Ambos
Brown
Hathaway
Roscini
Scheffer

Kai Ambos, Dr.jur., Privatdozent LMU München Professor of Law Georg-August-University Göttingen

Cyber-Attacks as International Crimes under the Rome Statute of the International Criminal Court?

The conventional physical bombardment of a military base or causing a complete loss of function through a cyber-attack may have the same effect, that is, the temporary suspension of the use of the military base. Still, even though the attacks are comparable in their effect, they are achieved in fundamentally different ways: while physical damage occurs in the case of conventional attacks, it is usually absent in the case of cyber attacks.

Summary

In this short comment1 I argue that cyber operations in the form of cyber-attacks may entail individual criminal responsibility under international criminal law, especially when they amount to war crimes. In Section I, I start with some conceptual remarks regarding the umbrella term cyber operations and cyberwarfare, then, in Section II, I argue that cyber attacks may amount to “attacks” in the legal sense of the term on the basis of an effects approach. In Section III, I apply this approach to the international core crimes within the meaning of Article 5 of the Rome Statute focusing mainly on war crimes. I then conclude in Section IV with some remarks on the law on individual criminal responsibility.

Argument

I. Preliminary Conceptual Remarks: Cyber Operations and Cyber Warfare

“Cyber operation” is an umbrella term referring to “employment of cyber capabilities to achieve [certain] objectives in or through cyberspace.”2 The term is more specific than the broader “cybercrime”3 and covers inter alia cyber espionage, cyber manipulation, and cyber attacks.4 Thinking of cyber operations in terms of international criminal law the focus shifts to cyber attacks given that they constitute the strongest, most aggressive form of a cyber operation and are as such the only possible candidates serious enough to qualify as international crimes (see, infra, Section III).5

“Cyberwarfare” is, more narrowly, the conduct of a cyber operation by military means in order to achieve military objectives.6 Means of cyberwarfare “are cyber weapons and their associated cyber systems.”7 Given that cyber attacks can reasonably be expected to cause injury or death to persons or damage or destruction to objects, they can be fairly described, together with the device and/or software employed, as cyber weapons and thus as means of cyberwarfare.

II. Cyber Attacks as “Attacks” Due to Their Effects

The main difference between cyber and conventional attacks is the lack of the exertion of kinetic force of the former. In contrast to conventional kinetic attacks, cyber attacks regularly do not cause damage through direct kinetic force, but rather indirectly through the alteration or destruction of data. Kinetic means, in this regard, that the damage is related to or results from the motion or the dynamic of the attack. Kinetic weaponry is weaponry that acts through mechanical transmission.

However, kinetic and cyber-attacks may be comparable in their effects or consequences. The conventional physical bombardment of a military base or causing a complete loss of function through a cyber-attack may have the same effect, that is, the temporary suspension of the use of the military base. Still, even though the attacks are comparable in their effect, they are achieved in fundamentally different ways: while physical damage occurs in the case of conventional attacks, it is usually absent in the case of cyber attacks. Notwithstanding, a cyber operation may well trigger and/or cause kinetic damage, e.g. widespread flooding caused by the deactivation of the regulating system of a large dam. For these scenarios of cyber attacks with indirect kinetic effects, the notion of “cyber-kinetic-attacks” has been coined.8 The term is somewhat misleading, though, since it lumps together apparently contradictory—cyber vs. kinetic—notions. It is thus clearer to speak of indirect, secondary or even reverberating effects of cyber attacks.9

Expand

At any rate, given the fundamental difference between a conventional (kinetic) and a cyber (non-kinetic) attack, it has been argued that only the former amounts to an attack in the legal sense of the term since such an attack presupposes physical damage and the ensuing replacement of physical components of the attacked object.10 The opposing view holds that damage to an operating system (with the ensuing need to reinstall it) or destruction of particular data may suffice to be qualified as an “attack” if similar harmful consequences (loss of functionality, etc.) ensue.11 This latter view is, in principle, more convincing.12 While physical objects and mere data are certainly different, they are inseparably connected and interrelated. For this reason, cyber attacks may have an effect comparable to physical damage through functionally producing data corruption, which, in turn, has a significant negative impact on cyberinfrastructures. Indeed, in today’s cyber world, the traditional concepts of “use of force”, “armed attack” or “acts of violence”13 need to be reconsidered focusing on their effects instead of overemphasizing the means (the kind of weapon) used to bring about these effects. This is even more true in the case of damage to so-called critical infrastructures.14 Thus, in sum, interpreting cyber attacks in the light of existing international (humanitarian) law, the effect-based approach focusing on the effects or consequences of a cyber attack with regard to a concrete target is to be preferred over a mere means or instruments approach.15

III. Cyber Attacks as International Crimes

International crimes may be committed through cyber-attacks alone or in combination with kinetic acts. At any rate, such attacks must be of a sufficient gravity to fall under the ICC’s mandate as a consequence of the (autonomous) gravity threshold within the framework of the complementarity regime of Article 17(1)(d) of the Rome Statute. While no cyber situations have yet been the object of analysis of the ICC’s Prosecutor,16 cyber-attacks surely have the potential to reach the necessary gravity threshold due to their effects and the associated external impact in line with the criteria of “scale, nature, manner of the commission, and impact”.17

Let us now have a look at the crimes under the Rome Statute, focusing in particular on war crimes.

A. War Crimes (Article 8 of the Rome Statute)

The basic requirement for the application of the war crime regime is that an armed conflict exists (common Article 2 of the Geneva Conventions (GC) ), i.e., that armed force has been employed between parties to a conflict and it can be attributed to one of them.18 As argued above, the question of whether a pure cyber attack can be qualified “armed force” needs to be answered from the perspective of the effects of such attacks as compared to traditional kinetic attacks. This effect-based reading is also in line with the definition of “armed attacks” as “acts of violence” in the sense of Article 49(1) of the Additional Protocol [AP] I GC provided that a cyber attack produces violent effects, for example, by harming a physical part of a computer network which results in its replacement. In contrast, if a cyber attack does not produce any (lasting) physical or serious functional damage, it does not reach the armed conflict threshold. At any rate, generally it can be said that cyber attacks hardly reach the armed conflict threshold on their own but only in combination with traditional kinetic attacks; yet, cyber means of warfare may be employed in the context of a traditional armed conflict.19

It is more difficult to meet the second element of the armed conflict requirement, namely the attribution of a cyber attack to one of the parties to the conflict. While there are rules of attribution which may serve as guidance, e.g. in the International Law Commissions’s Draft on State Responsibility20 or, more specifically, in the Tallinn Manual,21 the difficulties are mainly of a factual and evidentiary nature. They lie in the identification of the attacker and/or the attribution of the attack to a party to the respective armed conflict. On the one hand, the attack may come out of the anonymity of the Internet and thus may not be traceable to a specific person or group; or it may be traced to the wrong person or group. At best, it may be possible to identify the computer responsible for the attack via its IP address and thus establish its territorial location. Yet, while this may arguably allow one to presume the responsibility of the territorial State, such a presumption may be rebutted by this State, for example, by pointing to a group of non-state actors which it does not control.22 On the other hand, the attacker may be identified but s/he may not belong to or be affiliated with a party to the conflict and thus the attack may not be attributable to such a group; in addition, the attackers themselves may not qualify as an armed group within the meaning of International Humanitarian Law (IHL)—lacking the necessary degree of organization, i.e., command, control, discipline, and hierarchy—and thus would not, on their own, constitute an autonomous party to the conflict. For example, groups of hackers usually lack the IHL criteria just mentioned; a spontaneous collective attack, e.g. a denial-of-service attack, does not comply with the organization requirement either. One may avoid these problems of attribution invoking a due diligence obligation of the (territorial) State to prevent cyber-attacks from happening in the first place or to intervene to stop them since such an approach focuses on the primary obligation of due diligence and its breach.23 However, this approach entails other problems. In particular, to establish a fair control standard—what can be fairly expected from a State in terms of control of cyber activities on its territory—and a sufficiently precise mental or cognitive standard.24

In line with the effects approach, it is conceivable that cyber-attacks that disrupt the function of critical infrastructure—e.g. the health care system—cross the armed conflict and attack thresholds and amount to war crimes under Article 8 of the Rome Statute by “wilfully causing great suffering, or serious injury to body or health,” “attacks against the civilian population as such or against individual civilians not taking direct part in hostilities” or “[i]ntentionally directing attacks against […] medical units.” Any person acting on behalf of a party to the conflict may commit such a war crime and thus be a responsible agent. In the cyber context, the participation of civilians is of particular relevance since the reliance on civilian expertise is indispensable. These civilians may be members of formal armed forces but also of non-State actors and thus be targetable according to the (highly controversial) general rules of participation in hostilities. Here, too, certain particularities are to be noted, above all how cyber-active civilians are to be distinguished from ordinary civilians in terms of their participation in hostilities. Generally, it can be said that the decision about the participation (with the ensuing loss of immunity from attacks) depends on the importance of the cyber civilian’s contribution and his/her expertise. Thus, if an attack would not have been possible without this contribution, a participation is to be affirmed while a mere support function, e.g. maintenance of a computer network, does not justify such an affirmation. While the decision depends ultimately on the circumstances of the concrete case, it is clear that a (too) broad reading of the participation requirement may undermine the protective purpose of IHL,25 as especially expressed by the principle of distinction to which we now turn.

The usual IHL principles , i.e., humanity, necessity, proportionality,26 precaution, and distinction,27 also apply to cyber attacks if they amount to “attacks” under IHL28. Take, for example, the war crime of “[i]ntentionally directing attacks against civilian objects, that is, objects which are not military objectives” from Article 8(2)(b)(ii) of the Rome Statute. This provision constitutes a concrete implementation of the principle of distinction, embodied in Article 48 AP I GC and part of customary international law applicable in both international and non-international armed conflicts. Civilian objects are (only) defined negatively in delimitation to “military objectives” and these are “limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose […] neutralization […] offers a definitive military advantage” (Article 52 AP I GC [emphasis added]). While it is fairly uncontroversial that the principle of distinction also applies to cyber attacks, its concrete application is shrouded by controversy and uncertainty.29 Apart from the usual difficulties to distinguish between civilian and military objects pursuant to the just mentioned blurred definition, the situation is even more complicated in the cyber area given that any computer system can be used for both civilian and military purposes at the same time or interchangeably—the dual-use problem .30 Thus, ultimately, the decision whether a certain object is “military” and can therefore be targeted is very much case-based on the specific circumstances.

B. Other International Core Crimes

In line with the effects approach, it is easily conceivable that cyber attacks may produce the objective effects of a genocidal attack on a protected group pursuant to Article 6(a)–(e) of the Rome Statute, or bring about the results of the underlying crimes of crimes against humanity pursuant to Article 7 of the Rome Statute. In the former case it will, as always, be difficult to overcome the high subjective threshold in the form the specific intent to destroy one of the protected groups. In the latter case, the cyber-attack would have to be carried out pursuant to a certain policy and, further, to be widespread or systematic. With regard to the organizational requirement in Article 7(2)(a) of the Rome Statute, similar questions as under war crimes, with a view to a minimum organisational threshold, arise.

Last but not least, the crime of aggression under Article 8 bis is only of limited, if any, relevance in the cyber context. This is so mainly for three reasons. First, Article 8 bis does not cover non-State actors but these are often behind cyber attacks. Secondly, a cyber attack may only exceptionally amount to a “use of armed force” within the meaning of Article 8 bis(2).31 Third, it is even less conceivable that such attacks constitute “a manifest violation” of the U.N. Charter as required by Article 8 bis(1).

IV. Individual Criminal Responsibility

Individual criminal responsibility presupposes the existence of international crimes and the relevant participation in these crimes by natural persons. The Tallinn Manual 2.0 now explicitly recognizes individual and superior (criminal) responsibility, albeit limited to war crimes, in line with Articles 25 and 28 of the Rome Statute;32 as to superiors, it additionally provides a responsibility for “ordering cyber operations that constitute war crimes.”33

Participants in cyber-attacks are criminally responsible, under various subsections of Articles 25 and 28 of the Rome Statute, according to the nature and degree of involvement in the attack either as perpetrators acting alone, jointly with another, or through another person—or as secondary participants—inducing the attack or collaborating in it. Superiors may order the attack or fail to properly supervise subordinates carrying out such an attack. Liability for ordering is based on the general provision of Article 25(3)(b) of the Rome Statute, i.e., it is not limited to superiors within the meaning of Article 28, although there is, in factual terms, good reason to argue that only such superiors are in the position to order. At any rate, the just mentioned Tallinn Manual’s specific Rule 85(a) turns out to be redundant in light of the ordering alternative in Article 25(3)(b) of the Rome Statute. Apparently, the Tallinn drafters wanted to incorporate both the superior’s active conduct and failure to act in one specific Rule, i.e., Rule 85.34

In the case of the crime of aggression, criminal responsibility only arises, pursuant to the so-called leadership clause in Article 8 bis(1) of the Rome Statute, with regard to “a person in a position effectively to exercise control over or to direct the political or military action of a State.” This means that the persons effectively carrying out a cyber attack would not be criminally liable but, at best, their superiors would be, if they belong to the leadership level and can be held responsible for the acts of the actual “cyber warriors”.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1.
This comment draws upon the following two sources. The research assistance of Luca Petersen is gratefully acknowledged.

