Russia has put forward a draft convention to the United Nations ostensibly to fight cyber-crime.
The proposal, titled "United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes," [PDF] calls for member states to develop domestic laws to punish a far broader set of offenses than current international rules recognize.
Russia, the ransomware hotbed whose cyber-spies were blamed for attacking US and allied networks, did not join the 2001 Budapest Convention on Cybercrime because it allowed cross-border operations, which it considers a threat to national sovereignty.
Russian media outlet Tass also said the 2001 rules are flawed because they only criminalize nine types of cyber offenses. The new draft convention from Russia, submitted last week, defines 23 cybercrimes for discussion.
Russia's proposed rule expansion, for example, calls for domestic laws to criminalize changing digital information without permission – "the intentional unauthorized interference with digital information by damaging, deleting, altering, blocking, modifying it, or copying of digital information."
The draft also directs members states to formulate domestic laws to disallow unsanctioned malware research – "the intentional creation, including adaptation, use and distribution of malicious software intended for the unauthorized destruction, blocking, modification, copying, dissemination of digital information, or neutralization of its security features, except for lawful research."
It would forbid "the creation and use of digital data to mislead the user," such as deep fakes – "the intentional unlawful creation and use of digital data capable of being mistaken for data already known and trusted by a user that causes substantial harm."
The proposal also contemplates a broader basis for extradition by stating that, where allowed by domestic law, the listed cybercrimes should not be considered "political offenses" (mostly exempt from extradition under current international conventions).
The United States looks forward to an open, transparent, and inclusive process for considering this new global treaty
The Biden administration has called for improved cybersecurity and, following the recent US-Russia Summit, may be inclined to engage with Russia at the UN to modify the language of the proposal so that it's compatible with US norms and policy goals.
“UN member states are beginning negotiations towards a new global treaty to combat cybercrime, which should take into account and preserve existing international agreements,” a US State Department spokesperson told The Register in an email.
“That process is still in a nascent stage and states only recently established the procedures and rules for treaty negotiations. The first negotiating session on the substance of a new treaty will take place in early 2022.”
“The United States looks forward to an open, transparent, and inclusive process for considering this new global treaty. This submission from the Russian Federation is one of many anticipated contributions by member states to this process.”
- Biden warns 'real shooting war' will be sparked by severe cyber attack
- Biden to Putin: Get your ransomware gangs under control and don’t you dare cyber-attack our infrastructure
- G7 nations call out Russia for harbouring ransomware crims ahead of Biden-Putin powwow
- Us? Pwn SolarWinds? With our reputation? Russian spy chief makes laughable denial of supply chain attack
Via Twitter, Dr Lukasz Olejnik, independent cybersecurity researcher and consultant, noted that the draft convention disallows online communication calling for "subversive or armed activities directed towards the violent overthrow of the regime of another State," and requires service providers to provide "technical assistance," which generally means providing a backdoor for authorities.
"It's another attempt in the longer history of such projects attempted for submission by Russia," said Olejnik, a former cyberwarfare advisor at the International Committee of the Red Cross in Geneva.
Russia, he said, has been consistently submitting proposals of this sort for a while, pointing to a similar draft from 2011.
"This new proposal is particularly large, basically a complete proposal for a cybercrime or cybersecurity treaty," said Olejnik. "While it is clear that cybersecurity is among the top agenda items in domestic and international policy (think the recent Biden-Putin meeting in Geneva as a good example), the proposal has a number of contentious items that would be rather hard to swallow for many Western countries and societies, in particular clauses such as those that would potentially curb freedom of speech, expression or press."
Olejnik said the draft rules call for technical backdoors in network systems, network wiretapping capabilities, and potential technical censorship.
Where Western countries are concerned with "cybersecurity," he said, Eastern countries tend to focus on "information security," which often encompasses the press and social media.
"I don't think that the project stands a particularly significant chance, at least as of today, but with the political process of the UN, who knows what happens in a few months," said Olejnik. ®
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Federal government of the United States
- Government of the United Kingdom
- Identity Theft
- Palo Alto Networks