Cybercrime and Its Impact on Global Governance

India must build technical capacity to navigate the complex landscape of international cyber governance amidst rising global tensions.
Gopi
UN Convention on Cybercrime: Fragmented Global Consensus

1. Background: Emergence of the UN Convention against Cybercrime

The United Nations adopted the text of the ‘Convention against Cybercrime’ through the General Assembly in December 2024, marking the first multilateral criminal justice treaty negotiated in over two decades. The Convention was conceived through a 2017 Russian-sponsored resolution and required eight formal negotiation sessions and five intersessional consultations, reflecting both urgency and deep disagreement.

The Convention seeks to establish a global legal framework to address cyber-enabled crimes, responding to rising digital harms such as online fraud, child sexual abuse material, and cross-border cyber offences. Its universal ambition contrasts with earlier instruments that were geographically or politically limited.

However, only 72 countries supported the final text, and several major digital powers, including India, the United States, Japan, and Canada, did not sign the Convention at the initial ceremony. This non-participation underscores fragmentation in global cyber governance.

The episode highlights the difficulty of achieving consensus in an increasingly contested international system, particularly in domains where technology, sovereignty, and human rights intersect.

The governance logic is that cybercrime requires collective responses, but weak consensus leads to diluted norms; if ignored, fragmented approaches will reduce enforcement effectiveness and increase regulatory arbitrage.


2. Competing Cybercrime Frameworks and Global Power Alignments

Global cyber governance has long been shaped by the 2001 Budapest Convention on Cybercrime, a Europe-led initiative with 76 parties. Its restricted accession model excluded countries like Russia, China, and India, limiting its claim to universality and legitimacy.

The UN Convention was positioned as an alternative, open to all states and negotiated multilaterally. Russia and China collaborated closely to advance it, seeking to reshape global cyber norms away from Euro-Atlantic dominance and towards state-centric control over cyberspace.

European states signed the UN Convention despite reservations, as it borrows several definitions and procedures from the Budapest Convention. An EU Council document (July 2025) justified participation as a way to retain influence during implementation rather than remain outside rule-making.

The United States and allied civil society groups expressed concern that the Convention’s broad definitions of “serious crimes” could enable misuse against journalists, activists, or political opponents, particularly in authoritarian contexts.

The underlying logic is strategic positioning rather than legal coherence; ignoring this dynamic risks normalising power-driven rulemaking over rights-based governance.


3. India’s Position and Constraints in Global Rulemaking

India actively participated in negotiations on the UN Convention, unlike its disengagement from the Budapest framework. However, key Indian proposals, particularly those aimed at retaining stronger institutional control over citizens’ data, were not incorporated into the final text.

India’s decision not to sign reflects a cautious calculus: participation without sufficient safeguards could dilute domestic sovereignty over data and law enforcement processes. This contrasts with earlier successes in global negotiations, such as climate change, where India led coalitions like the Group of 77.

Over the past two decades, India has struggled to shape outcomes in emerging areas of global governance, including digital trade, data flows, and cyber norms. This has gradually eroded its bargaining leverage in multilateral forums.

The divisions over the Convention also cut across plurilateral groupings such as the Quad and Five Eyes, indicating that shared strategic interests do not automatically translate into common digital governance positions.

The governance reasoning is that participation without influence weakens autonomy; if ignored, India risks being a rule-taker in domains critical to national security and development.


4. Digital Constitutionalism and the Rights–Security Tension

The Convention reveals a widening gap between international legal principles and domestic implementation. While negotiations began with broad agreement on addressing universally condemned harms, such as child sexual abuse material, the final text lacks precise limits on what constitutes cybercrime.

This flexibility allows signatory states to expand criminal offences under domestic law, potentially infringing on freedom of expression, privacy, and due process. Procedural safeguards, including judicial oversight, are made contingent on existing national legal frameworks rather than universal standards.

Such an approach weakens the idea of digital constitutionalism, where cyberspace governance is anchored in shared rights-based principles. Instead, it legitimises divergent practices under the cover of multilateral consensus.

The result is a system where the same treaty can enable both rights-protective and rights-restrictive outcomes, depending on domestic political contexts.

