By Liliya Khasanova

Context

The United Nations Cybercrime Convention was adopted in December 2024 by the General Assembly, marking a significant milestone as the first global convention under UN auspices to counter the use of information and communications technologies (ICTs) for criminal purposes. The Convention will open for signature in Vietnam this year and will enter into force 90 days after being ratified by the 40th signatory. 

According to the latest reports, the worldwide costs inflicted by cybercrime are expected to reach $10.5 trillion in 2025. Cybercriminals are also increasingly leveraging AI, with a reported 1,200% rise in malicious bot activities. 

There are at least four other regional instruments that were developed in the past twenty-five years: the Budapest Convention on Cybercrime (2001) - developed under the Council of Europe (46 states) but open for global adoption; the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014); the League of Arab States Convention on Combating Information Technology Offenses (2010); the Agreement on Cooperation in the Field of International Information Security (2009, updated in 2018). All of them have slightly different approaches that eventually played out in the negotiation of the UN Cybercrime Convention. 

The UN Cybercrime Convention covers a broad range of offenses, including cyber-dependent crimes (like interfering with electronic data and ICT systems, misuse of devices) and cyber-enabled crimes (such as fraud and child sexual abuse). Introduced initially by Russia in 2019, it emphasizes state sovereignty and incorporates a more state-centric approach, leaving some generous space for discretion. The UN Cybercrime Convention limits international cooperation to serious crimes punishable by at least four years of imprisonment, as compared to any crimes in the Budapest framework. However, the UN Convention has a broader scope, expanding cooperation to areas like crime prevention and asset recovery, and including provisions from the UN Convention against Transnational Organized Crime and the UN Convention against Corruption. It also opens up cooperation with states that were not part of existing regional frameworks.

Given ongoing geopolitical tensions and the fragile state of multilateralism, reaching a consensus on the draft was a major achievement. Until the final moments, a successful outcome seemed unlikely. Controversies over key provisions required states to make concessions, resulting in a consensus draft accepted by all. Yet, consensus means compromise, and none of the major players were fully satisfied with the outcome. I described some of the reactions to the Convention in detail and discussed whether a ‘bad’ agreement is better than no agreement in my recent post.

The U.S. stance on the convention has fluctuated throughout the five years of negotiations. In some ways, it resembled a cycle of acceptance—a pattern of responses to the significant changes that involve radical shifts in one's behaviour and expectations. Initially, the United States fundamentally rejected Russia’s proposal of a global convention, then actively campaigned against it, before eventually entering the bargaining phase and ultimately offering conditional acceptance. The analysis below shows the evolution of the U.S. stance in cybercrime negotiations amid shifts in power dynamics. 

Denial Phase: ‘No Consensus is Possible’

In 2019, when Russia, supported by 17 other countries, proposed to create an ad-hoc committee to elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, the prospects for the success of the negotiations were gloomy. The proposal came about at a time when there was a strong divergence in understanding of how exactly existing international norms apply in the ICT domain and how they should be developed. The two parallel processes under the UN, the Open-Ended Working Group (OEWG) and the Governmental Group of Experts (GGE), were a clear indication that countries diverge on procedural and substantial issues related to norm negotiations. This initiative aimed to create a comprehensive international framework to address cybercrime, reflecting Russia's longstanding advocacy for a state-centric approach to internet governance. The United States, the European Union and other like-minded states strongly opposed the proposed convention and were reluctant to engage fully in early discussions. 

In Western academia, the Cybercrime Convention debate was mostly considered chimeric, with no chance for success. A strong pushback to the idea of a global cybercrime convention under the UN framework was explained by concern that a new treaty might weaken the existing framework by allowing authoritarian states to create a system they can abuse. The reaction was also driven by the opinion that the existing agreements under the Budapest Convention on Cybercrime (2001) were sufficient. 

Anger Phase: ‘Consensus on Given Terms is Impossible’

The proposal to create an ad-hoc committee went through the Third Committee vote and was established by the General Assembly by a recorded vote of 88 to 58, with 34 abstentions, with most of the like-minded states voting against it. As negotiations continued, Western nations expressed frustration over proposals by Russia and allied states (including China), which seemed to prioritize state control over cybersecurity at the expense of individual freedoms by enabling surveillance and suppressing dissent. 

Academic and civil societies raised strong criticisms of the articles and of the extended list of offenses that included, for example, the dissemination of false information online. An op-ed from the CyberPeace Institute described the treaty as "a Trojan horse for censorship and authoritarianism". Nick Ashton-Hart, representing the Cybersecurity Tech Accord - which includes companies like Meta, Microsoft, Salesforce, and Oracle - remarked, "it's not a Trojan Horse, it's a Russian horse, and it always was," highlighting apprehensions about the treaty's origins and potential misuse by authoritarian regimes.

Bargaining Phase: ‘Consensus on Our Terms Might be Possible’

Frustration and concern over the dominance of authoritarian voices in shaping the treaty, as well as global support to attempt to regulate growing rates of cybercrime, pushed Western states into an inevitable negotiation process. Realizing that the convention was moving forward with international support, Western states stepped up their engagement, proposing amendments and pushing for additional safeguards. 

Several key goals were at the center of the negotiation strategy. First, limiting the list of offenses to prevent it from infringing civil liberties, so exclude offenses such as disinformation, cyber-enabled terrorism and political extremism, aligning it closer to a limited, ‘more technical’ framework like that established by the Budapest Convention. Second, negotiating the language on controversial topics like surveillance and the possibility of cross-border data access in investigations. Third, ensuring the inclusion of provisions for transparency, accountability, and capacity building. Over the past few years of negotiation, the divide and confrontations over fundamental issues—including human rights safeguards—were so deep that many believed the negotiations were destined to fail.

Conditional Acceptance: ‘Consensus on Our Terms Will be Possible’ 

By the final stages, like-minded states, including the U.S., accepted the treaty as a reality but emphasised that its success would depend on implementation and future amendments. Despite persisting concerns and calls to boycott the convention from various advocacy groups: tech companies, civil society, and members of Congress (6 Democratic senators), the text of the convention was adopted by the ad-hoc committee in August 2024 and by the General Assembly on December 24 without a vote. The U.S. explained its position by the need for future strategic engagement with allies and civil society to improve and refine the framework over time, as well as push back “on any efforts to enable misuse or abuse on any subsequent protocols”. Hence, rather than rejecting, participation allows it to keep its foot in the door to shape implementation and future revisions.

Conclusion

Sometimes, consensus is the only viable path forward to build momentum on issues requiring global cooperation. The pressing need for cooperation against malicious cyber activities helped bring the Cybercrime Convention negotiations to a close. For like-minded states that initially resisted the initiative, the realization eventually set in: engagement in the process was unavoidable. While the final text did not fully align with their vision, partial success in negotiations and, most importantly, the need for future strategic influence, convinced many to support it.

This divergence reflects shifting dynamics in agenda-setting within the cyber domain, a realm that is inherently global. More than that, the process exposed deeper fractures in the international community and underscored how shifts in power dynamics and trust can shape international law. Ultimately, the real test for the Cybercrime Convention’s momentum lies ahead: whether it will evolve into a robust framework for cooperation or serve as a tool for contesting competing governance models.

Cybercrime is by Alpha Photo and is licensed under CC BY-NC 2.0.