Formation of an International Legal System for Countering Cybercrime: from Terminology to the Draft Universal Convention

Gorelik Il'ya Borisovich Postgraduate student, Department of International Law, Diplomatic Academy of the Russian Foreign Ministry 119021, Russia, Moscow, Ostozhenka str., 53/2, p. 1 gorelik.ilya@yandex.ru Other publications by this author

 In modern realities, cybercrime is one of the most acute problems that pose a significant threat both to individual States and to the entire international community as a whole.

Despite the active cooperation of States and international organizations, the problem of cybercrime is still very controversial. This circumstance is largely due to the fact that such criminal acts have become a fundamentally new phenomenon, for which neither national legislation nor international law were initially fully prepared.

The process of forming an international legal system for countering cybercrime at its very first stages faced a number of difficulties. One of these was the problem of terminology. So, there are many different definitions for cybercrime. Here are some of the known options.

At the Tenth UN Congress on the Prevention of Crime and the Treatment of Offenders, the issue of cybercrime was discussed separately. According to the Report published on the results of the work carried out within the framework of the Congress, the participants developed the term "computer crimes", covering two main aspects of such crime:

1) new types of crimes for which computer devices, their networks and users act as objects of a criminal act;

2) "traditional" forms of criminal acts for which the mentioned computer technologies act as a tool or means of committing ^[4].

Another example of the definition of cybercrime is the definition referred to by the International Telecommunication Union in its document "Understanding Cybercrime: A Guide for Developing Countries". The above definition states that cybercrimes are "actions through computers that are either illegal or considered illegal by some parties and that can be committed using global electronic networks" ^{[9, p. 17]}.

In addition, in the context of the problem under study, it is also possible to pay special attention to the somewhat less common, but much broader term "technotronic crime". According to Evdokimov K. N., this phenomenon is "a set of interrelated and forming a single integrity of socially dangerous acts committed by persons using computer, information and telecommunications, cognitive, space, robotic and other high technologies in a certain territory for a certain period of time, where the main object of criminal encroachment are specific public relations in the field of safe creation, the use and dissemination of high technologies" ^{[5, p. 16]}.

If we study the legislation of Russia, it turns out that the term "cybercrime" is not used at all in Russian regulatory legal acts. Thus, according to the title of the 28th chapter of the Criminal Code of Russia, such criminal acts are designated as "crimes in the field of computer information" ^[14]. If we talk about Russian law-making in the field of international law, we can mention the Draft UN Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes developed by Russia ^[10]. Neither the Criminal Code of the Russian Federation, nor the said Draft, nor any other national legal acts of Russia or international legal initiatives contain definitions for the terms "crimes in the field of computer information", "use of information and communication technologies for criminal purposes" or any other synonymous in meaning. On the other hand, the very wording of these terms makes their semantic meaning quite clear.

In search of a definition of the term "cybercrime", it would be logical to turn to some international legal act, which is specifically devoted to the problem of cybercrime. At the moment there is only one such act – the Council of Europe Convention on Computer Crimes. However, even here there is no definition for the terms "computer crimes" or "cybercrime".

Of particular interest may be the fact that in the English version of the Convention (which, along with the French-speaking version, is considered one of the official versions), its name is presented as "Convention on Cybercrime", while in the text of the translation of the Convention into Russian (at the moment there is only an unofficial translation, but published on the official website of the Budapest Convention ^[21]) the document is called the "Convention on Computer Crimes". The word "cybercrime" can be literally translated as "cybercrime", but in the above translation we are faced with "computer crimes". In this regard, the question arises – can there be an unambiguous identification between cybercrime and computer crimes?

It is logical to assume that the prefix "cyber-" is derived from the term "cybernetics". According to the definition given in the 1974 Encyclopedia of Cybernetics, cybernetics is "the science of the general laws of obtaining, storing, transmitting and converting information in complex control systems" ^{[2, p. 440]}. At the same time, it is noted that control systems can mean not only "technical, but also any biological, administrative and social systems" ^{[2, p. 440]}.

If we start from such a definition of cybernetics, then the concept of "cybercrime" is much broader than the concept of "computer crimes", which does not allow us to identify them. In addition, in the absence of a universal source defining computer crimes, it is still not clear enough what exactly can be considered such a form of criminal act.