Kai Ambos, International Criminal Responsibility in Cyberspace, in Research Handbook on Cyberspace and International Law 118 (Nicholas Tsagourias & Russell Buchan eds., 2d ed. 2021), earlier version available online; Kai Ambos, Individual Criminal Responsibility for Cyber Aggression, 21 J. Conflict & Security L. 495 (Aug. 7, 2016), paywall, doi. ↩
2.
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 564 (Michael N. Schmitt ed., Feb. 2017) [hereinafter Tallinn Manual], paywall, doi; Accord Paul A.L. Ducheine, The Notion of Cyber Operations, in Research Handbook on Cyberspace and International Law 211 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), paywall, doi, later version with Peter B.M.J. Pijpers (Apr. 14, 2020) available online. ↩
3.
Philipp Kastner & Frédéric Mégret, International Legal Dimension of Cybercrime, in Research Handbook on Cyberspace and International Law 190 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), available online, doi

(“Cybercrime” refers to any criminal activity involving computer technology, committed by means of or against a computer).

Convention on Cybercrime, ETS No. 185 (Nov. 23, 2001) [hereinafter Budapest Convention], available online

(At the international level, the most comprehensive regulation of Cybercrime has been the Budapest Convention, said to have influenced the criminal law legislation of about 120 States).

Cf. Council of Europe, Cybercrime Programme Office, The Global State of Cybercrime Legislation 2013–2021: A Cursory Overview (Jun. 30, 2021), available online. ↩
4.
See Ducheine, supra note 2.

(In a profound analysis, Ducheine demonstrates the similar strategic objectives and common operational means and methods of State and Non-State actors and set out six typical phases of a cyber operation, i.e., reconnaissance, design, intrusion, action, camouflage, and exfiltration). ↩
5.
See Marco Roscini, Cyber Operations as Use of Force, in Research Handbook on Cyberspace and International Law 233 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), available online, earlier version, doi.

(In contrast, the previously mentioned cyber espionage or manipulation is, as a rule, non-destructive and only employed to enter a computer system to extract information). ↩
6.
Tallinn Manual, supra note 2, at 564

(This is a military extension of the definition of “cyber operation”).

Ducheine, supra note 2, 290 n.112

(offering a critical discussion, but also, however, create the impression that the Tallinn Manual, quoting the first edition from 2013, provides a definition of “cyber warfare”).

Heather Harrison Dinniss, Cyber Warfare and the Laws of War 294 (2012), paywall

(referring to “electronic warfare” as “Military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy.”). ↩
7.
Tallinn Manual, supra note 2, at 452. ↩
8.
See e.g. Scott D. Applegate, The Dawn of Kinetic Cyber, in 5th International Conference on Cyber Conflict (Karlis Podins, Jan Stinissen & Markus Maybaum eds., 2013), available online. ↩
9.
Cf. Karine Bannelier-Christakis, Is the Principle of Distinction Still Relevant in Cyberwarfare?, in Research Handbook on Cyberspace and International Law 343 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), available online, doi

(with further references). ↩
10.
Tallinn Manual, supra note 2, at 417.

(“a majority”).

See also William H. Boothby, Weapons and the Law of Armed Conflict 239 (2d ed. 2016), paywall, doi. ↩
11.
Tallinn Manual, supra note 2, at 417–18

(“Some of the experts”).

See also Julia Dornbusch, Das Kampfführungsrecht im internationalen Cyberkrieg 97–98 (2018), paywall; see also Terry D. Gill, International Humanitarian Law Applied to Cyber-Warfare: Precautions, Proportionality and the Notion of “Attack” Under the Humanitarian Law of Armed Conflict, in Research Handbook on Cyberspace and International Law 366 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), paywall, doi

(discussing effects which may turn data destruction into an attack).

See Bannelier-Christakis, supra note 9

(discussing loss of functionality). ↩
12.
Roscini, supra note 5

(for a narrower view with regard to attacks on data as use of force).

See also Bannelier-Christakis, supra note 9

(on the opposing views regarding data). ↩
13.
Cf. Roscini, supra note 5

(on the synonymity of these concepts). ↩
14.
U.S. Executive Order, Improving Critical Infrastructure Cybersecurity, § 2 (Feb. 12, 2013), available online

(According to § 2, a “critical infrastructure” “means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition is still valid).

U.S. Executive Order, Improving the Nation’s Cybersecurity (May 12, 2021), available online; U.S. Presidential Proclamation, Critical Infrastructure Security and Resilience Month, 2021 (Oct. 29, 2021), available online

(confirming the Biden administration’s commitment to secure the critical infrastructure, focusing, inter alia, on critical software). ↩
15.
See Bannelier-Christakis, supra note 9

(For the same view with several further references but rightly pointing to the evidentiary problems with regard to the proof of damage caused by a cyber operation and the precise extent of this damage).

See also Roscini, supra note 5.

(A combination of the instruments (weapons) and effects (of these weapons) approaches, as advocated by, does not yield different results since ultimately the decisive question is whether the cyber attacks cause a significant (physical) damage or a significant loss of functionality affirming a use of force in these cases while only seeing a violation of the principle of non-intervention in case of “other” cyber attacks). ↩
16.
However, while the issue did not give rise, so far, to a preliminary examination or even investigation, it is likely to increasingly come up in Article 15 communications and appears to be considered as part of overall investigative/protection strategies and information security management. ↩
17.
International Criminal Court, Regulations of the Office of the Prosecutor, ICC-BD/05-01-09, Reg. 29(2) (Apr. 23, 2009), available online, archived ; see Jennifer Trahan, The Criminalization of Cyber-operations Under the Rome Statute, 19 J. Int’l Crim. Just. 1133, 1138–46 (Nov. 8, 2021), paywall, doi; see also Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct That Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247 (Jun. 1, 2019), available online, doi. ↩
18.
Cf. The Prosecutor v. Dusko Tadić, IT-94-1-AR, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction ¶ 70 (ICTY AC, Oct. 2, 1995), available online; see Michael Cottier & Matthias Lippold, Article 8, War Crimes in Commentary of the Rome Statute of the ICC ( Kai Ambos ed., 4th ed. 2022)

(detailed discussion with further case law). ↩
19.
Cf. Gill, supra note 11; see also Bannelier-Christakis, supra note 9

(stating that “it has never been proven” that the use of cyber operations during armed conflict had the same harmful consequences as the use of kinetic weapons);

but see Trahan, supra note 17, at 1155

(considering the (Russian) cyber attacks on Eastern Ukraine as ”possible“ war crimes). ↩
20.
International Law Commission, Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries, U.N. Doc. A/56/10, Arts. 4–9 (Aug. 2001), available online

(establishing the rules of attribution of acts of State organs or private groups or agents to a State). ↩
21.
Tallinn Manual, supra note 2, Rules 15–18. ↩
22.
See Constantine Antonopoulos, State Responsibility in Cyberspace, in Research Handbook on Cyberspace and International Law 55 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), paywall, doi

(for a discussion). ↩
23.
Cf. id. ↩
24.
Id.

(While a strict knowledge standard would make it difficult if not impossible to establish the territorial State’s responsibility, lower standards, like the infamous constructive knowledge, are highly controversial and thus difficult to agree on). ↩
25.
See Bannelier-Christakis, supra note 9

(“kind of Trojan horse” leading to a “total cyber war”). ↩
26.
Gill, supra note 11

(on proportionality in particular, Gill argues that the principle largely applies in the same way in case of cyber attacks). ↩
27.
Cf. Note of the Secretary General, Group of Governmental Experts on Development in the Field of Information and Telecommunication in the Context of International Security, U.N. Doc. A/70/174, at ¶ 28(d) (Jul. 22, 2015), available online

(mentioning the principles of humanity, necessity, proportionality, and distinction). ↩
28.
Cf. Tallinn Manual, supra note 2, at 422

(“Only when a cyber operation […] rises to the level of an attack it is prohibited by the principle of distinction”).

Bannelier-Christakis, supra note 9

(providing a more nuanced, dynamic interpretation, arguing that IHL principles may also apply to cyber operation below the attack threshold). ↩
29.
See Bannelier-Christakis, supra note 9.

(In a recent, profound analysis, Bannelier-Christakis stresses the uncertainty and examines State practice and non-State/academic views in detail). ↩
30.
Id.

(In a deeper analysis, Bannelier-Christakis concludes that it is “rather illusory” to strictly limit attacks to military objects given that the “interconnection between civilian and military networks is so deep”). ↩
31.
Cf. Andreas Zimmermann & Elisa Freiburg-Braun, Article 8 bis, in Commentary of the Rome Statute of the ICC ( Kai Ambos ed., 4th ed. 2022).

(Note that the drafters preferred a narrow understanding focusing on kinetic force, notwithstanding, in line with the effects approach defended above, “the use of computer networks as weapons” may be qualified as the use of armed force within the meaning of the provision). ↩
32.
Cf. Tallinn Manual, supra note 2, Rules 84, 85. ↩
33.
Id. Rule 85(a). ↩
34.
Cf. Id. at 397 n.958.

(In fact, the commentary to Rule 84 on Individual Criminal Responsibility omits to mention the ordering alternative when discussing Article 25(3)(b) and moves this discussion to Rule 85(a) ). ↩
Suggested Citation for this Comment:

Kai Ambos, Cyber-Attacks as International Crimes under the Rome Statute of the International Criminal Court?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Ambos.

Suggested Citation for this Issue Generally:

When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.

Collapse

Gary D. Brown, J.D., LL.M. Professor of Cyber Law College of Information and Cyberspace; National Defense University

Some Nondestructive State Cyber Operations Probably Constitute the Crime of Aggression under the Rome Statute, but Attribution Difficulties and State Practice Make Effective Deterrence Unlikely

A body of law designed to deal with kinetic options is a poor fit for cyberspace, where effective operations can result in widespread effects that, while effective in advancing strategic interests, may not directly result in damage or injury. [...] Some states appear to carefully structure their cyber activities to ensure that the effects remain below the traditional understanding of a use of force in violation of the U.N. Charter. In other cases, states use cyber capabilities to undertake massive espionage campaigns which, although exponentially larger in scale than more traditional espionage, remain just espionage and therefore currently beyond the reach of international law.

Summary

Cyber activities continue to harass and confound governments and citizens alike. Although, under some circumstances, cyber operations constitute a welcome alternative to military force for advancing state interests, some disruptive cyber activities that don’t constitute a use of force under the U.N. Charter are nevertheless serious enough to cause concern. Some of these non-destructive cyber activities could constitute the crime of aggression under the Rome Statute. However, given the growing practice of states in cyberspace, the generally muted reactions to transgressive cyber behavior, and the difficulty in attributing cyber aggression to states, the Rome Statute is unlikely to have a significant deterrent effect on disruptive cyber behavior.

Argument1

States, the U.N., and other international organizations struggle to determine which state-sponsored cyber operations violate international law. Although it seems intuitively clear that cyber operations disrupting normal civilian life or interfering with the conduct of government business should constitute violations of international law, the law itself can be difficult to interpret in the virtual context. International law governing aggression is geared toward kinetic (physical) effects. International aggression has been closely aligned with military force, and military force results in physical destruction, injuries, and deaths. A body of law designed to deal with kinetic options is a poor fit for cyberspace, where effective operations can result in widespread effects that, while effective in advancing strategic interests, may not directly result in damage or injury. Despite scholarly attempts to address this gap in the law by generous interpretation of the applicability of sovereignty and discussion of the nonintervention principle, it remains an ambiguous and hotly debated area of law. Some states appear to carefully structure their cyber activities to ensure that the effects remain below the traditional understanding of a use of force in violation of the U.N. Charter. In other cases, states use cyber capabilities to undertake massive espionage campaigns which, although exponentially larger in scale than more traditional espionage, remain just espionage and therefore currently beyond the reach of international law.

