At any rate, given the fundamental difference between a conventional (kinetic) and a cyber (non-kinetic) attack, it has been argued that only the former amounts to an attack in the legal sense of the term since such an attack presupposes physical damage and the ensuing replacement of physical components of the attacked object.10 The opposing view holds that damage to an operating system (with the ensuing need to reinstall it) or destruction of particular data may suffice to be qualified as an “attack” if similar harmful consequences (loss of functionality, etc.) ensue.11 This latter view is, in principle, more convincing.12 While physical objects and mere data are certainly different, they are inseparably connected and interrelated. For this reason, cyber attacks may have an effect comparable to physical damage through functionally producing data corruption, which, in turn, has a significant negative impact on cyberinfrastructures. Indeed, in today’s cyber world, the traditional concepts of “use of force”, “armed attack” or “acts of violence”13 need to be reconsidered focusing on their effects instead of overemphasizing the means (the kind of weapon) used to bring about these effects. This is even more true in the case of damage to so-called critical infrastructures.14 Thus, in sum, interpreting cyber attacks in the light of existing international (humanitarian) law, the effect-based approach focusing on the effects or consequences of a cyber attack with regard to a concrete target is to be preferred over a mere means or instruments approach.15

III. Cyber Attacks as International Crimes

International crimes may be committed through cyber-attacks alone or in combination with kinetic acts. At any rate, such attacks must be of a sufficient gravity to fall under the ICC’s mandate as a consequence of the (autonomous) gravity threshold within the framework of the complementarity regime of Article 17(1)(d) of the Rome Statute. While no cyber situations have yet been the object of analysis of the ICC’s Prosecutor,16 cyber-attacks surely have the potential to reach the necessary gravity threshold due to their effects and the associated external impact in line with the criteria of “scale, nature, manner of the commission, and impact”.17

Let us now have a look at the crimes under the Rome Statute, focusing in particular on war crimes.

A. War Crimes (Article 8 of the Rome Statute)

The basic requirement for the application of the war crime regime is that an armed conflict exists (common Article 2 of the Geneva Conventions (GC) ), i.e., that armed force has been employed between parties to a conflict and it can be attributed to one of them.18 As argued above, the question of whether a pure cyber attack can be qualified “armed force” needs to be answered from the perspective of the effects of such attacks as compared to traditional kinetic attacks. This effect-based reading is also in line with the definition of “armed attacks” as “acts of violence” in the sense of Article 49(1) of the Additional Protocol [AP] I GC provided that a cyber attack produces violent effects, for example, by harming a physical part of a computer network which results in its replacement. In contrast, if a cyber attack does not produce any (lasting) physical or serious functional damage, it does not reach the armed conflict threshold. At any rate, generally it can be said that cyber attacks hardly reach the armed conflict threshold on their own but only in combination with traditional kinetic attacks; yet, cyber means of warfare may be employed in the context of a traditional armed conflict.19

It is more difficult to meet the second element of the armed conflict requirement, namely the attribution of a cyber attack to one of the parties to the conflict. While there are rules of attribution which may serve as guidance, e.g. in the International Law Commissions’s Draft on State Responsibility20 or, more specifically, in the Tallinn Manual,21 the difficulties are mainly of a factual and evidentiary nature. They lie in the identification of the attacker and/or the attribution of the attack to a party to the respective armed conflict. On the one hand, the attack may come out of the anonymity of the Internet and thus may not be traceable to a specific person or group; or it may be traced to the wrong person or group. At best, it may be possible to identify the computer responsible for the attack via its IP address and thus establish its territorial location. Yet, while this may arguably allow one to presume the responsibility of the territorial State, such a presumption may be rebutted by this State, for example, by pointing to a group of non-state actors which it does not control.22 On the other hand, the attacker may be identified but s/he may not belong to or be affiliated with a party to the conflict and thus the attack may not be attributable to such a group; in addition, the attackers themselves may not qualify as an armed group within the meaning of International Humanitarian Law (IHL)—lacking the necessary degree of organization, i.e., command, control, discipline, and hierarchy—and thus would not, on their own, constitute an autonomous party to the conflict. For example, groups of hackers usually lack the IHL criteria just mentioned; a spontaneous collective attack, e.g. a denial-of-service attack, does not comply with the organization requirement either. One may avoid these problems of attribution invoking a due diligence obligation of the (territorial) State to prevent cyber-attacks from happening in the first place or to intervene to stop them since such an approach focuses on the primary obligation of due diligence and its breach.23 However, this approach entails other problems. In particular, to establish a fair control standard—what can be fairly expected from a State in terms of control of cyber activities on its territory—and a sufficiently precise mental or cognitive standard.24

In line with the effects approach, it is conceivable that cyber-attacks that disrupt the function of critical infrastructure—e.g. the health care system—cross the armed conflict and attack thresholds and amount to war crimes under Article 8 of the Rome Statute by “wilfully causing great suffering, or serious injury to body or health,” “attacks against the civilian population as such or against individual civilians not taking direct part in hostilities” or “[i]ntentionally directing attacks against […] medical units.” Any person acting on behalf of a party to the conflict may commit such a war crime and thus be a responsible agent. In the cyber context, the participation of civilians is of particular relevance since the reliance on civilian expertise is indispensable. These civilians may be members of formal armed forces but also of non-State actors and thus be targetable according to the (highly controversial) general rules of participation in hostilities. Here, too, certain particularities are to be noted, above all how cyber-active civilians are to be distinguished from ordinary civilians in terms of their participation in hostilities. Generally, it can be said that the decision about the participation (with the ensuing loss of immunity from attacks) depends on the importance of the cyber civilian’s contribution and his/her expertise. Thus, if an attack would not have been possible without this contribution, a participation is to be affirmed while a mere support function, e.g. maintenance of a computer network, does not justify such an affirmation. While the decision depends ultimately on the circumstances of the concrete case, it is clear that a (too) broad reading of the participation requirement may undermine the protective purpose of IHL,25 as especially expressed by the principle of distinction to which we now turn.

