Cybercrime and the crisis of global governance

Late last year, the United Nations (UN) convened a signing ceremony for the seminal new ‘Convention against Cybercrime’, the only multilateral criminal justice instrument to be negotiated in over two decades. India was among the many large member states that didn’t sign the convention, along with the United States, Japan and Canada, indicating fractures in the global governance of cyberspace. The text adopted by the General Assembly in December 2024, received support from 72 countries.

Conceived through a resolution proposed by Russia in 2017, the Convention represents the culmination of negotiations among UN members, with inputs from civil society experts and private sector actors. It took eight formal sessions and five intersessional consultations for the UN to generate some consensus. This saga underlines challenges in global governance which implicate India. An uncertain global order, coupled with a widening gulf between international legal principles and their practice, may lead to a polycentrism that the country is not fully equipped to handle. 

Uncertain allegiances

Russia and China collaborated to bring the UN Convention to fruition. Theirs was a united front to reshape the status quo of global cyber governance frameworks, which so far hinged on the 2001 Budapest Convention on Cybercrime, a European effort with 76 parties, not involving either Russia or China. The Budapest Convention limits accession to only invited states and is therefore inherently non-inclusive, and India fittingly stayed out of it.

Conversely, the UN Convention is open to all, but still saw a lot of division. The Europeans signed it because it borrows definitions and even substantive procedure from their Budapest Convention. It would seem incongruent for them not to join. Besides, they would rather sit-in on global rulemaking. A July 2025 EU Council document justified this decision as a means to ensure that it has a “meaningful voice early in the implementation” of the new framework. The Americans were sceptical of the Sino-Russian effort. Several of their civil society groups also warned that the Convention’s broad definition of serious crimes, could enable prosecution of journalists, activists, or political opponents of authoritarian leaders.

India’s reluctance to sign perhaps represents a different calculus. Unlike in the case of the Budapest Convention, New Delhi actively engaged in the negotiations of the UN Convention. But its proposals, such as those aimed at retaining greater institutional control over its citizens’ data, were not retained. The country hasn’t got its way in global rulemaking over the last two decades, eroding gains made in the early days of the climate change conventions where it united a group of 77 developing countries.

Russia and China perhaps see a weakened UN as worthy platform to legitimise an otherwise cynical worldview, the Europeans and other receding powers cling on to the high-table, a revivalist U.S. doesn’t want to hand over the keys to the kingdom, and an ever-cautious India doesn’t want to give up institutional control. The divisions seen in Hanoi even cut across plurilateral groups such as the Quad and the Five Eyes and underscores that the intricate geopolitics of today. 

Gulf between principles and practice

The UN Convention also exposes a widening gap between international legal principles and on-ground realities. The negotiations began with wide agreement on the urgency of addressing online harms, such as the creation and distribution of child sexual abuse material. But the definition of cybercrime in the Convention is not precise enough to limit it to areas of consensus. Instead, it allows signatories to stretch the scope of criminal offences, potentially to the detriment of human rights. Standard procedural safeguards, such as the need for judicial review in criminal law, are tethered to the prevailing domestic frameworks of the signing parties.

A similar pattern follows the global governance of artificial intelligence (AI). Here too, governments, including India, have coalesced around broad principles that AI should be “safe, secure, and trustworthy”, “human-centric”, and consistent with international law. From the OECD’s AI Principles to the G7’s Hiroshima Process and the UN’s Global Digital Compact, the language of consensus is universal.

Yet, as in the case of the Cybercrime Convention, consensus on principles masks large divergences in practice. India’s rulemaking efforts on watermarking of AI-generated content on social media is a recent example. It anchors on the universally accepted principle of user-safety. But the draft rules envision a potential mandate that social media companies carry labels that cover 10% of the body of any AI-generated content, an exceptionally prescriptive means of implementing an accepted principle. 

Polycentricism 

Global governance is facing a serious crisis that is no cause for celebration. The U.S. has significantly curtailed its financial contributions to the UN. The impotence of the Security Council is evident in modern conflicts from Ukraine to Gaza. The World Trade Organization’s dispute-settlement system is paralysed since 2019. This latest Convention also shows that relatively new issues like cyber governance are unlikely to produce consensus responses.  

The emerging global order relegates multilateralism to high-level principles, and depends on smaller, plurilateral or bilateral groups for consensus on operating clauses. But this leads to polycentricism, with institutional overlaps and interactions that continually test state-capacity. Attempts at international governance of cross-border data flows has seen this play out, and so now will cybercrime. The idea that data should flow between trusted partners is near universal, but mechanisms to realise this are not. 

India will struggle to retain its much-cherished institutional autonomy in global governance unless it builds technical capacities to engage on several levels all at once. Domestically, the canvas for regulatory and administrative reforms is vast, and the hour of action is here.

* Vivan Sharan and Sukanya Thapliyal are public policy experts in Koan Advisory Group, New Delhi. 

Published – January 27, 2026 12:36 am IST