The Fractured Realm, India, the Global Cybercrime Governance Crisis, and the Imperative of Strategic Sovereignty

The Fractured Realm, India, the Global Cybercrime Governance Crisis, and the Imperative of Strategic Sovereignty

The late 2024 United Nations signing ceremony for a new global ‘Convention against Cybercrime’ was meant to be a landmark moment, establishing a rare multilateral framework for the digital age’s most pervasive transnational threat. Instead, it laid bare a deepening crisis in global governance. As public policy experts Vivan Sharan and Sukanya Thapliyal analyse, the absence of signatures from pivotal powers like India, the United States, Japan, and Canada alongside the endorsements from 72 other nations—primarily led by Russia and China—reveals more than a mere diplomatic disagreement. It exposes the profound fractures in the international order, a widening chasm between legal principle and state practice, and the perilous emergence of a polycentric world where rules are fragmented and allegiances uncertain. For India, this moment represents a critical inflection point: a choice between passive abstention and the active, capacity-driven forging of a strategic path that protects its institutional autonomy, digital economy, and citizens in an increasingly anarchic digital frontier.

The genesis of the UN Convention itself is a tale of geopolitical realignment in cyberspace. Conceived by Russia in 2017 and shepherded to fruition in collaboration with China, the Convention was a direct challenge to the established, Western-centric order embodied by the 2001 Budapest Convention. The Budapest Convention, with its 76 parties, has long been critiqued for its exclusive, invitation-only membership—a club from which both Russia and China, and fittingly India, were absent. The UN Convention’s open accession was a tactical masterstroke by Moscow and Beijing, offering the veneer of inclusive multilateralism while constructing a framework that could advance their interests. European nations, as Sharan and Thapliyal note, largely signed on because the new text heavily borrows from the Budapest Convention’s DNA, allowing them to retain influence. The United States’s skepticism, rooted in fears that the Convention’s broad definitions could be weaponized by authoritarian regimes to target dissidents and journalists, highlights a fundamental ideological divide on the balance between security and human rights in cyberspace.

India’s decision to abstain from signing is particularly revealing and, as the authors argue, stems from a distinct and complex calculus. Unlike its non-participation in the Budapest Convention, New Delhi was an active participant in the eight-year negotiation marathon for the UN treaty. Its reluctance signifies not disengagement, but strategic dissatisfaction. India’s core proposals, particularly those aimed at preserving greater institutional control over data sovereignty and shielding its domestic legal frameworks from overreach, failed to find sufficient traction. This outcome is symptomatic of a broader trend: India’s diminishing clout in shaping global digital rulemaking, a stark contrast to its earlier, coalition-building successes in forums like the UNFCCC. The authors pinpoint a crucial dilemma: in a room where “Russia and China perhaps see a weakened UN as [a] worthy platform to legitimise an otherwise cynical worldview,” and the West is either co-opting or resisting, India’s “ever-cautious” stance of protecting institutional autonomy leaves it without a clear coalition, its influence diluted.

This diplomatic stalemate illuminates a deeper, more troubling fissure: the yawning gap between international legal principles and their practical implementation. The UN Convention, in its attempt to garner consensus, employs broad, often vague definitions of cybercrime. While this allowed for a text to be adopted, it creates a dangerous flexibility. As the U.S. and civil society groups warned, terms like “serious crimes” can be stretched by signatory states to criminalize a wide range of online activities, from legitimate political dissent to investigative journalism. The procedural safeguards within the treaty are tethered to domestic legal systems, meaning a country with weak judicial independence or draconian cyber laws could use the convention to legitimize repressive actions while paying lip service to universal principles.

India’s own domestic policy moves, such as its draft rules on watermarking AI-generated content, exemplify this “principles-practice rift.” The principle—user safety and combating misinformation—is universally laudable. However, the proposed method—mandating social media platforms to overlay content with obstructive labels covering 10% of the screen—is exceptionally prescriptive and potentially unworkable. It demonstrates how a nation, even while championing a noble principle, can propose implementation mechanisms that are out of sync with global technical norms and user experience, potentially isolating its digital ecosystem.

The fallout from the cybercrime convention impasse is a microcosm of a broader crisis of multilateralism. The UN is financially strained and politically paralyzed; the WTO’s dispute mechanism is defunct; the Security Council is gridlocked. As Sharan and Thapliyal astutely observe, the emerging order “relegates multilateralism to high-level principles, and depends on smaller, plurilateral or bilateral groups for consensus on operating clauses.” This is polycentrism—a world not of one rulebook, but many overlapping, competing, and sometimes contradictory mini-regimes. We see it in data governance, with the EU’s GDPR, the U.S.’s fragmented sectoral approach, and China’s walled-garden model. We now see it starkly in cybercrime, with the Budapest club, the new UN Convention bloc, and likely new U.S.-led initiatives forming parallel tracks.

For India, this polycentric reality is a formidable challenge. Its cherished strategic autonomy—the ability to navigate global politics without formal alignment—is tested when it must simultaneously engage with multiple, competing governance frameworks. To retain true autonomy, it cannot afford to be a bystander or a perpetual naysayer. Autonomy in the 21st century is not passive isolation; it is the capacity for proactive, informed, and influential engagement across multiple forums. India’s current struggle, as the authors conclude, is one of capacity. It lacks the dense ecosystem of technical-legal diplomats, the cutting-edge think tanks, and the synchronized public-private partnerships needed to draft winning clauses, build coalitions of the like-minded (especially across the Global South), and project its digital model convincingly.

