Cyber-Attacks as International Crimes under the Rome Statute of the International Criminal Court?
The conventional physical bombardment of a military base or causing a complete loss of function through a cyber-attack may have the same effect, that is, the temporary suspension of the use of the military base. Still, even though the attacks are comparable in their effect, they are achieved in fundamentally different ways: while physical damage occurs in the case of conventional attacks, it is usually absent in the case of cyber attacks.
In this short comment1 I argue that cyber operations in the form of cyber-attacks may entail individual criminal responsibility under international criminal law, especially when they amount to war crimes. In Section I, I start with some conceptual remarks regarding the umbrella term cyber operations and cyberwarfare, then, in Section II, I argue that cyber attacks may amount to “attacks” in the legal sense of the term on the basis of an effects approach. In Section III, I apply this approach to the international core crimes within the meaning of Article 5 of the Rome Statute focusing mainly on war crimes. I then conclude in Section IV with some remarks on the law on individual criminal responsibility.
I. Preliminary Conceptual Remarks: Cyber Operations and Cyber Warfare
“Cyber operation” is an umbrella term referring to “employment of cyber capabilities to achieve [certain] objectives in or through cyberspace.”2 The term is more specific than the broader “cybercrime”3 and covers inter alia cyber espionage, cyber manipulation, and cyber attacks.4 Thinking of cyber operations in terms of international criminal law the focus shifts to cyber attacks given that they constitute the strongest, most aggressive form of a cyber operation and are as such the only possible candidates serious enough to qualify as international crimes (see, infra, Section III).5
“Cyberwarfare” is, more narrowly, the conduct of a cyber operation by military means in order to achieve military objectives.6 Means of cyberwarfare “are cyber weapons and their associated cyber systems.”7 Given that cyber attacks can reasonably be expected to cause injury or death to persons or damage or destruction to objects, they can be fairly described, together with the device and/or software employed, as cyber weapons and thus as means of cyberwarfare.
II. Cyber Attacks as “Attacks” Due to Their Effects
The main difference between cyber and conventional attacks is the lack of the exertion of kinetic force of the former. In contrast to conventional kinetic attacks, cyber attacks regularly do not cause damage through direct kinetic force, but rather indirectly through the alteration or destruction of data. Kinetic means, in this regard, that the damage is related to or results from the motion or the dynamic of the attack. Kinetic weaponry is weaponry that acts through mechanical transmission.
However, kinetic and cyber-attacks may be comparable in their effects or consequences. The conventional physical bombardment of a military base or causing a complete loss of function through a cyber-attack may have the same effect, that is, the temporary suspension of the use of the military base. Still, even though the attacks are comparable in their effect, they are achieved in fundamentally different ways: while physical damage occurs in the case of conventional attacks, it is usually absent in the case of cyber attacks. Notwithstanding, a cyber operation may well trigger and/or cause kinetic damage, e.g. widespread flooding caused by the deactivation of the regulating system of a large dam. For these scenarios of cyber attacks with indirect kinetic effects, the notion of “cyber-kinetic-attacks” has been coined.8 The term is somewhat misleading, though, since it lumps together apparently contradictory—cyber vs. kinetic—notions. It is thus clearer to speak of indirect, secondary or even reverberating effects of cyber attacks.9
At any rate, given the fundamental difference between a conventional (kinetic) and a cyber (non-kinetic) attack, it has been argued that only the former amounts to an attack in the legal sense of the term since such an attack presupposes physical damage and the ensuing replacement of physical components of the attacked object.10 The opposing view holds that damage to an operating system (with the ensuing need to reinstall it) or destruction of particular data may suffice to be qualified as an “attack” if similar harmful consequences (loss of functionality, etc.) ensue.11 This latter view is, in principle, more convincing.12 While physical objects and mere data are certainly different, they are inseparably connected and interrelated. For this reason, cyber attacks may have an effect comparable to physical damage through functionally producing data corruption, which, in turn, has a significant negative impact on cyberinfrastructures. Indeed, in today’s cyber world, the traditional concepts of “use of force”, “armed attack” or “acts of violence”13 need to be reconsidered focusing on their effects instead of overemphasizing the means (the kind of weapon) used to bring about these effects. This is even more true in the case of damage to so-called critical infrastructures.14 Thus, in sum, interpreting cyber attacks in the light of existing international (humanitarian) law, the effect-based approach focusing on the effects or consequences of a cyber attack with regard to a concrete target is to be preferred over a mere means or instruments approach.15
III. Cyber Attacks as International Crimes
International crimes may be committed through cyber-attacks alone or in combination with kinetic acts. At any rate, such attacks must be of a sufficient gravity to fall under the ICC’s mandate as a consequence of the (autonomous) gravity threshold within the framework of the complementarity regime of Article 17(1)(d) of the Rome Statute. While no cyber situations have yet been the object of analysis of the ICC’s Prosecutor,16 cyber-attacks surely have the potential to reach the necessary gravity threshold due to their effects and the associated external impact in line with the criteria of “scale, nature, manner of the commission, and impact”.17
Let us now have a look at the crimes under the Rome Statute, focusing in particular on war crimes.
