Background Materials — Cyberwarfare

  • Relevant Treaties (in reverse chronological order)

  • ICC Documents (reverse chronological order)

    • Office of the Prosecutor, ICC, Strategic Plan 2019–2021 (Jul. 17, 2019). Available online.

    • Office of the Prosecutor, ICC, Policy Paper on Case Selection and Prioritisation (Sep. 15, 2016). Available online.

    • Office of the Prosecutor, ICC, Strategic Plan 2016–2018 (Jul. 6, 2015). Available online, archived.

    • Office of the Prosecutor, ICC, Policy Paper on Preliminary Examinations (Nov. 2013). Available online.

    • Office of the Prosecutor, ICC, Draft Policy Paper on Preliminary Examinations (Oct. 4, 2010). Available online.

    • International Criminal Court, Regulations of the Office of the Prosecutor, ICC-BD/05-01-09 (Apr. 23, 2009). Available online.

    • Office of the Prosecutor, ICC, Policy Paper on the Interests of Justice (Sep. 2007). Available online.

  • Governments and Intergovernmental Organizations (reverse chronological order)

    • The Permanent Mission of Liechtenstein to the United Nations, The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare (Aug. 2021). Available online.

  • News Articles (reverse chronological order)

    • Joseph Menn & Craig Timberg, The Dire Predictions About a Russian Cyber Onslaught Haven’t Come True in Ukraine. At Least Not Yet., Wash. Post, Feb. 28, 2022. Available online.

    • David E. Sanger, Julian E. Barnes & Kate Conger, As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War., N.Y. Times, Feb. 28, 2022. Available online.

    • Aron Vaughan, Modern Cyberwarfare: Russia’s Social Media Blackout and the War on Many Fronts, Innovation & Tech Today, Feb. 28, 2022. Available online.

    • Dan Milmo, Anonymous: The Hacker Collective That Has Declared Cyberwar on Russia, The Guardian, Feb. 27, 2022. Available online.

    • Ian Bogost, ‘Netwar’ Could Be Even Worse Than Cyberwar, The Atlantic, Feb. 26, 2022. Available online.

    • Ken Dilanian, “They Are Hair on Fire”: Biden Administration Mulls Cyber Attacks Against Russian Hackers, NBC News, Jun. 3, 2021. Available online.

      Because ransomware attacks are not carried out directly by governments, attacks like the ones that hit Colonial Pipeline and JBS Foods have for years been treated as purely criminal matters, investigated by the FBI with an eye toward prosecution. Criminal accountability was rare, however, because most of the hackers live in Russia and other places beyond the reach of U.S. law enforcement. Russia allows the hackers to operate without interference as long as they are attacking the West, U.S. officials say.

  • Articles (alphabetical by author, then reverse chronological order)

    • Kai Ambos, Individual Criminal Responsibility for Cyber Aggression, 21 J. Conflict & Security L. 495 (Aug. 7, 2016). Paywall, doi.

      Ambos begins by acknowledging his view that computer network attacks will not amount to a crime of aggression under Article 8 bis of the Rome Statute, because the Statute requires that the crime of aggression be carried out by a State (whereas computer attacks are normally carried out by non-state actors) and the Statute establishes a two-fold threshold which is difficult to pass. Ambos spends the remainder of the article assuming that a State-led computer attack does amount to a crime of aggression, and focuses on the issue of who may be held individually responsible for such an attack. He analyzes the “complex leadership clause” of Article 8 bis (1) and concludes that there is no difference between a kinetic and a cyber-attack as far as the ensuing individual criminal responsibility is concerned.

    • M. Cherif Bassiouni, The History of Aggression in International Law, Its Culmination in the Kampala Amendments, and Its Future Legal Characterization, 58 Harv. Int’l L.J. 87 (2017). Available online.

      The conception of a crime of aggression in the traditional sense should be abandoned. Instead, the international law community should focus on cyberattacks since that is the kind of aggression that States engage in.

