The Cyberwarfare Question — Comments

Comment on the Cyberwarfare Question: “To what extent and under what conditions might cyber operations or cyberwarfare constitute crimes specified in the Rome Statute?”

The Extent to Which Cyberwarfare May Constitute Crimes Under the Rome Statute and Conditions for Accountability

The International Court of Justice held in 1996 that international humanitarian law applies to all means of warfare, including those of the future.1 Such a concept must be applicable to the Rome Statute; if means and methods of war change, so too must the laws regulating them. The regulation of cyber operations presents novel challenges for attributing criminal responsibility, particularly where advanced technology acts partially or wholly autonomously. It is possible, and necessary, to hold the perpetrators of crimes facilitated through cyber operations accountable, not least with the exponential advancement of artificial intelligence. Under certain conditions, this will be the case with a traditional interpretation of the Rome Statute; under others, the scope of criminal accountability may need to evolve alongside the means in which war crimes are committed.

I. Accountability Under the Rome Statute

Attributing accountability at the International Criminal Court (ICC) poses difficulty in prosecutions of even traditional war crimes. Article 5 of the Rome Statute limits the Court’s jurisdiction to only the most serious crimes under international law, which themselves set a high bar for both physical and mental elements.2 Genocide, for example, requires the actus reus to coincide with intent to destroy a group; the scope of crimes against humanity necessitates the act to occur within the context of a widespread or systematic attack; and the ICC has jurisdiction over war crimes insofar as they are committed as part of a plan or policy.

Once the actus reus of those crimes has been established, proving individual criminal responsibility presents the next difficulty, particularly where the high evidentiary burden is exacerbated by the challenges associated with collection of evidence during armed conflicts. For cyber operations, there is another barrier: the practical specification that accountability for crimes within the jurisdiction of the ICC relates to natural persons. The ICC’s jurisdiction is limited to natural persons;3 command responsibility requires a superior’s knowledge of crimes committed by subordinates;4 and individual criminal responsibility applies to a culpable “person.”5

Complexity therefore exists where the actus reus of a crime under the Rome Statute is directly perpetrated by cyber software or autonomous technology, such as a bug, virus, or artificial intelligence facilitating an illegal attack without the direct control of a combatant. Attributing intent, knowledge, and individual criminal responsibility where a crime is perpetrated by software is therefore both an evidentiary and substantive challenge. This inherent difficulty may cause such scenarios to slip outside of the scope of the Rome Statute where cyber operations are conducted by autonomous systems.

However, it is necessary to overcome this difficulty, evident in the exponential growth of cyber and autonomous technology utilized by states during armed—or non-armed—conflicts in the 21st century. In the dawn of artificial intelligence in military and civilian technology, the applicability of accountability pursuant to the Rome Statute will be even more necessary for war crimes that are perpetrated by these systems, whether in cyberspace or on the ground.

II. The Use of Cyberwarfare in Armed Conflict

Whilst the Russia-Ukrainian conflict has transpired predominantly with traditional methods of war, it has also served as a cyber battleground. The war has featured modern technology developed to confer a military advantage with a similar degree of destruction expected from an armed attack. The 2017 ransomware attack on Ukraine through the malware “Petya” is considered by many, including the United States, as both the most destructive cyberattack in history, and an attack from Russia.6 Financial institutions, government ministries, and public services were temporarily destabilized. Furthermore, although military objects were targeted, Petya also attacked private and civilian property through its indiscriminate design, including even hospital systems in Pennsylvania.7 Despite the U.S. estimating over $10 billion in economic damages were caused, the more significant impacts were perhaps the destabilization of Ukraine’s national infrastructure, from government services to transport to media.8 As the White House stated in not-uncertain terms: “It was part of the Kremlin’s ongoing effort to destabilize Ukraine.”9

Whilst the link between the cyber operation and the implication for Ukraine requires an adaptation of the traditional conceptualization of kinetic attacks, such an adaptation has been recognised in international jurisprudence. Scholars note that cyber operations may reach the threshold of aggression and gravity needed for culpability under the Rome Statute; for example, if a cyber operation disrupts emergency systems for first responders leading to civilian death.10 Moreover, it is widely agreed that cyberwarfare may have kinetic consequences and a degree of harm comparable to traditional weapons, which if used to commit war crimes, should not escape the scope of the Rome Statute.11 Although no war crime was alleged, the 2010 “Stuxnet” cyberattack on Iran’s nuclear infrastructure could likely satisfy this instrument-based test based on its gravity.12 Experts drafting the Tallinn Manual on the International Law Applicable to Cyber Operations recognized the duty for states to ensure that the use of cyber operations complies with the same rules of war that bind traditional weapons.13 It is difficult to argue that this ought not apply to military commanders controlling their use on the battlefield.

III. The Issue of Accountability for Crimes Perpetrated Through Cyber Operations

For cyberwarfare, a more complex issue than merely the requisite kind and degree of a criminal act captured by the Rome Statute, is the issue of accountability. Once a crime has prima facie been perpetrated through cyberwarfare, the requirements for the necessary mens rea and individual criminal responsibility must be attributed to a natural person. For standard cyber operations, this is a difficult ask: although both Ukraine and the U.S. documented evidence that Russia was responsible for the Petya cyberattack, no perpetrator was identified and no case was brought.

The ICC has held that, for the purpose of Article 8(2)(b), no actual damage or destruction is needed; only that a perpetrator launches an attack.14 In turn, the ICTY has held that the act of direction is satisfied where a perpetrator plans, orders, aids, or abets the attack’s instigation.15 Therefore, no direct kinetic damage is needed for the actus reus of either crime related to protected persons or objects under the Rome Statute—although the destruction of data and cyber property could arguably meet this standard in realities of the 21st century—only that an attack was directed against them.

However, the barriers to criminal accountability for the kind of cyberattack constituting a crime under the Rome Statute are, firstly, the requisite mens rea and, secondly, satisfying individual criminal responsibility with the evidentiary and prescriptive challenges associated with cyberwarfare. These difficulties will be more apparent as cyberwarfare evolves: what began as viruses targeting state-owned infrastructure directed by government developers could soon become entirely created, executed, and controlled by self-learning artificial intelligence.

This scenario is made even more complex for the international legal framework with the rapid expansion of “intelligent agents”: highly autonomous systems that can self-learn, make decisions, and outperform human capabilities. In the context of criminal accountability pursuant to the ICC, such a concept presents additional difficulty where there is financial and operational collaboration between the public and private sector; for example, the critical role of Microsoft and donors like Elon Musk in funding the development of OpenAI. Where private entities are responsible for military assets, such as Musk’s September 2023 Pentagon contract for military satellites or Ukraine’s plan to use Musk’s “Starlink” to attack Russian naval vessels, the application of traditional jurisprudence on military combatants and criminal responsibility becomes blurred.16

IV. The Mens Rea Issue for Cyberwarfare

As aforementioned, the mens rea standard for crimes under the Rome Statute is intent and knowledge.17 It is relevant that this mental element apply to the material elements of the charge, meaning that intent and knowledge must be attributed to all material conduct constituting the crime. For example, an alleged perpetrator must have knowledge that the execution of a cyber operation will result in the commission of a crime under the Rome Statute, and must intend to engage in the necessary act or be aware that it will occur in the ordinary course of events.

In the Petya example, this is a significant difficulty when considering the likely intended target of Ukrainian infrastructure and the self-replicating, self-adjusting nature of the highly-infectious virus. For “traditional” viruses, it is likely that the use of biological warfare is inherently unlawful due to its inherently indiscriminate nature, its propensity for inhumane and disproportionate suffering, and the ICTY’s treatment of the 1925 Geneva Protocol prohibiting chemical warfare as international customary law.18 For cyberwarfare that seeks to infect property, data, and infrastructure—physical, rather than biological systems—no such rule exists, and the mental elements under Article 30 must be attributed to the consequences of the cyberattack.

This burden of proof is especially problematic where there is the issue of autonomy. The use of cyberwarfare may be direct and surgical, such as Stuxnet developers ensuring that the virus could only target certain militarily-relevant software and containing safeguards against spreading to civilian computers.19 However, particularly with the involvement of artificial intelligence, cyber operations may be executed partially or wholly through autonomous systems. In 2023, the Georgetown Center for Security and Emerging Technology published a policy brief on autonomous cyber defense systems, as a direct response to the “immense damage caused by cyberattacks and recent advances in artificial intelligence.”20 The use of autonomous defense systems necessarily envisages the use of contrary autonomous cyber weapons systems. If artificial intelligence can identify, target, and execute defense operations to protect cyber infrastructure, it is a reasonable logical extension that artificial intelligence can autonomously identify, target, and execute hostile cyber operations. If cyber operations are executed with a kinetic link to harm, it is possible that such operations could be in violation of the Rome Statute, if those responsible do not implement adequate safeguards.

V. Individual Criminal Responsibility for Cyberwarfare: Evidentiary and Legal Challenges

The second barrier to accountability lies in Article 25 of the Rome Statute: individual criminal responsibility once a crime has been established. As aforementioned, criminal culpability requires that a natural person not only meet the physical and mental elements of the crime, but also meet the requirements for individual culpability. This creates both evidentiary and conceptual difficulties in regards to crimes related to cyberwarfare.

The issue with the collection of evidence and its attribution to individual perpetrators is exacerbated with cyberwarfare. Although limited evidence exists, major cyber operations like Petya and Stuxnet have not been pinned on any perpetrator, public or private. The line between the two also adds complication, such as the evidence suggesting “private” entities Kaspersky Lab and Equation Group may be secretly state-controlled by Russia and the United States, respectively. Cyberwarfare is deliberately kept in a legal grey area, so that militaries may operate clandestinely; it was not until Edward Snowden’s whistleblowing that U.S. “offensive cyber operations” capabilities were somewhat revealed.21 Despite no physical acts of aggression, policy documents demonstrate thousands of cyber operations directed at controlling or destroying foreign infrastructure, all of which the Obama Administration declined to acknowledge.22

The other challenge for accountability is a prescriptive one; that is, meeting the legal requirements for individual criminal responsibility. If the Prosecutor were to charge an intelligence director or head of state for a crime committed through cyberwarfare, that Prosecutor must satisfy the “known or should have known” test under Article 28 of the Rome Statute to establish culpability. That burden is difficult to establish where a cyberattack, with kinetic consequences on protected persons or property, can be defended by pointing to rogue software, an unforeseeable deviation of the cyber operation from the plan, or autonomous artificial intelligence. For individual criminal responsibility under Article 25, the crime must be attributed to a “person,” who must have committed, ordered, or facilitated the actus reus of the criminal element of the cyber operation—not simply the cyber operation itself—resulting in the same legal difficulties.

VI. The Extent to Which Accountability for Crimes Under the Rome Statute Exists for Cyberwarfare

Criminal responsibility for cyber operations that constitute crimes under the Rome Statute—those with a kinetic and causal link to a violation—is possible under current legal conceptualizations. Although evidentiary and practical legal barriers exist in identifying and prosecuting individual perpetrators, those barriers can be overcome. For example, a cyber operation that targets infrastructure resulting in extensive destruction and appropriation of property not justified by military necessity, in violation of Article 8(2)(a)(iv) of the Rome Statute, may be attributed to a military intelligence officer with intent and knowledge related to the material elements of that operation.