The usual IHL principles , i.e., humanity, necessity, proportionality,26 precaution, and distinction,27 also apply to cyber attacks if they amount to “attacks” under IHL28. Take, for example, the war crime of “[i]ntentionally directing attacks against civilian objects, that is, objects which are not military objectives” from Article 8(2)(b)(ii) of the Rome Statute. This provision constitutes a concrete implementation of the principle of distinction, embodied in Article 48 AP I GC and part of customary international law applicable in both international and non-international armed conflicts. Civilian objects are (only) defined negatively in delimitation to “military objectives” and these are “limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose […] neutralization […] offers a definitive military advantage” (Article 52 AP I GC [emphasis added]). While it is fairly uncontroversial that the principle of distinction also applies to cyber attacks, its concrete application is shrouded by controversy and uncertainty.29 Apart from the usual difficulties to distinguish between civilian and military objects pursuant to the just mentioned blurred definition, the situation is even more complicated in the cyber area given that any computer system can be used for both civilian and military purposes at the same time or interchangeably—the dual-use problem .30 Thus, ultimately, the decision whether a certain object is “military” and can therefore be targeted is very much case-based on the specific circumstances.

B. Other International Core Crimes

In line with the effects approach, it is easily conceivable that cyber attacks may produce the objective effects of a genocidal attack on a protected group pursuant to Article 6(a)–(e) of the Rome Statute, or bring about the results of the underlying crimes of crimes against humanity pursuant to Article 7 of the Rome Statute. In the former case it will, as always, be difficult to overcome the high subjective threshold in the form the specific intent to destroy one of the protected groups. In the latter case, the cyber-attack would have to be carried out pursuant to a certain policy and, further, to be widespread or systematic. With regard to the organizational requirement in Article 7(2)(a) of the Rome Statute, similar questions as under war crimes, with a view to a minimum organisational threshold, arise.

Last but not least, the crime of aggression under Article 8 bis is only of limited, if any, relevance in the cyber context. This is so mainly for three reasons. First, Article 8 bis does not cover non-State actors but these are often behind cyber attacks. Secondly, a cyber attack may only exceptionally amount to a “use of armed force” within the meaning of Article 8 bis(2).31 Third, it is even less conceivable that such attacks constitute “a manifest violation” of the U.N. Charter as required by Article 8 bis(1).

IV. Individual Criminal Responsibility

Individual criminal responsibility presupposes the existence of international crimes and the relevant participation in these crimes by natural persons. The Tallinn Manual 2.0 now explicitly recognizes individual and superior (criminal) responsibility, albeit limited to war crimes, in line with Articles 25 and 28 of the Rome Statute;32 as to superiors, it additionally provides a responsibility for “ordering cyber operations that constitute war crimes.”33

Participants in cyber-attacks are criminally responsible, under various subsections of Articles 25 and 28 of the Rome Statute, according to the nature and degree of involvement in the attack either as perpetrators acting alone, jointly with another, or through another person—or as secondary participants—inducing the attack or collaborating in it. Superiors may order the attack or fail to properly supervise subordinates carrying out such an attack. Liability for ordering is based on the general provision of Article 25(3)(b) of the Rome Statute, i.e., it is not limited to superiors within the meaning of Article 28, although there is, in factual terms, good reason to argue that only such superiors are in the position to order. At any rate, the just mentioned Tallinn Manual’s specific Rule 85(a) turns out to be redundant in light of the ordering alternative in Article 25(3)(b) of the Rome Statute. Apparently, the Tallinn drafters wanted to incorporate both the superior’s active conduct and failure to act in one specific Rule, i.e., Rule 85.34

In the case of the crime of aggression, criminal responsibility only arises, pursuant to the so-called leadership clause in Article 8 bis(1) of the Rome Statute, with regard to “a person in a position effectively to exercise control over or to direct the political or military action of a State.” This means that the persons effectively carrying out a cyber attack would not be criminally liable but, at best, their superiors would be, if they belong to the leadership level and can be held responsible for the acts of the actual “cyber warriors”.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   This comment draws upon the following two sources. The research assistance of Luca Petersen is gratefully acknowledged.

   Kai Ambos, International Criminal Responsibility in Cyberspace, in Research Handbook on Cyberspace and International Law 118 (Nicholas Tsagourias & Russell Buchan eds., 2d ed. 2021), earlier version available online; Kai Ambos, Individual Criminal Responsibility for Cyber Aggression, 21 J. Conflict & Security L. 495 (Aug. 7, 2016), paywall, doi. ↩

2. 2.

   Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 564 (Michael N. Schmitt ed., Feb. 2017) [hereinafter Tallinn Manual], paywall, doi; Accord Paul A.L. Ducheine, The Notion of Cyber Operations, in Research Handbook on Cyberspace and International Law 211 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), paywall, doi, later version with Peter B.M.J. Pijpers (Apr. 14, 2020) available online. ↩

3. 3.

   Philipp Kastner & Frédéric Mégret, International Legal Dimension of Cybercrime, in Research Handbook on Cyberspace and International Law 190 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), available online, doi

   (“Cybercrime” refers to any criminal activity involving computer technology, committed by means of or against a computer).

   Convention on Cybercrime, ETS No. 185 (Nov. 23, 2001) [hereinafter Budapest Convention], available online

   (At the international level, the most comprehensive regulation of Cybercrime has been the Budapest Convention, said to have influenced the criminal law legislation of about 120 States).

   Cf. Council of Europe, Cybercrime Programme Office, The Global State of Cybercrime Legislation 2013–2021: A Cursory Overview (Jun. 30, 2021), available online. ↩

4. 4.

