Q1/2023 - Executive Summary

Q1/2023 - Executive Summary

Current happenings in the Internet governance context January to March 2023:

In the first quarter of 2023, the global Internet governance discussion focussed on four central topics:

  • The consequences of the war in Ukraine for cyber space,
  • The new US cyber security strategy and the 2nd Democracy Summit,
  • The Global Digital Compact and the future of the Internet Governance Forum (IGF),
  • The UN negotiations on cyber security.

After a year of war in Ukraine, it is becoming increasingly clear that this war is a hybrid war that has a cyber component of its own. (Further Information)
The idea that a war in the 21st century is primarily a cyber war and that a classic war with death and physical destruction is a thing of the 20th century has been proven wrong. Like a war on land, at sea, in the air or in space, "cyber war" is part of a comprehensive warfare. It turns out that "cyber" is not a "stand-alone miracle weapon" and is usually used as a "supplement" to air, sea and land operations. "Cyber" expands previous military capabilities, especially in the area of espionage and sabotage. In this respect, the Ukraine war is also a "test area" for the use of Internet-based defensive and offensive tools. Russian cyber attacks on Ukraine have existed since 2014, and Ukraine received extensive early support from the US through the US Cyber Command to build up an effective cyber defence, which continued to prove effective also after February 2022. Further analysis will be needed to define more precisely the role the Internet will assume in future military conflicts. Nevertheless, eight observations can already be generalised:

  • The most common cyber attacks are denial-of-service attacks (DDOS). DDOS attacks are easy to execute but have only a small and temporary effect. They are like pinpricks and complement other military actions;
  • More effective is the penetration of foreign networks and the manipulation of data, including extortion software (ransomware). The damage that can be caused differs depending on the target of the attack and can run into the millions. In the meantime, however well-functioning cyber defence systems have been developed against such attacks;
  • Cyber attacks on critical infrastructures such as electricity and water supply, public administrations and cable systems are serious threats but very costly to prepare and implement. The Ukraine war shows that once the threshold for the use of force under Article 4.1 of the UN Charter is crossed, infrastructures are more effectively attacked by conventional means;
  • Cyber operations play a crucial role in military reconnaissance. The combination of GEO and LEO satellites with drones, as well as the tracking of Internet communications between servers in real time, enables the fighting opponents – and uninvolved third parties – to create a comprehensive picture of the situation in order to optimise offensive and defensive operations. The spy behind the front line becomes practically superfluous;
  • Artificial intelligence is playing a new role, especially with regard to Internet-based armed or unarmed drones. The use of autonomous weapon systems (AWS) – fully autonomous drones or future killer robots – is still in its infancy. For the development of AWS, the weapons industry needs especially real-time data from real battles. In this respect, the Ukraine war is giving AWS development an extreme boost;
  • Not new but reaching new dimensions is propaganda taking an essential role. What the radio stations were in the "cold war" are now the social networks. Their aim is to spread powerful narratives (soft power) in order to sustainably shape public opinion at home, in the enemy's country and worldwide in one's own interest;
  • The Ukrainian president's call to all the country's computer geeks to defend their homeland even from their home offices has yielded a "private IT army". The Russian response was to activate "patriotic hackers". Such a "privatisation of cyber war" raises complicated legal questions about the allocation of and responsibility for cyber operations. It also blurs the line to criminal cyber activities;
  • What is new is the way transnational IT companies act in a war. Microsoft's and Google's analyses are often more precise than those of state intelligence services. Elon Musk has used Starlink to maintain Internet communications in Ukraine, but at the same time has forbidden to use Starlink terminals for the operation of armed military drones. And he has presented invoices to the US Department of Defence for his services. On the Russian side, the "Vulcan Papers" have provided insight into how military operations and private business activities are intertwined. However, the role and responsibilities of private companies in a war (and within a military command structure) are completely unclear. The CEO of a company does not report to the general of an army.
  • Cyber attacks between warring parties cannot be limited territorially in a globally networked world. The Russian cyber attack on Ukrainian satellite communication systems had consequences for the operation of wind turbines in Germany. Russian hackers target countries supplying weapons to Ukraine with incalculable cascading effects for uninvolved third parties. NonPetya (2017) showed that a Russian cyber attack on an electricity plant in Ukraine resulted in billions of dollars of damage around the globe.
  • The question of what the consequences will be for handling universal Internet resources - root servers, domain names and IP addresses - remains open. The Ukrainian Information Minister's demand to ICANN to remove the top level domains .ru, .rf (Cyrillic) and .su from the Internet root in order to cut Russia off from the Internet has been rejected by ICANN with reference to its neutral role as steward of global Internet resources. However, ICANN's "One World, One Internet" philosophy for the transport layer is increasingly coming into conflict with the reality on the application layer – "One World, 193 National Jurisdictions" – and this is fuelling the risk of creeping Internet fragmentation.