This understanding that cyber operations may constitute crimes under the Rome Statute is widely-held. The International Committee of the Red Cross unequivocally considers that “cyber tools that spread and cause damage indiscriminately is prohibited” and that the interconnectivity of cyberspace means that a “cyberattack on a specific system may have repercussions on various other systems,” which may create the material elements of a crime.23 For example, the expansionist and aggressive nature of Petya took it from lawfully-targeted Ukrainian infrastructure to a protected hospital in the United States.

International criminal law foresaw the necessity of its application to future methods of warfare, as the International Court of Justice confirmed, such as the obligation to assess the lawfulness of new technology under Article 36 of Additional Protocol I to the Geneva Conventions.24 As such, military commanders are obligated to ensure that the development and use of cyber technology does not disproportionately or indiscriminately target civilians or civilian infrastructure, applying the rules of the Rome Statute just the same as with traditional means of warfare.

However, the extent to which criminal culpability under the Rome Statute applies to cyberwarfare may require the Prosecutor to assess the cyber operation with a degree of analysis that proves a practical barrier to liability. As Gervais notes, although cyberattacks directed at the networks of protected objects would be unlawful, incidental damage to civilian infrastructure would not constitute a violation:

[I]f the intent of a cyberattack is to achieve a military advantage by targeting computer systems used for military objectives, and if the attackers conduct such attacks with reasonable precaution for likely collateral effects.25

The Prosecutor’s investigation of an alleged crime necessitates an assessment of not only the gravity and material elements constituting the crime, but an assessment of the material elements of the cyber weapon used (including its capability for distinction, proportionality, and any mitigating components like safeguards), correct identification of the perpetrators (public or private), and a determination of the mental elements of the Rome Statute. The latter subsequently includes assessment of the likely intent of the developers and executors of the cyberweapon, and a determination of whether those perpetrators knew or ought to have known the foreseeable consequences of the cyberattack.

This would require not only a legal assessment, but a detailed technological analysis of the cyber weapon to ascertain its likely use and the foreseeability and likelihood of repercussions constituting a crime. Such a legal and investigative burden may be particularly challenging for an Office handling multiple situations, cases, and resource constraints. However, it does not deter from the fact that, to the extent that a perpetrator may be identified and evidenced to be responsible, cyberwarfare may constitute a crime under the Rome Statute.

VII. The Conditions for Accountability Where Cyber Operations Include Autonomous Systems

As previously mentioned, conditions for accountability may necessitate adaptation to international criminal law where cyberwarfare involves autonomous systems. Brownlie writes that “adapting the principles of international humanitarian law to the use of cyberattacks is not only possible but also appropriate given its growing popularity.”26 It is arguable that cyber operations, like the kind described above, do not necessitate an adaptation of principles. Instead, cyberattacks with targets or consequences that constitute the elements of a crime under the Rome Statute may be unlawful under existing principles.

I assert that cyberwarfare instead may require an adaptation of accountability pursuant to the Rome Statute. This is particularly where there are autonomous elements to the attack, such as autonomous systems or control by artificial intelligence. The distinction lies in where the individual alleged to be responsible for the attack lies along the metaphorical “loop.” In artificial intelligence jurisprudence, the “loop” refers to the chain of critical tasks performed by a system: “on-the-loop” systems include a natural person capable of exercising meaningful control over their critical functions, and “out-of-the-loop” systems can perform their critical functions without any human intervention.27

The challenge for accountability in artificial intelligence and autonomous cyber systems arises where the material elements of a crime (for example, the unlawful direction of a cyberattack against civilian property) are perpetrated without a natural person exercising meaningful control. In such a scenario, it is difficult to attribute both actus reus and mens rea to a natural person under the jurisdiction of the ICC, and establish the requirements for individual criminal responsibility.

For a natural person to be culpable under the Rome Statute for an “out-of-the-loop” cyberattack, the Prosecutor would have to overcome multiple barriers beyond proving the elements of the crime. The Prosecutor would firstly have to prove that, for example, an “attack” within the meaning of the Rome Statute was directed at a protected person or property. This necessitates an approach that considers the cyber network or infrastructure of a protected object as part of that object and falling under its protection; for example, the cyber systems of the hospital in Pennsylvania. Where there is a kinetic consequence, such as the technological failure of hospital equipment with health implications for civilians, this may be established, especially since no physical damage is required (only that an “attack” according to law was directed).

However, any of the corresponding crimes specified in the Rome Statute for targeting a protected person or object require the “intentional” direction of an attack, thereby including a mental aspect in the actus reus of the crime.28 This complexity is especially burdensome in conditions where the launching of the attack (pursuant to the judgement of the ICC)29 is directed by software controlled by artificial intelligence operating autonomously. The travaux préparatoires adopted the interpretation that this requisite intentionality applies to not only the direction of an attack, but also to the unlawful object of the attack; that is, a perpetrator must intentionally direct an attack and intentionally do so against a protected person or object, thereby requiring factual awareness of its protected status.30

The Prosecutor must then satisfy the mental elements under Article 30 of the Rome Statute. Intent to carry out the material elements of the crime is difficult to attribute where those elements were technically “directed” by an autonomous computer virus or an artificial intelligence. A military officer may intend to utilize such a cyber operation, but not intend the consequences that were natural and foreseeable with the cognitive capability of the artificial intelligence but not the individual. For example, AI software may be developed to attack lawful targets, but its inherent autonomy and ability to operate completely “out-of-the-loop” means it will cause indiscriminate harm to civilian systems. In such a scenario, the developers may point to their lack of intent or awareness to escape culpability, and it would be difficult to prove awareness of how an artificial intelligence will operate in the ordinary course of events.31

Where an artificial intelligence cyber system can also self-learn and adjust decision-making processes, it may be impossible to attribute knowledge to a human developer. Releasing Petya or Stuxnet on the battleground with the intention to attack military targets may be lawful; requiring awareness of how a cyber system with cognitive capabilities exceeding that of a human will operate in the ordinary course of events may be unjust. For the purposes of a prosecution, this may be the case even when a military commander was negligent or reckless in the development and utilization of such a software.

Finally, if the physical and mental elements of the charge are satisfied, the Prosecutor must then attribute individual criminal responsibility to a natural person. In the previous example, where AI software conducts a cyberattack against a hospital, the Prosecutor must establish culpability under Article 25(3) of the Rome Statute. This necessitates that a person (commander or subordinate) directly commits the crime; indirectly commits it with or through another person; orders, aids, or abets the crime; or contributes within a group of persons acting with a common criminal purpose.

In all cases, Article 25 of the Rome Statute requires that a natural person be meaningfully and materially involved in the actual commission of the crime. Insofar as ordering, soliciting, or inducing under Article 25(3)(b) is applicable where a military commander “orders” the execution of an unlawful attack by a cyber operation, this may be impractical where the attack is executed by artificial intelligence, with its own cognition, capable of making decisions without direct orders to commit the criminal act.

VIII. The Possibility of Adaptation for Accountability Under the Rome Statute

As Erik Jensen writes, “Too narrow a view on accountability unnecessarily limits the application of legal norms to autonomy on the battlefield.”32 Whilst this is undoubtedly the case in the development of legal norms and application of principles, accountability in the context of crimes specified in the Rome Statute may require an unnatural stretching of its scope.

One possible solution is a broad consideration of what physical and mental elements are required to order the commission of a crime under Article 25(3)(b) of the Rome Statute where the attack is targeted and executed by artificial intelligence. This may also require the mutual understanding amongst states that if an artificial intelligence software or autonomous cyber system is developed and utilized in an armed conflict, military commanders or government leaders may be held to a high standard of awareness and foreseeability. This may unfairly attribute an understanding of artificial intelligence to leaders, who lack full knowledge of what the ordinary course of events is in an artificial intelligence’s chain of decision-making and actions. However, it would also seek to ensure that the use of cyber software with cognitive capabilities can comply with international criminal law in all circumstances, and hold military commanders and state leaders accountable for the approval of such systems.

Another normative solution is the expansion of “personhood” within the context of the Rome Statute. As aforementioned, individual criminal responsibility necessitates the natural person as both perpetrator and executor. Even in the case where the accused is responsible for committing a crime with or through another person, or acts in a group of persons who jointly commit the crime, the crime must be physically executed by at least one person. Even where the Rome Statute specifically states that only the perpetrator’s criminal liability is at question, the executor must be a “person.”33

If a military commander or state leader is responsible (in a practical sense) for the development, approval, and deployment of artificial intelligence software that results in the elements of a crime, the most natural form of culpability is indirect criminal responsibility. Specifically, a perpetrator is indirectly responsible for committing a crime through the executor that pulled the trigger (or, in the case of cyberwarfare, launched the code). The Rome Statute intentionally specified that the executor’s own criminal responsibility is irrelevant for indirect criminal responsibility. Whether a person or a machine, only the perpetrator’s culpability is considered, meaning that the ICC does not need to have jurisdiction over the executor.34

The ICC has held that indirect perpetration, or “perpetration-by-means,” occurs where the “perpetrator-by-means uses the executor as a mere tool or an instrument for the commission of the crime.”35 This complements the express provision that the executor’s intent, knowledge, and responsibility is not required. Therefore, it is only necessary to assess the perpetrator’s awareness to establish the requisite mens rea of intent and knowledge. It is arguable that in the realities of warfare and technology in the 21st century, artificial intelligence may be considered a “person” within the scope of Article 25(3)(a) of the Rome Statute.

A cyber system may be self-learning, self-operating, completely out-of-the-loop, and possess cognitive capabilities exceeding that of a natural person’s. An artificial intelligence may execute the decision-making processes of a crime autonomously, just as a person would. Although the software cannot be culpable under the Rome Statute, it does not need to be. Only the commander who possessed awareness of its use and consequences would be culpable under this conceptualization of personhood in this example. By attributing a form of legal personhood to artificial intelligence for the sole purpose of indirect criminal liability in the context of the Rome Statute, the door may be opened for accountability for developers and commanders.

IX. Conclusion

International humanitarian law applies to all means of warfare, including those of the future. When the International Court of Justice envisaged those new methods, it is likely they considered cyber operations with kinetic consequences for protected persons or property.36 It is less likely that they considered the scope and extent of artificial intelligence capabilities in armed conflict, and the degree to which armed conflict will be waged in cyberspace. The extent to which cyberwarfare may constitute crimes under the Rome Statute depends on the application of rules to cyberattacks as traditional warfare, albeit with a different conceptualization of what constitutes unlawful targets in relation to networks and cyber infrastructure.

A greater difficulty is the question of accountability, particularly as artificial intelligence is used to make systems more autonomous and more intelligent, thereby distancing any one person from the chain of decisions and actions leading to the commission of a crime. Although possible under current interpretations of the Rome Statute, notwithstanding evidentiary and practical challenges for the Prosecutor, it may be necessary to expand the scope of accountability in the future as artificial intelligence and cyberwarfare become more engrained in the means and methods in which wars are waged.

Endnotes

1. Legality of the Threat or the Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J., ¶ 86 (Jul. 8, 1996), available online, archived.

2. Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9 [hereinafter Rome Statute], Art. 5, available online.

3. Id. at Art. 25(1).

4. Id. at Art. 28.

5. Id. at Art. 25(3).

6. Sarah Huckabee Sanders, White House Press Secretary, Statement on NotPetya (Feb. 15, 2018), available online.

7. Western PA Hospital Victim of Russian Cyber Attack, DOJ Says, WPXI News, Oct. 19, 2020, available online.

8. Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyber Attack in History, Wired (Aug. 22, 2018), excerpt available online.