The international law applicable to the top and bottom of the range of state cyber activities is relatively clear. At the top end, cyber activities that cross the use of force threshold violate Article 2(4) of the U.N. Charter.2 There is room for discussion about exactly where this line falls, but cyber actions directly resulting in physical damage or destruction of objects, or injury or death to people, clearly violate the Charter, just as their analogs in physical space would. At the bottom end, it is well-established that espionage, while not likely to win any friends, does not violate international law—or at least constitutes a “no-go” zone for the law.

Between these two limits there is a vast gray zone where the legality of state-sponsored cyber activities remains unclear. Two examples of these difficult categories are dual-purpose implants on critical systems and large-scale disruption of non-critical systems.

Expand

State operations conducted in the virtual environment can quickly step back and forth between espionage and more aggressive activities. Software surreptitiously implanted on systems can provide states continuing, long-term access to any computer network.3 Such access can potentially give operators who control it the ability to gather information, manipulate or delete information, or even physically damage electronic systems. Given the appropriate access, any of these activities may be the intent and culmination of a particular cyber operation. It can be nearly impossible for victim states to determine exactly what the intent is. These operations are troublesome enough on nonessential systems. The real challenge arises when states are able to gain access to critical systems. Particularly sensitive targets of this type of dual operation include power grids, national intelligence systems, or even systems connected to nuclear power plants, or nuclear command and control. Given the criticality of these systems, it would be appropriate to take steps to ensure they are not penetrable by malicious actors. Unfortunately, it seems that whatever steps have been taken to defend them have, on some occasions, proven insufficient. States are understandably reluctant to discuss vulnerabilities in these systems, but successful incursions and threats have been reported in the press.4 Even systems considered to be “air-gapped,” i.e., completely disconnected from the internet, seem to be vulnerable to skilled and tenacious cyber actors.5

It is also possible that, beyond the access provided to human operators, implanted malware itself can be dual-use, and could even be artificially intelligent, allowing the malware to determine an appropriate time and situation to convert from gathering intelligence to wreaking havoc on the affected system.6 This stacked ambiguity combined with the sensitivity of certain systems creates the potential for aggression that was simply not contemplated as the international legal system developed.

The second gray-zone activity to be addressed here is using cyber capabilities to disrupt, but not damage, non-critical civilian systems.7 In addition to those listed above, examples of such civilian systems are web conferencing services, financial institutions, and entertainment streaming services. Using kinetic capabilities to disrupt such systems—for example by severing communications cables or physically attacking banks or server farms—would meet the traditional definition of aggression and the application of international law in those cases is well-established. By contrast, a state-sponsored cyber operation could disrupt the same systems with malware programmed to make them unavailable or unusable at unpredictable and inconvenient times, for unknown periods of time, without actually damaging or destroying the systems. As soon as the aggressive state’s goals are met, it could return the affected systems to normal operations. The effects of these operations are considered “temporary,” so they may be considered less important, but such effects can be long-term and devastating to affected individuals, and they can play a significant role in advancing a state’s strategic interests.

The examples above, currently falling into a much-exploited “gray zone,” could be better deterred if states accepted that they were crimes of aggression under the Rome Statute. Under Article 8 bis(2) the crime of aggression requires a use of armed force in an “act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.”

Of course nothing is as simple as it seems. There is even a question of whether cyber activities could ever constitute “armed force”, but that question is beyond the scope of this short comment. Here, we will assume that aggressive state-sponsored cyber actions meet this requirement, and focus on which of such cyber activities constitute a manifest violation of the Charter based on their character, gravity, and scale.

As noted above, states have been quite hesitant to discuss cyberspace operations in an official context. That reluctance extends to both discussions of offensive cyber operations they may have undertaken, as well as fully open discussions of incidents where they might find their systems victimized by malicious cyber activities of other states. The reasons for states’ recalcitrance in the area include protecting intelligence sources and methods, avoiding further exploitation of vulnerable systems, and the desire to maintain their own operational prerogatives. However justifiable, this lack of a meaningful official dialogue about state cyber operations has left the field open for individuals and organizations to control the conversation.8 Fortunately, a clear-eyed assessment of the application of international law in the cyber context is provided in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn Manual 2.0).9

Rule 68 in Tallinn Manual 2.0 notes the applicability of U.N. Charter Article 2(4) to cyber operations. It goes on to explain the straightforward application of the rule in situations involving kinetic (i.e., physical) effects resulting from aggressive cyber activities. The manual suggests that under some circumstances cyber activities below the kinetic threshold might violate Article 2(4), but does not argue that there is unambiguous law on the matter. Instead, Tallinn Manual 2.0 sets out a complex, eight-part test to determine whether a particular cyber operation is a use of force.10 The test is perfectly reasonable, but the very notion that such a test is needed weighs heavily against any argument that such incidents are “manifest” violations of the Charter.

One way to address the potential gap in international law coverage is to simply interpret the law in a creative way that eliminates the gap. In other words, to consider whether:

[D]isruptive cyber operations also fall under the scope of U.N. Charter Article 2(4) if the disruption caused is significant enough to affect state security.11

Although scholars continue to make arguments that this might be the case, states are not acting in ways that suggest this is an accepted interpretation of the law.12 Additionally, such a significant expansion of the definition of a key term of art is inconsistent with the normal development of international law, in that it would create a cyber-specific rule that would be more broadly restrictive than the rule used in cases of international aggression involving physical means.

Another line of effort in the legal community has been the notion that virtual activities alone can violate a state’s sovereignty. So far, this argument has not been particularly successful. There is also the point that states have very different views on how cyberspace and sovereignty intersect. For example, even states with friendly relations can have wildly different views on how minor cyber effects on cyber infrastructure in a state’s territory impacts sovereignty.13 Discussions about sovereignty in this context seem more academic than practical and, in any event, it’s unclear whether a naked violation of sovereignty through the use of non-damaging cyber capabilities would be of sufficient character, gravity, and scale to violate the Rome Statute.

A potentially more useful—and certainly more creative—trail was blazed in 2021 by scholars with the Oxford Process on International Law Protections in Cyberspace.14 They suggest that focusing solely on the effects of cyber operations ignores the possibility that even cyber operations lacking specific effects might violate Art 2(4) by constituting a threat to use force.15

The possibility of this approach is suggested at Tallinn Manual 2.0, Rule 70. After establishing that U.N. Charter Article 2(4) prohibits threats to use force, the rule notes:

[T]here is no requirement that a specific ‘demand’ accompany the threat. The essence of a threat is that it must be communicative in nature, that is, it must be intended to be conveyed to the target State.16

The Oxford experts put forward that some cyber espionage operations could violate the threat of a use of force prohibition because:

[1] The same activity necessary to conduct espionage against a target is necessary to use force against it, [2] many cyber operations have […] much larger footprints than their authors may intend, [and 3] these operations regularly go beyond the acquisition or demonstration of a capacity to its actual deployment [inside a state’s borders].17

These three observations are addressed below.

Taken separately, none of the three arguments is sufficient to demonstrate a manifest violation of the prohibition against the threat to use force. Although there are often striking similarities between cyber capabilities used for espionage and those used for aggression, that similarity alone does not evidence violation of the Charter. Normally, it would be self-defeating for a cyber espionage operation to be disruptive or destructive, since it would then likely interrupt a potential source for acquiring further strategic information. Also, espionage operations are usually conducted with the intent that they not be discovered, which would fail the required “communicative in nature” portion of the test.18

The second observation, that a cyber operation might create a presence on an unintentionally large number of systems is similarly insufficient to demonstrate an intentional communication of a threat. In addition, it requires a rather ambitious leap of logic to use an unintentional effect as proof of intent to communicate a threat.

Even the third observation, that deploying malicious, potentially destructive code in another state’s territory constitutes a threat to use force is perilously close to the so far unsuccessful suggestion that states consider such presence alone to be an act of aggression. The New York Times reported that the U.S. has engaged in malware prepositioning operations, which would suggest the U.S. doesn’t consider the activity to be unlawful.19 Russia reportedly went a step farther in Ukraine, actually taking down a power grid for a time, but refraining from engaging in the kind of destructive attack that would have been possible, perhaps with the intent to send a message.20

The strongest case can be made by combining all three factors in a single case. In other words, if a state implants potentially destructive code on an important system in another state, and the aggressor state intends that the targeted state discover the implanted capability and understand that there is a threat associated with the presence of the malware, it might be enough to constitute a clear violation of the Charter’s prohibition of the threat to use force in violation of the Rome Statute. This could be the case even if the malware is or could be used for espionage, if the malware has a destructive capability.

At this point, states don’t appear to be ready to go that far, however. Even if states agreed the law is sufficient to establish a case that prepositioned malware could constitute a threat to use force, building a factual case would require dealing with a constantly looming issue in the cyber arena—attribution.

Discussions of law and cyber activities inevitably raise questions about attribution. Even if certain cyber activities constitute unlawful aggression as argued here, the International Criminal Court (ICC) would be left to determine what level of certainty would be required to attribute an unlawful cyber activity to a state. As a matter of course, cyber operators obfuscate their operations, routing activities through any number of states while using various systems that may be commercially leased or accessed without the owner’s consent—but are almost certainly not obtained by the sponsoring state openly.

Given how cyber operations are conducted, even with near perfect information, it can be difficult to establish state responsibility. Knowing the location and identity of networks and systems used to launch or facilitate malicious activities is only part of the case; the critical step is the necessity of determining the intent, identity, and sponsorship of those putting the systems to work. And unfortunately, analyzing responsibility for operations with near perfect information is rarely an option. Sifting through network traffic, intelligence reports, intercepted communications, technical “tells,” clues contained in computer code, etc. requires time and highly-skilled personnel to arrive at the most basic conclusions.21 Even when states have the resources and willingness to commit to such a difficult undertaking, they have rarely been willing to speak openly about what they discover, fearing the disclosure of classified sources and methods of collecting intelligence. Even if state positions were to modify sufficiently to make it possible to apply the Rome Statute, the attribution issue must be addressed.

Conclusion

The spirited debate around the adoption of the crime of aggression amendment has generally focused on large-scale aggression—such as military invasion and occupation—where the issue is mostly the justification for the action. This comment has focused rather on the activity itself, especially on whether strategic cyber operations that might have no direct physical effects could possibly have the character, gravity, and scale to constitute a manifest violation of the U.N. Charter. The likelihood of actual prosecution is another issue entirely. Still, just defining these offenses rationally under international law would be a huge step forward.

The Rome Statute has relevance in the cyber arena, but like much (or all) of international law, merely saying it applies to cyber operations is only the first step. The devil is in the details, and determining precisely how it applies will be the key to making progress toward a more stable and predictable international system. So far, states seem more serious about conducting operations in cyberspace than they are about limiting them. That fact, coupled with the ever-present challenge of cyber attribution, is likely to prevent prosecution of disruptive cyber operations at the ICC.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1.
The views expressed in this comment are those of the author and are not an official policy or position of the National Defense University, the Department of Defense, or the U.S. Government. ↩
2.
U.N. Charter Art. 2(4)

(“All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”). ↩
3.
What Is an Advanced Persistent Threat (APT)?, Kaspersky, available online, (last visited Feb. 25, 2022).

(An advanced persistent threat requires significant resources, and is often state-sponsored).

(“[A]n advanced persistent threat (APT) uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences.”). ↩
4.
See, e.g., William J. Lynn III, Defending a New Domain: The Pentagon’s Cyberstrategy, Foreign Aff. 97 (Sep. 2010), available online; Herbert Lin, Cyber Risk Across the U.S. Nuclear Enterprise, 4 TNSR 107 (2021), available online, doi; Michael Riley, What Happens When Russian Hackers Come for the Electrical Grid, Bloomberg News, Jan. 26, 2022, available online; Danny Yadron, Iranian Hackers Infiltrated New York Dam in 2013, Wall St. J., Dec. 20, 2015, paywall; ↩
5.
Raymond Pompon, Attacking Air-Gap-Segregated Computers, F5 Labs (Sep. 5, 2018), available online. ↩
6.
Paul Kraus, Will AI Malware Change the Game?, Security (Mar. 5, 2021), available online.

(Artificial intelligence in malware is currently employed to avoid detection, but will certainly be adapted to other uses in the future). ↩
7.
See, e.g., Colleen M. Newbill, Defining Critical Infrastructure for a Global Application, 26 Ind. J. Global Legal Stud. 761 (2019), available online, doi.

