Invited Experts on Cyberwarfare Question

Kai Ambos, Dr.jur., Privatdozent LMU München; Professor of Law, Georg-August-University Göttingen

Cyber-Attacks as International Crimes under the Rome Statute of the International Criminal Court?

Summary

In this short comment[1] I argue that cyber operations in the form of cyber-attacks may entail individual criminal responsibility under international criminal law, especially when they amount to war crimes. In Section I, I start with some conceptual remarks regarding the umbrella term cyber operations and cyberwarfare, then, in Section II, I argue that cyber attacks may amount to “attacks” in the legal sense of the term on the basis of an effects approach. In Section III, I apply this approach to the international core crimes within the meaning of Article 5 of the Rome Statute focusing mainly on war crimes. I then conclude in Section IV with some remarks on the law on individual criminal responsibility.

Argument

I. Preliminary Conceptual Remarks: Cyber Operations and Cyber Warfare

“Cyber operation” is an umbrella term referring to “employment of cyber capabilities to achieve [certain] objectives in or through cyberspace.”[2] The term is more specific than the broader “cybercrime”[3] and covers inter alia cyber espionage, cyber manipulation, and cyber attacks.[4] Thinking of cyber operations in terms of international criminal law, the focus shifts to cyber attacks given that they constitute the strongest, most aggressive form of a cyber operation and are as such the only possible candidates serious enough to qualify as international crimes (see, infra, Section III).[5]

“Cyberwarfare” is, more narrowly, the conduct of a cyber operation by military means in order to achieve military objectives.[6] Means of cyberwarfare “are cyber weapons and their associated cyber systems.”[7] Given that cyber attacks can reasonably be expected to cause injury or death to persons or damage or destruction to objects, they can be fairly described, together with the device and/or software employed, as cyber weapons and thus as means of cyberwarfare.

II. Cyber Attacks as “Attacks” Due to Their Effects

The main difference between cyber and conventional attacks is the lack of the exertion of kinetic force of the former. In contrast to conventional kinetic attacks, cyber attacks regularly do not cause damage through direct kinetic force, but rather indirectly through the alteration or destruction of data. Kinetic means, in this regard, that the damage is related to or results from the motion or the dynamic of the attack. Kinetic weaponry is weaponry that acts through mechanical transmission.

However, kinetic and cyber-attacks may be comparable in their effects or consequences. The conventional physical bombardment of a military base or causing a complete loss of function through a cyber-attack may have the same effect, that is, the temporary suspension of the use of the military base. Still, even though the attacks are comparable in their effect, they are achieved in fundamentally different ways: while physical damage occurs in the case of conventional attacks, it is usually absent in the case of cyber attacks. Notwithstanding, a cyber operation may well trigger and/or cause kinetic damage, e.g. widespread flooding caused by the deactivation of the regulating system of a large dam. For these scenarios of cyber attacks with indirect kinetic effects, the notion of “cyber-kinetic-attacks” has been coined.[8] The term is somewhat misleading, though, since it lumps together apparently contradictory—cyber vs. kinetic—notions. It is thus clearer to speak of indirect, secondary or even reverberating effects of cyber attacks.[9]

Gary D. Brown, J.D., LL.M.; Professor of Cyber Law, College of Information and Cyberspace; National Defense University

Some Nondestructive State Cyber Operations Probably Constitute the Crime of Aggression under the Rome Statute, but Attribution Difficulties and State Practice Make Effective Deterrence Unlikely

Summary

Cyber activities continue to harass and confound governments and citizens alike. Although, under some circumstances, cyber operations constitute a welcome alternative to military force for advancing state interests, some disruptive cyber activities that don’t constitute a use of force under the U.N. Charter are nevertheless serious enough to cause concern. Some of these non-destructive cyber activities could constitute the crime of aggression under the Rome Statute. However, given the growing practice of states in cyberspace, the generally muted reactions to transgressive cyber behavior, and the difficulty in attributing cyber aggression to states, the Rome Statute is unlikely to have a significant deterrent effect on disruptive cyber behavior.