9. Sanders, supra note 6.

10. Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int’l L. 525, 526 (2012), available online.

11. Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat’l L. 885, 888 (1999), available online.

12. Ian Brownlie, International Law and the Use of Force by States 362 (Mar. 26, 1963), paywall.

13. Michael N. Schmitt ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 467 (2017), paywall, doi.

14. The Prosecutor v. Bosco Ntaganda, ICC-01/04-02/06, Judgment, ¶ 1136 (ICC TC VI, Jul. 8, 2019), available online.

15. Prosecutor v. Tihomir Blaškić, IT-95-14, Judgment, ¶ 31 (ICTY TC, Mar. 3, 2000), available online.

16. Tara Copp, Elon Musk Blocking Starlink to Stop Ukraine Attack Troubling for DoD, AP, Sep. 12, 2023, available online.

17. Rome Statute, supra note 2, at Art. 30.

18. Prosecutor v. Duško Tadić, IT-94-I-AR72, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶¶ 96–127 (ICTY AC, Oct. 2, 1995), available online.

19. William J. Broad, John Markoff & David E. Sanger, Stuxnet Worm Used Against Iran was Tested in Israel, N.Y. Times, Jan. 15, 2011, paywall.

20. Andrew Lohn, Anna Knack, Ant Burke & Krystal Jackson, Georgetown Center for Security and Emerging Technology, Autonomous Cyber Defence: A Roadmap from Labs to Ops 2 (Jun. 2023), available online.

21. Barton Gellman & Greg Miller, “Black Budget” Summary Details U.S. Spy Networks Successes and Failures, Wash. Post, Aug. 29, 2013, paywall.

22. Barton Gellman & Ellen Nakashima, U.S. Spy Agencies Mounted 231 Offensive Cyber Operations in 2011 Documents Show, Wash. Post, Aug. 30, 2013, paywall.

23. International Humanitarian Law and Cyber Operations During Armed Conflicts—ICRC Short Papers, ICRC (Mar. 7, 2023), available online.

24. Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, Art. 36, 1125 U.N.T.S. 3 (Jun. 8, 1977) [hereinafter Additional Protocol I], available online, archived.

25. Gervais, supra note 10, at 525.

26. Brownlie, supra note 12, at 362.

27. Swati Malik, Autonomous Weapon Systems: The Possibility and Probability of Accountability, 35 Wis. Int’l L.J. 609, 612 (May 24, 2018), available online.

28. Rome Statute, supra note 2, at Arts. 8(2)(b)(i)-(iii), 8(2)(b)(ix).

29. Prosecutor v. Ntaganda, supra note 14, ¶ 1136.

30. Prosecutor v. Blaškić, supra note 15, ¶ 185.

31. Rome Statute, supra note 2, at Art. 30(2)(b).

32. Erik Talbot Jensen, Autonomy and Precautions in the Law of Armed Conflict, 96 Int’l L. Stud. 577, 594 (2020), available online.

33. Rome Statute, supra note 2, at Art. 25(3)(a).

34. Id. at Art. 25(1).

35. The Prosecutor v. Germain Katanga and Mathieu Ngudjolo Chui, ICC-01/04-01/07-717, Confirmation of Charges, ¶ 495 (ICC PTC I, Sep. 30, 2008), available online.

36. Legality of the Threat or the Use of Nuclear Weapons, supra note 1.

When artificial intelligence and information technology exceed our humanity, we must take a stand, especially against those who use the grey area. By that, we mean that the use is unregulated and does not appear to have exceeded an applicable legal text. At the same time, the cumulative effects are devastating, especially in sowing discord and destroying the social stability of countries, including targeting protection systems for facilities that provide necessary civil services to humans, such as electricity, water, and health.

The challenge does not lie in proving that the crime occurred through cyber attacks, since the effects that can appear clearly will appear certain. The challenge is in proving the seriousness that rises to the threshold of the most severe crimes according to the Rome Statute, and more than that, the challenge appears in proving who is responsible for those.

Definition of "cyber operations" versus its sub category "cyber warfare" is pertinent for it enables recognizing, conceptualizing and setting up indicators to measure State (or inter-State) cyber operations; as distinct from State (or inter-State) Military self-defense operations from cybercrime (organized crime). In all three lines of operations civilians (a specific population or sub-set of population) are targets and victims.

Use of "Cyber operations" concept enables one to shift focus to risk analysis of full scale weaponization of Rome Statute via Integrated eGovernance using Knowledge Management as defined by articles 73 "Third Party Documents" integrated with article 30 "Mind Element" for structural and sustained operations against ethnic or minority populations.

Knowledge Management, as it pertains to use of State Governments collecting, harvesting, archiving Sensitive Personal Information of all Citizens and Residents within a region or territory, mainly via Consortia-based contractual agreements with Third Party service providers; the 3rd Party providing (total solutions) Knowledge Management Services meaning Electronic Document and Archives Management (EDMA) hand-in-hand with Customer & Content Relationship Management (CRM) solutions with technical operational capacities for real-time, on the fly, 24/7 micro-targeting all decisions and Decision Recommender Systems (DSS) regarding individuals and ethnic or minority groups enables the "Third Party" holdings of, and total control of "memory" which means total control of "legal evidence".

Article 73: this refers to documents, documentation and archives that a State, signatory to Rome Statute Jurisdiction, contracts out to a 3rd Party (either another State, integrated eGovernance other party or a technology & securities consultancy firm) in which the operative word is "secrecy" meaning the 3rd Party cannot be forced to inform the Prosecutor or ICC of its methods, algorithms or its potential legal evidence simulation digital platforms and archives collections based on Parallel and Multiverse (document universe) constructions using Artificial Intelligence (AI) based self-learning simulation (digital platforms) that are rendered under "commercial and trade agreement IPR-protection" - the aforementioned argument of secrecy of "cyber operational methods in use".

When one combines Rome Statute article 73 "Third Party Document and Archives" with Article 30 "Mind Element"; the act of knowing, knowingly doing, acting with knowledge, with integrated knowledge (management), with intent and with knowledge of deploying and operationalizing structural discrimination; crimes against humanity, war crimes, crimes of aggression and hate crimes as sustained strategy, operations and targeting against ethnic and minority groups with full knowledge of sustained depletion of resources, of living environments and of full scale isolation and life-cycle control of an ethnic or minority group inclusive of control of cross-generational heredity (pertaining to control of genomics & origins, stripping of property and assets, destruction of memory via archives control) then one has arrived at the true "cyber operations in use by integrated eGovernance".

The problem in dialog and discussion forums at ICC, Eurojust and other forums is that integrated eGovernance and integrated eJustice platforms are in control of 3rd Parties and Legal Profession lobby groups who also devise and set up "learning and advisory" forums for the specific purpose of controlling directionality of opinion formation - to divert attention from core issues in Crimes Against Humanity & War Crimes - by hacking into International Criminal Laws, such as Rome Statute to weaken it and weaponize laws turning advisory boards and the ICC Court into "cyber theaters" in which the voiceless, attacked by cyber operations and locked out of digital access, are controlled by the 3rd Party, not to be heard and denied a say.

A reasonable start is therefore to define terminology, such as "cyber operations", "Third Party", "Knowledge and Archives Management", "Legal Evidence", "Documents", "Dual Use operations and documents", "Parallel Use operations and documents", "Integrated eGovernance", "Government & 3rd Party holdings and control of Targeted individuals", etc. It should be clearly recognized that integrated eGovernance holding and controlling collective and individual memory (documents, archives, legal evidence) is NOT a "neutral entity" but a power construct that serves the most powerful optimizing all governance, communication and law revisions processes to serve its position.

Having said the above, Rome Statute article 72 "National Security" and/or article 51 "Self Defence" may be used by States and powerful entities to justify their actions and for arguments of immunity from being prosecuted. For example, a State might contract out ethnic and minority group cleansing from a 3rd Party and agree with 3rd Party that certain persons with certain profiles are used for HumanLab medical, psycho-social or neuro-cognitive experiments then culled and eliminated from the general population as of no utility; and the State could argue the operations to be for "national interest" or "of general good". For example, Nazi Germany argued elimination of disabled persons, mentally ill persons and Jews is of national interest of pure and healthy Aryan race.

In a modern version of similar lines of thought, Member State of EU, State of Finland engaged in a HumanLab experiment codified in Law; Finlex 1350/2014 identifying minority (elderly, disabled, mentally ill) and special minority groups (ethnics, asylum seekers, terrorists) for individual targeting, costs elimination and denials-of-services without due process and to be sustained 2015- (to date). Central to HumanLab contracts is cyber operations using 3rd Party Document and knowledge management (Rome Statute article 73 and 30) to plan structural processes and decision-making algorithms and systems that will produce desired outcomes of "targeted eliminations" of the undesirable, feeble, non-pure population segments. The contracts for experiments were made by Finnish Finance Ministry and Local/Regional Governments (many of which operated as Consortia). In most cases, IT companies such as CGI (Canada) provided electronic Document and Archives processing tools for "local operators" within local government regions given "free hands" and "Criminal immunity" to achieve contractual economic goals. The results have been horrific. Evidence of operations though will not be found in 3rd Party documents or archives as part of the "contractual deals" was for each targeted Customer, the Customer narrative Relationship manager responsible for "steering" the EDMA/CRM of a targeted individual, group or segment was responsible for securing full co-operation of all personnel in Administration and governance to agree of operational strategy, methods and narrative (alternative story line) to be written down collectively as legal evidence. The cyber operations thus taking the form of Government steering of local government Consortia "insider group" activating near community gang stalking targeting individuals for denials of service, denials of due process, enslavement, disappearances and elimination akin to model Social Credit-scheme and Extrajudicial Trials used in China, US and EU.
Such methods are at times referred to as legitimate, legalized "hybrid-economic-acts" when in fact these measures are aimed at elimination of minority and special minority groups otherwise known as eugenics or Intelligent design-selection methods for elimination or other uses.

Added to the above example from modern-day Finland, is Social and Welfare Law STM (2019) Third Party Secondary Use of Sensitive Data and its Commercialization. In essence Consortia Government has placed Citizens and Residents into Secondary legal position in relation to Universal Rights and Fundamental Freedoms (as well as Rome Statute) and the Consortia eGovernment into Primary Legal position. To be specific, Sipilae Administrative Government in 2019 (after 5 year Trial phase) enslaved its population to be used at will of Consortia eGovernance without any choice, options, due process or fair trials with the Government having "holdings" of its Customers (being all Citizens and Residents, their Sensitive data and resources) and having Rights to "own and commercialize" thereof and parts of.

I have provided a modern day case example from Europe, Member State Finland - a seemingly widely respected functioning democracy and free society based on social Welfare and Rule of Law that is ethnically a monoculture, known for obedience to authority, known to lack diversity in opinion formation, analysis and dialog of complex issues.

My comment may be provocative. Particularly, it is so given the known and documented information I have submitted to Member State Finland legal authorities in 2014, 2016 and beyond of "cyber operations living HumanLab environments against minority and special minority groups"

To recap: To what extent does integrated eGovernance Use Third Party Documents (article 73) and integrated Knowledge Management (article 30) target minority and special minority groups for sustaining/sustained outcomes of Crimes Against Humanity, War Crimes, Elements of Crimes and Crimes of Aggression by placing ethnic and minority groups Universal Human Rights and Freedoms into Secondary and Subservient position to the 3rd Party? - that is my question.

