Cybercrime as a Global Governance Crisis

After Reading This Article You Can Solve This UPSC Mains Model Questions:

In an emerging polycentric digital order, cybercrime has become a global governance challenge. Examine India’s decision not to sign the UN Convention Against Cybercrime and suggest how India can balance strategic autonomy with global interoperability. 15 marks (GS-2 International Relations)

Context:

The recently concluded UN Convention Against Cybercrime marks a pivotal moment in digital diplomacy. While intended as a landmark instrument for global security, it has instead exposed deep fractures in the international order, highlighting a transition from multilateralism to a complex polycentric world.

About Cybercrime

According to the National Cybercrime Reporting Portal (NCRP), cybercrime refers to illegal activities in which a computer system, digital network, or electronic device is either the instrument or the target of the offence.
Classification of Cybercrime:
- Common forms include malware attacks, ransomware, phishing, vishing (voice-based fraud), smishing (SMS-based fraud), and identity theft.
- With rapid technological advancements, newer threats have emerged such as digital arrest scams, cryptojacking, deepfake-based frauds, and Crime-as-a-Service (CaaS).

Historical Context: From Budapest to Hanoi

Global cyber governance has been split between two competing philosophies:

The Budapest Convention (2001): A Council of Europe initiative.
- Nature: Western-led, focusing on harmonizing laws and investigative techniques.
- Critique: India and other nations viewed it as non-inclusive because they were not involved in its drafting and accession is by invitation only.
The UN Convention (2024): Proposed by Russia in 2017, supported by China.
- Nature: The first truly global, UN-led criminal justice instrument in over 20 years.
- Outcome: Adopted by the General Assembly but met with resistance during the signing ceremony in Hanoi (2025).

Why India Did Not Sign the UN Convention (2024)

Despite participating in the 8-session negotiation process, India refrained from signing due to several core concerns:

Institutional Autonomy: India’s proposals to maintain greater sovereign control over citizen data were not fully integrated.
Vague Definitions: The Convention allows for a broad definition of “serious crimes” (any crime with a prison term of 4+ years), which India fears could be used to infringe on its domestic regulatory space.
Eroding Rule-making Power: Unlike the early days of climate negotiations where India led the G-77, India now finds its influence diluted in a space where major powers (US, EU, Russia, China) have fixed agendas.
Technical Sovereignty: New Delhi is cautious about committing to international procedural safeguards that are “tethered to domestic frameworks” of other parties, which might not align with Indian laws like the DPDP Act 2023.

[rev_slider alias="slider-2"][/rev_slider]

Dimensions of the Global Governance Crisis

1. Geopolitical Fractures

Bloc Rivalry: A “united front” of Russia and China pushed the treaty to challenge the Western-led 2001 Budapest Convention.
Internal Splits: The Hanoi Signing Ceremony (Oct 2025) revealed deep rifts. Major states like the US, India, Japan, and Canada refused to sign, while the EU and Australia joined, fracturing groups like the Quad and Five Eyes.
Cynical Multilateralism: Russia and China use the UN to legitimize a “cyber-sovereignty” model, while receding Western powers cling to high-table influence.

2. Principles vs. Practice

Masked Divergence: Global consensus on broad principles (e.g., “user safety”) fails at the implementation stage.
Prescriptive Overreach: India’s 10% Watermark Rule (mandatory AI content labels covering 10% of visuals/audio) is criticized as an “exceptionally prescriptive” and rigid way to implement safety principles.
Legal Rift: A widening gap exists between international legal ideals and the on-ground “sovereign” practices of individual states.

3. Institutional Decay

UN Impotence: The Security Council’s inability to act in Gaza and Ukraine has eroded faith in multilateralism.
Economic Paralysis: The WTO Dispute Settlement system has been non-functional since 2019, pushing nations toward smaller, plurilateral (e.g., BRICS+, Quad) or bilateral “mini-deals.”
Shift to Polycentricism: Global order is moving from one “center” (UN) to multiple, overlapping centers, testing the technical and diplomatic capacity of states like India.

4. Human Rights Risks

Vague Definitions: The treaty defines “serious crimes” as any offense carrying a 4+ year sentence. This allows authoritarian states to target journalists and activists under the guise of cyber-policing.
Weak Safeguards: Civil society warns that standard procedural safeguards (like judicial review) are left to domestic laws, offering no protection against state-led surveillance or censorship.
Surveillance Tool: Critics call it a “surveillance treaty” that facilitates excessive sharing of sensitive personal data without robust privacy frameworks.

Polycentric Global Order: An Emerging Crisis

Definition: A fragmented system where rules are made across different levels—bilateral, plurilateral (Quad, BRICS), and regional—rather than a single global body.
Operational Consensus: High-level “principles” are signed at the UN, but actual “operating clauses” (how data flows) are decided in smaller, “trusted” groups.
Institutional Overlap: Governments must now navigate a “spaghetti bowl” of competing treaties, such as the Budapest Convention vs. the UN Cybercrime Convention.