    • Georgia Beatty, War Crimes in Cyberspace: Prosecuting Disruptive Cyber Operations Under Article 8 of the Rome Statute, 58 Mil. L. & L. of War R. 209 (Dec. 2020). Paywall.

      Beatty discusses whether “purely disruptive (as opposed to physically destructive) cyber operations could be prosecuted as war crimes at the International Criminal Court under Article 8 of the Rome Statute.” She looks largely at the Tallinn Manual as an authoritative restatement on international cyber law. She concludes that if the ICC were to base cyber crimes only on the Tallinn Manual, it would effectively exclude disruptive cyber operations, which could be problematic in a world where both militaries and civilians are so reliant on computers and the internet.

    • Gary Brown & Keira Poellet, The Customary International Law of Cyberspace, 6 SSQ 126 (2012). Available online.

      International customary laws are those crimes that are universally accepted as impermissible. Many of these crimes apply to times of war. Cyberspace does not neatly match up with attacks occurring in times of “armed conflict” in the traditional sense and so gives nation-states new options on how to do “war” without “attribution.” The authors argue that there is an emerging consensus among states that most cyber activity falls below the level of a “use of force” with several notable exceptions: “actions against major financial institutions and disruptive actions to nuclear command and control systems.” Because there are no formal agreements, they believe that the permissiveness of the international regime will allow cyberspace to be a “competitive intellectual battlefield” for better or worse.

    • Chance Cammack, The Stuxnet Worm and Potential Prosecution by the International Criminal Court Under the Newly Defined Crime of Aggression, 20 Tul. J. Int’l & Comp. L. 303 (2011). Paywall.

      Cammack outlines and examines the crime of aggression under the ICC as it applies to the Stuxnet worm, an advanced and sophisticated piece of computer technology that targeted and destroyed key parts of Iran’s nuclear program at the Natanz uranium enrichment center. He argues that a computer worm such as Stuxnet could be classified as an armed attack by state actors. Thus, despite the textual limitations of the crime of aggression under the Rome Statute, a broad interpretation of the Statute could include cyber attacks like Stuxnet and others in the future.

    • Kristen E. Eichensehr, The Law & Politics of Cyberattack Attribution, 67 UCLA L. Rev. 520 (2020). Available online.

      Eichensehr discusses the legal and policy questions about when and how to accuse governments of responsibility for cyberattacks. She argues that when cyberattacks are publicly attributed to states, such attributions should be governed by legal standards. She also argues that an international institution can be developed that would handle attribution of state-sponsored cyberattacks, but that any institution should supplement, rather than replace, the current decentralized system of attribution.

    • Lindsay Freeman, Law in Conflict: The Technological Transformation of War and Its Consequences for the International Criminal Court, 51 N.Y.U. J. Int’l L. & Pol. 807 (2019). Available online.

      The author discusses how new technologies have shaped the way international conflict arises and how new technologies might affect future wars. She further discusses how these new methods of warfare might be handled by the ICC.

    • Gianpiero Greco, Cyber Attacks as Aggression Crimes in Cyberspace in the Context of International Criminal Law, 4 EJPSS 40 (2020). Available online, doi.

      The author discusses the concept of cyber-attacks as crimes of aggression.

    • Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Elizabeth Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, 100 Cal. L. Rev. 817 (2012). Available online.

      The authors outline how cyber attacks fit into the common schemes of jus ad bellum and jus in bello. They also show to what extent current institutions and regimes already govern cyber attacks and where their shortcomings lead to a need for new frameworks.

    • Ido Kilovaty, Virtual Violence—Disruptive Cyberspace Operations as “Attacks” Under International Humanitarian Law, 23 Mich. Telecomm. & Tech. L. Rev. 113 (2016). Available online.