Against the background of the Ukraine war, the US government readjusted its cyber diplomacy in Q1/2023, revised the national cyber security strategy and forged new multilateral coalitions of cyber democracies. Notwithstanding the continuing universality of the Internet, the Biden administration has come to believe that a political "bifurcation" of the Internet is inevitable. Despite partial criticism from the Internet community, the thesis put forward in a study by the US Council for Foreign Relations in July 2022 that "the era of the global Internet is over" is finding more and more supporters in Washington.

  • The increasing divergence between democratic and autocratic ideas about the Internet's future is leading to disillusionment in the US with regard to possible solutions for maintaining and shapinge a unified, global and universal Internet. For the time being, this does not affect the technical management of critical Internet resources, which, after the IANA transition (2016) and ICANN's demonstrated neutrality in managing the root server system (2022), is currently not questioned by any side. However, this is no guarantee for a lasting system stability of the "Technical Internet Governance" (TIG). In fact, democracies and autocracies have very different ideas for the use of these resources (Political Internet Governance). To put it succinctly, autocracies rely on cyber sovereignty, Internet censorship and digital mass surveillance. Democracies rely on a human rights approach in which necessary restrictions on freedom and control mechanisms, e.g. for criminal prosecution and defence against terrorists, are tied to principles of the rule of law. Autocracies rely on the central role of the state, democracies on state separation of powers, a strong private sector and support for the multistakeholder model.
  • At the centre of the political conflict is the U.S.-Chinese technology war. In order to push China back and consolidate US leadership in Internet development, the Biden administration has adapted its domestic and foreign Internet policy to the new realities. The "new strategy" essentially consists of three elements:
  • Strengthening its own security-related cyber capacities,
  • Building bilateral and multilateral networks and alliances with like-minded democratic partners around the globe; and
  • a pushback against the influence of autocracies on the global Internet ecosystem, especially by maintaining technological leadership and market dominance.

Instruments to implement this strategy include a stronger role for the state, centralisation, regulation and new partnerships between government and the private sector.

On 2 March 2023, President Biden published a new national cyber security strategy.

  • The cyber security strategy aims to strengthen the resilience of the US against cyber attacks and to redistribute roles and responsibilities between different stakeholders. The core idea is that the primary responsibility for cyber security must rest with the government and transnational corporations, not with the "end user" or smaller companies whose high level of "vulnerability" could become a national security problem. Therefore, US transnational Internet companies will have to submit to more regulation;
  • The strategy aims to create market incentives and adopt regulations that lead to higher security standards for hardware and software. The partnership between governments and the private sector should be strengthened. "We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us. 2. we must realign incentives to favour long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future. ... The government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity".
  • As a consequence, the US government wants to play a stronger leadership role and there will be new regulations (e.g. for the certification of hardware and software and the supervision of cross-border data flows) and government intervention in market mechanisms. This includes the domain market, which has so far largely functioned through a kind of "self-regulation". "Cyber security" does not exist without "DNS security", as Sue Watts argues in CircleID. (Further Information)

The US government is building international alliances, thus seeking to create a close-knit network of bilateral and multilateral "coalitions of the willing" that are committed to the goals and values defined in the "Declaration on the Future of the Internet" (DFI) of 30 April 2022 in specific geographic regions or in specific subject areas. The Declaration was signed by 61 governments in Washington. The six basic principles formulated in the Declaration are: open, free, global, interoperable, trustworthy and secure.

