Has Russia Overplayed Its Hand in UN Cyber Negotiations?
In recent years, the UN General Assembly—especially its First Committee, dedicated to peace and security issues, and the Third Committee addressing social, humanitarian, and cultural issues, including crime prevention and human rights—has seen a surge of technology-related initiatives spearheaded by Russia and China. Nominally aimed at improving online security, their underlying goal is to tilt global cyber governance to a state-centric model that would allow them to exert control over the internet. These proposals draw significant support, particularly in developing countries seeking opportunities to redress structural imbalances that manifest in how the internet economy accrues globally and that too often find themselves bearing the costs of cybercrime they are ill equipped to absorb.
While Russia achieved political success with the 2024 adoption of the UN Convention against Cybercrime (Hanoi Convention) by the General Assembly, it has been far less successful in attaining its substantive goals across UN processes dealing with the cyber domain. The resulting instruments have not, at least so far, adopted Moscow’s authoritarian narrative or the restrictive provisions promoted by Beijing. While few delegations have been as successful as Russia in leveraging the dynamics of multilateral fora to their advantage, recent developments across the UN General Assembly’s main committees show that agenda-setting success does not guarantee control over outcomes. Russia’s geopolitical isolation increasingly offsets the country’s tactical gains, and its maximalist positions alienate regional coalitions and even some traditional allies.
However, Russia and China are playing the long game, often in tandem, and, buoyed by recent wins, they will continue to use UN fora to achieve their aims––authoritarian-leaning governance institutionalized through international frameworks, limits on technology they will advocate for but not comply with, and restrictions on expression and human rights they deem as threats to their regimes. Accordingly, democratic countries cannot define their ambition by blocking potentially harmful procedural moves alone. They need to engage in multilateral processes with strategic discipline: anticipate procedural moves, build coalitions on substantive matters before votes are called, and develop a compelling agenda that offers a credible response to rising cyber insecurity.
The Pursuit of Global Treaties
From the beginning of cyber discussions at the United Nations, Russia has doggedly pursued negotiations of a global treaty—with respect to both transnational cybercrime and, more amorphously, cybersecurity. On cybercrime, Moscow quickly rejected the Convention on Cybercrime (Budapest Convention) negotiated by Council of Europe members and several other countries in 2001 even though the Russian delegation had participated in those negotiations. Though many viewed Budapest as the “gold standard” and 83 countries have signed on to it so far, Russia objected to one provision, claiming it undermined state power to control access to evidence within its territory. Russia, joined by China, honed its opposition to a skillful narrative that appealed to many nonaligned countries, arguing that, regardless of the value of its substantive provisions, the Budapest Convention is a tool to serve Western interests.
Russia’s actual motives were nefarious. The Kremlin hoped for a global treaty that would criminalize content more broadly. Its delegations continually rejected the term “cybercrime” in favor of the broader “crimes committed by and through the use of Information and Communications Technologies (ICTs).” Russia has openly pushed for a new international convention as part of its campaign to support authoritarian control over the internet since the 12th UN Crime Congress in Salvador de Bahía, Brazil, in 2010. Western like-minded states opposed this, arguing that the urgent need was for capacity building and practical implementation, not years of negotiation that would produce an instrument parallel to Budapest. In 2017, Russia presented a letter to the UN General Assembly attaching its own draft convention on crimes committed using ICTs. Their diplomatic consistency, even relentlessness, coupled with a perceived lack of a legitimate alternative from the West, resulted in a relative majority of states voting to launch negotiations in 2019.
On cybersecurity, Russia first proposed an international information security treaty in 1998 when it tabled a Code of Conduct at the UN General Assembly. Following a playbook akin to the one it used to secure a cybercrime treaty, it raised this issue and circulated proposed treaty text in different formats over the years. This included proposals in 2011 with China, in 2015 with the Shanghai Cooperation Group, and in 2023 with a small cadre of states in the Open-Ended Working Group on Information and Communication Technologies in the context of international security (OEWG).
