Cybercrime Convention:
Is a Flawed Agreement Better than None?
February 2025
February 2025
With various reactions to the adoption of the Cybercrime Convention, this piece weighs the pros and cons of agreeing to a 'not perfect' framework in pursuit of global cooperation and evaluates the implementation mechanisms embedded in the Convention.
Context
The United Nations Cybercrime Convention was adopted in December 2024 by the General Assembly, marking a significant milestone as the first global convention under UN auspices countering the use of information and communications technologies (ICTs) for criminal purposes. The Convention will open for signature in Vietnam in 2025 and will enter into force 90 days after being ratified by the 40th signatory.
There are at least four other regional instruments that were developed in the past twenty-five years: the Budapest Convention on Cybercrime (2001) - developed under the Council of Europe (46 states) but open for global adoption; the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014); the League of Arab States Convention on Combating Information Technology Offenses (2010); the Agreement on Cooperation in the Field of International Information Security (2009, updated in 2018). All of them have slightly different approaches that eventually played out in the negotiation of the UN Cybercrime Convention.
The UN Cybercrime Convention covers a broad range of offences, including cyber-dependent crimes (like interfering with electronic data and ICT systems, misuse of devices) and cyber-enabled crimes (such as fraud and child sexual abuse). It emphasizes state sovereignty and incorporates a more state-centric approach, leaving a generous space for state discretion. The UN Cybercrime Convention limits international cooperation to serious crimes punishable by at least four years of imprisonment, as compared to any crimes in the Budapest framework. However, the UN Convention has a broader scope, expanding cooperation to areas like crime prevention and asset recovery, and including provisions from the UN Convention against Transnational Organized Crime and the UN Convention against Corruption. Meanwhile, its lack of detailed safeguards on privacy, broad data access powers, and jurisdictional overreach raised concerns about surveillance and interference in domestic affairs.
Mixed Reactions to the Convention
Given ongoing geopolitical tensions, reaching a consensus on the draft was a major achievement. Until the final moments, the outcome of negotiations remained dim. Despite the importance of the global agreement, none of the major players were fully satisfied with the final draft. With numerous controversies surrounding key provisions of the treaty, states were forced to make concessions that led to a final draft accepted by all.
The United States, while announcing that they are joining the consensus, reiterated its intent to seek further clarifications to address stakeholder concerns on issues related to transparency, human rights and other safeguards.
Russia, which initially proposed the convention, celebrated its adoption as a diplomatic victory that legitimizes its state-centric approach to cyber governance. However, there is a strong sentiment that the final draft is far from the original proposal. In particular, from the proposed list of twenty-three criminal offences, only ten made it to the final draft, bringing its scope closer to that of the Budapest Convention. For example, disinformation, cyber-enabled terrorism and political extremism were eventually excluded from the list. The official press release from the Ministry of Foreign Affairs mentions an intention to work on an additional protocol to expand the list of offences, addressing the use of ICTs for ‘terrorist and extremist’ purposes, as well as drug and arms trafficking. During the last session, Russia highlighted that it dissociates itself from the consensus on the title of the convention and intends to make a separate statement interpreting its vision when signing or ratifying this instrument. The press called the convention a ‘suitcase without a handle’ - something so altered that it becomes useless, yet too late to abandon because too much has already been invested.
China, while strongly supporting the adoption of the convention and viewing it as a significant step in international efforts to combat cybercrime, was also dissatisfied with certain omissions. In particular, its proposed provisions criminalising the dissemination of false information online—deemed necessary for maintaining social order and national security - were excluded from the final draft.
The European Union adopted a somewhat nuanced position, endorsing the final draft of the convention as an important step in international cooperation in combating cybercrime and highlighting the human rights safeguards, while receiving a strong pushback from the representatives of 29 civil society organisations and industry experts that strongly called to vote against the convention, citing concerns over its broad provisions and the safety and privacy of internet users globally.
Is a Flawed Agreement Better than None? Balancing Risks and Opportunities
Such mixed reactions lead to an evident question: why and when an international agreement is still worth signing? In traditional negotiation theory, the simple answer to whether a “bad agreement” is better than none is ‘NO’. It is better to walk away with no agreement than to settle for a suboptimal one that compromises your fundamental values and interests. However, in international multilateral negotiations, the reality is far more complicated because the context, parties and potential consequences all play a crucial role.
On the one hand, a “bad” agreement with broad and vague language could lock in certain concepts that would be difficult to amend in the future. Additionally, the agreement that lacks safeguards and enforcement mechanisms could lead to the misuse of the convention.
On the other hand, even an imperfect agreement can lay the foundation for collective action, signalling international recognition of cyber threats and political will to address them. Symbolic agreements can demonstrate commitment and build momentum for future negotiations. For example, the landmark Kyoto Protocol (1997) aimed to combat climate change by setting legally binding targets for developed countries. While it ultimately failed to meet its goals, it initiated global cooperation. An even more successful story was The Vienna Convention for the Protection of the Ozone Layer, adopted in 1985, which was a framework treaty that promoted international cooperation to protect the ozone layer, primarily through research, information sharing, the development of the Montreal Protocol in 1987 and led to the universal ratification in 2009.