   See Ducheine, supra note 2.

   (In a profound analysis, Ducheine demonstrates the similar strategic objectives and common operational means and methods of State and Non-State actors and set out six typical phases of a cyber operation, i.e., reconnaissance, design, intrusion, action, camouflage, and exfiltration). ↩

5. 5.

   See Marco Roscini, Cyber Operations as Use of Force, in Research Handbook on Cyberspace and International Law 233 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), available online, earlier version, doi.

   (In contrast, the previously mentioned cyber espionage or manipulation is, as a rule, non-destructive and only employed to enter a computer system to extract information). ↩

6. 6.

   Tallinn Manual, supra note 2, at 564

   (This is a military extension of the definition of “cyber operation”).

   Ducheine, supra note 2, 290 n.112

   (offering a critical discussion, but also, however, create the impression that the Tallinn Manual, quoting the first edition from 2013, provides a definition of “cyber warfare”).

   Heather Harrison Dinniss, Cyber Warfare and the Laws of War 294 (2012), paywall

   (referring to “electronic warfare” as “Military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy.”). ↩

7. 7.

   Tallinn Manual, supra note 2, at 452. ↩

8. 8.

   See e.g. Scott D. Applegate, The Dawn of Kinetic Cyber, in 5th International Conference on Cyber Conflict (Karlis Podins, Jan Stinissen & Markus Maybaum eds., 2013), available online. ↩

9. 9.

   Cf. Karine Bannelier-Christakis, Is the Principle of Distinction Still Relevant in Cyberwarfare?, in Research Handbook on Cyberspace and International Law 343 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), available online, doi

   (with further references). ↩

10. 10.

    Tallinn Manual, supra note 2, at 417.

    (“a majority”).

    See also William H. Boothby, Weapons and the Law of Armed Conflict 239 (2d ed. 2016), paywall, doi. ↩

11. 11.

    Tallinn Manual, supra note 2, at 417–18

    (“Some of the experts”).

    See also Julia Dornbusch, Das Kampfführungsrecht im internationalen Cyberkrieg 97–98 (2018), paywall; see also Terry D. Gill, International Humanitarian Law Applied to Cyber-Warfare: Precautions, Proportionality and the Notion of “Attack” Under the Humanitarian Law of Armed Conflict, in Research Handbook on Cyberspace and International Law 366 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), paywall, doi

    (discussing effects which may turn data destruction into an attack).

    See Bannelier-Christakis, supra note 9

    (discussing loss of functionality). ↩

12. 12.

    Roscini, supra note 5

    (for a narrower view with regard to attacks on data as use of force).

    See also Bannelier-Christakis, supra note 9

    (on the opposing views regarding data). ↩

13. 13.

    Cf. Roscini, supra note 5

    (on the synonymity of these concepts). ↩

14. 14.

    U.S. Executive Order, Improving Critical Infrastructure Cybersecurity, § 2 (Feb. 12, 2013), available online

    (According to § 2, a “critical infrastructure” “means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition is still valid).

    U.S. Executive Order, Improving the Nation’s Cybersecurity (May 12, 2021), available online; U.S. Presidential Proclamation, Critical Infrastructure Security and Resilience Month, 2021 (Oct. 29, 2021), available online

    (confirming the Biden administration’s commitment to secure the critical infrastructure, focusing, inter alia, on critical software). ↩

15. 15.

    See Bannelier-Christakis, supra note 9

    (For the same view with several further references but rightly pointing to the evidentiary problems with regard to the proof of damage caused by a cyber operation and the precise extent of this damage).

    See also Roscini, supra note 5.

    (A combination of the instruments (weapons) and effects (of these weapons) approaches, as advocated by, does not yield different results since ultimately the decisive question is whether the cyber attacks cause a significant (physical) damage or a significant loss of functionality affirming a use of force in these cases while only seeing a violation of the principle of non-intervention in case of “other” cyber attacks). ↩

16. 16.

    However, while the issue did not give rise, so far, to a preliminary examination or even investigation, it is likely to increasingly come up in Article 15 communications and appears to be considered as part of overall investigative/protection strategies and information security management. ↩

17. 17.

    International Criminal Court, Regulations of the Office of the Prosecutor, ICC-BD/05-01-09, Reg. 29(2) (Apr. 23, 2009), available online, archived; see Jennifer Trahan, The Criminalization of Cyber-operations Under the Rome Statute, 19 J. Int’l Crim. Just. 1133, 1138–46 (Nov. 8, 2021), paywall, doi; see also Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct That Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247 (Jun. 1, 2019), available online, doi. ↩

18. 18.

    Cf. The Prosecutor v. Dusko Tadić, IT-94-1-AR, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction ¶ 70 (ICTY AC, Oct. 2, 1995), available online; see Michael Cottier & Matthias Lippold, Article 8, War Crimes in Commentary of the Rome Statute of the ICC ( Kai Ambos ed., 4th ed. 2022)

    (detailed discussion with further case law). ↩

19. 19.

    Cf. Gill, supra note 11; see also Bannelier-Christakis, supra note 9

    (stating that “it has never been proven” that the use of cyber operations during armed conflict had the same harmful consequences as the use of kinetic weapons);

    but see Trahan, supra note 17, at 1155

    (considering the (Russian) cyber attacks on Eastern Ukraine as ”possible“ war crimes). ↩

20. 20.

    International Law Commission, Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries, U.N. Doc. A/56/10, Arts. 4–9 (Aug. 2001), available online

    (establishing the rules of attribution of acts of State organs or private groups or agents to a State). ↩

21. 21.

    Tallinn Manual, supra note 2, Rules 15–18. ↩

22. 22.

    See Constantine Antonopoulos, State Responsibility in Cyberspace, in Research Handbook on Cyberspace and International Law 55 (Nicholas Tsagourias & Russell Buchan eds., Jun. 26, 2015), paywall, doi

    (for a discussion). ↩

23. 23.

