UN: Draft Cybercrime Convention remains seriously flawed
The United Nations, New York, NY, USA
In the lead-up to the concluding session of the Ad Hoc Committee negotiating an international convention on cybercrime, ARTICLE 19 remains gravely concerned about the continued incompatibility of the draft text of the Convention with international standards on freedom of expression. We regret that the Ad Hoc Committee has done close to nothing to meaningfully address the many concerns we raised, as well as the concerns raised by numerous States and stakeholders during the most recent session. The key problems of the draft text include fundamental vagueness on the scope of the Convention, numerous content-based offences, and an underlying conflict between the Convention’s plain text and human rights standards. We urge States not to conclude this Convention and to ensure the draft is comprehensively revised.
ARTICLE 19 has closely monitored the drafting process of the proposed Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (the Convention). We provided legal analysis on several drafts, most recently the joint analysis with Human Rights Watch on the Consolidated Draft used as the basis for the negotiations of the Sixth Session in New York in August 2023. In anticipation of the Ad Hoc Committee’s final session, to take place from 29 January to 9 February 2024 in New York, a new Draft Text has been released.
ARTICLE 19’s key concerns with the recent draft include the following issues. We also note that this comment does not seek to provide an in-depth legal analysis of every provision, many of which are simply repeated from the prior Consolidated Draft or are currently the subject of informal negotiations.
The Draft Text takes a step backward from basic human rights protections
Article 5 of the prior draft required States to ensure that implementation of the Convention is “in accordance” with their international human rights obligations. ARTICLE 19 is concerned that the current draft only requires that implementation is “consistent with” rights obligations. This softened language is significant, as it no longer requires compliance with human rights norms. Further, the Preamble of the Convention still fails to mention international human rights standards as the framework for the whole Convention. Moreover, paragraph 3 of the Preamble still includes cyber-enabled offences “related to terrorism, trafficking in persons, smuggling of migrants, illicit manufacturing of and trafficking in firearms,” which, as highlighted in more detail below, in our view have no place in this treaty. For instance, the reference to terrorism alone is particularly concerning, as there is no universally agreed upon definition of terrorism under international law.
Additionally, Article 21, which provides for parameters of prosecution, adjudication, and due process, only applies to offences established “in accordance” with the Convention, meaning its scope beyond the offences explicitly named is unclear. It also only requires that due process protections be “consistent with” international human rights obligations, and makes no mention of the presumption of innocence or the principles of legality, strict necessity and proportionality. Finally, Article 24 of the current draft, which provides for conditions and safeguards, only applies to the procedural measures adopted under Chapter IV rather than to the whole Convention. It fails to incorporate the principles of necessity and legality and the need for prior judicial authorization.
The Draft Text retains all its numerous contentious content-based offences
ARTICLE 19 has criticized the previous draft text for containing unnecessary content-related offences that may infringe freedom of expression online. Several of these offences were subject to considerable debate in the Sixth Session, as they criminalize conduct never before addressed in an international treaty. Some of these offences are cyber-enabled rather than cyber-dependent, meaning they do not even clearly fall within the scope of a cybercrime treaty. ARTICLE 19 recalls that criminal laws prohibiting the dissemination of content are, by definition, restrictions on freedom of expression, and therefore must be analyzed according to the tripartite test for restrictions set out in Article 19(3) of the ICCPR. The provisions in question under the Draft Text include:
- The Draft Convention infringes on the rights of survivors of online gender-based violence (Article 15): While the trend of non-consensual sharing of images is problematic, addressing it in an international criminal instrument raises serious and complex issues in balancing freedom of expression and privacy rights, and is likely to backfire against the very vulnerable groups the provision is purported to protect. Article 15 does not appropriately mitigate the risk of criminalizing survivors particularly where the perpetrator is an authority figure, nor does it center the lack of freely given consent, or exempt conduct that is a matter of public interest or for a legitimate purpose related to the administration of justice.