In general, speaking about the terminological side of the described problem, researchers have previously noted the lack of well-established specialized terminology in international law ^[6]. This circumstance may create certain difficulties in classifying the main types of cybercrimes and their legal qualification ^[16]. Thus, it becomes obvious that even the issue of unified and clear terminology within the framework of international legal regulation of cybercrime remains unresolved. However, this state of affairs, nevertheless, did not prevent attempts to create both regional and global legal systems to counter cybercrime.

The process of forming the basic principles of the international legal system for countering cybercrime was based, first of all, on the national law enforcement practices of individual States and international organizations. However, despite this, the phenomenon of cybercrime has become a phenomenon for which both national jurisdictions and international law were not ready. To a large extent, this circumstance was explained by the cross-border and immaterial nature of cyberspace, which forced us to raise the question of whether modern international law is applicable to cyberspace? Or, for example, how does the principle of state sovereignty relate to cyberspace?

It can be assumed that the process of forming an international legal system for countering cybercrime began in the second half of the 1980s. At this stage, special emphasis was placed on the adaptation of national legislation to the problems associated with the criminal use of ICT. In particular, in 1986, the Organization for Economic Cooperation and Development (OECD) formulated proposals to improve the legislation of the organization's member States in order to optimize them for an adequate response to the threat of computer crimes.

Further, in 2000, the Tenth UN Congress on the Prevention of Crime and the Treatment of Offenders, already mentioned above, was held in Vienna. In addition to developing terminology, it was separately noted at the Congress that the development and dissemination of ICT provides criminals with new opportunities to commit illegal acts. A separate emphasis was also placed on the fact that it is not entirely clear exactly how national law enforcement agencies should act when conducting investigations of computer crimes. In particular, it was noted that some data that can serve as evidence of the commission of a criminal act may contain personal information of individuals, access to which is protected by law. Moreover, it was also noted that the process of investigating such offenses can cause damage to commercial organizations that have computer systems containing the necessary data. The issues of regulating the interaction of law enforcement agencies with service providers for the storage and processing of computer data were also raised. In general, it was noted that, taking into account the new threats associated with cybercrime, modernization of existing legislation is required ^[4]. 

The recommendations made at the Congress and the problems noted were taken into account by various international organizations. In particular, on June 1, 2001, the Commonwealth of Independent States concluded an Agreement on cooperation of the CIS member States in combating crimes in the field of computer information. The Agreement stipulated that the participating States criminalize a number of different criminal acts carried out using ICT. Among these acts , the following can be distinguished ::

1) Unauthorized access to data in a computer system, if such caused the deletion, modification or copying of data;

2)      Creation and distribution of malware;

3) Violation of the rules of operation of the computer system, if such caused the deletion or modification of data;

4) Copyright infringement in the operation of computer systems ^[13].

However, the CIS is far from the only regional international organization that has taken such an initiative. The Council of Europe has made a significant contribution to the adaptation of modern international law to the threats of cybercrime. At the turn of the 20th and 21st centuries, the Council was engaged in the development of a convention regulating the fight against cybercrime. The result of this work was the adoption of the Convention on Computer Crimes (Budapest Convention) on November 23, 2001. As of the beginning of September 2022, this convention has been ratified by 67 States. One of the main features of this convention is that it is open for signature by any State, even if it is not a member of the Council of Europe. This circumstance allows us to consider the Convention as claiming universality.

A significant advantage of the Convention is that its text specifies a number of illegal acts that need to be criminalized. Among these acts , the following stand out:

1)      Illegal access to a computer system;

2)      Data interception;

3) Undue influence on data and computer devices;

4)      Fraud and forgery carried out using computer technology;

5) Distribution of child pornography;

6) Copyright infringement using ICT ^[20]

In compliance with the recommendations of the Tenth UN Congress, Chapter 3 occupies a separate position in the Budapest Convention, in which the parties are required to organize the widest possible international cooperation in order to counter cybercrime. Special attention should be paid to paragraph b of article 32, which reads as follows:

"A Party may, without the consent of the other Party ... obtain through a computer system on its territory access to computer data stored on the territory of the other Party or receive them if that Party has the lawful and voluntary consent of a person who has the legal authority to disclose this data to that Party through such a computer system" ^[20].

