16 March 2023
Cybercrime and the fight against are no longer a niche topic: the economic repercussions alone are too high, costing the Federal Republic of Germany over 200 billion euros annually according to an estimate from the industry association Bitcom. However, other costs - such as the social and political issues that can aggravate domestic tensions or even fan international crises - are rarely at the forefront of discussions. In other words, cybercrime is a peace risk that concerns us all - far beyond the circle of experts – at the domestic and international levels.
Cybercrime and Societal Peace
Cybercrime does not produce a ‘Robin Hood effect’ within society. While it is true that a lack of economic prospects, especially during the pandemic, is a factor in the recruitment of cybercriminals, a redistribution of wealth did not take place, nor will it. On the contrary, ransomware or other forms of attacks are often being directed against hospitals, schools, local administrations and other public infrastructures. Moreover, rampant cybercrime can gradually call a state's monopoly on the use of force into question. When trust in a state's security organs dwindles, resource-rich actors sometimes resort to self-help. The debate on whether so-called private hack-backs should be legalised flares up repeatedly, even in established democracies. However, the risks of such a step would be immense. For example, private retaliation could thwart law enforcement investigations or it could lead to third parties suffering considerable damage as a result given the interconnectedness of IT hardware and software. So-called spill-over or cascade effects have been observed time and again in the past. One such case is the vast spread of NotPetya in 2017, causing an estimated 10 billion US dollars in damage globally.
Cybercrime and Interstate Peace
The example above already highlights the international dimension. Intrusion into foreign computer systems can serve very different purposes and be conducted by a variety of actors. Often, collateral damage is caused, which coupled with the difficulty of attribution, increases the risk of misinterpretation and unintended escalation. For example, criminal cyberattacks and private counterattacks can both be misinterpreted as state operations, especially in a climate of increasing geopolitical tensions. To avoid such escalations, geopolitical adversaries must also establish and apply crisis management mechanisms. Innovative proposals, such as a cyber equivalent of the Incidents at Sea Agreement from the time of the East-West conflict are on the table and worth examining.
At the same time, it is important to take action against state-supported or instrumentalised forms of cybercrime. For example, North Korea has systematically used criminal cyber operations to obtain foreign currency for many years, while Russia has been offering cyber criminals a "safe haven" as long as they seek their targets abroad. In the wake of Russia's war of aggression against Ukraine, the politicisation of the criminal underground has progressed even further, especially in Eastern Europe. This became visible, when criminal groups such as Conti or Killnet showed solidarity with the Kremlin, in some cases even taking active action against targets in Ukraine or the West. Reports also point to a division of criminal forums along geopolitical fault lines.
International coalitions, for example within the newly established International Counter Ransomware Task Force, aim to limit the manoeuvring room for of uncooperative regimes and their criminal proxies (so-called cyber proxies).
Requirements for the Cybercrime Convention
The current negotiations on a convention against cybercrime at the United Nations (UN) also offer an opportunity to expand the circle of cooperating states and to impede the jurisdiction hopping of cybercriminals. For example, homogeneous definitions of criminal offences as well as simplified and accelerated processes for data exchange could contribute to this. The expansion of technical and administrative assistance for weaker states also plays a role in the negotiations.
Nevertheless, an interim assessment from the perspective of peace studies is ambivalent. It is no coincidence that the initiative for a UN convention came from Russia and other authoritarian states. One presumed impetus was the weakening of existing cooperation mechanisms, especially the Council of Europe's Convention on Cybercrime. Another could be authoritarian states seeking to legitimise excessive powers and repressive practices by security agencies. For example, an early Russian draft treaty as well as proposals from authoritarian regimes aimed to criminalise the dissemination of or support for allegedly "extremist" or "terrorist" content. The surveillance and imprisonment of opposition bloggers, human rights activists or LGBTQIA+ communities is already justified in many regions by reference to such vague powers.
In this context, it cannot be stressed enough that the principles defined in the Convention concern far more than ‘just’ cybersecurity policy, for example in the storage and interstate exchange of digital evidence. After all, almost every offence nowadays leaves digital traces. It is therefore all the more important that human rights obligations and procedural standards based on the rule of law are enshrined in the draft treaty. In addition, it must be a matter of ensuring compatibility with the existing Budapest Convention against Computer Crime.
Only if these preconditions are met can the convention as a whole make a contribution to peace inside and outside of cyberspace instead of itself becoming - even if only indirectly - a risk to peace.