    Cf. id. ↩

24. 24.

    Id.

    (While a strict knowledge standard would make it difficult if not impossible to establish the territorial State’s responsibility, lower standards, like the infamous constructive knowledge, are highly controversial and thus difficult to agree on). ↩

25. 25.

    See Bannelier-Christakis, supra note 9

    (“kind of Trojan horse” leading to a “total cyber war”). ↩

26. 26.

    Gill, supra note 11

    (on proportionality in particular, Gill argues that the principle largely applies in the same way in case of cyber attacks). ↩

27. 27.

    Cf. Note of the Secretary General, Group of Governmental Experts on Development in the Field of Information and Telecommunication in the Context of International Security, U.N. Doc. A/70/174, at ¶ 28(d) (Jul. 22, 2015), available online

    (mentioning the principles of humanity, necessity, proportionality, and distinction). ↩

28. 28.

    Cf. Tallinn Manual, supra note 2, at 422

    (“Only when a cyber operation […] rises to the level of an attack it is prohibited by the principle of distinction”).

    Bannelier-Christakis, supra note 9

    (providing a more nuanced, dynamic interpretation, arguing that IHL principles may also apply to cyber operation below the attack threshold). ↩

29. 29.

    See Bannelier-Christakis, supra note 9.

    (In a recent, profound analysis, Bannelier-Christakis stresses the uncertainty and examines State practice and non-State/academic views in detail). ↩

30. 30.

    Id.

    (In a deeper analysis, Bannelier-Christakis concludes that it is “rather illusory” to strictly limit attacks to military objects given that the “interconnection between civilian and military networks is so deep”). ↩

31. 31.

    Cf. Andreas Zimmermann & Elisa Freiburg-Braun, Article 8 bis, in Commentary of the Rome Statute of the ICC ( Kai Ambos ed., 4th ed. 2022).

    (Note that the drafters preferred a narrow understanding focusing on kinetic force, notwithstanding, in line with the effects approach defended above, “the use of computer networks as weapons” may be qualified as the use of armed force within the meaning of the provision). ↩

32. 32.

    Cf. Tallinn Manual, supra note 2, Rules 84, 85. ↩

33. 33.

    Id. Rule 85(a). ↩

34. 34.

    Cf. Id. at 397 n.958.

    (In fact, the commentary to Rule 84 on Individual Criminal Responsibility omits to mention the ordering alternative when discussing Article 25(3)(b) and moves this discussion to Rule 85(a) ). ↩

35. Suggested Citation for this Comment:

    Kai Ambos, Cyber-Attacks as International Crimes under the Rome Statute of the International Criminal Court?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Ambos.

    Suggested Citation for this Issue Generally:

    When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.

II. The Cyber Operation Must Be Conducted in the Context of and in Association With an Armed Conflict

There obviously is no “war crime” if there is no “war”. Contemporary international humanitarian law (IHL), however, has dropped the use of this expression in favor of the more objective “armed conflict”, the existence of which depends on the factual occurrence of armed violence and not on the intention of the belligerents (animus bellandi). IHL treaties do not provide a definition of “armed conflict” but according to the International Criminal Tribunal for the former Yugoslavia:

[A]n armed conflict exists whenever there is a resort to armed force between States or protracted armed violence between governmental authorities and organized armed groups or between such groups within a State.2

There is now broad consensus that this definition reflects customary international law. An (international) armed conflict also occurs in

[A]ll cases of partial or total occupation of the territory of a High Contracting Party, even if the said occupation meets with no armed resistance.3

Cyber operations can be employed during an existing traditional international armed conflict as “force multipliers”. An illustration is the 2008 armed conflict between Georgia and the Russian Federation, during which Georgia’s governmental and media websites were taken off-line or defaced during the initial phases of the conflict allegedly by Russian hackers, thus affecting Georgia’s ability to communicate and possibly also the operability of its armed forces.4 Russia has also been accused of conducting cyber operations against Ukraine since 2014.5 In neither case, however, has Russia’s responsibility been conclusively established: indeed, the anonymity that characterizes cyberspace is the main obstacle to the application of IHL.

Cyber operations can trigger an armed conflict themselves when they involve the use of cyber means or methods of warfare in support of a belligerent to the detriment of another. Such use must result, or be reasonably likely to result, in military harm to the adversary, physical damage to property, loss of life or injury to persons, or significant disruption of critical infrastructures. If the cyber operations are conducted between states , international armed conflict breaks out, otherwise the conflict is of a non-international character. In the latter case, however, it is highly unlikely that a loose online collective like Anonymous will ever meet the organization requirement necessary for the existence of a non-international armed conflict (NIAC) under the Tadić definition of armed conflict and Article 8(2)(f) of the Rome Statute. Nothing precludes, however, that a “traditional” armed group can conduct cyber operations (followed or not by kinetic hostilities) capable of triggering a NIAC.

It is arguably only those cyber operations that exceed mere inconvenience and significantly disrupt the correct functioning of military or civilian critical infrastructures that can potentially qualify as resort to armed force/violence and thus initiate an armed conflict, as it is only in this case that the effects of disruption can be equated to those of destruction caused by kinetic armed force. Hence, even if it were demonstrated that Russia was behind the operations, the 2007 Distributed Denial of Service (DDoS) attacks on Estonia would not qualify as an international armed conflict between the two states: although they targeted critical infrastructures—banking and communications—no property damage or personal injury occurred and no serious disruption ensued. A different conclusion would likely be reached with regard to a cyber attack that takes down the national electrical grid for a prolonged time, given likely severe negative repercussions on the provision of medical services, transport, financial markets, and security.