A. War Crimes (Article 8 of the Rome Statute)
The basic requirement for the application of the war crime regime is that an armed conflict exists (common Article 2 of the Geneva Conventions (GC) ), i.e., that armed force has been employed between parties to a conflict and it can be attributed to one of them.18 As argued above, the question of whether a pure cyber attack can be qualified “armed force” needs to be answered from the perspective of the effects of such attacks as compared to traditional kinetic attacks. This effect-based reading is also in line with the definition of “armed attacks” as “acts of violence” in the sense of Article 49(1) of the Additional Protocol [AP] I GC provided that a cyber attack produces violent effects, for example, by harming a physical part of a computer network which results in its replacement. In contrast, if a cyber attack does not produce any (lasting) physical or serious functional damage, it does not reach the armed conflict threshold. At any rate, generally it can be said that cyber attacks hardly reach the armed conflict threshold on their own but only in combination with traditional kinetic attacks; yet, cyber means of warfare may be employed in the context of a traditional armed conflict.19
It is more difficult to meet the second element of the armed conflict requirement, namely the attribution of a cyber attack to one of the parties to the conflict. While there are rules of attribution which may serve as guidance, e.g. in the International Law Commissions’s Draft on State Responsibility20 or, more specifically, in the Tallinn Manual,21 the difficulties are mainly of a factual and evidentiary nature. They lie in the identification of the attacker and/or the attribution of the attack to a party to the respective armed conflict. On the one hand, the attack may come out of the anonymity of the Internet and thus may not be traceable to a specific person or group; or it may be traced to the wrong person or group. At best, it may be possible to identify the computer responsible for the attack via its IP address and thus establish its territorial location. Yet, while this may arguably allow one to presume the responsibility of the territorial State, such a presumption may be rebutted by this State, for example, by pointing to a group of non-state actors which it does not control.22 On the other hand, the attacker may be identified but s/he may not belong to or be affiliated with a party to the conflict and thus the attack may not be attributable to such a group; in addition, the attackers themselves may not qualify as an armed group within the meaning of International Humanitarian Law (IHL)—lacking the necessary degree of organization, i.e., command, control, discipline, and hierarchy—and thus would not, on their own, constitute an autonomous party to the conflict. For example, groups of hackers usually lack the IHL criteria just mentioned; a spontaneous collective attack, e.g. a denial-of-service attack, does not comply with the organization requirement either. One may avoid these problems of attribution invoking a due diligence obligation of the (territorial) State to prevent cyber-attacks from happening in the first place or to intervene to stop them since such an approach focuses on the primary obligation of due diligence and its breach.23 However, this approach entails other problems. In particular, to establish a fair control standard—what can be fairly expected from a State in terms of control of cyber activities on its territory—and a sufficiently precise mental or cognitive standard.24
In line with the effects approach, it is conceivable that cyber-attacks that disrupt the function of critical infrastructure—e.g. the health care system—cross the armed conflict and attack thresholds and amount to war crimes under Article 8 of the Rome Statute by “wilfully causing great suffering, or serious injury to body or health,” “attacks against the civilian population as such or against individual civilians not taking direct part in hostilities” or “[i]ntentionally directing attacks against […] medical units.” Any person acting on behalf of a party to the conflict may commit such a war crime and thus be a responsible agent. In the cyber context, the participation of civilians is of particular relevance since the reliance on civilian expertise is indispensable. These civilians may be members of formal armed forces but also of non-State actors and thus be targetable according to the (highly controversial) general rules of participation in hostilities. Here, too, certain particularities are to be noted, above all how cyber-active civilians are to be distinguished from ordinary civilians in terms of their participation in hostilities. Generally, it can be said that the decision about the participation (with the ensuing loss of immunity from attacks) depends on the importance of the cyber civilian’s contribution and his/her expertise. Thus, if an attack would not have been possible without this contribution, a participation is to be affirmed while a mere support function, e.g. maintenance of a computer network, does not justify such an affirmation. While the decision depends ultimately on the circumstances of the concrete case, it is clear that a (too) broad reading of the participation requirement may undermine the protective purpose of IHL,25 as especially expressed by the principle of distinction to which we now turn.