      Kilovaty analyzes the consequences of cyber operations and how many of the severe consequences of attacks that cause disruptions or interruptions of normal processes are overshadowed by headliners that cause deaths, injuries, or physical destruction. Kilovaty argues that disruptive cyber operations are actually an integral part of nearly every recent armed conflict, and cause far more damage in absolute terms than the relatively rare cyberattacks that lead to direct deaths.

    • Adi Libsker-Hazut, Cybercrimes: What Is and What Ought to Be? Rethinking the Role of Recklessness and Negligence in the International Criminal Court, Cyberlaw Blogospace (Jun. 11, 2019). Available online.

      Libsker-Hazut notes the fundamental difficulty and limitation that Article 30 of the Rome Statute imposes on the applicability of international law to cyberspace. Article 30 requires that there must be a mental element—a “guilty mind”—for criminal liability to attach. Consequently, reckless and/or negligent criminal acts are given a pass and criminal liability cannot be imposed for the same. The author points out that given the unique characteristics of cyberwarfare, it is easy for offenders to wriggle out of criminal liability by claiming that they did not intend or were unaware of the consequences of their acts. Thus, the author argues that an acknowledgement of crimes of negligence and crimes of recklessness is justified and necessitated to uphold a higher standard of conduct in cyberspace.

    • Joseph N. Madubuike-Ekwe, Cyberattack and the Use of Force in International Law, 12 BLR 631 (Jun. 22, 2021). Available online, doi.

      Madubuike-Ekwe outlines applying existing doctrines such as the U.N. Charter, international treaties, and international law to cyberwarfare. Because cyberwarfare easily transcends borders and can be conducted from extreme distances, combatants can easily become emotionally and morally detached from the consequences of their actions. Madubuike-Ekwe elaborates on the need to adapt existing frameworks to create an international legal system that can better handle cybercrimes.

    • Ryan McClure, International Adjudication Options in Response to State-Sponsored Cyber-Attacks Against Outer-Space Satellites, 18 New Eng. J. Int’l & Comp. L. 431 (2012). Paywall.

      McClure argues that current international adjudication options are inadequate to solve disputes between states conducting state-sponsored cyber-attacks against outer-space satellites. He argues that certain textual barriers could preclude ICC jurisdiction.

    • Kevin L. Miller, The Kampala Compromise and Cyberattacks: Can There Be an International Crime of Cyber-Aggression?, 23 S. Cal. Interdisc. L.J. 218 (Feb. 2014). Available online.

      Miller discusses the definition of the crime of aggression agreed upon at the Kampala Review Conference in 2010 and considers whether the definition can be applied to cyberattacks in order to decelerate an aggressive cyberspace. He argues that although the definitions can be interpreted to incorporate cyberaggression, it is unlikely that the crime of aggression will be applied in the context of cyberaggression for the time being.

    • Kevin L. Miller, Cyberattacks, the Laws of War, and the Crime of Aggression, 22 ILSA Q. 21 (Oct. 2013). Paywall.

      Miller examines both the traditional laws of war and the newly-drafted ICC crime of aggression in the context of state-sponsored cyberattacks.

    • Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield, 9 Duke L. & Tech. Rev. 1 (2010). Available online.

      Ophardt argues that it is up to the ICC to address the cyber attack threat, and that this can be done by better defining the crime of aggression. He claims the definition should be expanded to include non-state actors and should leave room for new conceptions of territoriality (including both the victim state in cyberspace and the states whose physical assets are targeted), or for a broad interpretation of “armed” in the crime of aggression.

    • Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int’l L. 191 (2018). Available online.

      Perloff-Giles applies the language of the U.N. Charter and other sources of international humanitarian law to argue that cyberattacks fit within the definition of a use of force or aggression. She investigates several methods of holding perpetrators accountable including a special arbitration tribunal and the ICC, but argues that, as of now, the ICC likely does not have subject matter jurisdiction. She argues that the definition of “crimes of aggression” in the Rome Statute is too narrow to apply to cyber crimes.

    • Ellen S. Podgor, Cybercrime: National, Transnational, or International?, 50 Wayne L. Rev. 97 (Jan. 1, 2004). Available online.