The Elements of Crimes under Article 8 of the Rome Statute require that a war crime be committed in the context of and in association with an armed conflict. This nexus requirement distinguishes war crimes from domestic offenses committed during an armed conflict, although the distinction might not always be easy to make, especially in the cyber context.6 Taking into account the relevant case law, it appears that a sufficient belligerent nexus exists if the conduct is committed when and where armed hostilities are taking place or, if it occurs at a time and place where no combat activities are occurring, it was “shaped or dependent upon the environment” of the armed conflict.7 The Ntaganda Trial Chamber has suggested certain indicators in order to establish the existence of the nexus requirement for war crimes, including:

1. the status of the perpetrator and victim, and whether they had a role in the fighting;

2. whether the act may be said to serve the ultimate goal of a military campaign; and

3. whether the crime is committed as part of, or in the context of, the perpetrator’s official duties.8

From the above considerations it can be evinced that IHL applies to cyber operations, and potential war crimes can be committed in case of its violation, in the following cases:

1. when the cyber operations are conducted in the context of and in association with an existing kinetic international or non-international armed conflict;

2. if the exchange of cyber operations between states amounts in itself to “resort to armed force”, i.e. it entails the use of cyber means or methods of warfare resulting or reasonably likely to result in military harm to the adversary, physical damage to property, loss of life or injury to persons, or significant disruption of critical infrastructures;

3. if an organized armed group conducts cyber operations amounting to protracted armed violence against a state or against another organized armed group;9

4. if the cyber operations are conducted by the occupying power in the exercise of its policing and governance powers in occupied territory, or are part of the mounted resistance by the local population to the exercise of such powers;

5. if the cyber operations accompany the resumption or continuation of kinetic hostilities in occupied territory and are conducted in the context of and in association with them, or themselves amount to the initiation, resumption, or continuation of an international or non-international armed conflict in occupied territory.

III. The Cyber Operation Must Be Committed on the Territory or by a National of an ICC State Party

This requirement is prescribed by Article 12(2) of the Rome Statute.10 The territorial jurisdictional link does not cause insurmountable problems in the cyber context: contrary to what it might seem at first sight, cyberspace is not a domain where state territorial sovereignty and jurisdiction do not apply. Indeed, it consists both of a physical and syntactic (or logical) layer: the former includes the physical infrastructure through which the data travel wired or wireless; including servers, routers, satellites, cables, wires, and the computers; while the latter includes the protocols that allow data to be routed and understood, as well as the software used, and the data itself. The ICC, therefore, could exercise territorial jurisdiction when the attacked physical component is located on the territory of a state party.11 Still debated, however, is whether all types of prejudicial effects are relevant to establish jurisdiction or only physical damage: the ICC case law will clarify this point.

With regard to the second jurisdictional link (nationality of the perpetrator), it could be challenging to obtain sufficient evidence to attribute the cyber operation to a specific individual, especially at the preliminary examination stage, as anonymity is one of the main characteristics of cyberspace. The internet, in particular, is a decentralized system where the communications protocol divides the sent data into several packets that take different unpredictable pathways to reach their destination before being reassembled. An IP address identifies the origin and the destination of the data: with the cooperation of the Internet Service Provider through which the system corresponding to the IP address is connected to the internet, it could be associated with a person, group or state. The IP address, however, could be “spoofed”, or the corresponding computer system may only be a “stepping stone” for an attacker located elsewhere.12 Providing sufficient evidence of the identity of the hacker, then, might be a difficult task for the ICC Prosecutor and may require the cooperation of the states from which the cyber operation was conducted.

Having said that, at the preliminary stage the standard of proof is not “beyond reasonable doubt”, a standard which is only necessary for convictions:13 it suffices that there is a “reasonable basis to proceed”, as there is still no accused to protect and the Prosecutor acts only on the basis of publicly available information.14 The evaluation of admissibility, however, is stricter at the post-investigation stage and lack of sufficient evidence might be a significant obstacle to the identification and prosecution of those involved in cyber war crimes. Importantly, in 2013, the Office of the Prosecutor hired an expert in digital forensics for its Scientific Response Unit to improve its ability to collect and analyse digital evidence.15

IV. The Cyber Operation Must Involve the Elements of the ICC War Crimes

In spite of the fact that, by 1998, states had already started to address cyber criminality, cyber issues were completely ignored during the negotiations of the crimes to be included in the Rome Statute. Conduct in cyberspace, however, might fall under the jurisdiction of the Court either because it constitutes a new means to commit a crime already incorporated in the Statute, or because it instigates or facilitates the commission of such crime.16 If cyber crimes were considered new crimes and not new means to commit existing ones, on the other hand, their investigation or prosecution by the ICC would be barred by the nullum crimen sine lege principle incorporated in Article 22 of the Statute.

Of the war crimes contained in Article 8 of the Rome Statute, it is mainly those related to targeting, rather than those concerning mistreatment, that are relevant for cyber operations. Only cyber operations amounting to “attacks” as defined in Article 49(1) of the 1977 Protocol I additional to the 1949 Geneva Conventions on the Protection of Victims of War (“acts of violence against the adversary, whether in offence or in defence”) are the object of the law of targeting and of the corresponding war crimes. When does a cyber operation amount to an “attack”? There is broad agreement that cyber operations that foreseeably result in physical damage to property or persons qualify as “acts of violence”: cyber operations are able to produce damaging physical consequences in the analogue world by corrupting the operating systems of physical infrastructures such as Supervisory Control and Data Acquisition (SCADA) systems, which could result in the malfunction of such infrastructures and possible loss of life or destruction of property. An example is a belligerent’s cyber attack against the adversary which shuts down the cooling system of a nuclear power reactor located in enemy territory, thus causing the release of radioactive substances that indiscriminately reach civilians.

