The agreement aims to help law enforcement prosecute cross-border cybercrime, but the final treaty could allow unchecked surveillance and human-rights abuses, critics say, and it includes no protection for pen testers.

October 30, 2025

As China, Iran, Russia, and the European Union signed onto a new global cybercrime treaty, the United States and a minority of other nations continue to voice concerns over the global agreement's impact on human rights — and the expansion of covered crimes to include any "serious" offense enabled by information and communications technology (ICT).

On Monday, more than 70 nations signed on to the treaty — formally, the United Nations Convention Against Cybercrime — pledging to aid in the investigation and prosecution of any "criminal offences ... committed through the use of information and communications technology systems," according to a copy of the document. Signers of the agreement promise to cooperate on "serious" crimes, which include any violation of law that carries a maximum prison sentence of at least four years.

The scope of the treaty extends far beyond serious cybercrimes to many activities protected by most democratic nations, including dissent, whistleblowing, and even security research, according to Nick Ashton-Hart, head of the Cybersecurity Tech Accord, a policy group whose members include major companies such as Cisco, Meta, Microsoft, and SAP.

"There are weak criminal-intent requirements on the specific offenses in the convention, with no protection against criminal liability for security researchers and penetration testers," he says. "In fact, journalists' sources and whistleblower activities could also be criminalized."

The language in the treaty has split nations into two groups: human-rights-focused nations that want strong protections and want international cooperation limited to major cybercrimes only, and those nations that see the treaty as a way to enable broad investigations of people who may not even be charged with a crime, Ashton-Hart adds. Provisions in the document provide for real-time surveillance of individuals, confiscation of assets, and the control of corporate systems by law enforcement in another country — all without the requirement of notification, he says.

The United Nations focused on the new capabilities that the treaty would deliver, which include the collection, sharing, and use of electronic evidence, as well as the criminalization of the dissemination of child sexual abuse images and non-consensual intimate images.

"The UN Cybercrime Convention is a powerful, legally binding instrument to strengthen our collective defenses against cybercrime," UN Secretary-General António Guterres said in a statement announcing the signing of the document. "It is a testament to the continued power of multilateralism to deliver solutions. And it is a vow that no country, no matter their level of development, will be left defenseless against cybercrime."

Yet, many nations signing the treaty may not have such laudable goals. In 2019, Russia began the process to establish the treaty, when its delegates sponsored a resolution to create a framework for combatting cybercrime. The other signatories included a list of authoritarian countries: Belarus, Cambodia, China, Iran, Myanmar, Nicaragua, Syria, and Venezuela, with the highest-ranking country among the sponsors earning a 2.94 on The Economist's 10-point Democracy Index for 2024.
For comparison, the Index's most democratic nation, Norway, scored a 9.81. The Nordic country did not sign the UN cybercrime treaty, either.

Looking at the group of founders should make any policy watcher skeptical, especially with much of the cybercriminal activity coming from China and Russia, says Zach Edwards, a senior threat analyst with Silent Push, a cyberthreat intelligence firm. He pointed to massive economic costs caused by cybercriminal groups in China and Russia.

"It's ... naive to believe that Russia and China are suddenly going to change these policies that they've had for decades," he says. "In both of those countries, there are cybercriminal groups and organizations that promote and support cybercrime, while also being used by their governments' APTs [state-sponsored advanced persistent threats]."

On the other hand, notable non-signing nations beyond the US include Canada, Israel, and New Zealand. Also notable, the UN Cybercrime Treaty is a rare common policy stance between the current and former US administrations. The Biden administration had engaged with the UN during the process, while the Trump administration appears to be taking a similar approach.

In addition, tech companies — such as Microsoft and Google — and digital-rights groups, such as the Electronic Frontier Foundation (EFF), have criticized the current form of the cybercrime treaty.

Listen to this month's Dark Reading Confidential podcast, Cyber's Role in the Rapid Rise of Digital Authoritarianism, featuring Ronald Deibert from Citizen Lab and David Greene from the EFF. Enterprise cyber teams are in prime position to push back against our current "Golden Age of Surveillance," according to our guests.

Digital rights groups are also worried. On Oct.
24, Human Rights Watch published a joint statement by nearly 20 organizations that raised concerns with the treaty.

"The Convention, the first global treaty of its kind, extends far beyond addressing cybercrime — malicious attacks on computer networks, systems, and data," the collection of organizations stated. "It obligates states to establish broad electronic surveillance powers to investigate and cooperate on a wide range of crimes, including those that don't involve information and communication systems. It does so without adequate human rights safeguards."

In their joint statement, the groups urged nations not to sign the treaty, or at the very least, to establish strong human-rights safeguards and create policy for public- and private-sector organizations, which are facing increasing requests for information on protected activities.

"The Convention's flaws cannot easily be mitigated, because it lacks a mechanism for suspending states that systematically fail to respect human rights or rule of law," the group said. "It could also provide a vehicle for such states to assert jurisdiction over multinational companies with users in their territory."

Global companies and those that do business in nations with repressive governments should expect an uptick in requests for cooperation with investigations. Because of the light protections for human rights in the current treaty, companies may have little recourse but to provide information, says Silent Push's Edwards.

"This absolutely will create risks for users because as soon as it goes into effect, the big cloud companies are just going to be inundated ... with requests from authoritarian countries for data on their users," he says. "They will have to make really [hard] judgment calls and spend a lot of resources to navigate that."

The treaty will not take effect until 40 countries have adopted the cybercrime treaty as part of their laws.

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.