  • As early as 2021, the Biden administration created the process of a "Summit on Democracy" as an important vehicle for achieving these goals. In this process, the US government intends to assert its claim to leadership in the further development of a democratic Internet worldwide. The first Summit on Democracy took place in December 2021. One of its outcomes was the signing of the DFI four months later. From 28 to 30 March 2023, the US State Department hosted the 2nd Democracy Summit. More than 100 countries participated in the event, including more than 50 heads of state and government such as France's President Macron or Germany’s Chancellor Scholz. A third summit is planned for 2024 in Seoul, Korea. There are a total of 14 topics, which are shaped by so-called "Democratic Cohorts". Issues of Internet governance, cyber security and technology development play a prominent role. The "Democratic Cohorts" are composed according to the multistakeholder principle but follow a top-down approach and are led by governments.
  • The global "democracy summit process" is complemented by the establishment of new regional multilateral networks. For Europe, this is in particular the US-EU Trade and Technology Council (TTC). For the Indo-Pacific region, this is the Quadrilateral Security Dialogue (QUAD), which now includes Vietnam, Korea and New Zealand (QUAD+) in addition to the founding members USA, India, Japan and Australia. Moreover, there is the AUKUS alliance between Australia, the United Kingdom and the United States. Internet governance, cyber security and digital cooperation are central discussion points at the TTC as well as at QUAD+ and AUKUS.
  • In the multistakeholder arena, the US is using its 2023 presidency of the Freedom Online Coalition (FOC) to gain broader support. At the initiative of the US, the FOC adopted nine core principles for the use of surveillance technologies by governments on 30 March 2023.The document corresponds with President Biden's "Executive Order on Prohibition on Use by the US Government of Commercial Spyware that Poses Risks to National Security" adopted on 27 March 2023.  This document is supplemented by a "Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware" of the 2nd Democracy Summit, which, however, only nine of the 35 FOC members have signed. Germany signed the FOC document but not the "Joint Statement". Another document of the Democracy Summit is the "Code of Conduct" of the "Export Controls and Human Rights Initiative". All these documents aim to minimise the risk of digital cooperation with China and other authoritarian states. They correspond with the results of the OECD Ministerial Conference in Gran Canaria (December 2022), such as the reference to the principles defined in the DFI, the certification of hardware and software and the handling of data by governments and companies. This includes US support for the new "OECD Global Forum on Technology" (GFT). The US government obviously sees greater opportunities to influence the global development of the Internet governance ecosystem in such "coalitions of the willing" (TTC, QUAD+, AUCUS, OECD) than by getting involved in the various UN bodies, such as the Global Digital Compact, the IGF+ or WSIS+20.

The main adversary for the USA is China. The Biden administration has not only continued but enhanced the Trump administration's China-critical course in the area of "cyber". Biden has expanded the sanctions imposed by Trump against Huawei and TikTok.

  • In the first quarter of 2023, the five-hour hearing with TikTok's CEO Shou Zi Chew before „US House Committee on Energy and Commerce" on 20 March 2023 was symbolic of this. (Further Information)
    After US President Biden had already ordered that public officials should not install and use TikTok, the main concern of the congressmen was to clarify whether TikTok posed a threat to US national security, i.e. whether TikTok spied on US citizens and issued Chinese propaganda. Shou Zi Chew denied the allegations. "The Chinese government has actually never asked us for US user data and we've said this on the record, that even if we were asked for that, we will not provide that. All US user data is stored, by default, in the Oracle Cloud infrastructure and access to that data is completely controlled by US personnel. ... If the Chinese government would use the app to spew propaganda to a US audience, this would be bad for business. ... Misinformation and propaganda has no place on our platform, and our users do not expect that."
  • In addition to the restrictions on Chinese Internet companies in the US market, the US government has expanded its export controls on the supply of high technology by US companies to China. US Secretary of State Blinken made it clear that the export and import controls on China do not represent "de-coupling", but rather "de-risking", i.e. they are designed to reduce the risk of China influencing the US and the dependence of the US on Chinese imports. (Further Information)
    This also includes new efforts by the US government to expand cooperation with the global South in the IT sector. At the 2nd Democracy Summit, the US Agency for International Development (USAID) announced new IT assistance programmes and the development of "Donor Principles for the Digital Age" to strengthen Internet projects in favour of human rights and democratic principles in developing countries. (Further Information)
    This is complemented by the EU project "Global Gateway". All these activities are intended to counter the Chinese "Digital Silk Road" with a coordinated Western front.
  • US export and import restrictions were discussed at the Chinese National People's Congress in Beijing from 8 - 14 March 2023. China wants to strengthen its cyber sovereignty. To this end, it is investing in IT research and development in particular. (Further Information)
    China is already an international leader in areas such as robotics and artificial intelligence. China will invest more than US$450 billion in research and development in 2023, more than double the amount the US wants to spend. (Further Information)
    China needs to become independent of Western IT technology and needs its own alliances. The People's Congress has therefore decided to expand digital cooperation in the intergovernmental networks BRICS, BRICS+ and the Shanghai Cooperation Organisation (SCO). With the "Digital Silk Road" as part of the Belt and Road Initiative (BRI), China is aiming for countries in the global South in order to gain both influence in the respective countries and support for Chinese proposals at the UN cyber security negotiations through this digital cooperation. However, no progress was achieved in the first quarter of 2023 with the attempt to institutionalise the "World Internet Conference" (WIC), founded in 2014 under President Xi in Wuzhen, as an NGO in its own right and to position it against the "Summit on Democracy" and the DFI.