The usual IHL principles , i.e., humanity, necessity, proportionality,26 precaution, and distinction,27 also apply to cyber attacks if they amount to “attacks” under IHL28. Take, for example, the war crime of “[i]ntentionally directing attacks against civilian objects, that is, objects which are not military objectives” from Article 8(2)(b)(ii) of the Rome Statute. This provision constitutes a concrete implementation of the principle of distinction, embodied in Article 48 AP I GC and part of customary international law applicable in both international and non-international armed conflicts. Civilian objects are (only) defined negatively in delimitation to “military objectives” and these are “limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose […] neutralization […] offers a definitive military advantage” (Article 52 AP I GC [emphasis added]). While it is fairly uncontroversial that the principle of distinction also applies to cyber attacks, its concrete application is shrouded by controversy and uncertainty.29 Apart from the usual difficulties to distinguish between civilian and military objects pursuant to the just mentioned blurred definition, the situation is even more complicated in the cyber area given that any computer system can be used for both civilian and military purposes at the same time or interchangeably—the dual-use problem .30 Thus, ultimately, the decision whether a certain object is “military” and can therefore be targeted is very much case-based on the specific circumstances.
B. Other International Core Crimes
In line with the effects approach, it is easily conceivable that cyber attacks may produce the objective effects of a genocidal attack on a protected group pursuant to Article 6(a)–(e) of the Rome Statute, or bring about the results of the underlying crimes of crimes against humanity pursuant to Article 7 of the Rome Statute. In the former case it will, as always, be difficult to overcome the high subjective threshold in the form the specific intent to destroy one of the protected groups. In the latter case, the cyber-attack would have to be carried out pursuant to a certain policy and, further, to be widespread or systematic. With regard to the organizational requirement in Article 7(2)(a) of the Rome Statute, similar questions as under war crimes, with a view to a minimum organisational threshold, arise.
Last but not least, the crime of aggression under Article 8 bis is only of limited, if any, relevance in the cyber context. This is so mainly for three reasons. First, Article 8 bis does not cover non-State actors but these are often behind cyber attacks. Secondly, a cyber attack may only exceptionally amount to a “use of armed force” within the meaning of Article 8 bis(2).31 Third, it is even less conceivable that such attacks constitute “a manifest violation” of the U.N. Charter as required by Article 8 bis(1).
IV. Individual Criminal Responsibility
Individual criminal responsibility presupposes the existence of international crimes and the relevant participation in these crimes by natural persons. The Tallinn Manual 2.0 now explicitly recognizes individual and superior (criminal) responsibility, albeit limited to war crimes, in line with Articles 25 and 28 of the Rome Statute;32 as to superiors, it additionally provides a responsibility for “ordering cyber operations that constitute war crimes.”33
Participants in cyber-attacks are criminally responsible, under various subsections of Articles 25 and 28 of the Rome Statute, according to the nature and degree of involvement in the attack either as perpetrators acting alone, jointly with another, or through another person—or as secondary participants—inducing the attack or collaborating in it. Superiors may order the attack or fail to properly supervise subordinates carrying out such an attack. Liability for ordering is based on the general provision of Article 25(3)(b) of the Rome Statute, i.e., it is not limited to superiors within the meaning of Article 28, although there is, in factual terms, good reason to argue that only such superiors are in the position to order. At any rate, the just mentioned Tallinn Manual’s specific Rule 85(a) turns out to be redundant in light of the ordering alternative in Article 25(3)(b) of the Rome Statute. Apparently, the Tallinn drafters wanted to incorporate both the superior’s active conduct and failure to act in one specific Rule, i.e., Rule 85.34
In the case of the crime of aggression, criminal responsibility only arises, pursuant to the so-called leadership clause in Article 8 bis(1) of the Rome Statute, with regard to “a person in a position effectively to exercise control over or to direct the political or military action of a State.” This means that the persons effectively carrying out a cyber attack would not be criminally liable but, at best, their superiors would be, if they belong to the leadership level and can be held responsible for the acts of the actual “cyber warriors”.
Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).
This comment draws upon the following two sources. The research assistance of Luca Petersen is gratefully acknowledged.
International Criminal Responsibility in Cyberspace, in Research Handbook on Cyberspace and International Law 118 ( 2021), & eds., 2d ed. earlier version available online; Individual Criminal Responsibility for Cyber Aggression, 21 J. Conflict & Security L. 495 (Aug. 7, 2016), paywall, doi. ↩
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 564 ( Feb. 2017) [hereinafter ed., Tallinn Manual], paywall, doi; Accord , The Notion of Cyber Operations, in Research Handbook on Cyberspace and International Law 211 ( Jun. 26, 2015), & eds., paywall, doi, later version with (Apr. 14, 2020) available online. ↩
International Legal Dimension of Cybercrime, in Research Handbook on Cyberspace and International Law 190 ( Jun. 26, 2015), & eds., available online, doi&
(“Cybercrime” refers to any criminal activity involving computer technology, committed by means of or against a computer).
Convention on Cybercrime, ETS No. 185 (Nov. 23, 2001) [hereinafter Budapest Convention], available online
(At the international level, the most comprehensive regulation of Cybercrime has been the Budapest Convention, said to have influenced the criminal law legislation of about 120 States).
Cf. , The Global State of Cybercrime Legislation 2013–2021: A Cursory Overview (Jun. 30, 2021), available online. ↩
See , supra note 2.
(In a profound analysis, Ducheine demonstrates the similar strategic objectives and common operational means and methods of State and Non-State actors and set out six typical phases of a cyber operation, i.e., reconnaissance, design, intrusion, action, camouflage, and exfiltration). ↩
See Cyber Operations as Use of Force, in Research Handbook on Cyberspace and International Law 233 ( Jun. 26, 2015), & eds., available online, earlier version, doi.
(In contrast, the previously mentioned cyber espionage or manipulation is, as a rule, non-destructive and only employed to enter a computer system to extract information). ↩
Tallinn Manual, supra note 2, at 564
(This is a military extension of the definition of “cyber operation”).
2, 290 n.112, supra note
(offering a critical discussion, but also, however, create the impression that the Tallinn Manual, quoting the first edition from 2013, provides a definition of “cyber warfare”).
Cyber Warfare and the Laws of War 294 (2012), paywall,
(referring to “electronic warfare” as “Military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy.”). ↩
See e.g. , The Dawn of Kinetic Cyber, in 5th International Conference on Cyber Conflict ( 2013), , & eds., available online. ↩
Cf. , Is the Principle of Distinction Still Relevant in Cyberwarfare?, in Research Handbook on Cyberspace and International Law 343 ( Jun. 26, 2015), & eds., available online, doi
(with further references). ↩
Tallinn Manual, supra note 2, at 417.
See also , Weapons and the Law of Armed Conflict 239 (2d ed. 2016), paywall, doi. ↩
Tallinn Manual, supra note 2, at 417–18
(“Some of the experts”).
See also , Das Kampfführungsrecht im internationalen Cyberkrieg 97–98 (2018), paywall; see also , International Humanitarian Law Applied to Cyber-Warfare: Precautions, Proportionality and the Notion of “Attack” Under the Humanitarian Law of Armed Conflict, in Research Handbook on Cyberspace and International Law 366 ( Jun. 26, 2015), & eds., paywall, doi
(discussing effects which may turn data destruction into an attack).
See , supra note 9
(discussing loss of functionality). ↩
(for a narrower view with regard to attacks on data as use of force).
See also , supra note 9
(on the opposing views regarding data). ↩
Cf. supra note 5
(on the synonymity of these concepts). ↩
Improving Critical Infrastructure Cybersecurity, § 2 (Feb. 12, 2013), available online,
(According to § 2, a “critical infrastructure” “means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition is still valid).
Improving the Nation’s Cybersecurity (May 12, 2021), available online; , Critical Infrastructure Security and Resilience Month, 2021 (Oct. 29, 2021), available online,
(confirming the Biden administration’s commitment to secure the critical infrastructure, focusing, inter alia, on critical software). ↩
See , supra note 9
(For the same view with several further references but rightly pointing to the evidentiary problems with regard to the proof of damage caused by a cyber operation and the precise extent of this damage).