The Russian proposal for an information security treaty had overlapping goals with its cybercrime proposals but went well beyond its aspirations for that instrument. Like Moscow’s cybercrime treaty proposals, it sought to restrain online content in order to protect regime stability and to force technology companies to collaborate with states to secure state power. It also sought to undermine multistakeholder governance of the internet in favor of a state-centric model that would facilitate state control over information. Furthermore, the ICT treaty concept note called for the inadmissibility of unsubstantiated attributions, in particular if those are used to justify sanctions. Such a step would effectively diminish the importance of state attribution in cyber accountability—creating an unrealistically high bar behind which state-supported irresponsible activity could hide.
The proposal was also likely motivated by a desire to constrain the U.S. and its allies’ substantial lead in advancing technology. A treaty banning particular “cyber weapons” would allow Russia to catch up with the West, assuming the latter would comply with constraints, while Moscow would not. A related objective was to create competitive disadvantages for Western-aligned technology companies by increasing the liability associated with normal business operations. This in turn would create advantages for competitors based in autocratic states, who would have no legal impediments to acting as state proxies, something firms headquartered in democratic states could not legally do.
The majority of UN members opposed an information security treaty, arguing, among other things, that existing international law applied and a new treaty was not required. Indeed, a new treaty could call into question the applicability of existing instruments such as the Geneva Conventions. They also posited that:
- ICT technologies were dual use and not amenable to classification and restriction as weapons.
- Technology was moving too fast for a slow-moving treaty process.
- Such a treaty would impinge on human rights and free expression.
- State control of internet governance would interfere with both human rights and innovation.
- Even if new binding obligations were agreed, Russia, China, and others would not comply.
- And, importantly, unlike cybercrime, where there were decades of experience both in practice and in drafting legal prohibitions, international cybersecurity still required time for norms to evolve before any binding obligations could be agreed.
In procedural terms, Russia’s proposal for an ICT Group of Governmental Experts (GGE), first convened in 2004-2005, was intended to lead to treaty negotiations. However, this gambit failed when the GGE, a consensus process, ended in deadlock. In the second GGE in 2009-2011, the U.S. sought to derail the treaty by joining with Russia to propose a cyber stability framework of voluntary, nonbinding norms of responsible state behavior and confidence building measures. Capacity building was also addressed for the first time to address the needs of developing countries. GGEs in 2013 and 2015 agreed and expanded upon various aspects of this framework—including agreement, in principle, on the application of international law in cyberspace, and the elucidation of particular norms and confidence building measures. This framework became the basis for further work in the First Committee. In spite of this agreed consensus, Russia continued to argue that voluntary norms were insufficient and that new binding norms are needed, disputing the adequacy and even applicability of existing international law.
The launch of the UN cybercrime treaty negotiations in May 2021 brought Russia closer to its goal—and set the stage for a similar move on information security. Though emboldened by its procedural success, the Kremlin might have overplayed its hand. States spent considerable resources negotiating the cybercrime treaty, a strain particularly for small and less developed countries, which already had to stretch to cover both the cybercrime and cybersecurity processes. The delegates had to pull cybercrime expertise away from capitals, ironically often including the same officials whose line responsibilities were for day-to-day international cooperation on these same offences. Indeed, the abrupt resolution of divergent positions in the cybercrime negotiations owed less to genuine convergence than to negotiating fatigue.
The Third Committee: The Trick Is in the Implementation
With the 2024 Hanoi Convention, Western-aligned democracies agreed to a new global instrument for the sake of compromise and appeasement, jeopardizing their long-standing strategic priority of keeping the Budapest Convention as the principal framework for transnational cybercrime. By joining the negotiations, the U.S. and like-minded states ceded and legitimized the process by putting aside their opposition and fully participating. However, the decision to influence the talks from within meant that many proposals of Russia and its allies were rejected. Moscow did not achieve the type of information control treaty it wanted. Its submissions for restricting expression, often in tandem with China, were rejected.