This provision is very controversial and served as the basis for Russia's refusal to ratify the Budapest Convention. The unacceptability of the conditions of interstate interaction described in it was noted by Russian researchers. In particular, A. A. Danelyan notes that this paragraph of the convention creates conditions "for a direct violation of the principle of state sovereignty in the information space", as well as "for the violation of fundamental human rights and freedoms in the digital sphere and, in particular, the right to privacy" ^{[3, p. 265]}, because, in fact, the convention gives the right to a certain State and its authorities to obtain uncontrolled access to data on the territory of another State without the need to obtain permission for such access in each individual case.

On the one hand, such a practice can significantly speed up the process of investigating some cybercrimes. However, on the other hand, such actions can be considered as a violation of State sovereignty. Moreover, it is necessary to take into account that the computer systems of some state may contain information that is a state secret, or other legally protected information that foreign states do not have the right to access.

This circumstance is a significant drawback of the Budapest Convention, creating significant difficulties for its ratification by some States.

In addition, it is important to understand that 21 years have passed since the signing of the Convention. Information technologies have always been characterized by the transience of their development, which makes such a period incredibly long in terms of the formation of innovations in the field of ICT. With these innovations, new threats in the field of cybercrime have also formed. For example, such phenomena as laundering of criminal proceeds and financing of terrorism using cryptocurrencies can be separately noted. Also, the use of the Internet for the purpose of trafficking in narcotic substances ^[8] or for the dissemination of extremist materials ^[1] has become a very common phenomenon today. The Budapest Convention, in turn, does not contain any provisions that could separately consider such types of criminal acts.

After signing the convention, two additional protocols were issued to it: the First Additional protocol on xenophobia and racism ^[19] and the Second Additional protocol on improving cooperation ^[23]. None of these protocols supplements the Convention in terms of the types of criminalized acts. Also, the problem of violation of the principle of State sovereignty remains open.

Thus, the above-mentioned features of the Budapest Convention do not allow us to consider it as a sufficiently adequate international legal instrument for countering cybercrime. On the other hand, this document can be described as a "framework" ^{[18, p. 42]} and considered as a basis for creating a more perfect universal international legal act.

The issue of cyberattacks deserves separate consideration. The main problem of this phenomenon is the extreme danger of such attacks for the critical infrastructure of states. In this regard, the question arises whether such attacks can be considered as an armed attack on the state?

An attempt to respond to this was made by the North Atlantic Treaty Organization, also known as NATO. The organization has developed a document entitled "Tallinn Manual on The International Law Applicable to Cyber Warfare" – Tallinn Manual on the Application of International Legal Norms in the Case of Cyber Warfare ^[22].

The main issue addressed in the manual is the possibility of using armed force as a response to aggression carried out through a cyber attack. At the same time, the basis for such application is Article 51 of the UN Charter (on the right to individual or collective self-defense in the event of an armed attack) ^[15].

It was assumed that this document would be able to solve the problem of the legal qualification of military cyber operations, distinguishing such operations from cyber attacks of a purely criminal nature. Also, this guide could act as a basis for the creation of a universal convention regulating issues related to cyber operations.

Thus, there is an opinion that the Leadership "can really contribute to the legitimization of cyber conflicts, their integration into the system of international relations in the XXI century as an acceptable means of solving foreign policy tasks and ensuring national interests" ^{[17, p. 11]}.

In Russia, the reaction to the Leadership was mixed. In particular, concern was expressed that the North Atlantic Alliance decided to "develop a Manual alone and did not involve experts from other countries, including Russia" ^[7].

In addition, Russian researchers separately point out that it is impossible to simply directly apply the principles and norms of international law to cyberspace. In particular, it is noted that the concepts of "act of aggression", "use of force", "armed attack" cannot be applied to any cyberattacks, and the term "information war" cannot be identified with the term "war" in the context of international law ^{[3, p. 263]}.

One of the most recent significant events in the field of the formation of a modern system of countering cybercrime was the development by Russia of a draft universal convention on combating the criminal use of ICT. So, on July 27, 2021, Russia submitted to the UN a draft convention on countering the use of information and communication technologies for criminal purposes ^[10].