See also supra note 5.
(A combination of the instruments (weapons) and effects (of these weapons) approaches, as advocated by, does not yield different results since ultimately the decisive question is whether the cyber attacks cause a significant (physical) damage or a significant loss of functionality affirming a use of force in these cases while only seeing a violation of the principle of non-intervention in case of “other” cyber attacks). ↩
However, while the issue did not give rise, so far, to a preliminary examination or even investigation, it is likely to increasingly come up in Article 15 communications and appears to be considered as part of overall investigative/protection strategies and information security management. ↩
Regulations of the Office of the Prosecutor, ICC-BD/05-01-09, Reg. 29(2) (Apr. 23, 2009), available online, archived; see , The Criminalization of Cyber-operations Under the Rome Statute, 19 J. Int’l Crim. Just. 1133, 1138–46 (Nov. 8, 2021), paywall, doi; see also Gravity in the Statute of the International Criminal Court and Cyber Conduct That Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247 (Jun. 1, 2019), available online, doi. ↩,
Cf. The Prosecutor v. Dusko Tadić, IT-94-1-AR, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction ¶ 70 (ICTY AC, Oct. 2, 1995), available online; see & , Article 8, War Crimes in Commentary of the Rome Statute of the ICC ( 2022) ed., 4th ed.
(detailed discussion with further case law). ↩
Cf. , supra note 11; see also , supra note 9
(stating that “it has never been proven” that the use of cyber operations during armed conflict had the same harmful consequences as the use of kinetic weapons);
but see supra note 17, at 1155
(considering the (Russian) cyber attacks on Eastern Ukraine as ”possible“ war crimes). ↩
Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries, U.N. Doc. A/56/10, Arts. 4–9 (Aug. 2001), available online,
(establishing the rules of attribution of acts of State organs or private groups or agents to a State). ↩
See , State Responsibility in Cyberspace, in Research Handbook on Cyberspace and International Law 55 ( Jun. 26, 2015), & eds., paywall, doi
(for a discussion). ↩
(While a strict knowledge standard would make it difficult if not impossible to establish the territorial State’s responsibility, lower standards, like the infamous constructive knowledge, are highly controversial and thus difficult to agree on). ↩
See , supra note 9
(“kind of Trojan horse” leading to a “total cyber war”). ↩
(on proportionality in particular, Gill argues that the principle largely applies in the same way in case of cyber attacks). ↩
Cf. , Group of Governmental Experts on Development in the Field of Information and Telecommunication in the Context of International Security, U.N. Doc. A/70/174, at ¶ 28(d) (Jul. 22, 2015), available online
(mentioning the principles of humanity, necessity, proportionality, and distinction). ↩
Cf. Tallinn Manual, supra note 2, at 422
(“Only when a cyber operation […] rises to the level of an attack it is prohibited by the principle of distinction”).
(providing a more nuanced, dynamic interpretation, arguing that IHL principles may also apply to cyber operation below the attack threshold). ↩
See , supra note 9.
(In a recent, profound analysis, Bannelier-Christakis stresses the uncertainty and examines State practice and non-State/academic views in detail). ↩
(In a deeper analysis, Bannelier-Christakis concludes that it is “rather illusory” to strictly limit attacks to military objects given that the “interconnection between civilian and military networks is so deep”). ↩
Cf. & , Article 8 bis, in Commentary of the Rome Statute of the ICC ( 2022). ed., 4th ed.
(Note that the drafters preferred a narrow understanding focusing on kinetic force, notwithstanding, in line with the effects approach defended above, “the use of computer networks as weapons” may be qualified as the use of armed force within the meaning of the provision). ↩
Cf. Id. at 397 n.958.
(In fact, the commentary to Rule 84 on Individual Criminal Responsibility omits to mention the ordering alternative when discussing Article 25(3)(b) and moves this discussion to Rule 85(a) ). ↩
Suggested Citation for this Comment:
Cyber-Attacks as International Crimes under the Rome Statute of the International Criminal Court?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar#Ambos.,
Suggested Citation for this Issue Generally:
When Might Cyber Operations Constitute Crimes Under the Rome Statute?, ICC Forum (Mar. 7, 2022), available at https://iccforum.com/cyberwar.