      Despite the seriousness of cybercrime, it is difficult to determine which crimes should be pursued on a national, transnational, or international level. When the jurisdiction of a certain cybercrime falls into more than one of the three levels, it is important to establish clear priorities that acknowledge the difference between traditional crime and cybercrime. The difficulty of these decisions does not excuse a failure to address the problem.

    • Bradley Raboin, Corresponding Evolution: International Law and the Emergence of Cyber Warfare, 31 J. NAALJ 602 (Oct. 15, 2011). Available online.

      Raboin begins by addressing how cyberwarfare is conducted and the weapons it uses, such as spoofing, trojan horses, etc. He then explains three modern-day examples of major cyber attacks that occurred in Estonia, Georgia, and Iran. At the end, the author explains the inadequacies of international law to address cyberwarfare. Particularly, the areas of focus are attribution, jurisdiction, and the use of force problems. The attribution problem is the question of whose acts are attributable to a sovereign national state. Is Russia, for example, responsible for the actions of individual hackers that operate in its territory? This is a critical issue. Next, the jurisdiction issue must be addressed. The first question is whether a state can claim actual jurisdiction over cyberspace based on any traditional principles. The second question is whether any of the traditional jurisdiction principles already existing and applicable under the present international law regime can also be applied to cyberwarfare operations. Lastly, the uncertainty surrounding what constitutes use of force in cyberwarfare is also a problem that needs to be addressed.

    • Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247 (Jun. 1, 2019). Available online, doi.

      Roscini claims cyber attacks that cause civilian casualties, injury, destruction of protected objects, or damage to the environment, in the context of an armed conflict, would constitute war crimes under Rome Statute Article 8(2)(b)(i)–(ii), Article 8(2)(b)(iv), and Article 8(2)(e)(i). He focuses on the gravity threshold, and explores relevant factors: scale, nature, manner of commission, and impact.

    • Marco Roscini, WorldWide Warfare—Jus ad Bellum and the Use of Cyber Force, 14 Max Planck Y.B. U.N. L. 85 (Jun. 30, 2010). Available online.

      Roscini considers how cyber security continues to be a general concern of the international community. Even though cyber attacks can be linked to state actors acting upon other states, it is still unclear how existing rules of force can apply, if at all, to cyber crimes. These crimes might apply under the crimes of aggression as per Article 8(2) of the Rome Statute, but also may conflict with Article 22.

    • Paul Rosenzweig, International Law and Private Actor Active Cyber Defensive Measures, 50 Stan. J. Int’l L. 103 (2014). Paywall.

      Rosenzweig states that private defense measures can be incorporated within government action to supplement the current ineffectual international measures in place to protect against cyber crime. He indicates that while countries such as Germany have legislation opposing certain anti-cybercriminality actions like “hack backs”, private entities frequently rely on such practices, especially in international cyber criminal attacks, to protect institutions. This leads to a paradoxical dilemma between official disapproval and informal tolerance.

    • Arie J. Schaap, Cyber Warfare Operations: Development and Use Under International Law, 64 A.F. L. Rev. 121 (2009). Paywall.

      Schaap explains how existing international treaties could help regulate cyberwarfare. First, the Outer Space Treaty lays a general legal basis for the peaceful uses of outer space and provides a framework for the developing law of outer space. This could apply to cyberwarfare because cyber attacks could be involved in neutralizing the control of satellites in space. International Aviation Law can also help control cyberwarfare. International conventions prohibit attacks on civil airlines. Likewise, this could control cyber attacks on the control towers of civilian aircraft. Lastly, cyberwarfare operations involving the targeting of telecommunication networks may implicate international telecommunication laws. In short, no solutions are provided but the author tries to fit cyberwarfare within the current paradigm of international treaties.

    • David Scheffer, The Missing Pieces in Article 8 bis (Aggression) of the Rome Statute, 58 Harv. Int’l L.J. 83 (2017). Available online.