The convention’s final text is completely different from the initial document that Russia put forward for negotiations in the hope that it would become the basis for a future treaty draft. That document extended beyond typical cybercrime offenses, encompassing virtually any offense involving technology. The Russian draft contained vague provisions prohibiting the “creation and use of digital data to mislead the user” and incitement to subversive and so-called “extremist” activities, including for political purposes. Instead, the treaty prescribes a much narrower set of traditional cybercrime activities and largely follows the Budapest Convention that Russia reviles—though without the provisions it most disliked. Indeed, many more countries signed up to the Budapest Convention once UN treaty negotiations commenced, as signing up was no longer perceived as a political decision to block such negotiations, but a practical acceptance of the benefits the existing treaty offered. This practice signaled that, as in other cases, the two instruments could coexist.
In sum, Russia’s aspiration to control the substantive direction of the UN treaty process was largely not realized. However, Moscow will have another opportunity to expand the cybercrime convention through additional protocols in early 2027. Considering that its diplomats have been working to build support for new protocols even before the ink dried on the Hanoi Convention’s final text, it is no surprise that both Russia and Egypt have already submitted their proposals to extend criminalization. It is also highly likely that Russia and others will introduce provisions related to artificial intelligence (AI), both to see what they can get adopted and to gauge the level of support for AI “safety”-related treaty proposals among the participating states.
Two questions will ultimately determine which camp can claim the cybercrime treaty as a strategic victory. The first is procedural, whether the Conference of State Parties––the body that will implement its text––becomes a venue for authoritarian revisionism or provides effective oversight to ensure human-rights-respecting implementation. The second is operational, whether the treaty delivers on the promise of increased capacity to fight against cybercrime––a promise that brought developing countries to the negotiating table in the first place.
The first meeting of the Conference of State Parties ended in deadlock largely due to Russia’s obstinate approach to the rules of procedure. However, that inflexibility may prove self-defeating. The stalled process can undermine how like-minded states view future implementation and influence their decision to ratify or accede to the instrument. A treaty implementation filled with friction is less appealing than a functioning mechanism that fulfills its global ambition. It would also be politically easier for democratic countries not to join if the process is closed and transparency is nonexistent. If it is, governments will inevitably face renewed pressure from their constituents and stakeholders who have long railed that states must do their utmost to ensure that the treaty is not abused and genuinely contributes to tackling cybercrime instead of free speech.
Right now, the Hanoi Convention has only limited uptake and slowing momentum. After the initial success, when 72 states became signatories in Hanoi, only Tajikistan and Colombia have formally added their signature, and only Qatar, Azerbaijan, and Vietnam have ratified the instrument. Most countries have dragged their feet on this decision, including major economies such as India, Indonesia, Mexico, Germany, Japan, and Canada. The U.S. has disengaged from the process, with its delegation only observing the latest round of the Ad Hoc Committee from the sidelines, signaling that the U.S. is unlikely to sign let alone ratify it.
The UN cybercrime convention’s operational value continues to be in question. Support for engaging in the process for the new instrument was predicated on its being a catalyst for investment—and that key states with jurisdiction over the data needed for enforcement were participating. This promise is now in peril. The U.S. has defunded a number of cyber-related capacity-building initiatives and will contribute neither funding nor experts to a treaty it has no plans to join. Other donor countries have not stepped up, and many have also limited spending for capacity building.
It is yet to be decided who will provide the technical assistance necessary to operationalize cybercrime investigations and international cooperation. Russia and China could fill the gap. These states have a long history of tying aid and commercial relationships to those countries’ support of their diplomatic efforts to promote their state-centric vision of the internet.