Negotiations on Internet governance at the UN in the first quarter of 2023 focused on the development of the Global Digital Compact (GDC), the preparation of the 18th IGF in Kyoto and the start of planning for the WSIS Review Conference (WSIS+20) in 2025. Important milestones were the first joint meeting between the IGF Multistakeholder Advisory Group (MAG) and the new IGF Leadership Panel (LP) in Vienna on 7 and 8 March 2023, the ITU WSIS Forum in Geneva in March 2023, the meeting of the UN Commission for Science and Technology (UNCSTD), which is responsible for the WSIS process, and the beginning of the GDC consultation process.

  • With three formal multistakeholder consultations and a first "deep dive" discussion, the elaboration of the Global Digital Compact has started in Q1/2023. UN Secretary-General António Guterres has appointed two so-called GDC Facilitators for this consultation process: Sweden and Rwanda. After a further seven "deep dive" discussions, a working paper is to be produced by July 2023 as the basis for the ministerial conference planned for September 2023 in New York. This conference will then decide on the roadmap to the UN World Summit on the Future in September 2024. New questions have now been raised, both about the procedure for drafting the GDC text and about the integration of the GDC into the IGF/WSIS process.
  • It is unclear to what extent the positions put forward by non-state actors in the multistakeholder consultations will be taken into account in the final government negotiations. Switzerland has proposed the formation of "Multistakeholder Drafting Teams" for the envisaged "Issue Papers". So far, the GDC process is described as an "intergovernmental process" with "multistakeholder consultations". There is no procedure for interaction so far.
  • The relationship between the IGF and the GDC is unclear. The "messages" from the IGF in Addis Ababa published in January 2023 are primarily aimed at the GDC, and the IGF assumes that the IGF is the natural landing place for a GDC. (Further Information)
    However, there are ideas circulating in the UN to set up the GDC as a parallel process to the IGF. This could mean that a separate follow-up to the implementation of the GDC will be agreed in September 2024.
  • At the first joint meeting between the IGF Multistakeholder Advisory Group (MAG) and the IGF Leadership Panel (LP) in Vienna on 7 and 8 March 2023, disputes over competences were avoided and it was possible to formulate a common position regarding the future of the IGF. The LP has acknowledged its "ambassadorial role" and will not profile itself as a covert body for the development of independent Internet policies. Accordingly, the dissemination of IGF messages (outreach) is a major task of the LP. The MAG is still responsible for the content of the IGF.
  • For the 18th IGF in Kyoto in October 2022, "The Internet We Want - Empowering All People" was agreed as the general theme. The eight sub-themes are: AI & Emerging Technologies, Avoiding Internet Fragmentation, Cybersecurity, Cybercrime & Online Safety, Data Governance & Trust, Digital Divides & Inclusion, Global Digital Governance & Cooperation, Human Rights & Freedoms, Sustainability & Environment. (Further Information)
    Proposals for workshops can be submitted until the end of June 2023. The Kyoto IGF will consider in detail the outcome of the GDC Ministerial Conference in New York (September 2023).
  • Considerations by the UN Secretariat to start a parallel process with the GDC were viewed critically. In order to turn the IGF into an IGF+, as proposed by UN Secretary-General Guterres in his "Roadmap for Digital Cooperation", UN activities need to be bundled, not fragmented. This also applies to closer cooperation between the IGF and the WSIS Forum of the ITU in the future. Such a strengthening of the IGF is also urgently needed, since the planned "OECD Global Forum on Technology" will soon be a new and well-funded competitor entering the Internet governance ecosystem. There are already numerous annual global Internet events such as the "Lisbon Web Summit" or the "RightsCon" conference that deal with similar topics as the IGF and bring together tens of thousands of participants, including many ministers and CEOs of large companies and civil society organisations. This "competitive situation" will play a role in 2025 in the negotiations regarding an extension of the IGF’s mandate in the framework of WSIS+20.
  • At the UNCSTD meeting in Geneva at the end of March 2023, initial considerations were made on how the WSIS Review Conference (WSIS+20) planned for 2025 could be organised. UNCSTD Chair Peter Major pointed out that the lack of a budget for this conference was a serious problem. The financial bottleneck also blocked thorough preparations, such as analytical reviews of the WSIS action lines and an independent assessment of the results of the IGF.