      Scheffer points out several shortcomings, including cyberwarfare, in the definition of crimes of aggression as it stands today under Article 8 bis of the Rome Statute. He notes that despite the growing prevalence of cyberwarfare in modern times, the concept absolutely escapes Article 8 bis. He further notes that the exclusion of acts by non-state actors would limit the inclusion and scope of cyberwar. He also observes that given the nature of a cyber-attack, it would be complex for the ICC to adjudicate upon such matters. However, to completely ignore cyber would be even more detrimental.

    • Lawrence J. Trautman, Is Cyberattack the Next Pearl Harbor?, 18 NC JOLT 233 (Mar. 25, 2016). Available online, doi.

      Trautman imagines a hypothetical scenario involving major U.S. cities under a cyberattack. He engages in a thought exercise around what critical infrastructure would be impacted, how, and potential responses from the government/military. He then moves into a discussion of current geopolitical dynamics, potential cyberattack threats, and responses.

    • Matthew C. Waxman, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int’l L. 421 (2011). Available online.

      The author discusses whether cyber attacks constitute prohibited “force” or an “armed attack” justifying military force in self-defense. He addresses the difficulties of interpreting Article 2(4) of the U.N. Charter. He feels that it is not equipped to deal with cyberattacks in the same way it was not well equipped to deal with the proxy wars of the Cold War. He also states that it is actually difficult to determine who is the aggressor, what was done in self-defense, etc. Finally, he feels that States will be unlikely to agree on new terms or legal boundaries, so it is likely that outcomes will come from interpretation as crises and claims gradually mold the existing law’s language.

    • David Weissbrodt, Cyber-Conflict, Cyber-Crime, and Cyber-Espionage, 22 Minn. J. Int’l L. 347 (2013). Available online.

      Weissbrodt analyzes whether cyberattacks can be considered acts of aggression such that they could fit into the ICC’s jurisdictional framework. He argues that cyberattacks are, at the very least, a use of force that poses a growing threat to States and must be addressed by some international legal system. This is due to their inherent transnational nature and the difficulty in identifying and extraditing perpetrators. The ICC has potential as the location for prosecution of cybercriminals.

  • Books (alphabetical by author)

    • Kai Ambos, International Criminal Responsibility in Cyberspace, in Research Handbook on Cyberspace and International Law 118 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015). Available online.

      Ambos provides an overview of the state of the art with regard to computer network attacks (CNAs) and cyber-attacks. He focuses on CNAs because he argues that these forms of crimes in cyberspace are normally serious enough to qualify as international crimes and thus be covered by international criminal jurisdiction like the ICC. As to “international criminal responsibility,” he says the current debate in the cyber context is mostly concerned with the application of the law of armed conflict or international humanitarian law to CNAs. He finds there is less intense debate regarding possible criminal responsibility for a crime of aggression from CNAs and virtually no debate regarding the commission of crimes against humanity.

    • Darin Michael Clearwater, Inter-State Cyber Attacks and the State Act Element of the Crime of Aggression (University of Edinburgh, Jul. 9, 2019). Paywall.

      How Article 8 bis of the Rome Statute allows for state-sponsored cyber attacks to be sanctioned by the ICC.

    • Aman Kumar, Placing Cyber Warfare within the Rome Statute Framework, in International Humanitarian Law: A Reflection on 70 Years of Geneva Conventions 1949 (Rashmi Salpekar & Navjeet Sidhu eds., Nov. 16, 2019). Available online.

      Kumar assesses whether cyberwarfare fits the elements of a war crime under the Rome Statute and, if so, how the ICC can prosecute cases of cyberwarfare. Kumar proposes that Article 8 of the Rome Statute be amended to include the crime of cyberwarfare. He describes such an amendment as a necessary step because nearly every State is currently susceptible to such attacks.

    • Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt ed., Feb. 2017). Paywall, doi.

    • Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., Mar. 2013). Paywall, doi.