The path forward demands a multi-pronged national strategy. First, India must urgently invest in building deep, technical diplomatic capital. This means creating specialized cadres within the foreign and IT services trained in cyber law, data economics, and emerging technologies. Second, it must move from reactive critique to proactive agenda-setting. Instead of merely resisting unfavorable clauses, India should draft and champion model frameworks on issues like “responsible data sharing for law enforcement” or “cybercrime definitions that protect free expression,” and shop them in forums like the Quad, the Global South (G77), and BRICS+. Third, it must align its domestic regulatory architecture with its global aspirations. A predictable, rights-respecting, and innovation-friendly domestic cyber law regime (a clear upgrade from the current IT Act) would give India the moral authority and consistency needed to lead. Finally, it must master the art of “minilateral” diplomacy. In a polycentric world, India must be a core member of key plurilateral groups—not just the Quad, but also in shaping digital economy agreements with the EU, ASEAN, and African unions.

The unsigned UN Cybercrime Convention is not just a missed diplomatic opportunity; it is a stark warning. The digital world is splintering into spheres of influence governed by disparate rules. India’s choice is clear: it can remain on the sidelines, its autonomy becoming synonymous with irrelevance, reactive and buffeted by rules made elsewhere. Or, it can embark on the hard work of building the technical, diplomatic, and strategic capacity to become a sovereign rule-shaper in the polycentric age—a nation that defends its interests not by refusing to play, but by mastering the game and helping write its many rulebooks. The integrity of its digital economy, the safety of its citizens online, and its standing as a leading power depend on this choice.

Q&A: The UN Cybercrime Convention and Global Governance

Q1: Why did Russia and China champion the UN Cybercrime Convention, and how does it differ from the existing Budapest Convention?
A1: Russia and China championed the UN Convention as a strategic move to reshape global cyber governance away from the Western-dominated Budapest Convention (2001). The Budapest Convention is exclusionary, allowing accession by invitation only, which kept Russia, China, and India out. The UN Convention, by being open to all members, provided a platform for these powers to create a more inclusive (in theory) framework they could influence. Substantively, while the UN text borrows from the Budapest Convention, its negotiation under Russo-Chinese stewardship aimed to reflect their preferences on sovereignty and state control in cyberspace, challenging the liberal, multi-stakeholder model associated with the Budapest regime.

Q2: What were India’s key reasons for not signing the UN Convention, despite actively participating in its negotiations?
A2: India’s abstention stemmed from strategic dissatisfaction and a defense of institutional autonomy. As an active negotiator, India pushed for provisions that would allow greater state control over data and shield its domestic legal frameworks. When these core proposals were not retained in the final text, India calculated that signing would constrain its freedom of action without delivering sufficient benefits. The decision reflects a broader frustration with its declining influence in global digital rulemaking and a cautious stance against ceding control to an international framework it did not shape decisively.

Q3: What is the “principles-practice rift” illustrated by the Convention and India’s own AI watermarking rules?
A3: The “principles-practice rift” refers to the wide gap between universally agreed high-level principles and their contentious, often divergent, national implementations. The Convention achieves consensus on vague principles (e.g., combating cybercrime) but leaves definitions broad, allowing states to implement them in ways that may violate human rights. Similarly, India’s draft AI watermarking rules endorse the universal principle of user safety but propose an exceptionally prescriptive method (large, obstructive labels). This shows how a shared goal can be pursued through mechanisms that are out of sync with global norms, creating friction and fragmentation in practice.

Q4: What is “polycentrism” in global governance, and why does it pose a challenge for India?
A4: Polycentrism describes an emerging global order where formal, inclusive multilateralism (e.g., the UN) is weak, and governance happens through a patchwork of overlapping, smaller plurilateral or bilateral groups and frameworks (e.g., the Budapest Convention, the new UN Convention, US-led initiatives). This poses a major challenge for India because it strains its capacity and strategy. To protect its interests, India must simultaneously engage with multiple, sometimes competing, forums. Its cherished “strategic autonomy” becomes difficult to maintain if it lacks the deep technical expertise and diplomatic bandwidth to actively shape rules across all these centers of power, risking reactive policy and diminished influence.

Q5: According to the authors, what must India do to effectively navigate the polycentric crisis in global governance?
A5: The authors argue India must transition from a cautious defender of autonomy to a proactive “sovereign rule-shaper.” This requires:

• Building Technical-Diplomatic Capacity: Creating specialized cadres of experts in cyber law and digital policy within its foreign service.

• Proactive Agenda-Setting: Drafting and championing its own model frameworks in minilateral forums (Quad, BRICS, G77) instead of just reacting to others’ proposals.

• Domestic Regulatory Coherence: Aligning its domestic laws (like the IT Act) with rights-respecting, innovation-friendly principles to bolster its credibility abroad.

• Mastering Minilateralism: Strategically engaging in key plurilateral groups to influence the operating clauses that now define global rules, moving beyond mere principle-setting in large multilateral bodies.