As a case example, I offer Member State Finland Finlex 1350/2014 in context of Third Party Secondary Use of Sensitive Personal Data and its Commercialization without choice, consent, being informed and by targeted individuals being labelled of "legal incapacity" for self-determination by means of cyber operations or one-sided Consortia declarations of "feeble mindedness or other incapacity" to bring a case to International Criminal Courts.

In anticipation that my dialog is not blocked by cyber operators, I submit my comment with a question I ask to be raised in 2022 into major level question and for experts to engage this emergent topic with vigor and above all integrity and courage.

I thank you for the opportunity to comment, Tiina Ison from Lappeenranta, Finland

The layman that I am can only give you my opinion as a victim of torture from a first hand perspective, tortured for over a decade, and still seeking justice.

But it is my opinion that cyber warfare is not a fair description of events to which one can comment fairly easily, as a victim would not, in all reality, be a combative party whom at the least may be suffering the way one might as a targeted and suffering individual might in a war zone or as a prisoner of war might but not as some equipped to retaliate or combat these attacks effectively.

While also seeking help in these situations, one might think it impossible to end their suffering while under attack due to electronic counter measures meant to isolate the victim.

Cyber Attacks and the Crime of Aggression

With rapidly advancing technology comes the disastrous reality of cyber attacks. This comment explores whether cyber attacks can be prosecuted at the International Criminal Court (ICC) as crimes of aggression. Section I discusses the Iran Stuxnet cyber attack. Section II explores creative interpretation of the Rome Statute, Art. 8 bis, and other relevant documents, illustrating that certain severe cyber attacks may constitute crimes of aggression. In Section III, the Iran Stuxnet cyber attack exemplifies how such cases could potentially be further investigated and pursued at the ICC. Section IV highlights the many challenges with the ICC as a forum for prosecuting cyber crime, including the issues with the limitation to State Parties and state actors, the opt-out provision, the Security Council referral, the determination of an act of aggression, the manifest violation, and the gravity requirement. Ultimately, cyber attacks can be included within Article 8 bis of the Rome Statute but many cases remain outside of the jurisdiction of the ICC—demonstrating the forum’s ineffectiveness and inefficiency for any practical application with cyber crime.

I. What is Stuxnet?

Stuxnet is a computer worm.1 It is a malicious software (malware) program that is able to work independently from its host file, and was created to spread through a USB device in order to infect a specific control system called the Programmable Logic Controller (PLC).2 These PLCs determine how a given machine or system operates.3 PLCs control certain supervisory control and data acquisition systems (SCADA).4 SCADA reports real-time data about the corresponding machine or system it monitors.5 SCADA are used to oversee the proper functioning of equipment or plants in a wide variety of industries.6 The Stuxnet worm can reprogram PLCs to operate in a different way than how the program was originally designed to function.7 At the same time, the Stuxnet worm also infects the SCADA and makes all the data appear completely normal—covering up its tracks by deceptively showing that the plant or facility is working properly when it is not.8

In the case of the specific Iran Stuxnet worm, the malware is believed to have spread through a USB thumb drive that was implanted at a facility in Natanz, Iran by a mole or double agent.9 Stuxnet targeted the PLC of the Natanz facility, tampering with the system that controlled the uranium centrifuges at the plant.10 These uranium centrifuges that the Stuxnet worm targeted are essential to the creation of nuclear reactors and nuclear energy.11 The worm caused a number of centrifuges to spin at such a high speed that they were, in the end, rendered completely useless.12 In the meantime, the worm also addressed the SCADA, which would make this increase in centrifuge speed virtually undetectable to any supervisors of the facility.13 These two components, changing the programming and then cloaking of any evidence of abnormal operation, made for an incredibly specific and destructive invasion.14 The worm, and this technology, proved to be as effective and powerful as traditional kinetic weaponry or force, yet even more precise in its targeting and stealth.15 The malware was even programmed to delete itself from the computers it infected after a certain amount of time.16 Stuxnet presents the terrifying new reality of such sophisticated malware in cyberwarfare.

The Iran Stuxnet worm was discovered at the Natanz facility in June 2010, about two years before it was programmed to self-destruct.17 It is unclear exactly how long the Stuxnet malware was operating before its discovery in 2010.18 Nevertheless, it ran long enough to render multiple uranium centrifuges nonfunctional and essentially worthless—causing significant economic and material loss.19 In addition to the wasted uranium, all of the metal in the affected centrifuges was ruined, which further contributed to a metal shortage of particular types of metal in Iran during this time.20 Also, all computer systems at the facility needed to be replaced, to ensure the worm was permanently disabled and would not continue to spread.21 Replacing all the computer systems was known to be an exceedingly difficult undertaking for a country with strict trading sanctions.22 The effects of the Stuxnet worm are believed to have set the Iranian nuclear program back several years.23 The U.S., Israel, or both working together were suspected of perpetrating the Stuxnet attack; there is even “strong evidence” that these countries conceptualized the program, facilitated its coding, and deployed this attack on Iranian nuclear facilities.24 Could the ICC Prosecutor have opened an investigation into the Stuxnet case and potentially pursued prosecution? To answer this, we must first determine if cyber attacks can ever be considered crimes of aggression at the ICC.

II. Can Cyber Attacks be Crimes of Aggression?

Cyber attacks can constitute crimes of aggression under Article 8 bis of the Rome Statute. The Kampala Amendments, which first established the ICC crime of aggression in June of 2010, define the crime as:

[T]he planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.25

Thus, there must first be an act of aggression in order for there to be a crime of aggression at the ICC.

The aforementioned “act of aggression” in Article 8 bis originates from the United Nations (U.N.) Resolution 3314 (XXIX) and is defined as:

[T]he use of armed force by a State against the sovereignty, territorial integrity, or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.26

The U.N. Security Council is responsible for determining whether there has been an act of aggression.27 Therefore, it is ultimately within the Security Council’s purview to decide that “the use of armed force by a State” can include certain severe cyber attacks. Cyber attacks have the potential to be extremely destructive and the impacts can be on par, or even worse, than those of kinetic weaponry and force.28 It is necessary for the interpretation of “armed force” to expand beyond just traditional kinetic understandings if the ICC is to even have a chance at keeping pace with technological innovations and its very real consequences for the international community.

Additionally, both Article 8 bis and U.N. Resolution 3314 refer to violations of the U.N. Charter. Relevant articles of the U.N. Charter include Article 2 paragraph 4:

All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.29

The “use of force” in Article 2 of the U.N. Charter should encompass cyber attacks.30 Further, these attacks are clearly inconsistent with the purposes of the U.N. which are to maintain international peace and security, to develop friendly relations, to solve social, cultural, humanitarian, and economic problems, and to be an intermediary in harmonizing nations’ actions to achieve these ends.31 Cyber crime is fundamentally inconsistent with all of these established international values.

The Security Council’s decision is meant to be “without prejudice” to the ICC’s findings and determination under the Rome Statute.32 Thus, the Prosecutor would subsequently also decide if cyber crime could qualify as an act of aggression at the ICC. Article 8 bis(2) lists seven examples of acts that “qualify as an act of aggression”, including “the invasion or attack by armed forces of a State of the territory of another State” and “the use of any weapons by a State against the territory of another State.”33 The Prosecutor could consider cyber attacks to be an “invasion or attack” by armed forces and, certainly, to be “the use of any weapon”. Furthermore, the list of examples is not exhaustive so cyber attacks could nonetheless be considered within the context of the crime of aggression, regardless of how they fit in the seven listed illustrations. In all, the language of the Rome Statute and its sources would allow cyber crime to be prosecuted at the ICC as a crime of aggression. If the Security Council creatively interprets “armed force”, cyber attacks can be included in the definition of an act of aggression—the “planning, preparation, initiation or execution” of which could be a crime of aggression at the ICC.

III. Could Stuxnet be Prosecuted as a Crime of Aggression?

The Stuxnet case would need to meet all jurisdiction and admissibility requirements in order to be investigated or prosecuted at the ICC.34 The prosecutor also considers if it is in the interest of justice to pursue the case.35 For many cyber crimes, and even for Stuxnet, there are significant challenges to satisfying most of these requirements. These obstacles will be addressed and discussed in Section IV.

A. Jurisdiction Requirements

The jurisdictional requirements which must be proven in order to pursue a case at the ICC are subject matter jurisdiction, temporal jurisdiction, and either territorial jurisdiction or active nationality jurisdiction.36

1. Subject Matter Jurisdiction

There must be subject matter jurisdiction for one of the four crimes in the Rome Statute.37 For the Stuxnet case, there arguably is subject matter jurisdiction because all six elements of the crime of aggression are met. First, the perpetrator “planned, prepared, initiated or executed an act of aggression.”38 This act was definitely “planned, prepared, initiated, and executed” since the Stuxnet worm was designed many months in advance, as further explained below, and obligated a precise series of actions—culminating in the execution at the Natanz facility. The invasion of the malware and its subsequent destruction constitutes an act of aggression because it was the use of armed force against the sovereignty and territorial integrity of Iran.39 The use of armed force was certainly inconsistent with the U.N. Charter.40 Additionally, this cyber attack fits into one of the Article 8 bis examples: the “use of any weapons by a State”.41 Stuxnet, designed to be as physically destructive and calamitous as weapons of the conventional understanding, would categorically be “any” weapon.

Second, the perpetrator was most likely “in a position effectively to exercise control over or to direct the political or military action of the State which committed the act of aggression.”42 Designing and creating malware of this sophistication was estimated to have taken up to ten programmers upwards of six months to code.43 This would have been an incredibly costly endeavor.44 Thus, it is strongly believed that such a precise and powerful program was most likely ideated and backed by a state government.45 As previously mentioned, there is strong evidence that Stuxnet was formulated by the United States and Israel governments.46 Further investigation by the Prosecutor, once the investigation is authorized to begin, would likely lead to specific members of leadership who had effective exercise of control over political or military action of the state.

Third, the act of aggression “was committed”.47 As established for the first element of the crime, this was an act of aggression because the Stuxnet malware could be interpreted to be a use of armed force against another state’s territorial integrity or political independence. This “was committed” when the malware infected the PLC and the SCADA at the Natanz facility, causing the destruction of multiple uranium centrifuges.

Fourth, the perpetrator would have been “aware of the factual circumstances” that make weaponizing such malware inconsistent with the U.N. Charter.48 Stuxnet was created and executed at Natanz for the sole purpose of damaging as many centrifuges at the uranium enrichment facility as possible. There is a global understanding that purposefully sending such an attack upon another country would be inconsistent with the U.N. Charter, which was established to promote peace and stability between nations.49

Fifth, the act constitutes a “manifest” violation of the U.N. Charter because of its character, gravity, and scale.50 The Kampala Conference established that no single part of character, gravity, or scale could meet the “manifest” threshold on its own.51 Therefore, there must be some combination of these factors. There is no precedent for what kind of situation would constitute a “manifest” violation or how the prosecutor would consider the character, gravity, or scale of a given cyber attack. It is possible that the Stuxnet example could meet this bar. It was not a small invasion of unknown impact; this was an intentional attack upon the energy resources of another state, which resulted in substantial material loss of high value on a very large scale.52

Sixth, the perpetrator was “aware of the factual circumstances that established such a manifest violation.”53 Stuxnet was not accidentally created or executed. It was designed for the precise purpose of causing damage and disabling multiple uranium enrichment centrifuges.54 It is apparent that the perpetrators would have been aware that the malware, created for the very purpose of causing significant destruction, would be of a severe character, gravity, and scale—and, thus, a manifest violation. The Stuxnet example, and other cyber crimes like it, could theoretically fulfill all the elements for the crime of aggression and therefore establish subject matter jurisdiction at the ICC.