If authoritarian states and their proposals dominate the implementation and follow-on negotiations of the Hanoi Convention, Western democracies will be further dissuaded from joining the instrument or supporting capacity building efforts to implement the treaty. This will make one of the primary benefits of the treaty essentially meaningless: The majority of the electronic evidence needed by virtually every country to investigate cybercrime offenses is within the jurisdiction of the U.S. and a handful of other Western-aligned states. If those countries do not join, that data will be inaccessible under the UN treaty framework, making Budapest the only real option for the large number of states interested in practical cooperation. That, coupled with a lack of meaningful and resourced capacity building, will likely disappoint the many countries that supported a new treaty expressly to achieve these goals and dampen their enthusiasm when Russia courts them for a cybersecurity-focused treaty where promises will again well exceed reality.
The First Committee: The Treaty That Keeps Eluding Russia
The Kremlin sees the UN cybercrime convention as a natural stepping stone for its broader global governance efforts to continue shaping a comprehensive international legal framework regulating the ICT domain. In March 2023, Russia introduced the concept of a UN convention on ensuring international information security. The delegation expressed that “a number of States are afraid of such initiatives like fire, torpedoing the relevant discussion at the international platforms trying to maintain the purely voluntary nature of the abovementioned rules.”
The statement continued with a direct reference to cybercrime:
“We have already faced a similar situation with the topic of combating information crime. At first, a narrow group of States was strongly against the Russian proposal to develop a universal convention in this area. And now, under the UN auspices, the relevant Ad Hoc Committee is working, where all Member States are negotiating the text of a future international treaty. We are sure that the situation will similarly develop with regard to the security in the use of ICTs.”
Supported by Belarus, North Korea, Nicaragua, and Syria under the Assad regime, Russia submitted a draft for such a convention in May 2023 and circulated an updated concept in December 2024.
Although Russia has not yet introduced a resolution to begin such negotiations, it has actively laid the groundwork for it at the recently concluded OEWG on ICTs. The future format––the Global Mechanism––will create a permanent process on technology and security issues. The so-called G-Mech held its organizational session in March 2026 and will officially commence in July.
The two-day session already revealed cracks in the fragile consensus that established the permanent mechanism. Russia and its small band of supporters fought to reopen already agreed upon items, including stakeholder participation in the dedicated thematic groups. Russia also sought to complicate the appointment of state facilitators for those groups, though the G-Mech chair decided to move ahead, appointing those facilitators under her own authority as provided in the original authorizing consensus. Many of the most contentious issues, including the future of international law in cyberspace and whether new binding norms or a new treaty are needed, will be shaped in these thematic groups.
Russia’s tactical priority in the G-Mech will be fighting for legally binding commitments. With growing instability in cyberspace, this proposal may eventually appeal to some states as a viable alternative to voluntary norms, especially if other states do not propose a different mechanism to address escalating cyber insecurity rapidly. Yet the central argument for a treaty––that it requires mandatory compliance instead of voluntary understanding––is illusory. Russia and other states routinely and flagrantly violate international law and other binding obligations—the issue is not whether there are binding rules but whether there is accountability when they are violated.
Whatever their public or diplomatic narrative, the major powers with offensive capabilities have little interest in restrictions on their freedom of action, and practical proposals to move the needle on this issue face obstinate refusals even from the proponents of binding commitments. China has supported the Russian concept for a convention as a “good foundation” for formulating a new law, while simultaneously sidelining proposals circulated in the OEWG to hold states more accountable for malicious cyber activity and rejecting obligations that stem from rules of state responsibility. A paragraph suggesting that states are responsible for proxies operating from their territory was removed from the final consensus report of the second OEWG on China’s demand. Despite Russia’s rhetoric, a treaty does not solve the compliance issue when neither Moscow nor Beijing has any meaningful interest in accountability, but serves only to dilute existing efforts and undermine the consensus reached on the existing stability framework.
