Broad stakeholder group inserts itself in looming UN cybersecurity talks

The United Nations emblem hangs above the podium in UN General Assembly Hall at the United Nations Headquarters on Sept. 24, 2021, in New York City. The UN formally rejected requests from 32 different entities including Microsoft, Meta, Oracle and cybersecurity nonprofits, to be accredited members of a state-led working group on cyber norms. (Photo...

A group of more than 50 stakeholders — ranging from major technology firms to think tanks and advocacy groups — cosigned a letter to the United Nations Wednesday pushing back against a Russian extreme in coming cybersecurity treaty talks.

At face value, talks on a proposed treaty, titled "countering the use of information and communications technologies for criminal purposes," may seem like a universal benefit. International cooperation on cybercrime, including in extradition and in nations not harboring cybercriminals, is a major sticking point in handling ransomware. To have a bill underscoring the importance of cooperation agreed to by Russia would seem like a major step forward.

But the signatories of Wednesday's letter, nicknamed the "Multistakeholder Manifesto," say that the bill is artfully worded to legitimize human rights violations on the internet, confound ransomware negotiations between the West and Russia, and avoid a substantial impact on the cybercrime that countries and victims are looking to prevent.

"Just given the stakes into what Russia has proposed, it was important that those groups speak up," said Klara Jordan, chief public policy officer of the CyberPeace Institute, a signatory of the manifesto. "The industry sees the threat to the open and free internet and the civil society sees a threat to human rights and fundamental freedoms and the victims of cybercrime."

Other signatories include Microsoft, Hitachi, SAP, the Cybersecurity Tech Accord — itself a multistakeholder group — the Cyber Project at Harvard's Belfer Center, the Center for Democracy and Technology, the Silverado Policy Accelerator, the Institute for Security and Technology, as well as civil society groups from Asia, South America, Europe and Africa. Several cybersecurity companies, all of which had a particularly busy year with ransomware, signed on as well, including Dragos, F-Secure, and ESET. Personal signatories include Christopher Painter, the former top diplomat in cybersecurity at the State Department, and internet pioneer Vint Cerf.

The path to get to negotiations was itself fraught with controversy. Russia and China have long pushed back against the Budapest Convention on Cybercrime, of which the United States is a signatory, claiming that the convention interferes with state sovereignty. Russia and China advocate for more permission to criminalize information that may work against a government's interest, something critics note is suspiciously similar to the justifications used for those countries' broad attacks on internet freedom and online dissent.

In 2019, a coalition of countries led by Russia passed a UN resolution to create a study group for a treaty to usurp the Budapest Convention, resulting in the proposal being discussed in January. The proposal contains the same kind of information control and sovereignty language Moscow has wanted for a while.

While the treaty addresses issues like extradition, Jordan said it does not do so in a way that would effectively address recent U.S. demands for Russia to investigate and extradite its international cybercriminals.

"The execution provisions are so detailed that they will allow states to refuse to take action on so many grounds. It will be almost impossible to get someone extradited," she said.

The issues related to nations harboring criminals need more than just new parameters for extradition to solve, said Jen Ellis, vice president of community and public affairs at Rapid7, another signatory of the manifesto. There is a needed element of proactively investigating crime and prosecuting it without the need for extradition.

"The first step is to identify the difference between nations that can't prosecute, and those that won't prosecute," said Ellis. The one may need international assistance, the other may need encouragement to start. But both, she said, might need to create the kinds of infrastructural rules that assist in investigations, for example, forcing cryptocurrency exchanges to abide by know-your-customer laws.

The manifesto puts forth a series of requests for negotiators to consider in January, starting with putting victims at the center of any finalized treaty rather than an abstract concept of cybersecurity. It asks negotiators not to diminish pre-existing international agreements (like the Budapest Convention), undermine a free internet, or allow vague descriptions of crime to couch human rights abuses. It also calls for increased global collaboration on the issue, including with outside stakeholders.

It is critical to get the negotiations right, said Jordan, because so many countries will use international agreements as the basis for their own laws — including nations with fragile democracies.

"It really comes down to the fragility of the emancipation of individuals in the exercise of human rights," she said. "That is the real risk."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