On the other hand, it is controversial whether cyber operations which negatively affect the functionality of infrastructure without physically damaging them also constitute “acts of violence”. It is submitted that the definition of “attack” under Article 49(1) of Additional Protocol I should be interpreted to take into account recent technological developments and that the concept of “violence” should be expanded to include not only material damage to objects, but also the loss of functionality of infrastructures without destruction. Indeed, the dependency of modern societies on computers, computer systems, and networks has made it possible to cause significant harm through non-destructive means. After all, if the use of graphite bombs, which spread a cloud of extremely fine carbon filaments over electrical components, thus causing a short-circuit and a disruption of the electrical supply, would undoubtedly be considered an “attack” even though it does not cause more than nominal physical damage to the infrastructure, one cannot see why the same conclusion should not apply to the use of viruses and other malware that achieve a similar effect.

With the above in mind, the elements of the crimes contained in Article 8 of the Rome Statute can be transposed to the cyber context without significant obstacles. Cyber attacks intentionally aimed at causing civilian casualties or at destroying protected objects, or which are expected to result in “incidental loss of life or injury to civilians or damage to civilian objects or widespread, long-term and severe damage to the natural environment which would be clearly excessive in relation to the concrete and direct overall military advantage anticipated,” would, for instance, amount to war crimes under Article 8(2)(b)(i), (ii) and (iv), and Article 8(2)(e)(i) of the Rome Statute. When the cyber operation aims to cause material damage to property or persons or incapacitation of infrastructures, the attacked “object” is not only, and not mainly, the information itself, but rather the persons, property, or infrastructure attacked through cyberspace. In the case of Stuxnet, for instance, the relevant “object” was not the Siemens software that operated the centrifuges at the Natanz uranium enrichment facility in Iran, but the centrifuges themselves. When a cyber operation aims solely at deleting or altering data stored in computer systems, however, the question arises whether such data are per se an “object” for the purpose of the definition of military objective contained in Article 52(2) of Additional Protocol I (and thus the application of the principle of distinction) if no physical damage or loss of functionality result from it. The problem should not be overestimated. If the cyber operation only causes the corruption, deletion, or alteration of data without consequences in the analogue world, in most cases it will not be an “attack” in the sense indicated above and the law of targeting and the definition of “military objective” will therefore not apply, whether or not the data are an “object”. The only exceptions may be cyber operations targeting data convertible into tangible objects, such as bank account records, so that if the data are destroyed so are the tangible objects; intellectual property that exists only online and that, if attacked and destroyed, cannot be recovered; or data that have an intrinsic value, as in the case of digital art.17 It is only in such and similar exceptional situations that the cyber operation may be an attack even without consequences on physical infrastructures or persons.

Other problems related to the application of existing IHL rules in the cyber context are also overestimated. Take, for instance, the case of the application of the principle of proportionality in attacks. On the one hand, the potentially less damaging character of cyber operations may offer a more effective means to minimize incidental damage on civilians and civilian property. Cyber operations also present advantages for the attacking state, as they virtually entail no risk for its forces thanks to their remote character and the difficulties with regard to identification and attribution. On the other hand, the problem with calculating proportionality in the cyber context resides in the speed and covert nature of cyber attacks: it may be difficult for the parties to the conflict to readily establish their magnitude and consequences. Furthermore, as with biological weapons, some kinds of malware sent through cyberspace might spread uncontrollably because of the malware’s characteristics and the interconnectivity of information systems. All in all, however, meeting the proportionality criterion is essentially a technical issue: customized proportionate cyber reactions are possible if the software is written with this purpose in mind and the targeted system is sufficiently known. The code could, for instance, be designed in a way as to be activated only by the presence of certain characteristics, as in the case of Stuxnet. This requires a high degree of information on the targeted systems, which it may be possible to obtain through traditional intelligence collection and/or cyber espionage.

Another overestimated problem concerns the dual-use nature of most cyber infrastructures, namely the fact that they are, at the same time, used by civilians and the military. This is not unique to the cyber context. The fact that an object is also used for civilian purposes does not affect its qualification under the principle of distinction: if the two requirements provided in Article 52(2) of Additional Protocol I are present, the object is a military objective and is thus targetable, but the neutralization of its civilian component needs to be taken into account when assessing the incidental damage on civilians and civilian property under the principle of proportionality. What is prohibited is to attack the dual-use cyber infrastructure because of its civilian function or to attack a dual-use facility where the incidental civilian damage expected from the attack is excessive in relation to the anticipated concrete and direct military advantage.

Cyber technologies can also be used to instigate or facilitate the commission of crimes under the ICC jurisdiction. Accessory liability, for instance, could be engaged through an act preparatory of genocide like:

[A] network intrusion to acquire the names of individuals registered as a certain race in a State census in order to engage in genocide.18

Individuals could also incite others to commit crimes by posting comments to that aim on blogs, Twitter, or other social media, as noted by the International Independent Fact-Finding Mission on Myanmar established by the U.N. Human Rights Council.19 In September 2012, Azerbaijan also denounced cyber attacks conducted by a self-styled “Armenian Cyber Army” under the direction and control of Armenia that were:

[A]imed at glorifying terrorists and insulting their victims, as well as at advocating, promoting and inciting ethnically and religiously motivated hatred, discrimination and violence.20

V. The Case Involving the Cyber Operation Must Be Sufficiently Grave

Article 17(1)(d) of the Rome Statute provides that a case is inadmissible, and must then be rejected, if it “is not of sufficient gravity to justify further action by the Court.” Article 53 also provides that the Prosecutor may not initiate an investigation or, after an investigation, proceed to a prosecution if he considers the case inadmissible under Article 17. Leaving aside the fact that the persons who are likely to be the object of the investigation or prosecution should include those “most responsible” for the alleged crimes, an issue which faces the already mentioned evidentiary problems,21 ICC case law has indicated that an evaluation of gravity must be made on the basis of both quantitative and qualitative factors, including, but not limited to, the scale, nature, manner of commission of the crimes, as well as their impact. These factors have been applied by the Office of the Prosecutor and the Pre-Trial Chamber (PTC) to assess the gravity of both situations and cases.