Thus far, the proposal for a new cybersecurity-focused treaty has received limited traction. This lukewarm reaction should not make the West complacent. A future Russian resolution passing the UN General Assembly presents a lower hurdle than this apparent lack of interest indicates. Though the First Committee discussions usually include diplomats with at least some cyber expertise, a number of geopolitical and historical dynamics influence UN General Assembly voting. The competing General Assembly resolutions that framed the debate on the permanent mechanism, one put forward by Russia and the other by France, show how states navigate competing visions: Most supported both proposals, almost equally, despite them being not merely different but directly contradictory at points. A simple majority to commence a new process, as with the cybercrime treaty, can be within Russia’s reach––particularly if memories of the cybercrime treaty negotiation’s resource drain and difficulties fade.
The Shifting Center of Gravity
The two UN cyber processes demonstrate a high degree of parallelism in process and substance, and must be understood within the broader norm setting and geopolitical context. Russia and its allies perceive international organizations as key forums to rally support and legitimize their efforts to reshape global governance, to the detriment of democracies. Petr Litvishko, deputy head of Russia’s international legal cooperation directorate, left little space for doubt when he argued in 2024 that the UN cybercrime convention represents “a new universal instrument at our disposal” to conduct what he called “professional, intense and painstaking work to combat information crime” vis-a-vis “the block of ‘unfriendly’ states,” which can only mean the U.S. and Western like-minded states.
Democratic states must maintain a unified front to counter pushes by repressive countries in cybercrime and cybersecurity negotiations. Too often their delegations are prone to hasty compromise as opposed to Russia and its allies, which, while noticeably fewer, are more insistent. Recent actions in the Ad Hoc Committee on cybercrime may portend a helpful change. The like-minded countries’ refusal to compromise or to jump to suboptimal outcomes that could have undermined stakeholder participation is a positive signal. Keeping stakeholders in the implementation and review process could provide a counterweight to Russia’s hope to expand the remit of the Hanoi Convention to achieve what it could not in the original negotiations. Moreover, if the cybercrime treaty becomes an effective instrument for greater accountability and works against pervasive government-granted safe havens for cybercriminals, it could help tame the proponents’ appetite to propose new rules for cyberspace writ large that similarly may end up being to their detriment.
For broader agenda-setting efforts, it is important to dissuade Russia and its allies from launching a new treaty process on cybersecurity. Though the cybercrime treaty illustrates that “he who has the deal does not control the cards,” beginning a new protracted treaty process risks undermining 30 years of diplomacy and severely harming digital human rights. The issue is not whether cyberspace needs more accountability, but how to achieve it, and nonaligned countries that seek protection from rising cyber threats will decide the next step.
The West needs a new, positive agenda that is constructive and not reactive, and one that is defined and elaborated together with developing states—and, ideally, led by those states. Accordingly, like-minded countries must continually engage with nonaligned states on issues of common interest, such as increased capacity building, including how to apply international law in cyberspace. They should also amplify nonaligned states’ procedural objections grounded in fears of duplication and resource constraints.
Today’s reality is a shift in the cyber debate’s center of gravity. The U.S. and Russia dominated UN cyber discussions for two decades. Now, Russia and China are central players, whereas the U.S. has seemingly withdrawn from the front lines of multilateralism. Yet even if it is no longer an anchoring point for UN cyber discussions, and regardless of whether it is currently an effective advocate for the applicability of international law in the cyber or physical worlds, the U.S. has maintained its core positions. The current administration holds the line against any negotiation of an information security treaty. Furthermore, American diplomacy has a strong self-interest in ensuring the cybercrime treaty develops around human-rights-respecting standards.
The next round of this contest for the future hinges on two things: how democratic countries approach the cybercrime convention protocol negotiations, and whether Western like-minded states can articulate a positive counterproposal in cybersecurity that addresses the underlying causes of growing cyber insecurity. Allowing Russia to continue to have the only proposal on the table is a recipe for failure.