- The Draft Convention unduly restricts the rights of children and risks banning books (Articles 13 and 14). As drafted, Articles 13 and 14, which purport to curb the dissemination of child exploitation materials, go well beyond international standards on the matter and risk infringing on children’s rights and criminalizing content that may have scientific, educational, artistic, or literary value. Particularly in states where gender expression is repressed, these articles may also restrict the legitimate experience and expression of gender and sexuality of children, including adolescents. Finally, Article 13 is written so broadly that it would appear to ban books, including classic works of fiction taught in universities; indeed, Article 13(2)(b) defines “material” to include not only “images” but also “written material.” ARTICLE 19 recalls that the informal report covering these articles, following the recent Sixth Session, reveals little consensus as to basic definitions and scope, noting a number of key provisions where “attempts to reduce the gap [between States] did not yield any fruit” and several where “delegations could not agree.”
The underlying scope of the Draft Convention remains unclear
The Draft Convention continues to lack a coherent articulation of what does or does not constitute a cybercrime, which is astonishing this late in the drafting process. Following the Sixth Session, an informal meeting was convened to present two proposals on the Convention’s scope. As a result of the meeting, the co-chairs of the working group noted that States disagreed on “several live issues,” including whether Article 17 risked “morphing it into a general crimes convention” or whether it “would apply to the full suite of procedural powers and international cooperation.” Both proposed solutions nonetheless adopt an expansive scope, contrary to the position of the numerous States that have raised concerns about the ambiguous scope and the obligations it would impose on them.
- The first proposal is to merge Article 17 into Article 35 within the section on procedural measures, which would explicitly apply procedural powers to any new offences passed in accordance with the Convention that carry “a penalty of three years or more.”
- The second proposal seeks to require the criminalization of any offence under a United Nations convention or protocol.
We note that both of these proposals are significantly problematic and do little or nothing to mitigate the underlying problem with Article 17. Allowing procedural powers to flow merely from the severity of the penalty has no basis in the actual substance of an offence, and grants expansive police, surveillance, and extradition powers to States that merely impose disproportionate penalties. Additionally, United Nations conventions include a number of obligations and frameworks, such as those surrounding hate speech, which would be undermined or lead to conflicts if suddenly required to be bluntly criminalized. In this respect, the purported ‘limitation’ to United Nations instruments is tone-deaf to the practical complexities of such instruments, threatening to undermine them and create unnecessary confusion. The full implications of Article 17 and these proposals still cannot be understood because, as currently drafted, it could also apply to future treaties, including where those future treaties deliberately avoid applying their provisions to online environments.
The Draft Convention is unresponsive to fundamental concerns regarding its broad cross-border surveillance and police powers
The bulk of the Convention’s proposed provisions allow for expansive and highly intrusive sharing of personal data, which among other fatal problems, threatens to chill the use of tools that promote freedom of expression online. For instance, the Draft Text in Article 40 still authorizes proactive information disclosures without any consideration for the safeguards of sending or recipient states. Article 47 continues to contemplate generalized information sharing beyond the scope of particularized investigations. These are not constrained by any explicit data protection safeguards. Provisions such as these, and others which ARTICLE 19 has previously analyzed, are more problematic given the aforementioned lack of human rights or due process safeguards, including prior judicial authorization requirements.
ARTICLE 19 finds it astonishing that after several years and several drafting sessions, such fundamental issues with the Convention remain. ARTICLE 19 urges States to reconsider the necessity of rushing an inherently flawed and overbroad instrument this late in the process. We will continue to work closely with partners in civil society and relevant stakeholders as we follow the outputs of the negotiations and drafting process.
Reflecting On The Evolution Of Cybersecurity In 2023
Emil Sayegh
Contributor
CEO of Ntirety. Cover all things cloud, cybersecurity & tech.
Dec 12, 2023
2023 marked a transformative journey for the cybersecurity, IT, and cloud industries. Reflecting on the past, it’s clear these sectors experienced substantial shifts in focus, witnessed notable service upgrades, and confronted persistent challenges along with transformative changes. Amidst the continuous evolution aimed at countering emerging threats, it’s crucial to ponder the key takeaways from the year—many of which we extensively discussed in articles published throughout 2023.
