Cybercrime and a global governance crisis
I have sufficient grounded facts from Tier 1 and Tier 2 sources. Compiling the study note now.
Cybercrime and a Global Governance Crisis
UPSC Prelims + Mains Study Note
1. At a Glance
- Core issue: A fracture in global multilateral consensus on combating cybercrime — symbolised by the divergent responses to the UN Convention against Cybercrime (2024) versus the older Budapest Convention (2001). [S1]
- India's position: India did not sign the 2024 UN Convention at the Hanoi signing ceremony, alongside the US, Japan, and Canada — signalling a geopolitical fault line in cyberspace governance. [S4]
- UPSC relevance: Spans GS-II (international institutions, India's foreign policy), GS-III (cyber security, internal security), and contemporary IR — a live, high-probability Mains topic for 2025-26.
- Stakes: The emerging order risks polycentrism — multiple, competing cyber-governance regimes — leaving developing nations with fragmented legal tools against cross-border cybercrime. [S4]
2. Why in the News
- December 2024: UN General Assembly adopted the Convention against Cybercrime — the first multilateral criminal justice instrument in over two decades. [S1][S2]
- 2025: The Convention was opened for signature at a formal ceremony hosted in Hanoi, Vietnam. It will enter into force 90 days after ratification by the 40th signatory. [S1]
- January 27, 2026: The Hindu analysis highlighted India's abstention and the fault lines this reveals in global cyber governance. [S4]
- The Convention received support from 72 countries at adoption — a narrow majority among 193 UN members, illustrating contested multilateralism. [S4]
3. Background & Evolution
| Year | Milestone |
|---|---|
| 2001 | Budapest Convention on Cybercrime adopted by the Council of Europe — first binding international instrument; dominated by Western/European states. [S5] |
| 2017 | Russia proposed a UN General Assembly resolution to negotiate a new, universal cybercrime treaty — challenging Budapest's Western-centric framework. [S4] |
| 2019 | UNGA resolution passed to establish an Ad Hoc Committee to draft the new convention. [S3] |
| 2021 | UNGA formally approved the terms of negotiation amid concerns over a "rushed" vote. [S3] |
| 2019–2024 | 8 formal sessions + 5 intersessional consultations held involving member states, civil society, and private sector. [S4] |
| December 2024 | UNGA adopted the UN Convention against Cybercrime — UN Secretary-General Guterres welcomed it as the first criminal justice treaty in 20+ years. [S1][S2] |
| 2025 | Signing ceremony in Hanoi, Vietnam; India, US, Japan, Canada among major non-signatories. [S4] |
4. Core Static Facts
UN Convention against Cybercrime (2024) - Full name: United Nations Convention against Cybercrime - Adopted by: UN General Assembly, December 2024 [S1] - Proposed by: Russia via a 2017 UNGA resolution [S4] - Support at adoption: 72 countries [S4] - Entry into force: 90 days after 40th ratification [S1] - Signing venue: Hanoi, Vietnam [S1] - Scope: Online child sexual abuse, online scams, money laundering, electronic evidence [S1] - Nature: First international criminal justice treaty in over 20 years [S1][S2] - Key supporters: Russia, China (joint advocates for reshaping global cyber governance) [S4] - Notable non-signatories: India, USA, Japan, Canada [S4]
Budapest Convention on Cybercrime (2001) - Full name: Convention on Cybercrime (ETS No. 185) - Adopted by: Council of Europe, 2001 [S5] - Nature: Regional (European) in origin; open to non-member states for accession - Criticism: Western-centric; does not include major economies like India, Russia, China as parties
India's Domestic Framework - Primary law: Information Technology Act, 2000 (IT Act) — covers identity theft, impersonation, harmful content [S6] - Implementing body: Ministry of Electronics and Information Technology (MeitY) — Cyber Laws Division [S7] - Coordination body: Indian Cyber Crime Coordination Centre (I4C) — under Ministry of Home Affairs [S8] - Reporting portal: cybercrime.gov.in — National Cyber Crime Reporting Portal [S8] - Data agency: National Crime Records Bureau (NCRB) — publishes annual Crime in India report with cybercrime statistics [S9] - Parent ministry (security): Ministry of Home Affairs (MHA) [S6][S8]
5. Multi-Dimensional Analysis
Geopolitical / Strategic