The results at the UN negotiations on cyber security in Q1/2023 were of a mixed nature. The Open Ended Working Group (OEWG), which deals with the application of international law in cyber space, met in New York at the beginning of March 2023. At the same time, the GGE LAWS negotiated a ban on autonomous weapons systems in Geneva. And in Vienna, the so-called Ad Hoc Committee (AHC), which is to draft a new UN convention against cyber crime, met for a formal session in January 2023 and for informal consultations in March 2023. Russia participated in all negotiations on an equal footing and contributed its own proposals.

  • The New York OEWG negotiations  once again focused on the application of international law in cyber space and the implementation of the eleven norms for responsible state behaviour in cyber space agreed in 2015. (Further Information)
  • The "Programme of Action (PoA)" introduced by the Western states is making only laborious progress. One point of contention is whether the implementation of existing standards or the elaboration of new standards should have priority. The more autocratically governed states fear that they will be pilloried in implementation reports. The more democratically governed states fear that fundamental human rights such as the right to freedom of expression and the protection of privacy will be questioned if new norms are discussed.
  • Notwithstanding this stalemate, there was nevertheless a little progress on the so-called confidence-building measures in cyberspace (CBMCs). The idea of each UN member state nominating a so-called "point of contact" (PoC) that can be contacted in the event of a cyber attack - a kind of "red phone" - is making headway. Such a PoC directory is already established within the OSCE and could now be extended to the 193 UN members.
  • There is also minimal progress on the topic of "permanent institutional cybersecurity dialogue". Everyone wants an institutionalisation of cyber security negotiations beyond 2025. In 2025, the mandate of the OEWG expires. However, while Russia and China favour an indefinite extension of the OEWG mandate, Western states would prefer a Programme of Action (PoC) under the umbrella of the UN Geneva Disarmament Committee. The next OEWG session will take place in New York again in July 2023.
  • The negotiations of the Group of Governmental Experts on Lethal Autonomous Weapons Systems (GGE LAWS) have been dragging on for almost ten years. They take place under the umbrella of the Convention on Certain Conventional Weapons (CCW). So far, it has only been possible to agree on a few so-called "Guiding Principles". (Further Information)
  • The central issue of the controversy is that a majority of states support the ban on autonomous weapons systems (AWS) called for by the UN Secretary-General, but those states that develop and produce such weapons systems - such as semi-autonomous drones - and already use them in special military operations, oppose a ban under international law;
  • Against the background of a growing awareness of the dangers associated with AWS, a still fragile but already resilient consensus on a list of "legal, ethical, humanitarian, security, environmental and social risks" emerged at the Geneva negotiations in March 2023. Progress was also made on so-called categorisations: It is supposed to include the design of the AWS itself as well as the AWS application, i.e. the human-machine interaction.
  • Agreement on the final legal character of a final document remains complicated. A dichotomy is being discussed: a legally non-binding code of conduct and a ban under international law on fully autonomous systems, i.e. weapons that escape human control and select their own targets to be killed on the basis of biometric recognition data. The proposal by some states, including the USA, Great Britain, Japan and Australia, to limit the ban to the killing of civilians met with a divided response. It is becoming increasingly difficult to identify exactly when a natural person is a "civilian" and when a "combatant". This grey area also complicates discussions on the "how" of applying the Geneva Convention on International Humanitarian Law in a possible AWS treaty. However, such a treaty is still a long way off.
  • The chair of the GGE LAWS, Brazilian Ambassador Flávio S. Damico, will present a report with elements of a possible final document for the next meeting in Geneva in mid-May 2023. However, a formal agreement before 2023 is rather unlikely. The option of ending the AWS negotiations under the umbrella of the CCW and continuing them under the UN umbrella is also open. A number of states, including Austria, spoke out in favour of this approach at the last UN General Assembly.