Compared to the Budapest Convention, this Project is a significant step forward. On the one hand, there are many provisions in the Draft that essentially duplicate those of the Budapest Convention. But, on the other hand, the Project has many advantages, expressed in the presence of a number of provisions addressing the problems that the Budapest Convention bypasses. Thus, the Draft contains a provision directly stipulating the priority of the sovereignty of the State as one of the fundamental principles. In addition, the Draft contains provisions indicating the need to criminalize many criminal acts using ICT that are not described in any way in the Council of Europe Convention, such as the distribution of narcotic substances, illegal arms trade, involvement of minors in criminal activities, incitement to subversion, distribution of counterfeit medicines, incitement to suicide, etc..

Such features of the Project make it the most suitable basis for a universal convention on cybercrime within the UN. However, at the same time, there are a number of factors that can significantly complicate the further progress of this Project.

Firstly, this may be due to the tense political situation, in view of which the Project – taking into account the fact that it was developed by Russia – may be perceived negatively by many UN member states. In addition, it is important to take into account that many countries that have managed to ratify the Budapest Convention (including – and especially – the countries of the European Union that actively participated in its development) insist on the effectiveness of the Budapest Convention and the absence of any need to develop any other international legal instruments in the relevant field.

There are certain arguments in favor of such a conclusion. The fact is that before creating and transferring to the UN the above-mentioned Draft Convention, Russia has already taken a number of initiatives within the UN, which can be considered as a kind of preparation for the creation and transfer of the Project. Thus, on December 17, 2018, the General Assembly adopted Russian resolution 73/187 ("Countering the use of information and communication technologies for criminal purposes"), in which the Secretary-General was requested to request information from the participating States about the difficulties they faced in countering cybercrime. In response to this resolution, a report containing information from many UN member States was prepared in July 2019.

According to the responses received, it was clearly seen that many States that have ratified the Budapest Convention consider this international legal act sufficient for the effective regulation of cybercrime, and any attempts to develop some other document are unnecessary. The part of the report devoted to the German response is particularly exhaustive in this sense. Thus, the text states that "the Council of Europe Convention on Cybercrime is well suited for effectively solving existing problems in the field of combating cybercrime" ^{[4, p. 33]}. As the main arguments in favor of such a conclusion and as if explaining the insufficiently exhaustive list of criminal acts described in the Convention, the opinion is also given there that the definitions of crimes presented in the convention are "technologically neutral", and therefore they can remain relevant in modern conditions ^{[4, p. 33]}. As the conclusion of its response, Germany separately emphasizes that it does not support the development of any other international legal acts in the field of countering cybercrime, and also notes that "parallel processes related to General Assembly resolutions and potential duplication of efforts should be avoided" (i.e., obviously indicating its disagreement with the initiatives Russia).

Thus, taking into account the stages of the formation of the international legal system for countering cybercrime described above, as well as taking into account the specified nuances and conditions under which this formation took place and is taking place, it can be concluded that today such an international legal system does not exist in a global and unified quality. There can be many arguments for such a conclusion. In particular, it can be pointed out that the only existing international legal act in the field of cybercrime today demonstrates itself as unable to adequately respond to the latest threats in the field of criminal use of ICT (due to the elementary lack of provisions that could provide legal regulation of such threats, not to mention disregard for the principle of state sovereignty). Moreover, as indicated at the beginning of the article, at the moment there is not even a well-established, unambiguous and unified legal terminology that could be used in further lawmaking.

Based on the above features, it can be concluded that at the moment only the initial stage of the formation of the international legal system for countering cybercrime, as well as the system of regulation of cyberspace as a whole, is taking place. The international community is only getting closer to creating a truly universal and effective international legal instrument. However, it is now quite difficult to predict when exactly it will arise. One of the main hindering factors can be called a very large number of countries that have taken a stable "protectionist" position in relation to the Budapest Convention, denying the need for any attempts to form a more perfect international legal act. In addition, as can be seen from the provisions given in this article, some key initiatives in the field of cybercrime regulation are undertaken by States and international organizations without prior coordination with other key participants in international relations. This circumstance, of course, has an extremely negative impact on the construction of a global system for countering crimes in the field of ICT. Nevertheless, it is impossible to deny or ignore the serious threat from the developing cybercrime, and therefore it seems that the emergence of a corresponding universal convention within the UN is still a matter of time.