- Russia–China axis jointly pushed the 2024 UN Convention to displace the Budapest Convention's Western primacy — a direct challenge to the liberal international order in cyberspace. [S4]
- India's non-signing reflects strategic ambiguity: India neither endorses the Budapest framework (to which it is not a party) nor the Russia-China-led alternative — a classic strategic autonomy posture. [S4]
- The fracture risks polycentrism — multiple competing cyber-governance regimes — complicating mutual legal assistance in cybercrime investigations for countries like India. [S4]
- INTERPOL welcomed the 2024 Convention, viewing it as a boost to international law enforcement cooperation. [S3]
Legal / Constitutional
- The Budapest Convention remains the operative global standard for 68+ signatory states; its electronic evidence and mutual legal assistance (MLA) provisions are widely implemented. [S5]
- India's IT Act, 2000 covers major cybercrime categories domestically but lacks robust bilateral/multilateral MLA mechanisms for cross-border enforcement — a gap the UN Convention could have addressed. [S7]
- The new UN Convention addresses crimes like child sexual abuse material (CSAM) online and money laundering — areas where India has active domestic legislation (POCSO, PMLA) but limited international legal reach. [S8]
- Civil society groups (including from India) raised concerns over the Convention's potential for misuse to suppress dissent — a significant objection from democratic nations. [S4]
Technological / Scientific
- Modern cybercrime increasingly involves AI-driven attacks — a 2024-25 PIB release specifically flagged AI-driven cybercrime as a rising threat to India's financial system. [S10]
- I4C (Indian Cyber Crime Coordination Centre) uses analytics and inter-agency coordination to counter cybercrime — but its mandate is domestic; cross-border enforcement requires treaty frameworks. [S8]
- The absence of a universally ratified framework means electronic evidence obtained in one country may not be admissible or shareable with another — a direct investigative bottleneck.
Governance / Ethical
- The multilateral vs. plurilateral tension: the 2024 Convention follows multilateral consensus (UNGA), while Budapest relies on a club-based (European) model — both have legitimacy deficits for different reasons. [S4]
- Civil society and human rights groups warned that the Convention's broad surveillance provisions could be used by authoritarian states to monitor dissidents under the guise of cybercrime enforcement. [S4]
- India's abstention also signals discomfort with both poles — the Russian-led maximalist surveillance approach and the American-led data-localisation resistance. [S4]
Economic
- PIB data confirms Indian citizens face massive losses from cyber fraud — the National Cyber Crime Reporting Portal handles lakhs of complaints annually. [S11]
- Cross-border cybercrime (scam call centres, mule accounts, ransomware gangs) causes measurable economic damage; the absence of enforceable international treaties directly hampers recovery of funds and prosecution. [S8]
- AI-driven financial fraud targeting Indian banking customers was flagged as a growing threat by MHA in 2025. [S10]
Administrative
- I4C under MHA and CERT-In under MeitY represent a split administrative architecture — operational response (MHA) vs. technical/policy (MeitY) — creating coordination needs. [S7][S8]
- State police handle cybercrime FIRs but lack capacity and international reach; all cross-border legal assistance routes through the MHA's treaty division — a single-point bottleneck. [S6]
6. Recent Developments (Last 12–18 Months)
- December 2024: UNGA adopted the UN Convention against Cybercrime by consensus of 72 supporting states; UN Secretary-General Guterres called it historic. [S1][S2]
- 2025: Signing ceremony hosted in Hanoi, Vietnam; India, US, Japan, Canada did not sign. [S1][S4]
- 2025 (PIB): MHA press release highlighted AI-driven cybercrime as a priority threat, outlining new measures to curb financial losses. [S10]
- 2024–25 (PIB): Government announced steps to curb cyber frauds in Digital India — including expansion of cybercrime.gov.in and citizen awareness campaigns. [S11]
- November 2024 (MHA/Rajya Sabha): Government replied to Parliament on steps to deal with cybercrime in a "comprehensive and coordinated manner" — referenced I4C and NCRB data. [S8]
- January 27, 2026: Analysis in The Hindu explicitly linked India's non-signature to the "global governance crisis" and the risk of polycentrism in cyberspace. [S4]