Strategic Impact of Cybercrime on India

Digital Non-Alignment: India is forging a “Third Way”—refusing to join Western blocs (Budapest Convention) or Sino-Russian blocs (UNCC 2025) to preserve Institutional Autonomy.
The Quad & Five Eyes Friction: India’s refusal to sign the UNCC has created a rare fracture within the Quad, as partners like Australia and the US have diverging views on the treaty’s utility versus its risks.
Leader of the Global South: By hosting the India-AI Impact Summit (2026), India is positioning its “Digital Public Infrastructure” (DPI) model as a fair alternative to the “Big Tech” or “Big State” models.
Biggest Strategic Risk: The WEF Global Risks Report 2026 identifies Cyber Insecurity as the #1 risk for India, overtaking armed conflict.
Targeted Vulnerability: India accounts for 13.7% of global cyber incidents, with the healthcare and banking sectors being primary targets.
The 20% GDP Goal: With the digital economy projected to be 20% of India’s GDP by 2026, any gap in global cyber-governance directly threatens national wealth.
Regulatory Friction: India’s prescriptive rules (e.g., 10% AI Watermarking) reflect a “Sovereignty-First” approach that may conflict with international “interoperability” standards.

India’s Domestic Cybersecurity Framework

1. Legislative Pillars (The Legal Shield)

DPDP Act, 2023 (Operationalized Nov 2025): Full implementation of the Digital Personal Data Protection Rules.
- Establishment of the Data Protection Board (DPB) to adjudicate breaches.
- Fines up to ₹250 crore for per-incident negligence.
Digital India Act (Upcoming): Aimed at replacing the outdated IT Act 2000 to regulate AI, deepfakes, and “online safety” by design.

2. Institutional Architecture (The Frontline)

I4C (Indian Cybercrime Coordination Centre): The nodal agency under MHA.
- 7 JCCTs: Joint Cyber Crime Coordination Teams set up in hotspots (Jamtara, Mewat, etc.).
- CFMC (Cyber Fraud Mitigation Centre): A state-of-the-art facility for real-time coordination with banks and telcos to freeze fraudulent funds.
CERT-In (Computer Emergency Response Team):6-Hour Rule: Mandatory reporting of breaches within 6 hours.
- Cyber Swachhta Kendra: Botnet cleaning and malware analysis for citizens.
CyMAC (Cyber Multi-Agency Centre): A unified platform for IB, RAW, CERT-In, and I4C to share intelligence on cyber-espionage and terrorism.

3. Key Technical & Social Initiatives

Samanvaya & Pratibimb: Digital platforms used by police to map criminal locations and link inter-state cyber-criminal networks.
1930 Helpline & NCRP: The Citizen Financial Cyber Fraud Reporting System has saved over ₹5,400 crore by freezing siphoned money in “near-real-time.”
CSPAI (Certified Security Professional in AI): A 2024-25 program by CERT-In to train professionals specifically in securing AI systems against adversarial attacks.
Cyber Surakshit Bharat: Training for CISOs (Chief Information Security Officers) across government departments.
State Initiatives: Kerala (Cyberdome) and Maharashtra are frontrunners in cyber labs and digital forensics.

Way Forward: Navigating the Global Governance Crisis in Cybercrime

Issue-Based Coalitions: Instead of waiting for stalled universal UN consensus, India should lead “minilateral” groups (like GPAI or Quad Cyber Group) to set technical standards for AI and data.
Bridge-Building: Use the “India Stack” (DPI) as a diplomatic tool to offer Global South nations a secure, non-aligned digital alternative to Western or Chinese models.
Cyber-Diplomacy Corps: Establish a specialized cadre of diplomats with dual expertise in International Law and Computer Science to negotiate the “operating clauses” of future treaties.
Modernizing the Legal Base: Replace the IT Act 2000 with the Digital India Act to address 2026-era threats like quantum decryption and AI-synthetic frauds.
Indigenous Security (Cyber Swadeshi): Incentivize local startups to build “Zero-Trust” architectures and indigenous hardware to reduce reliance on foreign supply chains.
Proactive Defense: Shift CERT-In’s mandate from incident response to “Threat Hunting”—using AI to predict and neutralize attacks before they hit critical infrastructure.
Public Hygiene: Expand the “Cyber Surakshit Bharat” initiative into a mass movement, focusing on the “weakest link”—the rural, first-time internet user.

Conclusion

In a polycentric digital order, India must transcend “reactive sovereignty” to become a norm-setter. By integrating the India Stack with robust technical diplomacy, New Delhi can bridge the gap between strategic autonomy and global interoperability, ensuring a secure, equitable, and inclusive cyberspace for the Global South.