1. Cybersecurity Amidst Geopolitical Turmoil: Impact of the Russia-Ukraine Conflict
The geopolitical upheaval stemming from the Russia-Ukraine war cast a long shadow over the cybersecurity landscape in 2023. The conflict drove an escalation in state-sponsored cyberattacks, with both nations engaging in digital offensives. The intensification of cyber espionage, disinformation campaigns, and destructive and ransomware attacks highlighted how tightly geopolitics and cybersecurity are linked. As the conflict unfolded, organizations worldwide, not only those in the region, faced the challenge of safeguarding their digital assets amid heightened global tensions. The year served as a stark reminder that geopolitical events can have far-reaching consequences, requiring a vigilant and adaptive cybersecurity approach.
2. Meta-Disappointment
The much-hyped metaverse faced a disappointing trajectory, despite Facebook having rebranded itself as Meta to align with the concept. Economic downturns and a lack of forethought about privacy and security implications took a toll on the metaverse's momentum, affecting associated technologies such as NFTs. Despite these setbacks, the allure of the metaverse may resurface, but for now the spotlight has shifted to the burgeoning realm of Artificial Intelligence (AI).
3. White House National Cybersecurity Strategy Implementation Plan
The White House unveiled a comprehensive implementation plan comprising over 65 initiatives aimed at mitigating cyber risks and boosting cybersecurity investments. The plan assigns responsibilities across federal agencies, emphasizing public-private sector collaboration. Initiatives include enhanced cyber incident reporting, updated response plans, tackling ransomware, and prioritizing software transparency.
4. Cybersecurity and Cloud Interdependence: A Growing Nexus
Throughout 2023, cybersecurity and cloud technologies became increasingly intertwined. Reliance on cloud services surged, amplifying both the opportunities and the risks for digital security: a misconfigured cloud identity or storage bucket now exposes an organization as surely as an unpatched server once did. The year highlighted the need for a cybersecurity strategy that treats cloud-based threats as a first-class concern rather than an afterthought. As organizations continued to migrate to the cloud, balancing data protection against cloud efficiencies underscored the need for an integrated, holistic security approach.
5. SEC Cyber Risk Disclosure Rules
The U.S. Securities and Exchange Commission revamped its rules on cyber risk management, governance, and incident disclosure, with the new disclosure requirements taking effect in December 2023. This regulatory update reflects the growing centrality of cybersecurity in corporate compliance: material cyber incidents must now be disclosed on a fixed timeline, which makes incident classification and escalation processes a board-level concern.
6. Multimedia Content Security
As cyberattacks increasingly target data-intensive content, and streaming services in particular, companies such as Amazon (Prime Video) have prioritized robust security measures. Protection now extends to every facet of content delivery, guarding against threats such as external tampering during live events.
7. Emerging Cybersecurity Trends
The cybersecurity landscape shifted towards new frontiers, with a focus on zero trust, AI, and cloud technologies. Global cyberattacks were reported to have risen by 40 to 45%, pushing organizations to rely on these emerging security and cloud technologies to keep pace with the threat landscape.
8. Role of Automation and Service Partners
Amid rising cyber threats and constrained budgets, the value of automation and of partnerships with cybersecurity service providers became evident as enterprise SOCs reached their limits. These partners expedite secure and compliant cloud adoption, integrate security measures into existing environments, and help address the challenges associated with cloud migration.
9. AI in Cybersecurity
The unexpected surge in practical AI brought both opportunities and cybersecurity challenges to the forefront. A vigilant and strategic approach is crucial in harnessing AI's potential, emphasizing targeted applications to address specific vulnerabilities and challenges within the technology infrastructure.
