms like “counterterrorism” and “counterextremism” to suppress dissent. The treaty contains incredibly broad definitions of terrorism that include unlawful acts motivated by political or ideological “hatred,” establishing a pretext to crack down on opposition.
The treaty also brandishes many other familiar rhetorical tools of the Russian regime: references to state sovereignty and nonintervention in other countries’ domestic affairs, which Putin continually stresses—usually in bad faith—as important to Russian security; vague definitions of computer operations that impact the “security of information”; surveillance-expanding calls for companies to archive user data and intercept online traffic; and cynical lip service to human rights.
Russia’s December 2019 feat in the UN might give the new treaty stronger legs than it would otherwise have; states voted to establish a new committee to weigh a cyber treaty, and Moscow has now presented such a document. It’s an open question whether the previous agreement’s many backers will support it. It also remains to be seen whether Biden can marshal diplomatic resources to successfully fight it.
But it also portends that Putin’s regime has very little, if any, intention of cooperating with the US on cyber issues. Biden and Putin agreed in June to hold future conversations on cybersecurity, and the White House appears keen on using these meetings as a venue to spotlight American “red lines” in cyberspace that Moscow shouldn’t cross. The Kaseya ransomware attack launched over the July 4 weekend catalyzed calls for a strong US response, and Biden called Putin and pressed him to stem the attacks coming from within Russia. There has been little word from Washington since.
The new cyber treaty, though, conveys a sense of commitment to the same old lack of cooperation. It purports to advance common ground between countries on cybersecurity, while the meaning of “cybersecurity” itself isn’t even agreed upon. It promotes a broad range of requirements for technology companies under the guise of increasing stability in the cyber realm, when in reality it would encourage greater state censorship, surveillance, and control of the internet where countries are seeking more top cover to do so. It does all of this in an effort to replace the Budapest Convention on cybercrime, a treaty already passed by an international body of countries to which Russia belongs.
The treaty also has language on extraditing cybercriminals, which the Russian government—beyond its human rights dangers, per the Kremlin’s definition of “crime”—uses to rip the rug out from under US-Russia cyber talks. Following the Geneva summit, for example, Putin told a state news agency that, yes, of course, Russia is willing to discuss extraditing cybercriminals to the United States—so long as the US does the same. Russia’s new UN treaty similarly lays the groundwork for Russia, China, and other signatories to claim that critics, dissidents, and expats in other countries must be extradited for upsetting those in power through the internet. Moscow might also have more reason to claim that certain kinds of espionage operations through cyberspace are in fact crimes that should be prosecuted.
There was never much wiggle room to negotiate with Putin. Russia’s new proposal for an international cyber treaty attempts to freeze any wiggling, and shows that no matter how harmful Russian state cyber behavior or how dangerous the government’s cyber proposals, Russian officials will still go on record lauding their “responsible approach to cybersecurity issues.”