(Here I use the term “non-critical” to distinguish systems from those necessary to sustain life, such as systems directly providing food, water, medical care, etc. I consciously avoided using the U.S. (or any other state’s) overbroad definitions of “critical infrastructure”). ↩
8.
Homepage, Global Commission on the Stability of Cyberspace, available online (last visited Feb. 25, 2022); Kurt John, Critical Infrastructure Security and a Case for Optimism in 2022, Siemans (Jan. 28, 2022), available online; Joseph Guay & Lisa Rudnick, What the Digital Geneva Convention Means for the Future of Humanitarian Action, The Policy Lab (Jun. 25, 2017), available online. ↩
9.
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 564 (Michael N. Schmitt ed., Feb. 2017) [hereinafter Tallinn Manual 2.0], paywall, doi; ↩
10.
Id. Art. 69(9).

(The test suggests such factors as severity, immediacy, and invasiveness are relevant in determining whether a particular cyber activity is a use of force). ↩
11.
Marco Roscini, Cyber Operations and the Use of Force in International Law 55 (2014), paywall. ↩
12.
Interview with Paul M. Nakasone, Commander, U.S. Cyber Command, 92 JFQ 4 (2019), available online

(“In the last 10 years, our adversaries have been operating below the threshold of armed conflict, stealing our intellectual property, leveraging our personally identifiable information, or attempting to influence our elections—again, all below the threshold of armed conflict.”).

See also Lin, supra note 4; Riley, supra note 4; Yadron, supra note 4. ↩
13.
See Jeremy Wright, UK Attorney General, Speech at Chatham House, Cyber and International Law in the 21st Century (May 23, 2018), available online; see also Michael N. Schmitt, France’s Major Statement on International Law and Cyber: An Assessment, Just Security (Sep. 16, 2019), available online

(“France contends that a hostile cyber operation against French cyber infrastructure or one causing “effects” on French territory violates French sovereignty if it has been launched by another State’s organs, persons or entities exercising elements of government authority, or by persons or entities operating under the instruction or direction or control of another State.”). ↩
14.
The Oxford Process on International Law Protections in Cyberspace, Oxford Inst. Ethics, L., Armed Conflict, available online (last visited Feb. 25, 2022).

(Convened by well-regarded international law experts Dapo Akande and Duncan Hollis, the Oxford Process is sponsored by Oxford’s Institute for Ethics, Law, and Armed Conflict; the Government of Japan; and Microsoft. Because the vast majority of cyber infrastructure is privately owned, the involvement of the private sector is essential for ensuring success in establishing a normative framework. This is yet another unique challenge in applying international law to cyberspace). ↩
15.
Duncan B. Hollis & Tsvetelina van Benthem, What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?, Lawfare (Mar. 30, 2021), available online. ↩
16.
Tallinn Manual 2.0, supra note 9, Rule 70(4). ↩
17.
Hollis & van Benthem, supra note 15. ↩
18.
François Dubuisson & Agatha Verdebout, Espionage in International Law, Oxford Bibliographies (Sep. 25, 2018), available online, doi.

(“International espionage consists of the access, on behalf of a state, to information that is held by another state and considered as confidential or strategic, in the military, security, or economic field.”).

(Although the definition doesn’t require it, espionage is ordinarily thought to be carried out secretly). ↩
19.
David E. Sanger & Nicole Perlroth, U.S. Escalates Online Attacks on Russia’s Power Grid, N.Y. Times, Jun. 15, 2019, available online; David E. Sanger & Mark Mazzetti, U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict, N.Y. Times, Feb. 16, 2016, available online. ↩
20.
Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016), available online.

(One expert quoted in the article interpreted Russia’s actions as, “We want to be seen, and we want to send you a message.” The alleged Russian activity took place in the context of the continuing armed conflict with Ukraine over disputed territory, so its relevance here is by analogy to state actions outside armed conflict). ↩
21.
Office of the Director of National Intelligence, A Guide to Cyber Attribution (Sep. 14, 2018), available online. ↩
Suggested Citation for this Comment:

Gary D. Brown, Some Nondestructive State Cyber Operations Probably Constitute the Crime of Aggression under the Rome Statute, but Attribution Difficulties and State Practice Make Effective Deterrence Unlikely, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Brown.

Suggested Citation for this Issue Generally:

When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.

Collapse

Oona A. Hathaway Gerard C. and Bernice Latrobe Smith Professor of International Law Yale Law School

To What Extent and Under What Conditions Might Cyber Operations or Cyberwarfare Constitute Crimes Specified in the Rome Statute?

Some advisers, including myself, took the position that only cyber operations resulting in loss of, or injury to, human life would reach the level of a “manifest” violation. Others maintained that cyber operations with large-scale physical destruction might also reach the level of a manifest violation. Others suggested loss of functionality or incapacitation, without physical destruction, could even be sufficient. Suffice it to say that there are, as of this writing, significant differences among experts on the matter. There is agreement, however, that cyber operations with mere economic effects would not be sufficient to constitute a crime of aggression.

Argument

Introduction

This comment will focus on one of the four crimes in the Rome Statute: the crime of aggression. This crime, and whether it should be included in the Rome Statute, has of course been the subject of intense debate and discussion. This comment puts that debate to one side to focus on the question of whether the crime of aggression—whatever one may think of it—applies to cyber operations or cyberwarfare and under what conditions.

Does the Crime of Aggression Apply to Cyber Operations?

An initial question is whether the crime of aggression applies to cyber operations at all. Article 8 bis(1) defines a “crime of aggression” to include:

[T]he planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.1

Nothing in this definition limits the crime to a particular set of weapons or tools. Article 8 bis(2) goes on to define an “act of aggression” as:

[T]he use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.2

It then includes a list of acts that “regardless of a declaration of war” qualify as an act of aggression.

This presents two questions: First, can a cyber operation constitute a manifest violation of the Charter of the United Nations ? Second, is the list of actions that qualify as an “act of aggression” exhaustive or merely illustrative?

On the first question—whether a cyber operation can constitute a manifest violation of the Charter of the United Nations —the answer is clearly yes. When the possibility of aggressive cyber incidents first emerged, there was an initial debate over whether international law applied to cyber operations. Some scholars thought that it did not. Those who took what is sometimes referred to as an “instrument-based approach,” argued that:

[A] cyber-attack alone will almost never constitute an armed attack for purposes of Article 51 ‘because it lacks the physical characteristics traditionally associated with military coercion’—in other words, because it generally does not use traditional military weapons.3

That view, however, has largely given way to the view that, though the technology is relatively new and certainly post-dates the Charter, the U.N. Charter nonetheless can be applied to cyber incidents.4

Expand

Argument Continued

States affirmed this conclusion in the 2013 and 2015 Reports of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. They concluded that states are obligated to follow their U.N. Charter obligations in their use of information and communications technologies, including cyber operations.5 The 2018 “Paris Call for Trust and Security in Cyberspace,” signed by a number of states and private organizations and actors, similarly affirmed that international law applies to cyber operations:

We also reaffirm that international law, including the United Nations Charter in its entirety, international humanitarian law and customary international law is applicable to the use of information and communications technologies (ICT) by States.

It continued:

We reaffirm that international law, together with the voluntary norms of responsible State behavior during peacetime and associated confidence and capacity-building measures developed within the United Nations, is the foundation for international peace and security in cyberspace.6

Hence the clear consensus is that cyber operations are governed by international law, including the prohibition on the use of force in the United Nations Charter.

On the second question—is the list of actions that qualify as an “act of aggression” in the Rome Charter exhaustive or illustrative?—there remains some disagreement, but the better view is that it is illustrative. The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare, convened by the Permanent Mission of Liechtenstein to the United Nations, considered this question directly.7 It concludes that there are two ways in which cyber operations could fit into the specific list of acts of aggression enumerated in Article 8 bis. First, the list is non-exhaustive; hence it allows the ICC to find other uses of armed force that constitute an act of aggression. Second, many of the acts in the list could be interpreted to apply to cyber operations. Hence it is clear that the crime of aggression as defined in the Rome Statute can apply to cyber operations.

When Does a Cyber Operation Constitute a “Crime of Aggression”?

Having established that a cyber operation can constitute a crime of aggression under the Rome Statute, the next question is to what extent and under what conditions does it do so.

There are two different scenarios in which this question may arise: First, it may arise where the cyber operation is a part of a broader aggressive war; second, it may arise where the cyber operation is a stand-alone event.

As to the first, it is clear that a cyber operation carried out in concert with a conventional kinetic act of aggression in manifest violation of the United Nations Charter can constitute a part of an overall crime of aggression. For example, the Russian government has used cyber operations in direct connection with its war of aggression against Ukraine that is currently under way.8 Those cyber operations are part of the overall act of aggression and thus part of the overall crime of aggression that is being committed.

The much harder questions come in the second scenario, where a cyber operation takes place in the absence of conventional kinetic military force. It is important to note that to establish that a stand-alone cyber operation constitutes a crime of aggression under the Rome Statute, it is not sufficient that the cyber operation violate Article 2(4) of the U.N. Charter. The violation must be manifest, as justified by its “character, gravity, and scale.”

This is a very high threshold to meet. Indeed, to date, there is disagreement as to whether any stand-alone cyber operation has constituted a “use of force” in violation of Article 2(4), much less a manifest violation. Nearly or perhaps all cyber operations to date have been what are referred to as “below the threshold” operations—meaning they fall below the Article 2(4) use of force threshold.

The test most commonly applied to assess whether a cyber operation is an illegal use of force is to look at its effects. As my coauthors and I explained in 2012:

[W]e conclude that the best test of when a cyber-attack is properly considered cyber-warfare is whether the attack results in physical destruction—sometimes called a ‘kinetic effect’—comparable to a conventional attack.9

For a cyber incident to be a use of force in violation of Article 2(4), it must cause a tangible physical effect—for example, causing something to explode or a dam to open above a populated area.10 It may also do so through an incident where the immediate and direct effect is loss of life or serious physical injury—for instance shutting down air control systems when airplanes are in flight, causing fatal accidents as a result.

As already noted, there remains significant debate about whether any cyber incident to date constitutes an act of cyber war. Thomas Rid, in his 2013 book, Cyber War Will Not Take Place, argues that “So far there is no known act of cyber ‘war,’ when war is properly defined.”11 The 2017 Tallinn Manual 2.0 asserts that the use of the Stuxnet malware on Iranian nuclear facilities—causing centrifuges to malfunction, in the process destroying 984 uranium enriching centrifuges, one fifth of Iran’s total centrifuges reportedly by the U.S. and Israel12—was a use of force.13 This is in some tension, however, with its conclusion that, “To date, no international armed conflict has been publicly characterized as having been solely precipitated in cyberspace.”14

What is clear is that a cyber operation that causes an effect comparable to a conventional kinetic weapon could constitute a “use of force” in violation of Article 2(4) of the U.N. Charter and could even constitute a manifest violation, if of sufficient “character, gravity, and scale.” Thankfully, no violation has yet occurred that might meet this stringent test. In part as a result, exactly what a “manifest” violation of the U.N. Charter means in the context of cyber operations has not yet been established.

Illustrating the current lack of consensus, Members of the Council of Advisers on the Application of the Rome Statute to Cyberwarfare reached different conclusions about what would constitute a “manifest” violation.15 Some advisers, including myself, took the position that only cyber operations resulting in loss of, or injury to, human life would reach the level of a “manifest” violation. Others maintained that cyber operations with large-scale physical destruction might also reach the level of a manifest violation. Others suggested loss of functionality or incapacitation, without physical destruction, could even be sufficient. Suffice it to say that there are, as of this writing, significant differences among experts on the matter. There is agreement, however, that cyber operations with mere economic effects would not be sufficient to constitute a crime of aggression.16 There is agreement, as well, that it is important to be cautious about an expansive interpretation of what constitutes a cyber operation in violation of Article 2(4), because doing so could open the door to actions in self defense under Article 51 of the U.N. Charter—actions that need not be limited to the cyber realm.

Conclusion

There is significant agreement about core principles when it comes to application of the Rome Statute’s crime of aggression to cyber operations: International law prohibiting the use of force applies in the cyber context, and cyber operations can constitute a crime of aggression. Whether a particular cyber operation constitutes a crime of aggression must be determined by examining its effects—whether the operation has an effect comparable to a conventional attack that would itself constitute a “manifest” violation of the U.N. Charter’s prohibition on use of force. While there remains disagreement about precisely what stand-alone cyber operations would be sufficient to meet this stringent test, the next several years will likely bring greater clarity, as the world inevitably confronts increasingly destructive cyber operations.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1.
Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis(1), available online. ↩
2.
Id. Art. 8 bis(2). ↩
3.
Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 823 (Aug. 2012), available online citing Duncan B. Hollis, Why States Need an International Law for Information Operations, 11 Lewis & Clark L. Rev. 1023, 1042 (Dec. 2007), available online .