10. Quantum Computing Challenges and Opportunities
The emergence of quantum computing posed both challenges and opportunities for cybersecurity in 2023. While its computational power may open new approaches to cryptography, a sufficiently large quantum computer would also break the public-key algorithms, such as RSA and elliptic-curve cryptography, on which most of today's encryption and digital signatures depend; data encrypted today can be harvested now and decrypted later. NIST published its first draft post-quantum cryptography standards in August 2023, and as organizations begin planning migrations to quantum-resistant algorithms, the landscape of digital defenses may be poised for a paradigm shift.
11. Cybersecurity Funding Surge
Throughout the year confidence in the cybersecurity sector soared, manifesting in substantial investments across various companies. The third quarter witnessed a remarkable surge in funding, underlining the industry's significance in current and future digital endeavors.
12. Crypto Turmoil: 2023 Crashes and Hacks
Cryptocurrency faced significant turmoil this year, with 2023 marked by crashes and high-profile hacks that underscored the vulnerabilities in the crypto landscape. Growing adoption brought a corresponding rise in cybercrime targeting digital assets, from exchange compromises to smart-contract exploits, and prompted a critical examination of the security infrastructure surrounding cryptocurrencies. This tumultuous year underscored the importance of robust cybersecurity frameworks, including key management and code auditing, in the ever-changing realm of digital currencies.
2023 in Reflection
The multifaceted challenges and opportunities encountered in 2023 further highlight the complex and ever-evolving nature of cybersecurity, cloud, and IT. As we navigate these uncharted territories, adapting to quantum advancements, cloud interdependence, geopolitical shifts, and environmental imperatives will be pivotal in fortifying our digital future.
Emil Sayegh is the President and CEO of Ntirety, a global leader in Comprehensive Compliant Cybersecurity Services.
Emil is an early pioneer of the Cloud, having launched and led successful Cloud computing businesses for Rackspace, HP, and Codero. Recognized as one of the “fathers” of OpenStack, Emil also led the merger between Hostway Inc. and Hosting Inc. to form Ntirety, which manages IT Security for organizations across the Fortune 500. Ntirety is the only company that embeds compliant security throughout an organization’s IT systems and culture.
Emil has spent more than 25 years in the IT industry developing, marketing, and growing businesses for Dell, Rackspace, HP/Compaq, RLX Technologies, Codero, Hostway, and now Ntirety. He holds nine patents.
Written by
James Coker
Deputy Editor, Infosecurity Magazine
There has been a wide range of major cybersecurity incidents in 2023, from nation-state espionage campaigns to attackers gaining a gateway to thousands of enterprises by exploiting vulnerabilities in widely deployed third-party software.
These have had significant real-world impacts, such as victim organizations experiencing loss of service and crippling financial costs, while many millions of individuals have had highly sensitive data stolen, putting them at risk of follow-on attacks.
In this article, Infosecurity Magazine has set out the top 10 cyber-attacks of 2023, which have been decided based on factors like the scale of the incident and its longer-term implications. These have been listed in order of the dates the attacks were first reported.
1. Royal Mail Faces Huge Financial Loss Following LockBit Attack
In January 2023, it emerged that the UK’s postal service, the Royal Mail, had been hit by a ransomware attack which resulted in a temporary halt to international deliveries. Data was also stolen by the attackers. The Royal Mail refused to pay the £65.7m ($79.85m) ransom demanded by the LockBit group. However, the service revealed it had incurred huge financial costs as a result of the attack, including large revenue losses, and the company is said to have spent £10m on ransomware remediation.
2. Enormous Data Breach at T-Mobile
International telecoms giant T-Mobile admitted that 37 million customers had their personal and account information accessed by a malicious actor through abuse of an API, in an attack that began on November 25, 2022. The incident was not discovered until January 5, 2023. In a separate incident, T-Mobile USA notified customers of another breach of personal and account data that occurred in February and March 2023. The breaches leave many millions of customers exposed to follow-on fraud attempts such as phishing and SIM-swapping.
