Police officers, prosecutors, and judges participate in a UNODC training in Phnom Penh, Cambodia, aimed at strengthening the response to cybercrime in Southeast Asia and the Pacific, August 22, 2024. (Photo by Laura Gil/UNODC 2024)
Once considered petty crime, cybercrime has evolved into a giant, automated, and illicit business almost as profitable as the narcotics trade. Cyberattacks on schools, hospitals, and government agencies have increased, and concern among nations has also increased, as these attacks involve not just financial losses but threats to peace and security. This concern led to the adoption in December of the United Nations (UN) Convention against Cybercrime by the General Assembly, which aims to prevent and fight cybercrime by improving international cooperation and providing technical assistance.
Jim Lewis spoke about these issues in an interview with the GO’s Jill Stoddard. Lewis is a Senior Vice President and Pritzker Chair at the Center for Strategic & International Studies (CSIS). He served as an adviser for four United Nations (UN) Groups of Governmental Experts on Information Security, and his work on norms for cyberspace is foundational.
This interview has been edited for length and clarity.
What is your perspective on how cybercrime has evolved over the last 10, 20, or 30 years?
When the internet was first commercialized almost thirty years ago, cybercrime was largely a petty offense. Today, it has grown into a highly profitable industry that many countries see as creating risk both politically and to their own societies. It’s also hard to control, which raises security concerns.
The foundation of this is that we’re all connected, and most of us are bad at cybersecurity. When perpetrated against individuals, cybercrime can involve automated searches of stolen personal data for vulnerabilities. Spam and phishing are annoying for individuals, for sure—but the risk of ransomware and its potential to shut down companies, hospitals, government agencies, and schools has driven a lot of attention to the issue, particularly from governments.
Cybercrime and espionage can be related, and sometimes it’s the same actors. The Chinese engage massively in cyber espionage, but not cybercrime. The Russians do both. North Korea uses cybercrime as a tool of state action to fund both the Kim regime and its nonproliferation activities. It’s a major source of income.
In countries that are home to illicit cybercrime businesses, state security officials have unspoken rules. If cybercriminals follow those rules and don’t leave the country, their chances of going to jail are almost zero. For example, they are asked not to go after home country targets, to cooperate if needed, and to share the wealth with their local offices.
The number of cyberattacks considered “use of force,” or state-on-state attacks, is very small, according to the reports from the UN Open-Ended Working Group (OEWG) that deals with international security risks from information technology. There are fewer than a dozen over the history of the internet. The total number of cyberattack incidents is probably in the thousands, and the number of cybercrime incidents is thought to be in the hundreds of thousands to millions.
Are weapons systems at risk of tampering or ransomware?
That’s an interesting question, because getting access to weapons systems is very difficult. There are only about twenty or so countries that are capable of this. It’s a risk, but it’s an extreme scenario, so it’s less probable. Hollywood loves to portray some guy sitting in front of a keyboard wearing a hoodie, typing furiously and taking over the death ray—that’s not going to happen. But interfering with radar, missile guidance, or ship propulsion—those risks are very real.
The UN Convention against Cybercrime was adopted by the UN General Assembly in December and is the first framework on this topic accepted by all member states. What have been some of the previous efforts to create an international framework around cybercrime?
The biggest success is the Budapest Convention, which started out as a treaty negotiated in the Council of Europe in 2001. Even back then, many leaders saw cybercrime as a growing problem and felt that they needed to cooperate to deal with its transborder nature, so they worked out various mechanisms for cooperation among states.
The Budapest Convention has grown in scope and membership, but it was handicapped in that it was perceived to be a European thing, which slowed its acceptance in other parts of the world. Also, because the United States (US) has a broader definition of the rights of free speech than most countries, the convention had to create a separate protocol for countries to sign criminalizing hate speech online. The US didn’t sign it, though it did sign the convention.
Around the same time, the Russians decided to begin an effort to negotiate an international treaty on cybersecurity. They launched a negotiating process in the UN’s First Committee (which works on international peace and security) that ultimately led to the OEWG. The Russians are also the progenitors of the Cybercrime Convention and proposed a convention that took a very broad view of what constitutes a crime. At first, the US was a little hesitant to get involved, but the UN commissioned a negotiation, and it rapidly transformed from a Russian initiative to a global initiative and is a main part of why there’s been agreement on a convention now. Nobody got everything they wanted, but in a negotiation like this, nobody does. However, there are some questions as to whether the US will ratify.
How broad is support for the treaty among member states?
Agreement on a treaty text is the first step. For ratification and “entry into force,” you need forty signatures, which they more than likely have since it was adopted by consensus. The question after it’s in effect and ratified is: will countries do anything differently? Countries need to cooperate on cybercrime, and they are trying to figure out how to do it—how do I protect my sovereignty, how do I protect human rights, and how do I enforce the law? There’s some hope that the convention will provide that.
There’s a global trend to deal with the problems of the internet, but it’s been complicated because you’ve got issues in both sovereignty and internet technology, which doesn’t face borders. While this was being negotiated, some countries that had previously held suspicions of the Budapest Convention began to think they could live with that convention, and there’s been a significant uptick in signatures.