See also Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), 1996 I.C.J. Rep. 226, ¶ 39 (Jul. 8, 1996), available online

( Article 2(4) applies to “any use of force, regardless of the weapons employed”). ↩
4.
See, e.g., Hathaway et al., supra note 3; Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt ed., Feb. 2017) [hereinafter Tallinn Manual 2.0], paywall, doi. ↩
5.
See, e.g., United Nations General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/174, at 12 (Jul. 22, 2015), available online

(“The 2013 report stated that international law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT [Information and communications technologies] environment. Pursuant to its mandate, the present Group considered how international law applies to the use of ICTs by States.”). ↩
6.
The French Ministry for Europe and Foreign Affairs, Paris Call for Trust and Security in Cyberspace (Nov. 12, 2018), available online.

(Even more recently, the U.N. Open-Ended Working Group stated that “States reaffirmed that norms do not replace or alter States’ obligations or rights under international law, which are binding, but rather provide additional specific guidance on what constitutes responsible State behaviour in the use of ICT s. Norms do not seek to limit or prohibit action that is otherwise consistent with international law.”);

United Nations General Assembly, Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, Final Substantive Report, U.N. Doc. A/AC.290/2021/CRP.2, at 5 (Mar. 10, 2021), available online. ↩
7.
The Permanent Mission of Liechtenstein to the United Nations, The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare (Aug. 2021) [hereinafter Council of Advisers’ Report], available online

(I was one of the advisers who was consulted in the preparation of the report). ↩
8.
Raphael Satter et al., Ukraine Computers Hit by Data-Wiping Software as Russia Launched Invasion, Reuters, Jan. 24, 2022, available online. ↩
9.
Hathaway et al., supra note 3, at 841 (2012). ↩
10.
See, e.g., Paul C. Ney, Jr., DoD General Counsel, Remarks at U.S. Cyber Command Legal Conference (Mar. 2, 2020) (emphasis added), available online; Harold Hongju Koh, Legal Adviser to the U.S. Dept. of State, Speech at U.S. Cyber Command Inter-Agency Legal Conference, International Law in Cyberspace, Opinio Juris (Sep. 19, 2012), available online. ↩
11.
Thomas Rid, Cyber War Will Not Take Place 10 (Sep. 2013), excerpt available online. ↩
12.
William J. Broad, John Markoff & David E. Sanger, Israeli Test on Worm Called Crucial in Iran Nuclear Delay, N.Y. Times, Jan. 15, 2011, available online. ↩
13.
Tallinn Manual 2.0, supra note 4, at 342

(The consulted experts were “divided as to whether the damage [inflicted by Stuxnet] sufficed to meet the armed criterion.” Id. at 384). ↩
14.
Id. at 384. ↩
15.
Council of Advisers’ Report, supra note 7, at 13–14. ↩
16.
Id. at 14. ↩
Suggested Citation for this Comment:

Oona A. Hathaway, To What Extent and Under What Conditions Might Cyber Operations or Cyberwarfare Constitute Crimes Specified in the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Hathaway.

Suggested Citation for this Issue Generally:

When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.

Collapse

Marco Roscini, Ph.D. Professor University of Westminster School of Law

Cyber Operations Can Constitute War Crimes Under the ICC Jurisdiction Without Need to Amend the Rome Statute

Even if it were demonstrated that Russia was behind the operations, the 2007 Distributed Denial of Service (DDoS) attacks on Estonia would not qualify as an international armed conflict between the two states: although they targeted critical infrastructures—banking and communications—no property damage or personal injury occurred and no serious disruption ensued. A different conclusion would likely be reached with regard to a cyber attack that takes down the national electrical grid for a prolonged time, given likely severe negative repercussions on the provision of medical services, transport, financial markets, and security.

Summary

Cyber operations can constitute war crimes under the jurisdiction of the International Criminal Court (ICC) when:

they have been committed in the context of and in association with an armed conflict, kinetic or otherwise;
they involve the elements of the crimes listed in Article 8 of the Rome Statute;
they have been perpetrated on the territory of a state party or by a national of a state party; and
the case involving them is sufficiently grave.

There is nothing in the elements targeting war crimes under Article 8 which prevents their application to cyber operations and, therefore, there is no need to amend the Rome Statute to prosecute them before the Court. The main challenges are not related to the definition of the crimes or the corresponding rules of international humanitarian law but to the well-known technical obstacles to the identification of the perpetrators and the collection of evidence.

Argument

I. Introduction

The use of cyber technologies as a new means to commit, instigate, or facilitate crimes under the ICC’s jurisdiction has so far received little attention in international criminal law scholarship. Even the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, published by a group of experts in 2017, only devotes two rules (out of 154) to cyber international criminality.1 This comment explores when cyber operations can constitute war crimes under the ICC’s jurisdiction. This can occur when:

they have been committed in the context of and in association with an armed conflict, kinetic or otherwise;
they involve the elements of the war crimes listed in Article 8 of the Rome Statute;
they have been committed on the territory of a state party or by a national of a state party; and
the case involving them is sufficiently grave.

The next sections address these points in turn.

Expand

II. The Cyber Operation Must Be Conducted in the Context of and in Association With an Armed Conflict

There obviously is no “war crime” if there is no “war”. Contemporary international humanitarian law (IHL), however, has dropped the use of this expression in favor of the more objective “armed conflict”, the existence of which depends on the factual occurrence of armed violence and not on the intention of the belligerents (animus bellandi). IHL treaties do not provide a definition of “armed conflict” but according to the International Criminal Tribunal for the former Yugoslavia:

[A]n armed conflict exists whenever there is a resort to armed force between States or protracted armed violence between governmental authorities and organized armed groups or between such groups within a State.2

There is now broad consensus that this definition reflects customary international law. An (international) armed conflict also occurs in

[A]ll cases of partial or total occupation of the territory of a High Contracting Party, even if the said occupation meets with no armed resistance.3

Cyber operations can be employed during an existing traditional international armed conflict as “force multipliers”. An illustration is the 2008 armed conflict between Georgia and the Russian Federation, during which Georgia’s governmental and media websites were taken off-line or defaced during the initial phases of the conflict allegedly by Russian hackers, thus affecting Georgia’s ability to communicate and possibly also the operability of its armed forces.4 Russia has also been accused of conducting cyber operations against Ukraine since 2014.5 In neither case, however, has Russia’s responsibility been conclusively established: indeed, the anonymity that characterizes cyberspace is the main obstacle to the application of IHL.

Cyber operations can trigger an armed conflict themselves when they involve the use of cyber means or methods of warfare in support of a belligerent to the detriment of another. Such use must result, or be reasonably likely to result, in military harm to the adversary, physical damage to property, loss of life or injury to persons, or significant disruption of critical infrastructures. If the cyber operations are conducted between states , international armed conflict breaks out, otherwise the conflict is of a non-international character. In the latter case, however, it is highly unlikely that a loose online collective like Anonymous will ever meet the organization requirement necessary for the existence of a non-international armed conflict (NIAC) under the Tadić definition of armed conflict and Article 8(2)(f) of the Rome Statute. Nothing precludes, however, that a “traditional” armed group can conduct cyber operations (followed or not by kinetic hostilities) capable of triggering a NIAC.

It is arguably only those cyber operations that exceed mere inconvenience and significantly disrupt the correct functioning of military or civilian critical infrastructures that can potentially qualify as resort to armed force/violence and thus initiate an armed conflict, as it is only in this case that the effects of disruption can be equated to those of destruction caused by kinetic armed force. Hence, even if it were demonstrated that Russia was behind the operations, the 2007 Distributed Denial of Service (DDoS) attacks on Estonia would not qualify as an international armed conflict between the two states: although they targeted critical infrastructures—banking and communications—no property damage or personal injury occurred and no serious disruption ensued. A different conclusion would likely be reached with regard to a cyber attack that takes down the national electrical grid for a prolonged time, given likely severe negative repercussions on the provision of medical services, transport, financial markets, and security.

The Elements of Crimes under Article 8 of the Rome Statute require that a war crime be committed in the context of and in association with an armed conflict. This nexus requirement distinguishes war crimes from domestic offenses committed during an armed conflict, although the distinction might not always be easy to make, especially in the cyber context.6 Taking into account the relevant case law, it appears that a sufficient belligerent nexus exists if the conduct is committed when and where armed hostilities are taking place or, if it occurs at a time and place where no combat activities are occurring, it was “shaped or dependent upon the environment” of the armed conflict.7 The Ntaganda Trial Chamber has suggested certain indicators in order to establish the existence of the nexus requirement for war crimes, including:

the status of the perpetrator and victim, and whether they had a role in the fighting;

whether the act may be said to serve the ultimate goal of a military campaign; and

whether the crime is committed as part of, or in the context of, the perpetrator’s official duties.8

From the above considerations it can be evinced that IHL applies to cyber operations, and potential war crimes can be committed in case of its violation, in the following cases:

when the cyber operations are conducted in the context of and in association with an existing kinetic international or non-international armed conflict;
if the exchange of cyber operations between states amounts in itself to “resort to armed force”, i.e. it entails the use of cyber means or methods of warfare resulting or reasonably likely to result in military harm to the adversary, physical damage to property, loss of life or injury to persons, or significant disruption of critical infrastructures;
if an organized armed group conducts cyber operations amounting to protracted armed violence against a state or against another organized armed group;9
if the cyber operations are conducted by the occupying power in the exercise of its policing and governance powers in occupied territory, or are part of the mounted resistance by the local population to the exercise of such powers;
if the cyber operations accompany the resumption or continuation of kinetic hostilities in occupied territory and are conducted in the context of and in association with them, or themselves amount to the initiation, resumption, or continuation of an international or non-international armed conflict in occupied territory.

III. The Cyber Operation Must Be Committed on the Territory or by a National of an ICC State Party

This requirement is prescribed by Article 12(2) of the Rome Statute.10 The territorial jurisdictional link does not cause insurmountable problems in the cyber context: contrary to what it might seem at first sight, cyberspace is not a domain where state territorial sovereignty and jurisdiction do not apply. Indeed, it consists both of a physical and syntactic (or logical) layer: the former includes the physical infrastructure through which the data travel wired or wireless; including servers, routers, satellites, cables, wires, and the computers; while the latter includes the protocols that allow data to be routed and understood, as well as the software used, and the data itself. The ICC, therefore, could exercise territorial jurisdiction when the attacked physical component is located on the territory of a state party.11 Still debated, however, is whether all types of prejudicial effects are relevant to establish jurisdiction or only physical damage: the ICC case law will clarify this point.

With regard to the second jurisdictional link (nationality of the perpetrator), it could be challenging to obtain sufficient evidence to attribute the cyber operation to a specific individual, especially at the preliminary examination stage, as anonymity is one of the main characteristics of cyberspace. The internet, in particular, is a decentralized system where the communications protocol divides the sent data into several packets that take different unpredictable pathways to reach their destination before being reassembled. An IP address identifies the origin and the destination of the data: with the cooperation of the Internet Service Provider through which the system corresponding to the IP address is connected to the internet, it could be associated with a person, group or state. The IP address, however, could be “spoofed”, or the corresponding computer system may only be a “stepping stone” for an attacker located elsewhere.12 Providing sufficient evidence of the identity of the hacker, then, might be a difficult task for the ICC Prosecutor and may require the cooperation of the states from which the cyber operation was conducted.

Having said that, at the preliminary stage the standard of proof is not “beyond reasonable doubt”, a standard which is only necessary for convictions:13 it suffices that there is a “reasonable basis to proceed”, as there is still no accused to protect and the Prosecutor acts only on the basis of publicly available information.14 The evaluation of admissibility, however, is stricter at the post-investigation stage and lack of sufficient evidence might be a significant obstacle to the identification and prosecution of those involved in cyber war crimes. Importantly, in 2013, the Office of the Prosecutor hired an expert in digital forensics for its Scientific Response Unit to improve its ability to collect and analyse digital evidence.15

IV. The Cyber Operation Must Involve the Elements of the ICC War Crimes

In spite of the fact that, by 1998, states had already started to address cyber criminality, cyber issues were completely ignored during the negotiations of the crimes to be included in the Rome Statute. Conduct in cyberspace, however, might fall under the jurisdiction of the Court either because it constitutes a new means to commit a crime already incorporated in the Statute, or because it instigates or facilitates the commission of such crime.16 If cyber crimes were considered new crimes and not new means to commit existing ones, on the other hand, their investigation or prosecution by the ICC would be barred by the nullum crimen sine lege principle incorporated in Article 22 of the Statute.