3. City of Oakland Declares State of Emergency After Ransomware Attack
In February 2023, the administration of the City of Oakland, California, declared a state of emergency as a result of a ransomware attack. The incident shut down many non-emergency services, while government buildings were forced to close temporarily. It was later reported that the hackers stole a decade’s worth of sensitive data from city servers in the attack, including information about employees in sensitive roles such as the police.
4. MOVEit File Transfer Exploitation
The exploitation of a zero-day vulnerability in the popular file transfer software MOVEit Transfer (CVE-2023-34362, a SQL injection flaw) is thought to have impacted thousands of organizations, ranging from media to healthcare. The flaw was exploited by the notorious Clop ransomware gang from around May 27, 2023, and Clop continued to compromise organizations that had not yet applied the patch Progress Software released on May 31. Patching alone was not sufficient for victims compromised before the fix, as the attackers had already dropped a web shell that allowed them to return and extract data. The group’s continued exploitation of the vulnerability is believed to have driven a record number of ransomware attacks in July 2023.
5. Chinese Espionage Campaign Infiltrates US Government
Microsoft discovered a Chinese cyber-espionage campaign in which the Storm-0558 group gained access to customer email accounts from May 15, 2023. This included employees in the US State and Commerce Departments and other US government agencies. The attackers had obtained a Microsoft consumer account signing key and used it to forge authentication tokens; Microsoft later said the key had leaked via a crash dump and was taken after the attackers compromised a Microsoft engineer’s corporate account. The incident led to the tech giant being criticised and even accused of negligence by a US lawmaker.
6. UK Electoral Commission Attack Exposes 40 Million Voters’ Data
In August 2023, the UK’s Electoral Commission revealed it had been the victim of a “complex cyber-attack” exposing the personal data of anyone in the UK who was registered to vote between 2014 and 2022. Worryingly, the attackers had remained undetected in the systems for 15 months, suggesting they were in search of something beyond quick financial gain. It was later reported that the Electoral Commission had failed a Cyber Essentials assessment around the time of the intrusion.
7. Casinos Taken Down by Cyber-Attacks
In September 2023, hotels and casinos giant MGM Resorts International reported that it had experienced a cyber-incident affecting critical parts of its business, with disruption to hotel and gaming systems lasting for days. Initial access was reportedly gained by social-engineering the company’s IT help desk into resetting credentials. The attack, perpetrated by the ALPHV/BlackCat ransomware gang, cost the firm more than $100m after it refused to pay the ransom demand. Just days after the MGM incident, another Las Vegas-based casino and hotel chain, Caesars Entertainment, revealed it had also been compromised by ransomware threat actors.
8. Logistics Firm Closes Due to Ransomware Attack
One of the UK’s largest privately owned logistics firms, KNP Logistics Group, was forced into administration in September 2023 following a ransomware attack it suffered earlier in the year. More than 700 employees were made redundant, with the business stating that it had been unable to secure urgent investment because of the attack. The incident highlights the serious real-world impact that cyber-extortion attacks can have.
9. 23andMe Suffers Major Data Breach
DNA testing firm 23andMe confirmed that its customers had their profile information accessed by threat actors following a credential stuffing campaign, disclosed in October 2023. The threat actor claimed to have 20 million 23andMe data records in their possession, raising concerns that highly sensitive data, such as ethnicity, could be used against victims. 23andMe later confirmed that over 6 million individuals' information was accessed: a relatively small number of accounts were broken into directly using passwords reused from other breaches, and the attackers then harvested data on millions of relatives through the service's DNA Relatives and family tree features. The incident highlighted both the risk of password reuse in the absence of mandatory multi-factor authentication and how a feature that shares data between accounts can multiply the impact of a breach.
10. British Library Suffers Damaging Ransomware Incident
One of the world’s largest and most renowned libraries, the British Library, was hit by a ransomware attack that took down online and onsite services. The library revealed the attack occurred on October 28, later confirming that internal HR data was stolen and leaked and that user data was stolen and offered for sale on the dark web. The Rhysida ransomware group has claimed responsibility for the attack.