At the end of June, just before the White House scrambled to respond to another ransomware attack from Russia, Moscow presented a new international cyber treaty in the United Nations. Moscow has tightened its grip on the internet domestically for years, and has recently pushed for a sovereign internet. While the Russian government’s internet strategy and policies are often misunderstood in the West—based on the false assumption that Putin’s hand moves everything in Russia—this focus on state dominance has remained crystal clear. But as the Biden administration moves to confront the growing ransomware threat from Russian cybercrooks, the new treaty underscores just how unwilling the Putin regime is to cooperate.
The crux of the 69-page document is hardly shocking: The Putin regime is continuing its battle for a more closed, state-controlled internet. Newly significant, however, is that it follows the passage of a new UN cyber agreement by Moscow (and Beijing and other authoritarian governments) in December 2019. Then, the Russian government capitalized on both surging calls for “cyber sovereignty” and the Trump administration’s undermining of American cyber diplomats to garner wide support from longtime backers of an open global internet. What followed was the creation of a UN committee tasked with considering a new cyber treaty—one meant to replace the Budapest Convention on cybercrime that Moscow has long opposed.
Russia’s treaty, awkwardly titled the Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, is nominally about cybercrime, but the word “cybercrime” means something very different to the Putin regime than to Washington or Berlin. In the West, “information security” is used interchangeably with “cybersecurity,” generally referring to the confidentiality, integrity, and availability of systems, networks, and data. For the Russian government, information security is far more expansive, wrapping the security of the Putin regime, the state’s control over information flows, and the “stability” of Russian society into a single concept. When dozens of countries back Russia’s call for information security, then, it constitutes a push for greater state censorship and internet control around the world.
The definition of crimes is equally problematic. For a regime that wields all manner of violence against people challenging or resisting it—including murder, kidnapping, police brutality, and jailing—“internet crimes” are merely any online actions that scare the Kremlin or threaten Putin’s hold on power. Russia already has many laws to censor tech companies and punish individuals sharing what it deems “false information.” The treaty’s anti-cybercrime language extends Moscow’s push for greater top cover for internet repression. References to “terrorism” fall into the same bucket, given the state’s long-standing use of terms like “counterterrorism” and “counterextremism” to suppress dissent. The treaty contains incredibly broad definitions of terrorism that include unlawful acts motivated by political or ideological “hatred,” establishing a pretext to crack down on opposition.
The treaty also brandishes many other familiar rhetorical tools of the Russian regime: references to state sovereignty and nonintervention in other countries’ domestic affairs, which Putin continually stresses—usually in bad faith—as important to Russian security; vague definitions of computer operations that impact the “security of information”; surveillance-expanding calls for companies to archive user data and intercept online traffic; and cynical lip service to human rights.
Russia’s December 2019 feat in the UN might give the new treaty stronger legs than it would otherwise have; states voted to establish a new committee to weigh a cyber treaty, and Moscow has now presented such a document. It’s an open question whether the previous agreement’s many backers will support it. It also remains to be seen whether Biden can marshal diplomatic resources to successfully fight it.