In the case of the Cybercrime Convention, the involvement of multiple stakeholders, geopolitical tensions, and the urgent need to address the rising threat of transnational cybercrime suggest that even a flawed agreement could serve as an important first step toward international cooperation and norm development. The consensus achieved its broader goal: the treaty established a framework for global cooperation by introducing the mutual legal assistance scheme that extends beyond parties of the Budapest Convention.
Having a starting point agreement with core broad principles that everyone can agree upon also creates opportunities for future renegotiation, amendments, or additional protocols. For example, the General Agreement on Tariffs and Trade (GATT, 1947), which was incomplete and left out critical areas like services, intellectual property, and agriculture, paved the way for the establishment of the WTO in 1995 and evolved into a robust framework that addressed many of the initial shortcomings through separate agreements. With the cybercrime convention, several parties have already announced their intention to follow a similar path.
The U.S. stance on the convention has fluctuated throughout the five years of negotiations. In some ways, it resembled a cycle of acceptance - a pattern of responses to the significant changes that involve radical shifts in one's beliefs and expectations due to changed circumstances. Initially, the U.S. fundamentally rejected a proposal initiated by Russia, then actively campaigned against it, before eventually entering the bargaining phase and ultimately offering conditional acceptance. The “denial” was rooted in the belief that the new treaty might weaken the existing framework created by the Budapest Convention. The “anger” phase was fueled by the fact that the ad-hoc Committee was eventually voted for and established, which began global deliberations despite the fact that most of the like-minded states voted against it. Frustration and concern over the dominance of authoritarian voices in shaping the treaty pushed Western states into an inevitable negotiation and bargaining process that ensured the representation of their interest and vision. By the final stages, like-minded states, including the U.S., accepted the treaty as a reality but emphasized that its success would depend on implementation and future amendments. Hence, while the final text may not fully align with the vision of like-minded states, partial success in negotiations and the opportunity for future strategic influence led many to support it.
“Depends on the Agreement”
Ultimately, the effectiveness of any agreement depends not just on the strength of its provisions but also on the broader governance framework surrounding it, supported by the willingness of states to adhere to it. Even after signing a convention, ratifying it might be a complicated task for many countries. In the U.S., the Cybercrime Convention has a high chance of being added to the list of other international treaties that the country has never ratified.
The global conventions are known to contain vague and broad provisions open to flexible interpretation. The Cyber Convention is not an exception with strong cyber sovereignty language and a national security exception to providing mutual legal assistance (Article 40). As noted by some authors, the Convention also sticks to the technologically neutral language, if methods and mechanisms of illegal activities change, drawing lessons from rapidly evolving AI landscape.
Progress is possible when agreements serve as a foundation for continuous negotiation and adaptation. The Cybercrime Convention allows for amendments after five years after its entry into force (Article 66) and regulates the adoption of supplementary protocols (Article 61) once the Convention has at least 60 state parties. If all efforts to reach a consensus on the protocol have been exhausted, it can be adopted by a two-thirds majority vote of the state parties present and voting at the conference - meaning, de facto, that 40 states out of 60 could be enough to adopt a protocol. This relatively low number might lead to a continuous battle between competing frameworks. Another important note is that, obviously, to be able to propose a Protocol, one needs to be a party to the Convention, which, as was mentioned earlier, is complicated in the case of the U.S.
The Conference of the State Parties (Article 57) is tasked with establishing a procedural and governance framework, as well as reviewing the implementation of the Convention by the parties. The current text of the Convention contains a relatively modest set of compliance mechanisms. Following strong sovereignty language, most of these mechanisms are non-intrusive, such as state reporting (Article 57.6), the exchange of information and cooperation with scientific experts and other stakeholders in the field (Article 57.5), and dispute settlement (Article 63). There aren’t any mentions of the collective enforcement measures, such as countermeasures or sanctions.
Conclusion
Consensus might be the only viable path forward to gain the momentum necessary for addressing issues that require global cooperation. While a perfect agreement that satisfies all parties may be unattainable, establishing a framework for sustained dialogue is essential as a foundation for future progress. Meanwhile, existing regional frameworks, alongside the global convention, can help test existing and crystallize new effective practices.
The adoption of the cybercrime convention highlights the global necessity for cooperation against malicious cyber activities while also exposing deeper fractures in the international community. It also underscores how shifts in power dynamics and trust can shape international law.
As implementation unfolds, its true impact will depend on how states choose to interpret, enforce, and build upon its provisions. With the broad language on its implementation, the real test of the Cybercrime Convention lies ahead: whether it will evolve into a robust framework for cooperation or serve as a tool for contesting governance models.