2. Temporal Jurisdiction

For an ICC investigation and possibility of prosecution to begin, there must also be temporal jurisdiction.55 The Rome Statute went into force in 2002.56 However, the exercise of jurisdiction for the crime of aggression is distinct from the rest of the Rome Statute crimes. Article 15 bis outlines the exercise of jurisdiction over the crime of aggression, and it specifies:

[The] Court may exercise jurisdiction only with respect to crimes of aggression committed one year after the ratification or acceptance of the amendments by thirty State Parties.57

This ratification by thirty State Parties only happened in June 2016.58 Moreover, Article 15 bis also establishes that there is no jurisdiction before a vote by State Parties that would take place after January 1, 2017.59 Thus, there could not be jurisdiction over the crime of aggression until at least 2017. The Stuxnet worm was first discovered in June 2010.60 Jurisdiction cannot be applied ex post facto at the ICC. Therefore, with the specific facts of the Stuxnet case, there would not be temporal jurisdiction; for the purposes of examining how Stuxnet, or a cyber attack similar to it, can be pursued at the ICC, however, we will assume temporal jurisdiction was satisfied.

3. Territorial or Active Nationality Jurisdiction

For the crime of aggression, there must also be either active nationality jurisdiction or territorial jurisdiction—and either the state accused of active nationality or the state claiming territorial jurisdiction must be a party to the Rome Statute.61 This requirement to be a party to the Statute is different from the jurisdictional requirements for any other ICC crime. For the crime of aggression, even if “committed by [a] State’s nationals or on its territory”, there will be no jurisdiction if the state has not ratified the Rome Statute.62 Neither the United States nor Israel has ratified the Rome Statute.63 This is a significant obstacle, explored in Section IV. To continue exploring how a cyber crime case could be pursued at the ICC, we will assume the involved states are parties to the Statute. There would be territorial jurisdiction because the events took place on Iranian territory when the Stuxnet worm targeted and destroyed property at the Natanz facility.64

B. Admissibility Requirements

The Prosecutor must then show that all Article 17 and Article 53 admissibility requirements are met. These requirements are complementarity and gravity.65

1. Complementarity

Complementarity is satisfied as long as there are no other investigations or previous prosecutions related to the given case conducted by states with jurisdiction over the conflict—as long as the investigations or prosecutions were not properly and legitimately conducted due to inability or unwillingness.66 For Stuxnet, the state with jurisdiction over the conflict would have been Iran. There is no concrete evidence of an investigation. Furthermore, even if there was an investigation, Iran would have been unable to proceed at a certain point because the case involves other powerful countries; there was no real avenue it could take on its own in order to further inspect the Stuxnet incident or to compel cooperation from the suspected perpetrators. Also, there was evidently no trial or actual punishment of any perpetrators. Therefore, because there are no ongoing investigations, and there was an inability to do so in the first place, the ICC would have jurisdiction. Thus, the ICC would be the court of last resort and the requirement for complementarity is fulfilled.

2. Gravity

The second legal admissibility requirement is gravity.67 There is significant overlap between gravity as a subject matter element of the crime and gravity as an admissibility requirement. In the context of admissibility, however, the Prosecutor considers relative gravity: the seriousness of this crime in comparison to other cases that could be prosecuted at the ICC.68 The Prosecutor considers all available information and can initiate an investigation, unless there is not a reasonable basis to continue.69 There is a reasonable basis if the case at hand is grave enough for the Prosecutor to prioritize it over others and spend some of the limited resources on pursuing the case.70 Proving gravity as an admissibility requirement will prove challenging for cyber attack cases in which there is solely material and economic loss, as explored in Section IV; however, the prosecutor will need to broaden the understandings of these factors if cyber crime is to be tried at the ICC. The factors to consider for the admissibility requirement are the scale, nature, manner of commission of the crimes, and impact of the situation.71

Scale can include the number of victims, extent of damage, and geographical or temporal spread which means a low intensity of crimes over a longer period of time or a high intensity of crimes in a short time frame.72 The Stuxnet worm caused large-scale damage—not only by changing the PLC coding and SCADA data, but also by destroying valuable property and resources when rendering the uranium centrifuges useless. There was economic loss and significant progress postponement. While there were no human victims, there was a large extent of damage in a relatively short time frame.

Nature is evaluated by assessing how serious each specific element of the crime is, with particular focus on crimes against human life or condition.73 The Stuxnet attack could be viewed as one of a serious nature; however, it would be the first crime without direct or indirect victims to be considered of sufficient nature. Here, a state deliberately targeted and attacked the territory of another; it is believed that the Stuxnet attack was a war move that weakened Iranian power to respond to any United States embargo policy.74 The determination for whether or not the nature of the crime provides a reasonable basis to proceed with an investigation does not explicitly exclude a situation such as Stuxnet’s. The nature determination is open-ended and there seems to be room for Stuxnet to be considered severe enough.

The manner of the commission assessment looks at the means employed to commit the crime, the intent behind it, and if it was systematic or part of an organized policy.75 The manner of commission for the Stuxnet malware is sufficiently fulfilled, as the perpetrators used extremely deceptive means to deploy the malware.76 Also, this attack was not an accident. It was not a case in which there was more damage caused than intended. The perpetrators evidently intended to inflict extreme damage to the Iranian nuclear facility because the worm was deliberately designed to cover up its tracks—optimizing its ability to cause the most amount of destruction possible without raising suspicions.77 The crime was most likely the result of a plan or organized policy since Stuxnet was so complex and necessitated the work of many programmers working to create a program with this particular purpose, and specific location, in mind.

Measuring the impact of a crime weighs the level of inflicted economic damage and how vulnerable a population is after the crime.78 The impact of the Stuxnet cyber attack was sizable. There was significant economic loss and considerable material damage.79 The harm was of such an extent that Iran’s program was set back several years.80 The community could be considered increasingly vulnerable after the attack because repairing the damages was a large challenge for a country with strict trading sanctions. Additionally, the malware may have directly injured Iran’s ability to counter subsequent attacks, and left them with vulnerabilities. Again, there are many obstacles to proving these factors which are explored in Section IV. Overall, the Stuxnet cyber attack case could, suppositionally, be one of sufficient gravity which would justify further action by the ICC.

C. Interest of Justice

Lastly, the Prosecutor considers whether pursuing this case is in the interest of justice.81 According to Article 53, the Prosecutor can decide not to go forth with an investigation or prosecution if there is substantial reason to believe it is not in the interest of justice.82 The pre-trial chambers are able to review this decision.83 Here, there is a strong case that an investigation is in the interest of justice, as it would communicate a much-needed message that international cyber acts of aggression are taken seriously and can actually be prosecuted. There are no other mechanisms of justice in this case; the ICC is the only established international body that could pursue it at this time. Furthermore, there is an alarming reality that even more devastating cyber attacks can occur; nations may be targeted in ways that weaken, or eliminate, the ability to self-defend or counterattack to a subsequent attack.84 It is important the ICC be adaptable to the changing world and take on non-kinetic crimes of aggression. This is an increasingly important message with globalization and rapid technological innovation. The most severe cyber crimes should be investigated at the ICC—the forum created for the purpose of prosecuting the most serious international crimes.

In all, the Stuxnet worm case could have met all jurisdictional and admissibility requirements if the situation occurred after January 1, 2017 and one of the involved states was party to the Rome Statute. Thus, it is possible for certain cyber attack cases to satisfy all ICC requirements and warrant the beginning of an investigation, and even potentially be prosecuted. However, there are numerous obstacles which make it practically impossible to exercise jurisdiction over many, if not most, cyber crimes.

IV. Limitations

Most cyber attacks would face several challenges with any of the above requirements for jurisdiction at the ICC. Some of these obstacles are even depicted by the Stuxnet example. These hurdles for cyber crime at the ICC include the limitation to State Parties and state actors, the ability to opt-out from jurisdiction, the issues with a Security Council referral and its act of aggression decision, the high bar for proving manifest violation, and the difficulty in fulfilling the gravity admissibility condition.

A. State Parties and State Actors

First, a significant hindrance to the exercise of jurisdiction over cyber crime is the limitation to only State Parties. As previously explored in Section III(A)(3), Article 15 bis limits the exercise of jurisdiction for the crime of aggression.85 When a case is referred by a state or is investigated proprio motu, but the state is not a party to the Rome Statute, “the Court shall not exercise its jurisdiction […] when committed by that State’s nationals or on its territory”.86 The suspected perpetrators of Stuxnet, the United States and Israel, have not ratified the Rome Statute and, therefore, are not State Parties.87 Thus, the ICC would not actually have jurisdiction over the Stuxnet case. This also seems to negate the ability for states to grant jurisdiction to the ICC, as it bars jurisdiction for any state that is not a party to the Rome Statute. Regardless, if a state was involved but had not ratified the Rome Statute, that state would likely never voluntarily grant jurisdiction to the ICC. Article 15 bis essentially encourages states that are not already parties to the Rome Statute to remain that way in order to stay out of ICC jurisdictional reach for the crime of aggression.

Additionally, jurisdiction is limited to only state actors; non-state actors cannot be implicated for the crime of aggression at the ICC.88 While further investigation into the Stuxnet case is believed to most likely implicate one or both of the United States and Israel, much of cyber crime is perpetrated by non-state actors.89 Even if a state could be attributed to the conduct, the crime of aggression is a “leadership crime”. This means that jurisdiction is even further limited to when the crime is conducted “by a person in a position effectively to exercise control over or to direct the political or military action of a State.”90 This makes the exercise of jurisdiction for the crime at the ICC very narrow in scope—limited to the leadership of state actors which are also parties to the Rome Statute.91 Not only would this be an extremely small fraction of cyber crime perpetrators, but proving leadership involvement would also be problematic. The ICC has limited resources.92 Tracing cyber attacks back to their sources is a costly undertaking in itself, and even more so when the programs are of such sophistication as Stuxnet was, for example.93 It would require the services of many cyber experts, but even experts could not guarantee that their work would uncover evidence of state attribution.94 Additionally, if the ICC begins to investigate cyber crime, state actors may be more careful about concealing their involvement and preventing traceability. States could, instead, contract third parties to do the work and ensure this commission would not lead back to a state leader.95 The limitation to leaders of states that are parties to the Rome Statute essentially incentivizes perpetrating states to be even more deceptive and prevent uncovering attribution to the state. This, along with the limited ICC resources and high cost of even attempting to uncover the perpetrators for most cyber crimes, is an overwhelming barrier to exercising jurisdiction at the ICC.