The logic is that vague norms prioritise agreement over protection; if ignored, international law may legitimise rights dilution rather than constrain it.


5. Parallels with Global Governance of Artificial Intelligence

A similar pattern is visible in the governance of artificial intelligence. Globally, states agree on high-level principles such as “safe, secure, and trustworthy” AI, reflected in instruments like the OECD AI Principles, the G7 Hiroshima Process, and the UN Global Digital Compact.

However, consensus at the level of principles masks significant divergence in regulatory practice. India’s draft rules on watermarking AI-generated content illustrate this gap. While grounded in the accepted principle of user safety, the proposal envisages highly prescriptive measures, such as labels covering 10% of content.

This mirrors the cybercrime debate, where shared objectives coexist with contested implementation strategies. Such divergence increases compliance costs and complicates cross-border digital operations.

The absence of harmonised operational norms risks fragmenting the global digital ecosystem, even as technologies like AI and cybersecurity are inherently transnational.

The governance takeaway is that principle-only consensus is insufficient; if ignored, implementation conflicts will undermine trust and cooperation.


6. Polycentricism and the Erosion of Multilateral Effectiveness

The cybercrime Convention reflects a broader crisis in multilateral governance. The U.S. reduction in UN funding, paralysis of the WTO dispute settlement system since 2019, and the Security Council’s ineffectiveness in conflicts such as Ukraine and Gaza illustrate systemic weakening.

In this context, global governance is increasingly limited to broad principles, while operational rules emerge through smaller bilateral or plurilateral arrangements. This leads to polycentricism, marked by overlapping institutions and competing norms.

Cyber governance and cross-border data flows exemplify this trend. While the idea of data sharing among “trusted partners” is widely accepted, there is no consensus on mechanisms to operationalise trust.

Such fragmentation places high demands on state capacity, as countries must engage simultaneously across multiple forums with differing rules and expectations.

The logic is that fragmented governance strains institutions; if ignored, capacity gaps will translate into strategic vulnerabilities.


7. Implications for India and the Way Forward

India’s ability to preserve institutional autonomy in a polycentric global order depends on strengthening domestic technical, legal, and negotiating capacities. Regulatory and administrative reforms must keep pace with technological change.

Domestically, India faces a vast reform agenda to align cybersecurity, data protection, and AI governance with global debates while safeguarding national interests. Internationally, sustained engagement across multiple forums is essential to avoid marginalisation.

Without such capacity-building, India risks being constrained by externally defined norms that may not align with its developmental and security priorities.

The governance logic is that autonomy flows from capacity; ignoring this will lock India into reactive rather than agenda-setting roles.


Conclusion

The UN Convention against Cybercrime exemplifies the tensions shaping contemporary global digital governance: inclusivity versus precision, sovereignty versus rights, and consensus versus effectiveness. For India, navigating this landscape requires moving beyond caution to capability-building. In the long term, only sustained institutional and technical strengthening can enable meaningful participation in shaping rules that will define the digital foundations of governance and development.

Quick Q&A

Everything you need to know

Overview: The UN Convention against Cybercrime, adopted by the General Assembly in December 2024, is the first multilateral criminal justice instrument focused on cybercrime in over two decades. It was conceived to address online harms including cyberattacks, distribution of child sexual abuse material, and other forms of cyber-enabled offenses.

Significance:

  • It represents an effort to create a universal legal framework for cybercrime enforcement, open to all UN member states.
  • It challenges existing frameworks such as the Budapest Convention, making cyber governance more inclusive for countries previously excluded.
  • It underscores the geopolitical dimensions of cyberspace, with major powers like Russia and China driving its agenda and countries like the U.S., India, Japan, and Canada opting not to sign, reflecting global divisions in priorities and principles.

Implications: The Convention could harmonize definitions of cybercrime, enhance cooperation in investigations, and facilitate extradition and legal assistance. However, broad definitions may allow signatories to stretch criminalization to potentially infringe on human rights, highlighting the delicate balance between enforcement and civil liberties.