  • At the Vienna negotiations on the UN Convention against Cybercrime, the first part of a so-called "Consolidated Negotiating Document" (CDN) was on the agenda at the 4th Formal Session in January 2023. The first part of the CND contains 21 pages of drafts for 55 articles, which are divided into three chapters: General Provisions, Criminalisation and Procedural Measures and Law Enforcement. A second part, to be discussed at the 5th Formal Session in April 2023, will contain six additional chapters: Preamble, International Cooperation, Technical Assistance, Preventive Measures, Mechanisms of Implementation and Final Provisions. (Further Information)
  • The negotiations in January 2023 were controversial. Apart from the fact that the length of the document alone (with the announced second part, the convention would comprise over 100 individual articles) makes a future implementation of the treaty very cumbersome, the vague and ambiguous formulations in the individual articles are basically useless to achieve the actual goal, i.e. an effective fight against obvious crimes in cyber space. Moreover, the guidelines on how to deal with legitimate conflicting legal interests are unclear.
  • Article 4 emphasises the principle of protecting state sovereignty and Article 5 calls for respect for human rights. The current wording would give Article 4 precedence over Article 5. The primacy of national law over international law would undermine a fair balancing of interests in individual cases, taking into account international human rights treaty obligations and the observance of principles such as necessity, proportionality and the rule of law.
  • Even more problematic are the offences listed in Chapter 2 (Articles 6 - 39). A total of 33 possible cyber crimes are listed, grouped into eleven clusters. Practically everything that can be done with computers and could become criminally relevant is classified as "cyber crime" here. This ranges from illegal attacks on networks, software and hardware, manipulation of electronic payment systems, identity and data theft, misuse of personal data, copyright infringements, child pornography, cyber bullying, cyber stalking, cyber grooming, calling for suicide on the Internet, money laundering to spreading false news and promoting extremism and terrorism online. Practically, the entire criminal law is being redefined here. Today, there is hardly a crime that does not involve a computer or smartphone in its execution. This broad listing is of little help in tackling the core area of cyber crime - illegal intrusion into computer systems for the purpose of criminal extortion of financial or other benefits - and is full of loopholes for resourceful criminals. Moreover, this elastic paragraph would give both law enforcement and the courts every leverage to act subjectively and according to political interests against alleged criminals.
  • Representatives of the more than 200 accredited NGOs had their say at the informal consultations in early March 2023. They fear that international agreements between governments against cyber crime could come at the expense of respect for human rights. Electronic Frontier Foundation (EFF) called for a "human centric approach". Freedom of expression, privacy and assembly must be prioritised in the prosecution of cyber crime, evidence gathering, international cooperation and technical assistance. It calls for provisions for an international, neutral and independent oversight with clear transparency rules and reporting obligations and the application of rule of law principles such as "proportionality, necessity and legality" in all individual law enforcement activities. The letter also opposes new obligations for Internet service providers (ISPs) and expanded possibilities to access encrypted communications. "State hacking" and "intrusive surveillance" (Articles 47 and 48) should be prohibited.
  • The chairperson of the AHC, Algerian Ambassador Faouzia Boumaiza Mebarki, now has the task of streamlining the CDN. One option is to consider the UN Convention as an "umbrella" under which states agree on basic principles and shift the implementation to a network of bilateral treaties (Mutual Legal Assistance Treaties/MLATs). In this way, the respective national jurisdiction could be taken into account more specifically when it comes to concrete cross-border criminal prosecution. Another option is to outsource controversial issues to additional protocols, which are to be negotiated later. There are still two two-week rounds of negotiations to come (April 2023 in Vienna and August 2023 in New York). A draft convention ready for signature should then be available.