B. Opt-Out Provision

Article 15 bis(4) further weakens the already narrow scope of ICC jurisdiction over the crime of aggression.96 This provision in the Rome Statute effectively allows State Parties to opt-out of jurisdiction over the crime of aggression when the case is referred by another state or investigated proprio motu.97 States may simply “lodg[e] a declaration with the Registrar”.98 As it is, nations already do not have to ratify the Kampala Amendments, or the whole Rome Statute to begin with.99 Article 15 bis takes this even further by allowing any State that is a party to the Statute to declare its rejection of ICC jurisdiction over the crime of aggression.100 If the perpetrator of cyber crime was a party to the Rome Statute, it could simply lodge a declaration with the ICC Registrar.101 There are no repercussions or disincentives to do otherwise.102 While the goal of this provision may have been to encourage more states to ratify the Rome Statute and the Kampala Amendments, it strips the ICC of any actual power in regards to the crime of aggression. Thus, even if prosecuting cyber crime at the ICC is a possibility, Article 15 bis and this specific section 4 provision make the practical exercise of jurisdiction over the crime of aggression impossible.

C. Security Council Referral

The Security Council can refer cases to the ICC, per Article 15 ter of the Rome Statute.103 This could theoretically countervail the issue of the opt-out provision. However, it is highly unlikely the Security Council would even refer cyber crime cases to the ICC given that the five permanent members are the United States, China, Russia, the United Kingdom, and France.104 If any of these countries were involved or suspected of being involved in a case, such as the United States in the Stuxnet case, for example, that state would veto the Security Council referral. Even if one of the five permanent members were not directly involved in a specific case at hand, any of the permanent member states may be reluctant to refer a cyber attack case if involved in other cyber situations or possibly may be involved in the future. Many of these countries are already suspected, and some confirmed, to have been a part of certain cyber attacks.105 These nations would not want to expand ICC jurisdiction to cyber crimes, and potentially implicate their own countries later on. Thus, the Security Council referral, while in abstract it could help the ICC exercise jurisdiction over cyber crime, is highly unlikely to ever be exercised in cyber crime cases given the permanent membership of the Security Council.

D. Act of Aggression Determination

The Security Council is also responsible for deciding whether a situation rose to the level of an act of aggression.106 This gives the Security Council great gatekeeping power over what cases are pursued at the ICC. There is great potential for this deciding body to limit the ICC’s ability to proceed in a cyber attack case; giving the Security Council this decision-making power can arguably prevent many legitimate cases from being prosecuted, especially, again, considering what countries make up the five permanent members. Several of these permanent members have been suspected to be involved in cyber crime.107 Some of these member states are even confirmed to have been involved in cyber crime.108 Similarly to the Security Council referral, many, if not all, of the permanent members would have significant motive to decide there was no act of aggression in a cyber crime case—whether its country was a perpetrator in the specific case or not. Article 15 bis does outline that, when the Security Council fails to make a determination within 6 months, the prosecutor may proceed with an investigation if the Pre-Trial Division authorized it.109 Yet, this is only when there is no determination on the issue; the prosecutor cannot begin to pursue a case when the Security Council makes the decision that there has not been an act of aggression—and the Security Council arguably has strong motive to make that negative decision. The Security Council could determine cyber crime never reaches the level of an act of aggression and, therefore, prevent the ICC from exercising jurisdiction.

E. Manifest Violation and Gravity

The requirement that there be a “manifest” violation of the U.N. Charter is another barrier for many cyber attack cases. The inclusion of “manifest” language in the article was to ensure only the most flagrant violations would be considered.110 This makes sense when considering the context that the ICC was created to prosecute violators of the most serious crimes in the world. However, this is an extremely high bar that is not conducive to the emerging field of cyber crime—which is in serious need of an international body to step in and begin holding perpetrators accountable. A manifest violation is one of sufficient character, gravity or scale; even in the case of Stuxnet, while it is possible that it was an instance of a manifest violation, this is a stretch. There was no harm inflicted upon people, and no direct or indirect victims. The loss was solely material and financial. While these types of crimes should be prosecuted to deter future commissions and potentially devastating capabilities of cyber attacks, the manifest language can conceivably preclude cases if not considered of proper character or gravity.111 Many cyber attack cases, including Stuxnet, may not be able to meet this high standard.

The gravity admissibility requirement may also be an obstacle. Many cyber attacks inflict damage to incredibly specific targets and may not be as grave, in regard to number of victims or human harm, as other Rome Statute crimes. It is difficult to imagine a case such as Stuxnet being prosecuted at the ICC when other parts of the world experience horrific human rights violations and devastation to whole communities. Yes, there are cyber crime cases that could severely harm large populations such as targeted attacks upon a city’s water or power grids.112 Yet, many cyber attacks are of a less devastating nature, at least in regard to human life or condition. There has not yet been a case in which gravity is successfully tied to financial loss or destroyed resources. Until the Prosecutor pursues a cyber crime case and sets a precedent for what a sufficiently grave cyber attack looks like, it is difficult to realistically believe the vast majority of cases like Stuxnet, which do not result in any human casualties or direct bodily harm, would be of sufficient gravity for the ICC. Additionally, at the time of the Stuxnet case, Iran stated its uranium enrichment facilities were for peaceful purposes and to create nuclear power.113 But any uncovered evidence that these centrifuges would have been used for building nuclear weapons could have hindered meeting the gravity threshold.114 While the prosecutor is an apolitical actor in theory, they would likely consider the very significant backlash of investigating states such as the United States or Israel, especially if it was for damage of material that could have been used to build nuclear weapons. This could even result in decreased legitimacy and respect for the ICC as an institution. It is conceivable that this would color the entire case. It would be difficult to satisfy the gravity requirement on its own, and the political implications could make this even more arduous.

Ultimately, Article 8 bis of the Rome Statute can encompass cyber attacks and allow for cyber attack cases to be prosecuted at the ICC. However, there are significant barriers to practical application. In abstract, the Prosecutor could have opened an investigation into a case like Stuxnet, but even this case uncovers many of the challenges to actually exercising jurisdiction over the crime of aggression at the ICC: the limitation to State Parties and state actors, the opt-out provision, the Security Council referral, the act of aggression determination, proving a manifest violation, and meeting the gravity requirement. While certain cyber crime cases may be pursued at the ICC, this is evidently not the most efficient or effective forum for the investigation or prosecution of cyber crime.

Endnotes

  1. Chance Cammack, The Stuxnet Worm and Potential Prosecution by the International Criminal Court Under the Newly Defined Crime of Aggression, 20 Tul. J. Int’l & Comp. L. 303, 315 (2011), paywall.
  2. Id.
  3. Jeremy Richmond, Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to the Law of Armed Conflict?, 35 Fordham Int’l L.J. 842, 856 (2012), available online.
  4. Id.
  5. Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247, 250 (2019), available online, doi.
  6. Id.
  7. Cammack, supra note 1, at 316.
  8. Id.
  9. Id.
  10. Maskun, Achmad, Naswar, Hasbi Assidiq, Armelia Syafira, Marthen Napang & Marcel Hendrapati, Qualifying Cyber Crime as a Crime of Aggression in International Law, 13 J. East Asia & Int’l L. 397, 410-411 (2020), available online, doi.
  11. Id.
  12. Id.
  13. Cammack, supra note 1, at 317.
  14. Id.
  15. Richmond, supra note 3, at 856.
  16. Id.
  17. Cammack, supra note 1, at 315.
  18. Id.
  19. Id. at 317.
  20. Richmond, supra note 3, at 859.
  21. Id.
  22. Id.
  23. Id.
  24. Id. at 845.
  25. Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis(1), available online.
  26. Definition of Aggression, G.A. Res. 3314 (XXIX), A/Res/3314 (Dec. 14, 1974), available online.
  27. Id. § 6.
  28. Cammack, supra note 1, at 319.
  29. United Nations Charter, Art. 2(4) [hereinafter U.N. Charter], available online.
  30. Cammack, supra note 1, at 322-323.
  31. Id.
  32. Jennifer Trahan, The Rome Statute’s Amendment on the Crime of Aggression: Negotiations at the Kampala Review Conference, 11 Int’l Crim. L. Rev. 49, 83 (Jan. 1, 2011), paywall, doi, earlier version online.
  33. Rome Statute, supra note 25, Art. 8 bis(2).
  34. Id. Arts. 5, 11, 12, 17.
  35. Id. Art. 53.
  36. Id. Arts. 5, 11, 12.
  37. Id. Art. 5.
  38. International Criminal Court, Elements of Crimes, ICC-ASP/1/3, Adopted and Entry into Force 9 September 2002, updated at Kampala, 31 May-11 June 2010, Art. 8 bis (Jun. 11, 2011) [hereinafter Elements of Crimes], available online, archived.
  39. Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 842 (2012), available online.
  40. Id.
  41. Rome Statute, supra note 25, Art. 8 bis(2).
  42. Elements of Crimes, supra note 37.
  43. Cammack, supra note 1, at 318.
  44. Id.
  45. Id.
  46. Richmond, supra note 3, at 845.
  47. Elements of Crimes, supra note 37.
  48. Id.
  49. U.N. Charter, supra note 29, Art. 1.
  50. Elements of Crimes, supra note 37.
  51. Assembly of States Parties, The Crime of Aggression, RC/Res. 6, at Annex III (Jun. 11, 2010), available online.
  52. Roscini, supra note 5, at 265.
  53. Elements of Crimes, supra note 37.
  54. Richmond, supra note 3, at 893.
  55. Rome Statute, supra note 25, Art. 11.
  56. Trahan, supra note 32, at 55.
  57. Rome Statute, supra note 25, Art. 15 bis(2).
  58. Press Release, ICC, State of Palestine becomes Thirtieth State to Ratify the Kampala Amendments on the Crime of Aggression (Jun. 29, 2016), available online, archived.
  59. Rome Statute, supra note 25, Art. 15 bis(2).
  60. Maskun et al., supra note 10, at 410.
  61. Rome Statute, supra note 25, Art. 15 bis(5).
  62. Id.
  63. Cammack, supra note 1, at 324.
  64. Roscini, supra note 5, at 262.
  65. Rome Statute, supra note 25, Arts. 17, 53.
  66. Id. Art. 17.
  67. Id. Art. 53.
  68. Roscini, supra note 5, at 255.
  69. Rome Statute, supra note 25, Art. 53.
  70. Roscini, supra note 5, at 255.
  71. Office of the Prosecutor, ICC, Policy Paper on Preliminary Examinations 3 (Nov. 2013) [hereinafter Policy Paper], available online.
  72. Id. at 15.
  73. Id.
  74. Maskun et al., supra note 10, at 411.
  75. Policy Paper, supra note 70, at 15-16.
  76. Cammack, supra note 1, at 317.
  77. Id.
  78. Policy Paper, supra note 70, at 16.
  79. Maskun et al., supra note 10, at 411.
  80. Cammack, supra note 1, at 304.
  81. Rome Statute, supra note 25, Art. 53(1).
  82. Id.
  83. Id. Art. 53(3).
  84. Maskun et al., supra note 10, at 416.
  85. Rome Statute, supra note 25, Art. 15 bis.
  86. Id. Art. 15 bis(5).
  87. Richmond, supra note 3, at 845.
  88. Hathaway et al., supra note 39, at 824.
  89. Johan Sigholm, Non-State Actors in Cyberspace Operations, 7 J. Mil. Stud. 1 (Nov. 22, 2016), available online, doi.
  90. Rome Statute, supra note 25.
  91. Id.
  92. Sang-Hyun Song, Second President of the ICC, Keynote Speech for the 20th Anniversary of the Rome Statute, Past Achievements and Future Challenges of the ICC (Jul. 17, 2018), available online.
  93. Maskun et al., supra note 10, at 416.
  94. Id.
  95. Cammack, supra note 1, at 322.
  96. Trahan, supra note 32, at 83-84.
  97. Rome Statute, supra note 25, Art. 15 bis(4).
  98. Id.
  99. Id. Art. 12.
  100. Id. Art. 15 bis(4).
  101. Id.
  102. Id.
  103. Id. Art. 15 bis(1).
  104. Current Members, S.C., available online (last visited Feb. 25, 2022).
  105. Sintia Radu, China, Russia Biggest Cyber Offenders, U.S. News & World Rep., Feb. 1, 2019, available online.
  106. Rome Statute, supra note 25, Art. 15 bis(6).
  107. Radu, supra note 104.
  108. Id.
  109. Rome Statute, Art. 15 bis(8).
  110. Trahan, supra note 32, at 58.
  111. Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield, 3 Duke L. & Tech. Rev. ¶ 10 (2010), available online.
  112. Id.
  113. Richmond, supra note 3, at 858.
  114. Id.