A. Scale

As already noted, cyber attacks can potentially cause significant physical damage to persons and objects. One could think of a cyber attack that shuts down an electrical power station in the middle of a harsh winter with consequent deaths among the civilian population due to the low temperatures, or a cyber attack that incapacitates computers controlling waterworks and dams, thus generating flooding of inhabited areas, or that disables the air traffic control system with consequent downing of civilian aircraft.22 Scale includes, among others:

[T]he number of direct and indirect victims, the extent of the damage caused by the crimes, in particular the bodily or psychological harm caused to the victims and their families, or their geographical or temporal spread (high intensity of the crimes over a brief period or low intensity of crimes over an extended period).23

Cyber operations might have a significant geographical spread but still result in limited physical damage. The malicious worm Stuxnet, for instance, spread to computers across several countries, including Iran, Indonesia, India, Azerbaijan, United States and Pakistan, but only caused physical damage to the Iranian uranium enrichment facility in Natanz while causing little harm to computers that did not meet certain specific characteristics. DDoS attacks also often involve millions of botnets across several countries hijacked by a botmaster, but they only result in temporary and reversible harm to the target by shutting down the servers and systems overflooded with requests: this might lead to the temporary interruption of services, but not physical damage to persons or property. It is unlikely, therefore, that, even assuming for the sake of argument that they amounted to crimes under the jurisdiction of the Court, operations like the 2007 DDoS attacks on Estonia, which disrupted banking and communications infrastructures in the Baltic country, would be grave enough from a scale point of view in spite of their geographical spread, unless they also result in loss of life or destruction of physical property.

B. Nature

It is not essential that a situation or case concerns an extensive number of casualties in order to justify investigation and prosecution.24 Indeed, qualitative factors also need to be taken into account. Nature, in particular:

[R]efers to the specific elements of each offence such as killings, rapes and other crimes involving sexual or gender violence and crimes committed against children, persecution, or the imposition of conditions of life on a group calculated to bring about its destruction.25

This implies that certain crimes are by definition graver than others: for instance, national and international sources suggest that murder is considered the most serious crime from a sentencing point of view. Crimes of sexual violence and those involving torture and physical/psychological suffering are also considered serious, while—as recalled by the Trial Chamber26—crimes against property are considered comparably less serious.27 The argument according to which there is a hierarchy among crimes within the jurisdiction of the ICC, and among war crimes in particular, is controversial, as it does not find an explicit basis in the letter of the Rome Statute. If it is accepted, however, cases involving cyber attacks that only cause damage to physical property (like the case of Stuxnet) might not be considered grave enough by their nature especially if compared to other cases involving killing or physical suffering.

C. Manner of Commission

Criteria to assess this factor include, inter alia:

[T]he means employed to execute the crime, the degree of participation and intent of the perpetrator (if discernible at this stage), the extent to which the crimes were systematic or result from a plan or organised policy or otherwise resulted from the abuse of power or official capacity, and elements of particular cruelty, including the vulnerability of the victims, any motives involving discrimination, or the use of rape and sexual violence as a means of destroying groups.28

The means employed to execute the crimes, in our case, are malware and cyber infrastructures like computers and servers, which are unlikely to be an aggravating factor as such (differently, for instance, from the use of electrocution, machetes and prohibited weapons). Intent might be difficult to discern in the cyber context, as malware can function unpredictably due to technical errors or insufficient knowledge of the targeted systems. Cyber operations, however, can be characterized by cruelty, for instance in the case of a cyber operation that changes the medical data of patients so that they receive the wrong, painful, or unnecessary treatment.

D. Impact

Impact can result, among others, from:

[T]he sufferings endured by the victims and their increased vulnerability; the terror subsequently instilled, or the social, economic and environmental damage inflicted on the affected communities.29

Impact, then, has two aspects: the direct impact on the victims and the broader impact on the community. According to the PTC, the impact beyond the victims can be relevant in order to determine sufficient gravity, but its absence does not necessarily negate it.30

The inclusion of this factor in the assessment of gravity entails that even cases that result in a low number of victims on the basis of quantitative requirements might be grave enough from a qualitative perspective if they have a significant impact. For instance, cyber attacks resulting in the death of peacekeepers and humanitarian workers could have a substantial impact because of the importance of peacekeeping missions and of the deterrent effect they could have on them.31 Cyber attacks committed to influence political elections might also have a significant impact on the community. In August 2017, for instance, the Kenyan opposition claimed that hackers had manipulated the results of the recent elections by breaking into the database of Kenya’s electoral commission so to acquire data on the electorate and draft a targeted campaign strategy.32 This is, as such, not an international crime, but at least twenty-four people were killed in the violence that erupted after the contested re-election of President Kenyatta. Certain cyber attacks might also have repercussions on a country’s economy, as in the case of the 2007 DDoS attacks against Estonia. In general, cyber attacks that target national critical infrastructures, thus disrupting the provision of essential services to the society, will have more significant impact on the broader community than those on other infrastructures, especially if their effects are long-term. Not only social and economic damage should be considered in this context, however, but also damage to the natural environment: one could imagine, for instance, a cyber attack on a chemical plant intended to cause the release of hazardous substances into the ocean during an armed conflict.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Rules 84, 85 (Michael N. Schmitt ed., Feb. 2017) [hereinafter Tallinn Manual], paywall, doi.

   (Rules 84 and 85 are respectively titled “Individual criminal responsibility for war crimes” and “Criminal responsibility of commanders and superiors”). ↩

2. 2.

   The Prosecutor v. Dusko Tadić, IT-94-1, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 70 (ICTY AC, Oct. 2, 1995), available online. ↩

3. 3.

   Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, 75 U.N.T.S. 31, Article 2 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online. ↩

4. 4.