7. Prelims Hooks
- The UN Convention against Cybercrime was adopted by the UN General Assembly in December 2024 — the first multilateral criminal justice treaty in over 20 years. [S1]
- The Convention was originally proposed via a 2017 UNGA resolution initiated by Russia. [S4]
- The Convention opens for signature in Hanoi, Vietnam; enters into force after 40 ratifications. [S1]
- At adoption, 72 countries supported the Convention — India, USA, Japan, and Canada did not sign. [S4]
- The Budapest Convention on Cybercrime (2001) was adopted under the Council of Europe — it is NOT a UN instrument. [S5]
- India's primary domestic cybercrime law is the Information Technology Act, 2000 (administered by MeitY). [S7]
- The Indian Cyber Crime Coordination Centre (I4C) functions under the Ministry of Home Affairs, not MeitY. [S8]
- The National Cyber Crime Reporting Portal URL is cybercrime.gov.in, launched as part of I4C. [S8]
- NCRB (National Crime Records Bureau) is the nodal agency for cybercrime statistics under Crime in India report. [S9]
- The UN Convention took 8 formal sessions + 5 intersessional consultations to negotiate. [S4]
- INTERPOL formally welcomed the adoption of the 2024 UN Cybercrime Convention. [S3]
- The term polycentrism in cyber governance refers to the emergence of multiple competing international regimes with no single dominant framework. [S4]
- Russia and China collaborated to bring the 2024 UN Cybercrime Convention to fruition as an alternative to the Budapest framework. [S4]
- The Budapest Convention is criticised for being Western/European-centric; India, Russia, and China are not parties to it. [S4][S5]
- AI-driven cybercrime targeting India's financial sector was flagged by the Ministry of Home Affairs in a 2025 PIB release. [S10]
8. Mains Relevance
GS Papers: - GS-II: International institutions and treaties; India's foreign policy; bilateral/multilateral groupings - GS-III: Cyber security; internal security; challenges to internal security through communication networks - GS-IV (marginal): Ethical issues in technology; transparency and governance
Specific syllabus headings: - GS-II: "Important International Institutions, agencies and fora — their structure, mandate" - GS-III: "Basics of cyber security; money-laundering and its prevention; role of external state and non-state actors in creating challenges to internal security"
Plausible Mains Question Stems: 1. "The fractures in global cyber governance revealed by the 2024 UN Convention against Cybercrime indicate a widening gulf between multilateral principles and their practice. Examine India's strategic options in this evolving landscape." (GS-II, 250 words) 2. "India's non-signature of the UN Convention against Cybercrime reflects a broader tension between digital sovereignty and international legal cooperation. Critically analyse." (GS-II/III, 250 words) 3. "Evaluate the adequacy of India's domestic legal and institutional framework — IT Act 2000, I4C, and CERT-In — in combating the growing menace of cross-border cybercrime." (GS-III, 150 words)
9. Related Topics to Study Next
| Topic | Connection |
|---|---|
| Budapest Convention on Cybercrime (2001) | The predecessor framework the 2024 treaty seeks to replace; examinable in IR context |
| Information Technology Act, 2000 & IT Amendment Act, 2008 | India's domestic legal spine for cybercrime; Prelims-heavy |
| CERT-In (Indian Computer Emergency Response Team) | Technical arm under MeitY; complements I4C on incident response |
| Digital Personal Data Protection Act, 2023 | Interacts with cyber governance — data protection vs. law enforcement access |
| Cyber Sovereignty vs. Open Internet Debate | Core ideological divide between democratic and authoritarian models of internet governance |
| India's Stance on Internet Governance (ITU vs. multi-stakeholder model) | Same geopolitical fault line as the cybercrime treaty dispute |
| Money Laundering & FATF | The 2024 Convention explicitly addresses cybercrime-linked money laundering; FATF is the parallel financial governance body |
| INTERPOL's role in cybercrime | Operational counterpart to treaty frameworks; India is an INTERPOL member |
10. Common Errors / Trap Areas
- Budapest Convention ≠ UN instrument: It was adopted by the Council of Europe in 2001, not the UN. Aspirants often confuse it with a UN treaty. India is not a party to it.