Of the war crimes contained in Article 8 of the Rome Statute, it is mainly those related to targeting, rather than those concerning mistreatment, that are relevant for cyber operations. Only cyber operations amounting to “attacks” as defined in Article 49(1) of the 1977 Protocol I additional to the 1949 Geneva Conventions on the Protection of Victims of War (“acts of violence against the adversary, whether in offence or in defence”) are the object of the law of targeting and of the corresponding war crimes. When does a cyber operation amount to an “attack”? There is broad agreement that cyber operations that foreseeably result in physical damage to property or persons qualify as “acts of violence”: cyber operations are able to produce damaging physical consequences in the analogue world by corrupting the operating systems of physical infrastructures such as Supervisory Control and Data Acquisition (SCADA) systems, which could result in the malfunction of such infrastructures and possible loss of life or destruction of property. An example is a belligerent’s cyber attack against the adversary which shuts down the cooling system of a nuclear power reactor located in enemy territory, thus causing the release of radioactive substances that indiscriminately reach civilians.

On the other hand, it is controversial whether cyber operations which negatively affect the functionality of infrastructure without physically damaging them also constitute “acts of violence”. It is submitted that the definition of “attack” under Article 49(1) of Additional Protocol I should be interpreted to take into account recent technological developments and that the concept of “violence” should be expanded to include not only material damage to objects, but also the loss of functionality of infrastructures without destruction. Indeed, the dependency of modern societies on computers, computer systems, and networks has made it possible to cause significant harm through non-destructive means. After all, if the use of graphite bombs, which spread a cloud of extremely fine carbon filaments over electrical components, thus causing a short-circuit and a disruption of the electrical supply, would undoubtedly be considered an “attack” even though it does not cause more than nominal physical damage to the infrastructure, one cannot see why the same conclusion should not apply to the use of viruses and other malware that achieve a similar effect.

With the above in mind, the elements of the crimes contained in Article 8 of the Rome Statute can be transposed to the cyber context without significant obstacles. Cyber attacks intentionally aimed at causing civilian casualties or at destroying protected objects, or which are expected to result in “incidental loss of life or injury to civilians or damage to civilian objects or widespread, long-term and severe damage to the natural environment which would be clearly excessive in relation to the concrete and direct overall military advantage anticipated,” would, for instance, amount to war crimes under Article 8(2)(b)(i), (ii) and (iv), and Article 8(2)(e)(i) of the Rome Statute. When the cyber operation aims to cause material damage to property or persons or incapacitation of infrastructures, the attacked “object” is not only, and not mainly, the information itself, but rather the persons, property, or infrastructure attacked through cyberspace. In the case of Stuxnet, for instance, the relevant “object” was not the Siemens software that operated the centrifuges at the Natanz uranium enrichment facility in Iran, but the centrifuges themselves. When a cyber operation aims solely at deleting or altering data stored in computer systems, however, the question arises whether such data are per se an “object” for the purpose of the definition of military objective contained in Article 52(2) of Additional Protocol I (and thus the application of the principle of distinction) if no physical damage or loss of functionality result from it. The problem should not be overestimated. If the cyber operation only causes the corruption, deletion, or alteration of data without consequences in the analogue world, in most cases it will not be an “attack” in the sense indicated above and the law of targeting and the definition of “military objective” will therefore not apply, whether or not the data are an “object”. The only exceptions may be cyber operations targeting data convertible into tangible objects, such as bank account records, so that if the data are destroyed so are the tangible objects; intellectual property that exists only online and that, if attacked and destroyed, cannot be recovered; or data that have an intrinsic value, as in the case of digital art.17 It is only in such and similar exceptional situations that the cyber operation may be an attack even without consequences on physical infrastructures or persons.

Other problems related to the application of existing IHL rules in the cyber context are also overestimated. Take, for instance, the case of the application of the principle of proportionality in attacks. On the one hand, the potentially less damaging character of cyber operations may offer a more effective means to minimize incidental damage on civilians and civilian property. Cyber operations also present advantages for the attacking state, as they virtually entail no risk for its forces thanks to their remote character and the difficulties with regard to identification and attribution. On the other hand, the problem with calculating proportionality in the cyber context resides in the speed and covert nature of cyber attacks: it may be difficult for the parties to the conflict to readily establish their magnitude and consequences. Furthermore, as with biological weapons, some kinds of malware sent through cyberspace might spread uncontrollably because of the malware’s characteristics and the interconnectivity of information systems. All in all, however, meeting the proportionality criterion is essentially a technical issue: customized proportionate cyber reactions are possible if the software is written with this purpose in mind and the targeted system is sufficiently known. The code could, for instance, be designed in a way as to be activated only by the presence of certain characteristics, as in the case of Stuxnet. This requires a high degree of information on the targeted systems, which it may be possible to obtain through traditional intelligence collection and/or cyber espionage.

Another overestimated problem concerns the dual-use nature of most cyber infrastructures, namely the fact that they are, at the same time, used by civilians and the military. This is not unique to the cyber context. The fact that an object is also used for civilian purposes does not affect its qualification under the principle of distinction: if the two requirements provided in Article 52(2) of Additional Protocol I are present, the object is a military objective and is thus targetable, but the neutralization of its civilian component needs to be taken into account when assessing the incidental damage on civilians and civilian property under the principle of proportionality. What is prohibited is to attack the dual-use cyber infrastructure because of its civilian function or to attack a dual-use facility where the incidental civilian damage expected from the attack is excessive in relation to the anticipated concrete and direct military advantage.

Cyber technologies can also be used to instigate or facilitate the commission of crimes under the ICC jurisdiction. Accessory liability, for instance, could be engaged through an act preparatory of genocide like:

[A] network intrusion to acquire the names of individuals registered as a certain race in a State census in order to engage in genocide.18

Individuals could also incite others to commit crimes by posting comments to that aim on blogs, Twitter, or other social media, as noted by the International Independent Fact-Finding Mission on Myanmar established by the U.N. Human Rights Council.19 In September 2012, Azerbaijan also denounced cyber attacks conducted by a self-styled “Armenian Cyber Army” under the direction and control of Armenia that were:

[A]imed at glorifying terrorists and insulting their victims, as well as at advocating, promoting and inciting ethnically and religiously motivated hatred, discrimination and violence.20

V. The Case Involving the Cyber Operation Must Be Sufficiently Grave

Article 17(1)(d) of the Rome Statute provides that a case is inadmissible, and must then be rejected, if it “is not of sufficient gravity to justify further action by the Court.” Article 53 also provides that the Prosecutor may not initiate an investigation or, after an investigation, proceed to a prosecution if he considers the case inadmissible under Article 17. Leaving aside the fact that the persons who are likely to be the object of the investigation or prosecution should include those “most responsible” for the alleged crimes, an issue which faces the already mentioned evidentiary problems,21 ICC case law has indicated that an evaluation of gravity must be made on the basis of both quantitative and qualitative factors, including, but not limited to, the scale, nature, manner of commission of the crimes, as well as their impact. These factors have been applied by the Office of the Prosecutor and the Pre-Trial Chamber (PTC) to assess the gravity of both situations and cases.

A. Scale

As already noted, cyber attacks can potentially cause significant physical damage to persons and objects. One could think of a cyber attack that shuts down an electrical power station in the middle of a harsh winter with consequent deaths among the civilian population due to the low temperatures, or a cyber attack that incapacitates computers controlling waterworks and dams, thus generating flooding of inhabited areas, or that disables the air traffic control system with consequent downing of civilian aircraft.22 Scale includes, among others:

[T]he number of direct and indirect victims, the extent of the damage caused by the crimes, in particular the bodily or psychological harm caused to the victims and their families, or their geographical or temporal spread (high intensity of the crimes over a brief period or low intensity of crimes over an extended period).23

Cyber operations might have a significant geographical spread but still result in limited physical damage. The malicious worm Stuxnet, for instance, spread to computers across several countries, including Iran, Indonesia, India, Azerbaijan, United States and Pakistan, but only caused physical damage to the Iranian uranium enrichment facility in Natanz while causing little harm to computers that did not meet certain specific characteristics. DDoS attacks also often involve millions of botnets across several countries hijacked by a botmaster, but they only result in temporary and reversible harm to the target by shutting down the servers and systems overflooded with requests: this might lead to the temporary interruption of services, but not physical damage to persons or property. It is unlikely, therefore, that, even assuming for the sake of argument that they amounted to crimes under the jurisdiction of the Court, operations like the 2007 DDoS attacks on Estonia, which disrupted banking and communications infrastructures in the Baltic country, would be grave enough from a scale point of view in spite of their geographical spread, unless they also result in loss of life or destruction of physical property.

B. Nature

It is not essential that a situation or case concerns an extensive number of casualties in order to justify investigation and prosecution.24 Indeed, qualitative factors also need to be taken into account. Nature, in particular:

[R]efers to the specific elements of each offence such as killings, rapes and other crimes involving sexual or gender violence and crimes committed against children, persecution, or the imposition of conditions of life on a group calculated to bring about its destruction.25

This implies that certain crimes are by definition graver than others: for instance, national and international sources suggest that murder is considered the most serious crime from a sentencing point of view. Crimes of sexual violence and those involving torture and physical/psychological suffering are also considered serious, while—as recalled by the Trial Chamber26—crimes against property are considered comparably less serious.27 The argument according to which there is a hierarchy among crimes within the jurisdiction of the ICC, and among war crimes in particular, is controversial, as it does not find an explicit basis in the letter of the Rome Statute. If it is accepted, however, cases involving cyber attacks that only cause damage to physical property (like the case of Stuxnet) might not be considered grave enough by their nature especially if compared to other cases involving killing or physical suffering.

C. Manner of Commission

Criteria to assess this factor include, inter alia:

[T]he means employed to execute the crime, the degree of participation and intent of the perpetrator (if discernible at this stage), the extent to which the crimes were systematic or result from a plan or organised policy or otherwise resulted from the abuse of power or official capacity, and elements of particular cruelty, including the vulnerability of the victims, any motives involving discrimination, or the use of rape and sexual violence as a means of destroying groups.28

The means employed to execute the crimes, in our case, are malware and cyber infrastructures like computers and servers, which are unlikely to be an aggravating factor as such (differently, for instance, from the use of electrocution, machetes and prohibited weapons). Intent might be difficult to discern in the cyber context, as malware can function unpredictably due to technical errors or insufficient knowledge of the targeted systems. Cyber operations, however, can be characterized by cruelty, for instance in the case of a cyber operation that changes the medical data of patients so that they receive the wrong, painful, or unnecessary treatment.

D. Impact

Impact can result, among others, from:

[T]he sufferings endured by the victims and their increased vulnerability; the terror subsequently instilled, or the social, economic and environmental damage inflicted on the affected communities.29

Impact, then, has two aspects: the direct impact on the victims and the broader impact on the community. According to the PTC, the impact beyond the victims can be relevant in order to determine sufficient gravity, but its absence does not necessarily negate it.30

The inclusion of this factor in the assessment of gravity entails that even cases that result in a low number of victims on the basis of quantitative requirements might be grave enough from a qualitative perspective if they have a significant impact. For instance, cyber attacks resulting in the death of peacekeepers and humanitarian workers could have a substantial impact because of the importance of peacekeeping missions and of the deterrent effect they could have on them.31 Cyber attacks committed to influence political elections might also have a significant impact on the community. In August 2017, for instance, the Kenyan opposition claimed that hackers had manipulated the results of the recent elections by breaking into the database of Kenya’s electoral commission so to acquire data on the electorate and draft a targeted campaign strategy.32 This is, as such, not an international crime, but at least twenty-four people were killed in the violence that erupted after the contested re-election of President Kenyatta. Certain cyber attacks might also have repercussions on a country’s economy, as in the case of the 2007 DDoS attacks against Estonia. In general, cyber attacks that target national critical infrastructures, thus disrupting the provision of essential services to the society, will have more significant impact on the broader community than those on other infrastructures, especially if their effects are long-term. Not only social and economic damage should be considered in this context, however, but also damage to the natural environment: one could imagine, for instance, a cyber attack on a chemical plant intended to cause the release of hazardous substances into the ocean during an armed conflict.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1.
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Rules 84, 85 (Michael N. Schmitt ed., Feb. 2017) [hereinafter Tallinn Manual], paywall, doi.