   Independent Fact-Finding Mission on the Conflict in Georgia, Report Vol. II, 217–18 (Sep. 2009), available online. ↩

5. 5.

   Marco Roscini, Cyber Operations as a Use of Force, in Research Handbook on International Law and Cyberspace 296, 314 (Nicholas Tsagourias & Russell Buchan eds., 2nd ed. 2021). ↩

6. 6.

   Guénaël Mettraux, Nexus with Armed Conflict, in The Oxford Companion to International Criminal Justice 435 (Antonio Cassese ed., Jan. 2009), paywall, doi. ↩

7. 7.

   Michael Cottier & Matthias Lippold, Article 8. War Crimes, in Rome Statute of the International Criminal Court: Article-by-Article Commentary 317, 351–52 ( Kai Ambos ed., 4th ed. 2022), paywall. ↩

8. 8.

   The Prosecutor v. Bosco Ntaganda, ICC-01/04-02/06-2359, Judgment, ¶ 732 (TC VI, Jul. 8, 2019), available online. ↩

9. 9.

   Whether a NIAC falls under Common Art. 3 of the Geneva Conventions or Protocol II Additional to the Geneva Conventions depends on their respective thresholds of applications. ↩

10. 10.

    Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 13(b), available online.

    (This requirement, however, does not apply when a situation is referred to the ICC Prosecutor by the U.N. Security Council acting under Chapter VII). ↩

11. 11.

    Anne-Laure Chaumette, International Criminal Responsibility of Individuals in Case of Cyberattacks, 18 Int’l Crim. L. Rev. 1, 23 (2018), paywall, doi; see also Council of Europe, Explanatory Report to the Convention on Cybercrime, ETS No. 185, ¶ 233 (Nov. 8, 2001), available online. ↩

12. 12.

    Scott J. Shackelford & Richard B. Andres, State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem, 42 Geo. J. Int’l L. 971, 982 (2011), paywall, earlier version available online. ↩

13. 13.

    Rome Statute, supra note 10, at Article 66(3). ↩

14. 14.

    Id. Article 53(1). ↩

15. 15.

    UC Berkeley Human Rights Center, Digital Fingerprints: Using Electronic Evidence to Advance Prosecutions at the International Criminal Court, 5 (Feb. 2014), available online. ↩

16. 16.

    Rome Statute, supra note 10, Article 25(3). ↩

17. 17.

    Michael N. Schmitt, Cyber Operations and the Jus in Bello: Key Issues, 87 Int’l L. Stud. 89, 96 (2011), available online. ↩

18. 18.

    Tallinn Manual 2.0, supra note 1, at 66. ↩

19. 19.

    Human Rights Council, Report of the Independent International Fact-Finding Commission on Myanmar, U.N. Doc. A/HRC/39/64, ¶ 74 (Sep. 12, 2018), available online. ↩

20. 20.

    Letter dated September 6, 2012 from the Chargé d’affaires a.i. of the Permanent Mission of Azerbaijan to the United Nations addressed to the Secretary-General, U.N. Doc. A/66/897-S/2012/687, at 1 (Sep. 7, 2012), available online. ↩

21. 21.

    On this aspect, see Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct That Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247, 256–59 (Jun. 1, 2019), available online, doi. ↩

22. 22.

    Some of these examples are contained in Jeremy Wright, UK Attorney General, Speech at Chatham House, Cyber and International Law in the 21st Century (May 23, 2018), available online. ↩

23. 23.

    Office of the Prosecutor, ICC, Policy Paper on Preliminary Examinations, ¶ 62 (Nov. 2013) [hereinafter Policy Paper], available online. ↩

24. 24.

    Situation in the Republic of Burundi, ICC-01/17-9-Red, Decision Pursuant to Article 15 of the Rome Statute on the Authorization of an Investigation into the Situation in the Republic of Burundi, ¶ 184 (PTC III, Oct. 25, 2017), available online. ↩

25. 25.

    Policy Paper, supra note 23, ¶ 63. ↩

26. 26.

    The Prosecutor v. Ahmad al-Faqi al-Mahdi, ICC-01/12-01/15-171, Judgment and Sentence, ¶ 77 (TC VIII, Sep. 27, 2016), available online. ↩

27. 27.

    Id. ↩

28. 28.

    Policy Paper, supra note 23, ¶ 64. ↩

29. 29.

    Id. ¶ 65; see also Situation in the Republic of Kenya, ICC-01/09-3, Request for Authorisation of an Investigation pursuant to Article 15, ¶¶ 56, 59 (PTC II, Nov. 26, 2009), available online. ↩

30. 30.

    Situation on the Registered Vessels of the Union of the Comoros, the Hellenic Republic and the Kingdom of Cambodia, ICC-01/13-34, Decision on the request of the Union of the Comoros to review the Prosecutor’s decision not to initiate an investigation, ¶ 47 (PTC I, Jul. 16, 2015), available online. ↩

31. 31.

    See The Prosecutor v. Bahr Idriss Abu Garda, ICC-02/05-02/09-243-Red, Decision on the Confirmation of Charges, ¶ 33 (PTC I, Feb. 8, 2010), available online; Situation in Georgia, ICC-01/15-12, Decision on the Prosecutor’s request for authorization of an investigation, ¶ 55 (PTC I, Jan. 27, 2016), available online. ↩

32. 32.

    Talita De Souza Dias, Propaganda and Accountability for International Crimes in the Age of Social Media: Revisiting Accomplice Liability in International Criminal Law, Opinio Juris (Apr. 4, 2018), available online. ↩

33. Suggested Citation for this Comment:

    Marco Roscini, Cyber Operations Can Constitute War Crimes Under the ICC Jurisdiction Without Need to Amend the Rome Statute, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Roscini.

    Suggested Citation for this Issue Generally:

    When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.