Argument[1]

States, the U.N., and other international organizations struggle to determine which state-sponsored cyber operations violate international law. Although it seems intuitively clear that cyber operations disrupting normal civilian life or interfering with the conduct of government business should constitute violations of international law, the law itself can be difficult to interpret in the virtual context. International law governing aggression is geared toward kinetic (physical) effects. International aggression has been closely aligned with military force, and military force results in physical destruction, injuries, and deaths. A body of law designed to deal with kinetic options is a poor fit for cyberspace, where effective operations can result in widespread effects that, while effective in advancing strategic interests, may not directly result in damage or injury. Despite scholarly attempts to address this gap in the law by generous interpretation of the applicability of sovereignty and discussion of the nonintervention principle, it remains an ambiguous and hotly debated area of law. Some states appear to carefully structure their cyber activities to ensure that the effects remain below the traditional understanding of a use of force in violation of the U.N. Charter. In other cases, states use cyber capabilities to undertake massive espionage campaigns which, although exponentially larger in scale than more traditional espionage, remain just espionage and therefore currently beyond the reach of international law.

The international law applicable to the top and bottom of the range of state cyber activities is relatively clear. At the top end, cyber activities that cross the use of force threshold violate Article 2(4) of the U.N. Charter.[2] There is room for discussion about exactly where this line falls, but cyber actions directly resulting in physical damage or destruction of objects, or injury or death to people, clearly violate the Charter, just as their analogs in physical space would. At the bottom end, it is well-established that espionage, while not likely to win any friends, does not violate international law—or at least constitutes a “no-go” zone for the law.

Between these two limits there is a vast gray zone where the legality of state-sponsored cyber activities remains unclear. Two examples of these difficult categories are dual-purpose implants on critical systems and large-scale disruption of non-critical systems.

Oona A. Hathaway, Gerard C. and Bernice Latrobe Smith Professor of International Law, Yale Law School

To What Extent and Under What Conditions Might Cyber Operations or Cyberwarfare Constitute Crimes Specified in the Rome Statute?

Some advisers, including myself, took the position that only cyber operations resulting in loss of, or injury to, human life would reach the level of a “manifest” violation. Others maintained that cyber operations with large-scale physical destruction might also reach the level of a manifest violation. Others suggested loss of functionality or incapacitation, without physical destruction, could even be sufficient. Suffice it to say that there are, as of this writing, significant differences among experts on the matter. There is agreement, however, that cyber operations with mere economic effects would not be sufficient to constitute a crime of aggression.

Argument

Introduction

This comment will focus on one of the four crimes in the Rome Statute: the crime of aggression. This crime, and whether it should be included in the Rome Statute, has of course been the subject of intense debate and discussion. This comment puts that debate to one side to focus on the question of whether the crime of aggression—whatever one may think of it—applies to cyber operations or cyberwarfare and under what conditions.

Does the Crime of Aggression Apply to Cyber Operations?

An initial question is whether the crime of aggression applies to cyber operations at all. Article 8 bis(1) defines a “crime of aggression” to include:

[T]he planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.[1]

Nothing in this definition limits the crime to a particular set of weapons or tools. Article 8 bis(2) goes on to define an “act of aggression” as:

[T]he use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.[2]

It then includes a list of acts that “regardless of a declaration of war” qualify as an act of aggression.

This presents two questions: First, can a cyber operation constitute a manifest violation of the Charter of the United Nations? Second, is the list of actions that qualify as an “act of aggression” exhaustive or merely illustrative?

On the first question—whether a cyber operation can constitute a manifest violation of the Charter of the United Nations—the answer is clearly yes. When the possibility of aggressive cyber incidents first emerged, there was an initial debate over whether international law applied to cyber operations. Some scholars thought that it did not. Those who took what is sometimes referred to as an “instrument-based approach,” argued that:

[A] cyber-attack alone will almost never constitute an armed attack for purposes of Article 51 ‘because it lacks the physical characteristics traditionally associated with military coercion’—in other words, because it generally does not use traditional military weapons.[3]

That view, however, has largely given way to the view that, though the technology is relatively new and certainly post-dates the Charter, the U.N. Charter nonetheless can be applied to cyber incidents.[4]

Marco Roscini, Ph.D., Professor, University of Westminster School of Law

Cyber Operations Can Constitute War Crimes Under the ICC Jurisdiction Without Need to Amend the Rome Statute

Even if it were demonstrated that Russia was behind the operations, the 2007 Distributed Denial of Service (DDoS) attacks on Estonia would not qualify as an international armed conflict between the two states: although they targeted critical infrastructures—banking and communications—no property damage or personal injury occurred and no serious disruption ensued. A different conclusion would likely be reached with regard to a cyber attack that takes down the national electrical grid for a prolonged time, given likely severe negative repercussions on the provision of medical services, transport, financial markets, and security.