Economic Cyber Crimes and the Rome Statute

Summary

This comment examines the possibility to prosecute perpetrators of economic cyber attacks under the Rome Statute. It considers economic cyber attacks to be cyber attacks on financial institutions, businesses, or individuals with the primary goal of financial enrichment. The comment first assesses the possibility of prosecution under Article 8 and Article 8 bis of the Statute, concluding that an economic cyber attack might fall under the war crime of pillaging, as long as an armed conflict is found. An assessment of the jus in bello of economic cyber attacks follows. It finds that while it is not impossible, it is unlikely that an economic cyber attack alone could trigger an armed conflict, hence precluding the application of Art. 8 of the Statute. The comment concludes with a call for acknowledging cyber attacks under international law.

I. Introduction

Imagine this: under the cover of night, a small group of soldiers crosses a rogue country’s border to its much larger neighbor. The commandos quickly move to various urban areas and start their mission immediately: they break into banks, factories, even hospitals. During their burglaries, they break or render useless everything that’s in their path. Machines, blood storage containers, computers. When the night is over, all this equipment will be defunct. But these aren’t vandals in uniform, they know exactly what they are looking for. After their mission is over, they will have made their way back to their barracks with billions of dollars in hard cash, untraceable and ready to fill their country’s coffers. Of course, a heist of this size will not remain undiscovered. Pretty quickly, the extent of destruction and the culprits are established. And the government of the victim state? Does nothing. No troops are hastily assembled at the border and no drone strikes attacking critical military infrastructure in retaliation. Only a B-list government minister makes an official announcement acknowledging and attributing the attack.

What sounds like the script of an anticlimactic action movie is in fact the reality of cyberwarfare. In 2017, a group of hackers acting on behalf of the North Korean government released the “WannaCry”-ransomware into cyberspace, which infected approximately 200,000 devices in 150 countries and caused up to $4 billion in damages.1 The reactions were lukewarm at best. The governments of the United States, the United Kingdom, Japan, and New Zealand quickly named North Korea the culprit, but apart from one suspected North Korean hacker being charged by the U.S. Department of Justice and some new sanctions being added to the already long list of sanctions against North Korea, the attacks had few hard consequences.2 As the previous paragraph shows, this lack of response would be wildly unrealistic if the aggressor had used conventional force. A reason for this unequal treatment of cyber attacks and “regular” attacks is the lack of clarity regarding the law of cyberwarfare. How much hacking of its opponents does your average state engage in during peacetime? When is a cyber raid a regular burglary, subject to municipal law, and when is it a pillage that is met with military response and that is subject to international humanitarian law (IHL), and international criminal law (ICL)?

Treaties, conventions, and state practice do not provide clear answers. Specialized conventions for cyberwarfare have not been negotiated and state practice—where it exists in the first place—is inconsistent and unclear. Hence, we need to turn to interpreting existing treaties, which were made for conflicts from another era.

The following comment will attempt to delineate the circumstances under which economic cyber crime might fall under the Rome Statute.3 When the comment makes reference to “economic cyber attacks,” it means cyber attacks attributable to sovereign states that are conducted primarily for financial gain, either by theft, extortion, or a similar method. Also, it will focus on questions of substantive law, not on questions of procedure and admissibility.

This comment first looks at economic cyber attacks as possible war crimes under Art. 8 of the Rome Statute and as a potential violation of Art. 8 bis. As war crimes can only be committed during an armed conflict, the comment then moves on to examine if and when cyber attacks can trigger such armed conflict. The conclusion shows the impracticality of the current system and the resulting need for reform and international treaty recognition of cyber crimes and cyberwarfare.

II. The Rome Statute and Economic Cyber Crimes

So far, cyber crime and cyberwarfare in international law have been mostly confined to discussions in lecture halls and war rooms instead of multilateral negotiating tables. The Rome Statute is no exception, as it does not feature special rules for crimes committed via the internet or cyber conflicts. Of course, the Statute does not prohibit considering economic cyber attacks, either. Therefore, digital hostilities might be prosecutable under several of the Statute’s articles.

In particular, it is conceivable that an economic cyber attack constitutes a war crime under Art. 8 of the Rome Statute. Under this provision, “serious violations of the laws and customs applicable in international armed conflict” are punishable.4 The norm’s catalogue enumerates eight general war crimes in Art. 8(2)(a), another 26 acts that constitute war crimes when conducted during the course of International Armed Conflicts in Art. 8(2)(b), and 19 war crimes of Non-International Armed Conflicts in Arts. 8(2)(c) and 8(2)(e). Following the outlined conception of an economic cyber attack as a state-sponsored actor attacking financial infrastructure in another state, this comment is limited to considering International Armed Conflicts.5 This is not to say, of course, that this kind of attack is inconceivable in a non-international armed conflict and many of the following considerations apply there, too.

Within the catalogue of Art. 8, several offenses stand out: pillaging,6 the destruction and appropriation of civilian objects,7 and the intentional attack of civilian objects.8 Beyond Art. 8, the Crime of Aggression as enshrined in Art. 8 bis will also be examined.

A. The War Crime of Pillaging

Commonly, we refer to pillaging as incidents of theft and robbery in the face of catastrophes, violence or other breakdowns of the public order. In the context of wars and armed conflicts, its prohibition is an almost universally acknowledged principle of the jus in bello. While the language of Art. 8(2)(b)(xvi) of the Statute has its roots in the Hague Conventions,9 the prohibition of pillaging is much older than that. It can be found in Art. 44 of the 1863 Lieber Code, where “all pillage and sacking” was prohibited under the penalty of death.10 While this proclamation only bound American forces, the Code is considered to reflect the greater contemporary consensus on customs of war.11 The prohibition of pillaging has been a mainstay of the criminal law of armed conflict for one and a half centuries, regardless of changes in technology or warfare. In light of this history alone, it does not seem far-fetched to acknowledge that pillaging can occur in cyberwarfare, too.

An analysis of Art. 8(2)(b)(xvi) of the Rome Statute supports this. While the provision itself does not elaborate what “pillaging” is, the Elements of Crimes define it as the appropriation of property for private or personal use against the consent of the owner.12 This should not be misunderstood: the criterion of “private or personal” use is meant to be read in opposition to militarily necessary cases of appropriation of property.13 It does not mean that state-sponsored raids during wartime fall outside the scope of the crime of pillaging. Insofar, the ICTY clarified in the Čelebići case that:

[T]he prohibition against the unjustified appropriation of public and private enemy property is general in scope, and extends both to acts of looting committed by individual soldiers for their private gain, and to the organized seizure of property undertaken within the framework of a systematic economic exploitation of occupied territory.14

In the later Hadžihasanović judgement, the ICTY confirmed this interpretation, finding that:

[T]he regulations do not allow arbitrary and unjustified plunder for army purposes or for the individual use of army members.15

Trial Chamber III of the ICC adopted this view, stating that “the prohibition of pillaging covers both individual acts of pillage and organized pillage.”16 The exception for militarily necessary appropriations will not apply in most instances of economic cyber attacks, as it is hard to imagine a clandestine cyber attack for economic gains during peacetime to further a legitimate military objective.

Notably, the provision itself and the interpretation given to it by tribunals, commentators, and the Elements of Crimes remain silent as to the mode of appropriation. On the one hand, this is due to the fact that acts of pillaging have been relatively straightforward in conflicts so far: they resembled burglaries and robberies at gunpoint, just that they were conducted by soldiers during wartime. On the other hand, this reflects that the Rome Statute is open to new developments in weapon technologies. Innovation does not prevent criminal prosecution.

Lastly, unlike other provisions of Art. 8, the war crime of pillaging is not limited to instances of occupation.17 However, the ICC Pre-Trial Chamber I found that “the war crime of pillaging occurs when the enemy’s property has come under the control of the perpetrator.”18 By its wording alone, this “enemy-control” criterion must be interpreted to impose a certain threshold that falls below that of occupation. When applying this test to economic cyber attacks, this means that only widespread attacks that take over significant parts of the relevant network or system and that operate under the sustained oversight of the attacker suffice. Hence, neither low-level individual attacks nor unguided viruses that unintentionally infect random systems would suffice. In those cases, the attacker is in no position to exercise sufficient control over the system or network against which the economic attack is launched.

This shows that it is not wholly inevitable that an economic cyber attack constitutes an act of pillaging, as long as it is of particular gravity and scale. The attack would, however, have to occur during an armed conflict, which we will turn to shortly. Before this, the relevance of other crimes under the Rome Statute will be evaluated.  

B. Cyber Attacks and the Rome Statute Beyond Pillaging

While at first glance it seems plausible that an economic cyber attack constitutes either the war crime of extensive destruction and appropriation of property,19 the intentional attack of civilian objects20 or the Crime of Aggression,21 a closer look proves fatal to all three.

1. Extensive Destruction and Appropriation of Property

Extensive destruction and appropriation of property is subject to particularly high thresholds. They must be “extensive” and carried out “wantonly.” Particularly grave cyber attacks might meet this threshold, either by dealing significant incidental damage to computer systems (as was the case for the WannaCry virus), or through particularly large sums attained. The vast majority of attacks, however, is unlikely to meet this requirement; not all that is illegal is also “extensive.”

Also, the act must be carried out “wantonly.” That is a high standard. The Commentary on the Fourth Geneva Convention, in the context of which the crime was first formulated, finds that “an isolated incident would not be enough.”22 The International Criminal Tribunal for the Former Yugoslavia (ICTY) affirmed this view, while conceding that a single grave attack can under exceptional circumstances count as “wanton.”23 As an example, it points to the destruction of a hospital, demonstrating just how heinous and destructive a single attack would need to be to fall under Art. 8(2)(a)(iv) of the Rome Statute. A mere one-off digital heist would hardly pass this threshold.

But even acts that might pass this first hurdle will frequently fail at a second one. Assuming the targets of our cyber heist aren’t hospitals and ambulances—in other words property that is afforded special protection under the Geneva Conventions24—the norm limits itself to protecting civilian property in occupied territory.25 Since the vast majority of state-sponsored cyber attacks are aimed at targets in sovereign, independent states, Art. 8(2)(a)(iv) proves to have a very narrow practical scope.

