We’re focused on…
The new UN convention on cybercrime.
Why?
Because the draft text of the UN Convention Against Cybercrime was finalised on 8 August 2024, and we asked Betania Allo (Founder and Principal Consultant, BA Cyber Law & Policy) to tell us more about it.
On the blog this week, we’ve explored some of the details of the convention in a two-part interview. First, we talked about the key strengths and weaknesses of the draft convention; and then we considered how this new convention aligns with existing agreements on cybersecurity.
Here in the newsletter, though, it’s time to get more practical. What does the UN convention mean, in real terms, for cybersecurity practitioners and organisations in UN Member States?
What does the convention mean for international collaboration in cybersecurity?
“The convention introduces a new era of international cooperation in combating cybercrime,” said Allo. “By mandating the implementation of new laws and regulations in Member States, the convention aims to facilitate cross-border investigations and prosecutions. The success of this endeavour hinges on the willingness of nations to collaborate effectively and establish robust mechanisms to address jurisdictional disputes.
“Practically, the convention is expected to bolster national cybercrime laws, deter cyberattacks and create a safer digital environment for businesses and individuals alike. The enhanced capacity to pursue cross-border cybercriminals will undoubtedly increase accountability and deter future offences.
“For cybersecurity practitioners, the convention will expand the legal framework, driving demand for specialised expertise. Professionals will need to navigate a complex legal landscape while fostering international collaboration.
“Businesses will face new obligations, including heightened cybersecurity investments, supply chain security measures, and robust data protection protocols. Balancing these requirements with the need for innovation will be a critical challenge.”
Which provisions of the UN Cybercrime Convention draft (A/AC.291/L.15) would be most beneficial for a diverse audience (including cybersecurity experts, business leaders, governance, risk, and compliance professionals, and government policymakers) to focus on and elaborate upon?
“This topic resonates with a wide range of stakeholders, each with a vested interest in the protection against cybercrime.
“For example, Article 28 outlines the procedures for the search and seizure of electronic data across borders. For cybersecurity experts, this provision is vital as it addresses the technical and legal challenges of accessing data stored in foreign jurisdictions. The clear guidelines provided in this article help ensure that such actions are carried out legally and efficiently, which is critical for timely incident response and mitigation.
“For business leaders, the implications of this article are important, too. It highlights the need for robust data protection measures and a clear understanding of the legal obligations that may arise if their company’s data is subject to international seizure requests. Understanding this provision can help businesses better prepare for potential cross-border legal challenges related to data security.
“A provision particularly relevant for GRC professionals is in the next Article, 29 – it deals with the real-time collection of traffic data; a crucial tool in tracking cybercriminal activities. The article emphasises the importance of lawful surveillance while balancing the need for privacy and civil liberties.
“GRC professionals must understand this balance to develop compliance strategies that align with both the Convention’s requirements and their organisation’s ethical standards.
“For government policymakers, moreover, Article 29 is a focal point for creating regulations that govern real-time data collection. Policymakers need to ensure that such regulations protect national security while also safeguarding individual privacy rights, a balance that is often challenging but essential.
“Article 30, central to the interception of content data, is a critical tool in investigating serious cybercrimes such as terrorism and child exploitation. This provision is crucial for cybersecurity experts who are involved in the technical aspects of lawful interception. Understanding the legal framework governing these activities ensures that cybersecurity measures are both effective and compliant with international law.
“For business leaders, the interception of content data raises important concerns about data privacy and the potential liabilities their companies might face. Being aware of these provisions helps businesses navigate the complex legal landscape surrounding data interception and develop strategies to protect their interests.”
Read our full interview with Betania Allo on the BHMEA blog
In Part 1, find out what sparked Betania’s interest in the UN Convention against Cybercrime, and discover her perspective on the convention’s strengths and weaknesses.
In Part 2, find out how this new convention aligns with existing cybersecurity agreements, and how we can measure the success of the convention when Member States must develop their own local regulations.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!