(Rules 84 and 85 are respectively titled “Individual criminal responsibility for war crimes” and “Criminal responsibility of commanders and superiors”). ↩
2.
The Prosecutor v. Dusko Tadić, IT-94-1, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 70 (ICTY AC, Oct. 2, 1995), available online. ↩
3.
Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, 75 U.N.T.S. 31, Article 2 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online. ↩
4.
Independent Fact-Finding Mission on the Conflict in Georgia, Report Vol. II, 217–18 (Sep. 2009), available online. ↩
5.
Marco Roscini, Cyber Operations as a Use of Force, in Research Handbook on International Law and Cyberspace 296, 314 (Nicholas Tsagourias & Russell Buchan eds., 2nd ed. 2021). ↩
6.
Guénaël Mettraux, Nexus with Armed Conflict, in The Oxford Companion to International Criminal Justice 435 (Antonio Cassese ed., Jan. 2009), paywall, doi. ↩
7.
Michael Cottier & Matthias Lippold, Article 8. War Crimes, in Rome Statute of the International Criminal Court: Article-by-Article Commentary 317, 351–52 ( Kai Ambos ed., 4th ed. 2022), paywall. ↩
8.
The Prosecutor v. Bosco Ntaganda, ICC-01/04-02/06-2359, Judgment, ¶ 732 (TC VI, Jul. 8, 2019), available online. ↩
9.
Whether a NIAC falls under Common Art. 3 of the Geneva Conventions or Protocol II Additional to the Geneva Conventions depends on their respective thresholds of applications. ↩
10.
Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 13(b), available online.

(This requirement, however, does not apply when a situation is referred to the ICC Prosecutor by the U.N. Security Council acting under Chapter VII). ↩
11.
Anne-Laure Chaumette, International Criminal Responsibility of Individuals in Case of Cyberattacks, 18 Int’l Crim. L. Rev. 1, 23 (2018), paywall, doi; see also Council of Europe, Explanatory Report to the Convention on Cybercrime, ETS No. 185, ¶ 233 (Nov. 8, 2001), available online. ↩
12.
Scott J. Shackelford & Richard B. Andres, State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem, 42 Geo. J. Int’l L. 971, 982 (2011), paywall, earlier version available online. ↩
13.
Rome Statute, supra note 10, at Article 66(3). ↩
14.
Id. Article 53(1). ↩
15.
UC Berkeley Human Rights Center, Digital Fingerprints: Using Electronic Evidence to Advance Prosecutions at the International Criminal Court, 5 (Feb. 2014), available online. ↩
16.
Rome Statute, supra note 10, Article 25(3). ↩
17.
Michael N. Schmitt, Cyber Operations and the Jus in Bello: Key Issues, 87 Int’l L. Stud. 89, 96 (2011), available online. ↩
18.
Tallinn Manual 2.0, supra note 1, at 66. ↩
19.
Human Rights Council, Report of the Independent International Fact-Finding Commission on Myanmar, U.N. Doc. A/HRC/39/64, ¶ 74 (Sep. 12, 2018), available online. ↩
20.
Letter dated September 6, 2012 from the Chargé d’affaires a.i. of the Permanent Mission of Azerbaijan to the United Nations addressed to the Secretary-General, U.N. Doc. A/66/897-S/2012/687, at 1 (Sep. 7, 2012), available online. ↩
21.
On this aspect, see Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct That Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247, 256–59 (Jun. 1, 2019), available online, doi. ↩
22.
Some of these examples are contained in Jeremy Wright, UK Attorney General, Speech at Chatham House, Cyber and International Law in the 21st Century (May 23, 2018), available online. ↩
23.
Office of the Prosecutor, ICC, Policy Paper on Preliminary Examinations, ¶ 62 (Nov. 2013) [hereinafter Policy Paper], available online. ↩
24.
Situation in the Republic of Burundi, ICC-01/17-9-Red, Decision Pursuant to Article 15 of the Rome Statute on the Authorization of an Investigation into the Situation in the Republic of Burundi, ¶ 184 (PTC III, Oct. 25, 2017), available online. ↩
25.
Policy Paper, supra note 23, ¶ 63. ↩
26.
The Prosecutor v. Ahmad al-Faqi al-Mahdi, ICC-01/12-01/15-171, Judgment and Sentence, ¶ 77 (TC VIII, Sep. 27, 2016), available online. ↩
27.
Id. ↩
28.
Policy Paper, supra note 23, ¶ 64. ↩
29.
Id. ¶ 65; see also Situation in the Republic of Kenya, ICC-01/09-3, Request for Authorisation of an Investigation pursuant to Article 15, ¶¶ 56, 59 (PTC II, Nov. 26, 2009), available online. ↩
30.
Situation on the Registered Vessels of the Union of the Comoros, the Hellenic Republic and the Kingdom of Cambodia, ICC-01/13-34, Decision on the request of the Union of the Comoros to review the Prosecutor’s decision not to initiate an investigation, ¶ 47 (PTC I, Jul. 16, 2015), available online. ↩
31.
See The Prosecutor v. Bahr Idriss Abu Garda, ICC-02/05-02/09-243-Red, Decision on the Confirmation of Charges, ¶ 33 (PTC I, Feb. 8, 2010), available online; Situation in Georgia, ICC-01/15-12, Decision on the Prosecutor’s request for authorization of an investigation, ¶ 55 (PTC I, Jan. 27, 2016), available online. ↩
32.
Talita De Souza Dias, Propaganda and Accountability for International Crimes in the Age of Social Media: Revisiting Accomplice Liability in International Criminal Law, Opinio Juris (Apr. 4, 2018), available online. ↩
Suggested Citation for this Comment:

Marco Roscini, Cyber Operations Can Constitute War Crimes Under the ICC Jurisdiction Without Need to Amend the Rome Statute, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Roscini.

Suggested Citation for this Issue Generally:

When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.

Collapse

Ambassador David Scheffer International Francqui Professor KU Leuven, Belgium

Amending the Rome Statute to Cover Cyberwarfare as Aggression

The many manifestations of cyber measures have become a common staple of international affairs, and yet the entire concept is absent from the Article 8 bis definition. This is unsurprising given the fact that cyber measures, and particularly cyberwarfare, essentially did not exist in 1974 when the General Assembly defined acts of inter-state aggression. But its absence from Article 8 bis is a glaring omission in modern times and will cripple the ICC in how it will investigate aggression that may consist solely or largely of cyberwarfare tactics.

Argument

During the negotiations leading to the establishment of the International Criminal Court (ICC),1 there was no discussion that I recall of cyberattacks as illegal conduct or prohibited weaponry under Article 8 (war crimes) of the Rome Statute governing the ICC.2 Nor was cyberwarfare factored into the discussions concerning the crime of aggression, either during the 1990’s or thereafter in the talks leading up to and including the Kampala Review Conference in 2010 when the definition and implementation procedures of the crime of aggression were codified as amendments to the Rome Statute subject to ratification by Member States.3 While in the lexicon of some pleading before the ICC, judges might be able to interpret the Rome Statute as covering cyber measures including cyberattacks and cyberwarfare, cyber measures are essentially a novel, uncodified, but hugely impactful means of assaulting governments, international institutions, business, and peoples and violating the sovereignty and territorial integrity of a country. Labeling serious injurious cyber measures as criminal, even at the domestic level much less the international level, remains a work in progress.

Nonetheless, there is good reason to consider how the Rome Statute could be amended to prosecute cyber measures within at least the context of the crime of aggression. In 2017, I published a book chapter in The Crime of Aggression—A Commentary,4 and an article in the Harvard International Law Journal5 wherein I proposed amendments to the Rome Statute to accommodate the rapidly rising threat of cyber measures. This comment draws from those publications and I refer the reader to all of the footnotes therein.

War during the twenty-first century often will not be fought conventionally between nations. Non-state actors like the Islamic State of Iraq and Syria (ISIS), Al Qaeda, Boko Haram, the Lord’s Resistance Army, and al-Shabab, to name only a few past and present, will dominate the theaters of conflict and hostilities. Unfortunately, because it is grounded in General Assembly Resolution 3314 (XXIX) of December 14, 1974,6 Article 8 bis(2) of the Rome Statute, defining an “act of aggression,” is already exceptionally antiquated. The definition is relevant only for the actions of states (including “armed bands, groups, irregulars or mercenaries” sent by or acting on behalf of a state).

Article 8 bis(1) of the Rome Statute defines the “crime of aggression” in terms of what a person does in holding a “position effectively to exercise control over or to direct the political or military action of a State.” There is no opportunity for the ICC to prosecute an individual for aggression when he acts in a leadership capacity to guide a non-state entity. The ICC Prosecutor thus is disarmed in connection with vast exercises of aggressive warfare waged by non-state entities across national boundaries. Internal aggression, which has been a favorite tactic of ISIS and other non-state actors determined (sometimes successfully) to seize territory within a state, also escapes the Article 8 bis definition.

Expand

Cyberwarfare refers, at least by one definition, to:

[T]he actions by a nation state or international organization to attack and attempt to damage another nation’s computers or information networks through, for example, computer viruses or denial-of-service attacks.7

Another useful definition is as follows:

Cyberwarfare is the word used to define the most aggressive form of attack by a foe or rival over the internet. It largely applies to actions by states and involves denying internet services to communities or countries, or, at worst, destroying critical infrastructure or industrial facilities.

One other use of the term is to describe activity by a national army that might accompany its invasion of another country using conventional forces. Most major states would today be expected to use cyberwarfare to attack another country’s computer infrastructure as part of an invasion or aggression.

Cyberwarfare tends to be distinguished from other forms of hostile cyber activity. Cybercrime involves activities like raiding bank accounts. Cyber espionage describes the stealing of secrets. Cyberwarfare tends to describe an assault that affects the national security of the state that is victimized.8

The U.S. Department of Defense has identified cyberattacks as having the capacity to constitute acts of war.9 Since 2010, the Pentagon has operated a U.S. Cyber Command to confront cyber threats to the national security of the United States.10 Other countries have also been focusing on cyberattacks and cyberwarfare as part of the modern threat environment.11 There is not much of a leap from the cyber attacks and cyberwarfare described in most reports and scholarship about cyberspace to the reality of cyber aggression. The distinction of the latter is one of “character, gravity, and scale” that “constitutes a manifest violation of the Charter of the United Nations.”12

The description of cyberwarfare, however, continues to evolve and, in my view, certainly involves actions by non-state actors such as ISIS, other terrorist organizations, paramilitaries, insurgencies, and even rogue corporate interests that might one day engage in such actions to disrupt part of a nation’s infrastructure in a manner that imperils the national security or democratic integrity of that country.

Cyberwarfare typically would be executed with far greater secrecy than conventional uses of force. Thus, the challenge for the Prosecutor would be to identify the source of the cyberattack and then assess whether it meets the jurisdictional conditions for designation as the crime of aggression. But, in many respects, that is the challenge in evaluating conventional acts of aggression already described in Article 8 bis(2) of the Statute, so this task should not be regarded as insurmountable. It is entirely plausible, indeed logical, to classify cyberwarfare as an act of aggression under some circumstances, particularly as cyber capabilities exponentially expand into the future. Ignoring the reality of cyber measures would be similar to ignoring the utility of tanks, aircraft bombers, and V2 rockets as major implements of aggression during the Second World War.

For example, if a state or a non-state entity were to use cyber measures to seriously undermine the democratic processes of a target state and significantly influence the outcome of elections, that action should not be immune from ICC investigation as an act of aggression. The same could be said of cyberattacks that shut down a nation’s power grid or disable vital communications or transportation networks or military capabilities. All of this is currently the subject of intense speculation, protective measures, and action by governments. One must recognize, however, that the United States and its allies reportedly use cyber measures to defend against major threats, including nuclear, from such adversaries as North Korea and Iran. The distinction between waging cyber aggression and engaging in cyber self-defense measures would rest upon the “character, gravity, and scale” that “constitutes a manifest violation of the Charter of the United Nations.”13 This would surely be a complex calculation for the ICC to adjudicate, but to ignore it would be to miss the elephant in the room.