Institutional control and data sovereignty: India’s primary concern was retaining greater institutional control over its citizens’ data and cyber operations. Although New Delhi participated in negotiations and proposed amendments, its suggestions were largely not incorporated into the final text.

Strategic caution: India is navigating a polycentric global order where multiple power centers, including the U.S., China, and Europe, have differing approaches to cyber governance. Signing a convention driven largely by Sino-Russian interests could compromise India’s autonomy in regulating domestic cyberspace.

Geopolitical calculus: Non-signature allows India to preserve flexibility in bilateral and plurilateral arrangements, including partnerships under the Quad and other cybersecurity frameworks. This approach enables India to engage on its own terms, rather than cede rulemaking influence to an international framework that may not align with national priorities or democratic safeguards.

Broad and flexible definitions: The Convention allows signatories to interpret cybercrime offenses in ways that may extend beyond initial objectives, such as prosecuting journalists, activists, or political dissenters in authoritarian contexts.

Procedural disparities: Safeguards like judicial review depend heavily on domestic legal frameworks, meaning uniformity in enforcement is limited. Countries with weak legal institutions or divergent human rights standards may implement the Convention differently from its intended purpose.

Illustrative parallels: Similar challenges arise in global AI governance. While principles such as safety, transparency, and human-centric AI are widely agreed upon, implementation—such as India’s draft rules for AI content watermarking—can be prescriptive and vary from the principle’s spirit. This underscores that consensus on high-level norms often masks substantive divergences in practice.

Pros:

  • Preserves institutional autonomy and control over domestic cybersecurity policy.
  • Prevents exposure to broad definitions that could infringe on citizens’ privacy or civil liberties.
  • Allows India to engage selectively in bilateral or plurilateral arrangements with like-minded nations, optimizing strategic influence.

Cons:

  • Limited participation in formal rule-making could reduce India’s influence in shaping international cyber norms.
  • May complicate cross-border cooperation for cybercrime investigations with signatory states.
  • Could be perceived as hesitancy to participate in global governance, affecting India’s credibility in multilateral forums.

Balanced perspective: India’s approach emphasizes caution and sovereignty. However, sustaining technical and diplomatic capacities is essential to mitigate risks of non-participation while remaining a key actor in cyber governance.

Domestic impact: India can design regulations such as the draft AI watermarking rules without being constrained by international definitions. This allows targeted enforcement and adaptation to local conditions, aligning with national priorities for data privacy and security.

International influence: India can participate in forums like the Quad Cybersecurity Dialogue or the G20 digital economy track to shape operational standards and trusted partnerships. This approach allows India to negotiate norms bilaterally or plurilaterally while avoiding blanket commitments that may conflict with domestic law.

Strategic leverage: By engaging actively yet selectively, India retains bargaining power, shaping cooperation frameworks on cross-border data flows, cybercrime investigations, and AI governance, without diluting institutional autonomy.

Complexity of multiple centers: Polycentricism means that no single institution or treaty dominates global cyber governance. Multiple overlapping groups—including the UN, Quad, Five Eyes, EU initiatives, and bilateral agreements—create varying standards and obligations.

Resource and capacity strain: Engaging simultaneously with diverse rules, standards, and stakeholder expectations requires advanced technical, legal, and diplomatic capacities. For India, aligning domestic law with multiple international commitments without compromising sovereignty is a significant challenge.

Implications: Failure to build multi-level technical and institutional capabilities could result in India being sidelined in norm-setting, jeopardizing its influence over cross-border data governance, cybersecurity collaboration, and digital trade rules.

Principle vs. practice: India’s AI governance efforts, such as proposed watermarking of AI-generated content, align with universally accepted principles like user safety and transparency. However, the implementation is highly prescriptive, showing that operationalizing broad principles often creates technical and regulatory challenges.

Global parallels: Similar to the UN Cybercrime Convention, consensus on AI principles masks large divergences in practice across countries. India must reconcile domestic priorities with international norms while maintaining enforcement effectiveness and protecting rights.

Strategic takeaway: The AI example illustrates that India’s engagement in digital governance requires strong institutional capacity, multi-level coordination, and technical expertise to influence norms effectively without compromising sovereignty or innovation.