The US is an important player in cybercrime because it’s home to companies like Microsoft, Meta, Google, Amazon, and Apple, which are where the bulk of the global internet data is stored. Countries are realizing that we need to fix this problem of sovereign protections in a global infrastructure. This convention is one of those steps—probably the most important one.
There were debates over human rights during the negotiations. The way some negotiations deal with this in the First Committee is to have a paragraph that says everyone agrees to observe their commitments under the Universal Declaration of Human Rights (UNDHR). That didn’t work in the Cybercrime Convention. There were about twenty countries in the room that argued against strong human rights protections, and, up until the end, they tried to water down the treaty’s commitment to human rights. The US, the Europeans, and many others had made it clear that the convention wouldn’t go anywhere unless it had strong human rights protection. In the end, they agreed to accept the text without the language they wanted.
How do you see the treaty impacting technology companies, businesses, and individuals?
There are a couple of areas of major concern among the privacy and business communities. One is the definition of “researcher.” There was some concern that if there were a broad carve-out for cybersecurity research, countries with governments that are cybercrime-adjacent would claim these criminal acts were related to research. But I think that language turned out okay.
The concern is that the convention would empower authoritarian states to be more aggressive in prosecuting people they didn’t like. Much of the debate was over “cyber-enabled” crime—for example, if someone uses the internet to write a poem making fun of the head of state, that’s a crime in some countries.
The opponents of “cyber-enabled” got it negotiated down to “cyber-dependent” crime, to the chagrin of some negotiators. Cyber-dependent means crimes that wouldn’t have otherwise occurred unless you had the internet. The groups were debating that point up until the last minute—questions like: does the broad definition of “crime” include political speech? You can’t take the easy route of simply agreeing that it constitutes a crime if it’s a crime under national law, because some countries have national laws that others don’t support.
So, the debates revolved around the definition of what counts as a serious crime, the line between national authority and international commitments, and, above all, the seriousness of commitments to the UN, including to the UN Charter, sovereignty, and the UNDHR. It can frustrate a lot of people, because you traditionally can’t get very precise language in treaties—a lot of states won’t agree to it. But the Western countries felt like they needed precise language that limited the set of crimes to which this would apply, and using “cyber-dependent” offers a degree of protection.
Are the US and the European Union already cooperating on cybercrime?
Years ago, the US came up with the CLOUD Act, which says that if you have human rights protections equivalent to those in the US, US law enforcement agencies can serve warrants and court proceedings on American data providers much faster. Unfortunately, only the UK and Australia have made it through the hoops to be included in the act.
That’s likely to change in the next few years, because the Europeans, after wrestling with this for a long time, came up with “e-Evidence Acts,” which say that countries within the European Union can cooperate on sharing information across borders for transnational crime. When that’s in place, you could envision a deal between the United States and the European Union.
Does the treaty address a situation like Myanmar, where the government is a military junta and the country is home to cyber criminals perpetrating crimes around the globe?
Because UN treaties respect sovereignty, each country is responsible for enforcing the treaty and its national laws, which vary. One country can request that another sovereign nation enforce the treaty under a Mutual Legal Assistance Treaty (MLAT). I got to do this once as a junior officer using what’s called a letter rogatory. It’s an old thing; it practically comes on parchment. One head of state requests of another head of state, “Would you help me out in this crime?” And that is the sovereign’s decision. A country needs to be able to approach another country with what they would see as a legitimate request. You must also be able to identify who the perpetrators are, but MLAT requests can be very slow.
Does the treaty provide a way to fill gaps of the varying levels of expertise different countries have in addressing cybercrime? Are all countries concerned about it?
There’s a growing concern among almost all countries. There’s also a variety of expertise. There have been excellent negotiators from Africa, Latin America, and Asia. The chair of the OEWG is Singaporean. The chair of the Cybercrime Convention was Algerian. So, cyber expertise is becoming global.
Most of the Global South likes this treaty for two reasons. First, they’re worried about cybercrime. Second, they want capacity building that would give them the ability to enforce their laws in their own country in cyberspace.
There’s already a good amount of cooperation among law enforcement agencies through the UN Office on Drugs and Crime (UNODC). There’s also something called the Global Forum for Cyber Expertise, which grew out of the First Committee negotiations and works to give countries the expertise to exert in cyberspace.
Is there anything in the treaty that you think should be changed?
There are always things that you wish had been a little clearer. I think there are concerns about the definition of “serious crime.” There are also human rights concerns that the treaty could be exploited by authoritarian regimes. I think those are a little overstated.
One of the things I learned as a negotiator is that sometimes your choice is either broad language or no agreement. The convention creates a framework for cooperation. I don’t believe this convention is somehow going to justify countries engaging in behavior that’s contrary to the UNDHR. I think there’s only so far you can go to prevent abuse. Considering it started out as a Russian proposal intended to prohibit free speech, it’s turned into something that most of the world thinks is useful.
The big questions mean that privacy groups and US companies believe the US should not ratify the treaty. This is a misunderstanding of how the UN works, but if I had to take a bet right now, I’d say the US won’t ratify it, at least not in 2025.
The problem for American companies will be that even if the US doesn’t ratify the convention, they’re going to have to make a strong case as to why a treaty that works against cybercrime, is in the international interest, and has been endorsed by every country in the world doesn’t apply to them when they get a request for help. And that’s going to make the US look bad. I wish that weren’t the case, but that’s where we are.