Revising the Definition of the “Crime of Aggression”

Article 8 bis(1) of the Rome Statute defines the “crime of aggression” by relegating it only to acts of aggression that have been planned, prepared, initiated, or executed “by a person in a position effectively to exercise control over or to direct the political or military action of a State[.]” Adding offensive cyber measures to the acts of aggression, as proposed here, would require amending the text to include individuals who can exercise control over or direct cyberattacks. One would want to avoid the contention that a cyberattack is neither political nor military in character, and thus outside the realm of leadership culpability under Article 8 bis(1). Adding the possibility of a non-state entity committing an act of aggression, also proposed here, would require that the relevant leader of the non-state entity be subjected to the jurisdiction of the ICC. Thus, the text of Article 8 bis(1) should be revised to read as follows:

For the purpose of this Statute, “crime of aggression” means the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political, or military, or cyber action of a State or non-State entity, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.

Since the crime of aggression is so integrally tied to the definition of an act of aggression, the role of any non-state entity in the commission of an act of aggression would be critical to establish and thus is addressed immediately below.

Article 8 bis(2) of the Rome Statute sets forth, in its preambular component, the umbrella definition of an “act of aggression.” This is followed in seven sub-sections thereunder with a listing of explicit actions qualifying as acts of aggression. The entire wording is drawn from 1974 G.A. Resolution 3314. It is thus of limited relevance for certain modern developments in the use of force that would be understood to be acts of aggression as a matter of common sense, such as actions by non-state entities and cyber measures.

In approaching a revision of Article 8 bis(2), I am also mindful that two uses of military force and even of cyber measures actually should be preserved with much greater clarity than currently exists in the Rome Statute. Defensive or protective responses to cross-border transgressions aimed at territorial acquisition, and to the relentless commission of atrocity crimes against civilian populations related to such actions, remain critical options and grow in importance with every passing year. Carefully calibrated and proportional cyber counter-measures may also be legitimate acts of self-defense to a cyberattack. There are potential uses of military force or cyber measures undertaken for defensive purposes or to protect civilians at risk that should not be prohibited as a matter of criminal law under the Statute. Indeed, such uses should be explicitly shielded from liability under Article 8 bis(2).

The existing wording in Article 8 bis(2) of “in any other manner inconsistent with the Charter of the United Nations” may technically preserve the inherent right of self-defense under Article 51 of the Charter. However, modern challenges to state sovereignty from multiple threats, including international terrorism, resurgent empire-building, and the tactics of cyberwarfare, require a stronger acknowledgement of the right of self-defense than currently exists in Article 8 bis(2).

I propose revision of the preambular segment of Article 8 bis(2) of the Statute to read as follows:

For the purpose of paragraph 1, ‘act of aggression’ means the use of armed force or cyber measures by a State or non-State entity against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations, exclusive of acts that are in exercise of the right of self-defense under Article 51 of the Charter of the United Nations. Any of the following acts, regardless of a declaration of war, shall, in accordance with United Nations General Assembly Resolution 3314 (XXIX) of 14 December 1974 or part (h) hereunder, qualify as an act of aggression:

The reference to “part (h)” points to cyber measures as a new act of aggression added to the 1974 G.A. Resolution 3314 list of acts of aggression already set forth in Article 8 bis(2) of the Rome Statute. This is addressed below.

Adding Cyber Measures as an Act of Aggression

Adding cyber measures to the list of acts of aggression would be appropriate as the crime of aggression has been operationalized. The capacity for cyberwarfare already has arrived and is recognized by the military, governments, corporations, civil society, and scholars as a real threat to international peace and security. Cyber measures should be added to the acts of aggression listed in Article 8 bis(2) of the Statute. So new subsection (h) of Article 8 bis(2) would read as follows:

(h) The use of cyber measures for an offensive purpose that significantly disrupts or degrades governmental, military, commercial, cultural, or media entities or other societal activities in another State.

The Prosecutor and judges of the ICC would have to determine whether the contextual “character, gravity and scale” requirements for an act of aggression and, by extension, of a crime of aggression are met. That tight-knit filter will leave only the most egregious cyber attacks across borders within the scrutiny of the ICC. Nonetheless, I have established, within the defining character of this act of aggression, a magnitude test of “significantly disrupts or degrades” so as to reinforce the presumably narrow category of cyber measures that would constitute an act of aggression for the purposes of the Rome Statute. The fact that the General Assembly did not foresee this type of aggression in 1974 should not prevent the States Parties to the Rome Statute from recognizing the reality of the threat today; cyber measures that are used for offensive purposes to inflict significant damage on another state’s public or private infrastructure should be subject to criminal prosecution before the ICC.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1.
Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], available online; see also David Scheffer, All the Missing Souls: A Personal History of the War Crimes Tribunals 163–247 (Dec. 2011), paywall. ↩
2.
Rome Statute, supra note 1, Article 8. ↩
3.
Assembly of State Parties, The Crime of Aggression, RC/Res.6 (Jun. 11, 2010), available online; The amendments to the Rome Statute were circulated by the U.N. Secretary General in Depositary Notification, C.N.651.2010.TREATIES-8 (Nov. 29, 2010), available online. ↩
4.
David Scheffer, Amending the Crime of Aggression under the Rome Statute, in The Crime of Aggression: A Commentary 1480 (Claus Kreβ & Stefan Barriga eds., Jul. 2016), available online. ↩
5.
David Scheffer, The Missing Pieces in Article 8 bis (Aggression) of the Rome Statute, 58 Harv. Int’l L.J. Online 83 (2017), available online. ↩
6.
United Nations General Assembly Resolution, Definition of Aggression, G.A. Res. 3314 (XXIX) (Dec. 14, 1974), available online. ↩
7.
Cyber Warfare, Rand Corporation, available online (last visited Feb. 21, 2022). ↩
8.
Cybersecurity Ventures, Cyberwarfare.com Acquired By Cybersecurity Ventures, EIN Presswire, Jan. 16, 2017, available online

(quoting the definition for “cyberwarfare” which used to be on the “Lexicon” section of the Financial Times’ website, but is no longer available). ↩
9.
David E. Sanger & Elisabeth Bumiller, Pentagon to Consider Cyberattacks Acts of War, N.Y. Times, May 31, 2011, available online; William J. Lynn III, Defending a New Domain: The Pentagon’s Cyberstrategy, Foreign Aff. 97 (Sep. 2010), available online.

(“As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare.”). ↩
10.
Home, U.S. Cyber Command, available online (last visited Feb. 21, 2022); see also U.S. Cyber Command, Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command (Apr. 2018), available online.

(“Military superiority in the air, land, sea, and space domains is critical to our ability to defend our interests and protect our values. Achieving superiority in the physical domains in no small part depends on superiority in cyberspace.”). ↩
11.
Richard A. Clarke & Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It (Apr. 20, 2010), paywall, excerpt available online; Newton Lee, Counterterrorism and Cybersecurity: Total Information Awareness 77–118 (2013), paywall, doi. ↩
12.
Rome Statute, supra note 1, Article 8 bis(1). ↩
13.
Id. ↩
Suggested Citation for this Comment:

David Scheffer, Amending the Rome Statute to Cover Cyberwarfare as Aggression, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Scheffer.

Suggested Citation for this Issue Generally:

When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.

Collapse

Featured Comments

Jordan Murphy: The Extent to Which Cyberwarfare May Constitute Crimes Under the Rome Statute and Conditions for Accountability The International Court of Justice held in 1996 that international humanitarian law applies to all means of warfare, including those of the future.1 Such a concept must be applicable to the Rome Statute; if means and methods of war change, so too must the laws regulating them. The regulation of cyber... (more)
Rory Razi: Cyber Attacks and the Crime of Aggression With rapidly advancing technology comes the disastrous reality of cyber attacks. This comment explores whether cyber attacks can be prosecuted at the International Criminal Court (ICC) as crimes of aggression. Section I discusses the Iran Stuxnet cyber attack. Section II, explores creative interpretation of the Rome Statute, Art. 8 bis, and... (more)
SimonRuhland: Economic Cyber Crimes and the Rome Statute Summary This comment examines the possibility to prosecute perpetrators of economic cyber attacks under the Rome Statute. It considers economic cyber attack to be cyber attacks on financial institutions, businesses, or individuals with the primary goal of financial enrichment. The comment first assesses the possibility of prosecution under Article 8 and... (more)
danielkim0610: Defining the Unique Issues Prosecuting Criminal Cyber Defense Actions Under the Rome Statute Presents: A Lost Cause? Cybersecurity has launched itself to the spotlight within both the scope of governmental organizations protecting national security and private industry keeping their own systems intact. Societal dependence on technology has brought with it the magic of efficiency, cost-effectiveness and widespread digital penetration on a scale... (more)
Pankhuri97: Incorporation of Cyberwarfare in the Rome Statute: A Futile Endeavour Introduction How wars are conducted has evolved throughout history with nations adopting more and more efficient and sophisticated means of causing mass destruction. We are witnessing a transition from traditional weapons such as ammunition to cyber weapons. The Tallinn attack of 2007, the Georgia hack of 2008 and the Stuxnet worm detected in 2010 are already some... (more)
Jeng2023: Tackling Territoriality: Fitting Cyber Crimes into the Crime of Aggression Introduction Territoriality has always been a key issue in national sovereignty. Wars have been fought over borders of nations, as territorial disagreements are often the precursor to war.1 This has led to conclusions where: “if you want to avoid war, learn how to settle territorial disputes non-violently.”2 However, the uniqueness of cyber activities... (more)
JohnG: Distinguishing Cyberwarfare in the Law of Armed Conflict I. Introduction The dawn and parabolic expansion of the Internet over the last half-century revolutionized how individuals, businesses, organizations, and states interact with one another. As states and their militaries have become increasingly interconnected and dependent on these technologies, a new realm of warfare has evolved beyond the conventional battlefields of air, land,... (more)
Smithp2022: Social Media May be Used to Commit Genocide Under the Rome Statute I. Introduction As technology progresses, cyber crime grows as a concern on a national, transnational, and international level. As the International Criminal Court pursues its goals of holding actors accountable for criminal violations of international law in 2022 and beyond, it will have to contend with a world that depends more and more on technology in all... (more)
mschneer: Accountability for NotPetya: Why the International Criminal Court Can, and Should, Prosecute the Perpetrators of the NotPetya Cyber Attack as a War Crime I. Introduction In June 2017, a popular Ukrainian tax accounting software called M.E.Doc underwent a routine software update. Unbeknownst to the thousands of Ukrainians who use this software, that update served as the entry point for a destructive malware that would soon gain access to... (more)

Topic for March 2022 – July 2022

Cyber Operations and Cyberwarfare Question To what extent and under what conditions might cyber operations or cyberwarfare constitute crimes specified in the Rome Statute?

Invited Experts on Cyberwarfare Question

Cyber-Attacks as International Crimes under the Rome Statute of the International Criminal Court?

Summary

Argument

I. Preliminary Conceptual Remarks: Cyber Operations and Cyber Warfare

II. Cyber Attacks as “Attacks” Due to Their Effects

III. Cyber Attacks as International Crimes

A. War Crimes (Article 8 of the Rome Statute)

B. Other International Core Crimes

IV. Individual Criminal Responsibility

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

Suggested Citation for this Comment:

Suggested Citation for this Issue Generally:

Some Nondestructive State Cyber Operations Probably Constitute the Crime of Aggression under the Rome Statute, but Attribution Difficulties and State Practice Make Effective Deterrence Unlikely

Summary

Argument1

Conclusion

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

Suggested Citation for this Comment:

Suggested Citation for this Issue Generally:

To What Extent and Under What Conditions Might Cyber Operations or Cyberwarfare Constitute Crimes Specified in the Rome Statute?

Argument

Introduction

Does the Crime of Aggression Apply to Cyber Operations?

Argument Continued

When Does a Cyber Operation Constitute a “Crime of Aggression”?

Conclusion

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

Suggested Citation for this Comment:

Suggested Citation for this Issue Generally:

Cyber Operations Can Constitute War Crimes Under the ICC Jurisdiction Without Need to Amend the Rome Statute

Summary

Argument

I. Introduction

II. The Cyber Operation Must Be Conducted in the Context of and in Association With an Armed Conflict

III. The Cyber Operation Must Be Committed on the Territory or by a National of an ICC State Party

IV. The Cyber Operation Must Involve the Elements of the ICC War Crimes

V. The Case Involving the Cyber Operation Must Be Sufficiently Grave

A. Scale

B. Nature

C. Manner of Commission

D. Impact

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

Suggested Citation for this Comment:

Suggested Citation for this Issue Generally:

Amending the Rome Statute to Cover Cyberwarfare as Aggression

Argument

Revising the Definition of the “Crime of Aggression”

Adding Cyber Measures as an Act of Aggression

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

Suggested Citation for this Comment:

Suggested Citation for this Issue Generally:

What’s Your Opinion?

Forum Schedule

Featured Comments