- I4C under MHA, not MeitY: The Indian Cyber Crime Coordination Centre (I4C) is under the Ministry of Home Affairs. CERT-In (technical response) is under MeitY. Mixing these two is a common slip.
- 72 supporters ≠ unanimous adoption: The Convention was supported by 72 countries, not the entire UNGA membership of 193 — do not confuse "adopted" (procedural majority) with "ratified" or "signed by all."
- Russia proposed — not Western democracies: The 2024 UN Convention was driven by Russia (2017 resolution); the Budapest Convention was a Western/European effort. The ideological allegiance of each framework is frequently reversed by aspirants.
- Entry into force requires 40 ratifications, not signatures: Signing the convention and ratifying it are distinct acts; the 90-day clock starts only after the 40th ratification, not signing.
11. Sources
- [S1] UN News — "UN General Assembly adopts milestone cybercrime treaty" — https://news.un.org/en/story/2024/12/1158521 — (Tier 2)
- [S2] UN India — "UN General Assembly adopts landmark convention on cybercrime" — https://india.un.org/en/286669-un-general-assembly-adopts-landmark-convention-cybercrime — (Tier 2)
- [S3] INTERPOL — "INTERPOL welcomes adoption of UN convention against cybercrime" — https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-welcomes-adoption-of-UN-convention-against-cybercrime — (Tier 2)
- [S4] The Hindu — "Cybercrime and a global governance crisis" (Vivan Sharan & Sukanya Thapliyal, Koan Advisory Group), January 27, 2026 — https://www.thehindu.com/todays-paper/2026-01-27/th_international/articleGFFFG9PAS-13254809.ece — (Tier 4 / supplied article)
- [S5] UN Treaty Collection — Budapest Convention on Cybercrime (Council of Europe, ETS 185, 2001) — https://treaties.un.org/pages/ViewDetails.aspx?mtdsg_no=XVIII-16&chapter=18&clang=_en — (Tier 2)
- [S6] MHA Lok Sabha Reply on Cybercrime — https://www.mha.gov.in/MHA1/Par2017/pdfs/par2025-pdfs/LS02122025/452.pdf — (Tier 1)
- [S7] MeitY — Cyber Laws Division — https://www.meity.gov.in/cyber-security — (Tier 1)
- [S8] PIB — "Steps to Deal with Cyber Crimes in a Comprehensive and Coordinated Manner" — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2042137 — (Tier 1)
- [S9] NCRB — Crime in India 2022 (cybercrime statistics) — https://www.ncrb.gov.in/uploads/nationalcrimerecordsbureau/custom/1701607577CrimeinIndia2022Book1.pdf — (Tier 1)
- [S10] PIB — "Rise of AI-Driven Cybercrime and Measures to Curb Financial Losses" — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2158408 — (Tier 1)
- [S11] PIB — "Curbing Cyber Frauds in Digital India" — https://www.pib.gov.in/PressNoteDetails.aspx?NoteId=155384&ModuleId=3®=3&lang=2 — (Tier 1)