Summary

Cyber operations can constitute war crimes under the jurisdiction of the International Criminal Court (ICC) when:

  1. they have been committed in the context of and in association with an armed conflict, kinetic or otherwise;

  2. they involve the elements of the crimes listed in Article 8 of the Rome Statute;

  3. they have been perpetrated on the territory of a state party or by a national of a state party; and

  4. the case involving them is sufficiently grave.

There is nothing in the elements targeting war crimes under Article 8 which prevents their application to cyber operations and, therefore, there is no need to amend the Rome Statute to prosecute them before the Court. The main challenges are not related to the definition of the crimes or the corresponding rules of international humanitarian law but to the well-known technical obstacles to the identification of the perpetrators and the collection of evidence.

Argument

I. Introduction

The use of cyber technologies as a new means to commit, instigate, or facilitate crimes under the ICC’s jurisdiction has so far received little attention in international criminal law scholarship. Even the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, published by a group of experts in 2017, only devotes two rules (out of 154) to cyber international criminality.[1] This comment explores when cyber operations can constitute war crimes under the ICC’s jurisdiction. This can occur when:

  1. they have been committed in the context of and in association with an armed conflict, kinetic or otherwise;

  2. they involve the elements of the war crimes listed in Article 8 of the Rome Statute;

  3. they have been committed on the territory of a state party or by a national of a state party; and

  4. the case involving them is sufficiently grave.

The next sections address these points in turn.

Ambassador David Scheffer, International Francqui Professor, KU Leuven, Belgium

Amending the Rome Statute to Cover Cyberwarfare as Aggression

Argument

During the negotiations leading to the establishment of the International Criminal Court (ICC),[1] there was no discussion that I recall of cyberattacks as illegal conduct or prohibited weaponry under Article 8 (war crimes) of the Rome Statute governing the ICC.[2] Nor was cyberwarfare factored into the discussions concerning the crime of aggression, either during the 1990s or thereafter in the talks leading up to and including the Kampala Review Conference in 2010 when the definition and implementation procedures of the crime of aggression were codified as amendments to the Rome Statute subject to ratification by Member States.[3] While in the lexicon of some pleading before the ICC, judges might be able to interpret the Rome Statute as covering cyber measures including cyberattacks and cyberwarfare, cyber measures are essentially a novel, uncodified, but hugely impactful means of assaulting governments, international institutions, business, and peoples and violating the sovereignty and territorial integrity of a country. Labeling serious injurious cyber measures as criminal, even at the domestic level much less the international level, remains a work in progress.

Nonetheless, there is good reason to consider how the Rome Statute could be amended to prosecute cyber measures within at least the context of the crime of aggression. In 2017, I published a book chapter in The Crime of Aggression—A Commentary,[4] and an article in the Harvard International Law Journal[5] wherein I proposed amendments to the Rome Statute to accommodate the rapidly rising threat of cyber measures. This comment draws from those publications and I refer the reader to all of the footnotes therein.

War during the twenty-first century often will not be fought conventionally between nations. Non-state actors like the Islamic State of Iraq and Syria (ISIS), Al Qaeda, Boko Haram, the Lord’s Resistance Army, and al-Shabab, to name only a few past and present, will dominate the theaters of conflict and hostilities. Unfortunately, because it is grounded in General Assembly Resolution 3314 (XXIX) of December 14, 1974,[6] Article 8 bis(2) of the Rome Statute, defining an “act of aggression,” is already exceptionally antiquated. The definition is relevant only for the actions of states (including “armed bands, groups, irregulars or mercenaries” sent by or acting on behalf of a state).

Article 8 bis(1) of the Rome Statute defines the “crime of aggression” in terms of what a person does in holding a “position effectively to exercise control over or to direct the political or military action of a State.” There is no opportunity for the ICC to prosecute an individual for aggression when he acts in a leadership capacity to guide a non-state entity. The ICC Prosecutor thus is disarmed in connection with vast exercises of aggressive warfare waged by non-state entities across national boundaries. Internal aggression, which has been a favorite tactic of ISIS and other non-state actors determined (sometimes successfully) to seize territory within a state, also escapes the Article 8 bis definition.

The many manifestations of cyber measures have become a common staple of international affairs, and yet the entire concept is absent from the Article 8 bis definition. This is unsurprising given the fact that cyber measures, and particularly cyberwarfare, essentially did not exist in 1974 when the General Assembly defined acts of inter-state aggression. But its absence from Article 8 bis is a glaring omission in modern times and will cripple the ICC in how it will investigate aggression that may consist solely or largely of cyberwarfare tactics.