The Hanoi Convention and the Contest to Shape Global Cybercrime Norms

The UN’s cybercrime treaty reflects both the promise of multilateral cooperation and the steady erosion of liberal norms in global cyberspace governance.

At the signing ceremony of the United Nations Convention against Cybercrime held on 25–26 October, 72 states signed the ‘Hanoi Convention’. The treaty criminalising cybercrime has shifted the focus back to the exigencies and challenges facing global cyberspace governance. Adopted by the United Nations General Assembly (UNGA) on 24 December 2024, the Convention has been hailed as a triumph of multilateralism amid widening polarisation that curtailed avenues for international cooperation. However, such a multilateral consensus was achieved not by resolving the definitional disagreements over what constituted cybercrime, but by diluting the existing principles. While regional frameworks laid the normative groundwork for a global convention, consensus was a consequence of the influence of ‘norm entrepreneurial’ states striking strategic bargains. 

Evolution of Cybercrime Norms: Regional to Global

Despite global recognition of the transnational nature of cybercrime, the marked differences in the construction of the crime itself precluded the formation of a consensus, as apparent in disparate localised frameworks. Several regional instruments dealing with cybercrime emerged, such as the Budapest Convention on Cybercrime (2001), the SCO Agreement on Cooperation for International Information Security (2009), the Arab Convention on Combating Informational Technology Offences (2010), and the African Union Convention on Cyber Security and Personal Data Protection (2014), among others. Varying in scope, the instruments had limited capacity for cross–border enforcement, and the fragmented normative landscape often impeded effective investigation in the criminal use of Information and Communication Technologies (ICTs).

The transboundary nature of ICTs and their extensive use as tools for cross-border terrorism necessitated harmonising regional frameworks to enable states to coordinate action effectively at the global level. 

The transboundary nature of ICTs and their extensive use as tools for cross-border terrorism necessitated harmonising regional frameworks to enable states to coordinate action effectively at the global level. Even though the Budapest Convention was regarded as the de facto international instrument on cybercrime, most non-Western states did not ratify it. At the UN, initial normative discussions on cybercrime took place primarily through an open-ended Intergovernmental Expert Group tasked with conducting a ‘Comprehensive Study on Cybercrime’. Eventually, Russia and 17 other co-sponsors took on the role of ‘norm entrepreneurs’ by proposing a cybercrime treaty.  The resolution passed in the UNGA despite opposition from the US and the EU, with various human rights organisations opposing it as well. In 2019, the UNGA consolidated the parallel processes to establish an open-ended Ad Hoc intergovernmental committee (AHC) to negotiate and draft an international convention on countering the use of ICTs for criminal purposes. Following intense negotiations between 2021-2024, the UN Convention on Cybercrime was adopted unanimously without a vote. 

The Politics of Defining ‘Cybercrime’ 

Despite its comprehensive provisions, the Budapest Convention failed to garner universal acceptance – it faced criticism for excluding the Global South from the negotiation process and for providing leeway for cross-border operations, raising concerns over territorial sovereignty. While the UN-led process was intended to be more egalitarian and representative, defining cybercrime and its related provisions revealed an inherent ideological tussle even within the AHC negotiations. Nonetheless, there was a degree of consensus on categorising cybercrimes as either ‘cyber-dependent’ — offences that can only be committed through the use of ICT devices — or ‘cyber-enabled’ — traditional offences that are facilitated by the use of ICT. 

The European Union (EU) consistently advocated for a narrow construction of cybercrime by limiting its application to cyber-dependent crimes. The stance was based on the argument that a broader construction of cybercrime risked disproportionate interference with human rights and fundamental freedoms. The EU cautioned against including national security matters under the scope of ‘cybercrime’, asserting that it could potentially threaten an open, free, and secure cyberspace. Despite their initial opposition, countries such as the United States and Australia eventually called for both cyber-dependent as well as cyber-enabled crimes to be included, albeit judiciously. 

The influence of revisionist states in defining the cybercrime norms reveals newer dynamics at play within the international order. Global cyberspace governance remains an evolving domain, and who gets to define the emergent norms has become a battleground for intense competition between states.

On the other hand, Russia and China lobbied for a broader construction of cybercrime to include the criminalisation of the use of ICT for spreading disinformation, cross-border cyber-enabled espionage, and cyber operations targeting critical infrastructure. To this end, Russia also registered its protest against the final naming of the Convention, when its title was scaled down to ‘UN Convention against Cybercrime’ from the original mandate to draft a ‘comprehensive international convention on countering the use of ICTs for criminal purposes’. Other revisionist states, such as Pakistan and Iran, were also vocal on issues such as the removal of human rights safeguards from the text of the convention.

Overall, the proposals in AHC on defining cybercrime reflected a broader pattern of systemic erosion of the liberal character of global norms in cyberspace governance. Most Western states opposed proposals to include content-related cybercrimes such as “extremism–related offenses” and “terrorism-related offenses”. The US and its allies participated in AHC primarily to prevent Russia and China from setting the tone of the negotiations. However, the compromised draft was eventually adopted by the AHC – states did not block the convention’s passage and swing voters like Indonesia, Mexico, Singapore, and South Africa ultimately supported the treaty.

Implications for Global Governance

The Hanoi Convention is the first international criminal justice treaty to have been negotiated and adopted in over 20 years, reflecting the reluctant will of member states to combat cybercrime. While the adoption of the convention marks a critical step in multilateral cooperation and in consolidating the normative framework for tackling cybercrime, the development is marred by a few caveats. First, while the treaty was adopted unanimously and 72 countries signed the convention in Hanoi, the real test lies in its ratification by states. Historically, even after becoming signatories, states take considerable time to ratify multilateral treaties, as this requires aligning national legislation with treaty provisions. Second, the influence of revisionist states in defining the cybercrime norms reveals newer dynamics at play within the international order. Global cyberspace governance remains an evolving domain, and who gets to define the emergent norms has become a battleground for intense competition between states. The US and its allies moved from vehement opposition to a Russia-led treaty on cybercrime to seeking definitional bargains, and finally to conditional acceptance of the UN convention. However, the fundamental challenge for the convention will be to bridge the gap between normative consensus and the creation of an accountable, robust global governance model.

This commentary originally appeared in Observer Research Foundation.