2. Intentional Attack of Civilian Infrastructure

Furthermore, those acts also fall outside the scope of Art. 8(2)(b)(ii),26 the war crime of attacking civilian objects. This hinges on the definition of “attacks against a[n] […] object.” At first glance, a cyber attack could certainly fall under the wording of the Article. However, the Rome Statute did not create the text of this provision out of thin air. The wording derives from Art. 52 of the Additional Protocol I to the Geneva Conventions (AP I)27 and reflects International Court of Justice (ICJ) precedent and customary law.28 The meaning of “attack” in the context of Art. 8 of the Rome Statute must therefore be construed in light of this history. As for AP I, the Protocol itself defines attacks to be “acts of violence,” Art. 49(1). The 1987 Commentary to AP I further clarifies what is meant by this. While it takes a generally wide interpretation of “attacks,”29 it states that an attack is “simply […] the use of armed force to carry out a military operation.” In its Article 53(1) Report on the Situation on Registered Vessels of Comoros, Greece and Cambodia,30 the ICC has further confirmed that the word “attacks” must be interpreted in accordance with its IHL origin and agreed that an element of violence must be present. The Office of the Prosecutor stated that:

[A]n attack […] must include a forcible boarding operation, by analogy with other areas of international humanitarian law in which an attack includes all acts of violence against an adversary.

The vast majority of economic cyber attacks are, however, non-violent. If they do cause damage to civilian objects and infrastructure, as was the case with the aforementioned WannaCry virus, this damage is usually incidental and not intentional; their objective is financial gain. This precludes a prosecution for violation of Art. 8(2)(b)(ii) of the Statute.

Changing the narrow definition of “attack” of Art. 8 to include non-violent offenses might be tempting, but would raise issues under the principle of nullum crimen sine lege, as enshrined in Art. 22(2) of the Rome Statute. Not only does this principle prohibit prosecution for unwritten crimes, but it also mandates that “[t]he definition of a crime shall be strictly construed.”31 Of course, this does not mean that a judge cannot clarify ambiguous terms of a statute. It does, however, mean that such clarification must be foreseeable for the accused.32 In the parallel judgments of C.R. v. United Kingdom and S.W. v. United Kingdom, the European Court of Human Rights stated regarding the similar Art. 7 of the European Convention on Human Rights that:

Article 7 […] cannot be read as outlawing the gradual clarification of the rules of criminal liability through judicial interpretation from case to case, provided that the resultant development is consistent with the essence of the offence and could reasonably be foreseen.33

In this case, however, there has been no indication that “attack” should be treated as entailing non-violent, economic crimes. Neither the ICC itself, nor international tribunals or other bodies tasked with interpreting relevant treaty law, have signaled that this interpretation is permissible. There is not even an academic debate on the issue, which might have made a change in judicial opinion predictable.

In summary, the Rome Statute’s prior interpretation of Art. 8(2)(b)(ii) does not allow for a prosecution of economic cyber crimes. An ad hoc change of this interpretation would violate the principle nullum crimen sine lege, as enshrined in Art. 22(2) of the Statute.

3. The Crime of Aggression

An examination of Art. 8 bis Rome Statute does not fare much better. As per Art. 8 bis(2), an act of aggression:

[Is the] use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.

This poses the question: What acts, short of an armed invasion, constitute the use of force and thus a violation of U.N. Charter Art. 2(4)?

The U.N. Charter is from 1945. Since then, conflict has changed significantly in ways which could not have been anticipated back then. Today’s battlefields are full of newly developed defense technologies and marked by shifting geopolitical power relations. An American drone attacking a terrorist organization thousands of miles away would have been unthinkable in the 1940s. Neither the technology nor the importance of and blurry definitions of non-state actors were expectable. Most of all, it was much easier to say when the threshold for the use of violence was crossed. This has changed significantly. There is hardly an instance where this change is more tangible than when cyber weapons are deployed.

Certainly, one could make the case that in today’s interconnected world and globalized economy, a well-placed virus attack wreaks greater havoc on societies around the world than traditional acts of aggression do.34 After all, the Rome Statute recognizes the “blockade of the ports or coasts of a State” to be acts of aggression. Doesn’t computer malware “blockade” the ports of a digital economy too? And if the U.N. Charter wants to save us from “the scourge of war,”35 shouldn’t Art. 2(4) be interpreted to prohibit as many forms of aggression as a liberal interpretation of the statute allows?36 The U.N. Charter at least does not limit what type of weapon is used in the course of a “use of force.”37 These arguments seem to be in line with a broader view favored by some academics and states, who argue that any form of political, economic, and, of course, military force can constitute a violation of U.N. Charter Art. 2(4), as long as it reaches a certain threshold of gravity.38

But this interpretation of Art. 2(4) is rejected by most states and academics alike.39 A prominent proponent of the theory even admits that “the overwhelming majority of commentators today consider the term “force” in Art. 2(4) of the U.N. Charter as practically synonymous to “armed” or “military” force.”40 When interpreting the Rome Statute, there are even more grounds for hesitancy than in a mere jus ad bellum debate.

The Crime of Aggression has been highly controversial in the drafting history of the Rome Statute. The offense was not included in the original version of the Statute but was only added after the 2010 Kampala Review Conference. Unable to reconcile their widely differing views as to how the Crime of Aggression should be defined, in 1998 the Drafting Parties deferred the resolution of the problem to a later Review Conference.41 Eight years after the Rome Statute went into force, this Review Conference finally met in Kampala and came to an agreement on the appropriate wording of the Crime of Aggression. Consequently, today’s Art. 8 bis was inserted into the Statute by the States Parties.42

However, some doubts remain as to what extent this compromise actually reflects a global consensus. So far, the ICC has heard no case involving the Crime of Aggression, which alludes to the crime’s high threshold and the Court’s hesitancy to apply it. Perhaps an early German statement, found in a 1997 Discussion Paper, best reflects the state of the actual in the international community:

In accordance with historic precedents the definition in question should focus on and try to cover only the obvious and indisputable cases of this crime (such as the aggressions committed by Hitler and the one committed against Kuwait in August 1990).43

Germany’s reason for this narrow approach to aggression seems to be in line with the Court’s views today. Says the Discussion Paper further:

It is of utmost importance that the definition does not lend itself to possible frivolous accusations of a political nature against the leadership of a Member State.44

Looking at this background of Art. 8 bis, it is not hard to understand why its drafters chose strong language and high standards and why commentators have interpreted it restrictively. It is limited to persons “in a position effectively to exercise control,” and only applies to acts of aggression that, by virtue of their “character, gravity and scale,” are “manifest” violations of the U.N. Charter.45 For the sake of this present analysis, the criterion of “manifest violations” might be the most crucial. It is a somewhat elusive clause; the Elements of Crimes merely state that it is an objective rather than a subjective criterion.46 Commentators, too, have wrestled with the criterion. A prominent, albeit not uncontroversial, interpretation is that by requiring an act to be a “manifest” violation of the U.N. Charter, “grey areas” should not be criminalized.47 While there are limits as to how liberally one might be able to interpret “grey area,”48 the term should at the very least be understood to prevent an all too progressive interpretation of crimes. Otherwise, the term would bear little relation to its definition as meaning “clear or obvious to the eye or mind”49 and the aforementioned Art. 22(2) concerns would apply here, too.

There might very well be some cyber attacks that meet the threshold of U.N. Charter Art. 2(4) and that might even pass the muster of Art. 8 bis of the Rome Statute. It is no coincidence that cyber weapons have been described as the “perfect weapon.”50 However, I have no doubt that mere economic cyber attacks—at least how we have experienced them so far—have not been acts of aggression that by their “character, gravity and scale, constitute[…] a manifest violation of the Charter of the United Nations.” And absent widespread physical destruction or the use of kinetic force, it is unlikely that they will rise to this level in the future. It seems like state practice agrees with this conclusion. So far, the most frequent response to economic cyber attacks has been public condemnation and occasional criminal indictments under municipal criminal law.51

III. Economic Cyber Crimes and Armed Conflicts

The previous discussion showed that a prosecutor wishing to go after the backers of an economic cyber attack would have the best case under Art. 8(1)(b)(xvi) of the Rome Statute. However, we could also see in the context of Art. 8 bis that there are substantial difficulties in applying rules of warfare made decades (or even centuries) ago to cyber attacks, particularly if those attacks are primarily committed for financial gain.

Similar issues as those discussed for the Crime of Aggression mar any consideration of war crimes too. But where we could point to the criterion of “manifest” violations and a more restrictive approach to interpreting U.N. Charter Art. 2(4), war crimes require the existence of an armed conflict, a term that is much more widely interpreted than the “use of force” of U.N. Charter Art. 2(4), let alone “armed attack” of U.N. Charter Art. 51.

War crimes, both as they are generally conceived in IHL and as they are defined in Art. 8(2)(b) of the Rome Statute, require the existence of an International Armed Conflict (IAC).52 Whether or not certain hostilities amount to an IAC is a factual determination, independent of a formal declaration of war.53 In the oft-cited Tadić case, the ICTY found that “an armed conflict exists whenever there is a resort to armed force between States.”54 In the Lubanga55 and Katanga56 judgments, the ICC adopted this view. Using armed force is not equivalent to deploying the armed forces. In the words of Pre-Trial Chamber II:

[A]n international armed conflict exists in case of armed hostilities between States through their respective armed forces or other actors acting on behalf of the State.57

Hence, it makes no difference whether a state uses military hackers or civilian personnel in its cyber attacks.58 What matters is that they are acting for the state. This definition of armed conflict poses two questions: First, can the use of a virus be considered to be a “resort to armed force?” If this is possible, what is the threshold for an “armed” cyber attack?

It is widely accepted that the Geneva Conventions apply to the use of cyber warfare during a pre-existing IAC or Non-International Armed Conflict.59 In those cases, cyber weapons are treated like any other weapon. It is much less clear if this equal treatment also extends to a conflict started by the use of a cyber weapon, let alone one exclusively fought using cyber weapons. So far, this issue has been reserved to theoretical discussions, as cyber-only attacks—economic or otherwise—have not led to an escalation of violence or resulted in a “traditional” armed conflict.60

An early, consequence-based approach by Michael N. Schmitt considered cyber-only attacks to be “armed” if the cyber attack produced results similar to those of a conventional attack, i.e., injury, death, physical damage or destruction.61 Gradually, this approach has changed. Instrumental for this gradual change was Knut Dörmann, who expanded the consequence-test to include attacks that don’t destroy but merely disable or neutralize the target.62 By now, this approach has been adopted by the International Committee of the Red Cross63 and by a majority of commentators, as Schmitt himself observes.64

However, this is no blanket justification to consider all instances of state-sponsored cyber attacks incidents of an armed conflict. Whenever a cyber attack does not lead to injury, death, physical damage or destruction, it must be of a certain gravity. This gravity-threshold would be met in instances of disruptions of vital infrastructure, like electrical grids or water supply. Vital infrastructure stands in contrast to mere critical infrastructure, which would include the banking system, financial institutions, and the majority of other businesses and institutions.65 It seems like the implicit argument behind this theory is that non-destructive attacks can bear a foreseeable and grave risk of causing incalculable human suffering, fatalities, or physical destruction. In those instances, the attack must be treated as if it had directly led to those results. The approach of outlawing an act based on its associated dangers is not foreign to the Geneva Conventions. Art. 35 of Additional Protocol I, for example, prohibits:

[T]o employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury or unnecessary suffering.

These weapons are banned based on their abstract nature, not their concrete consequences. Similarly, wherever cyber attacks, by their character alone, are highly likely to lead to injury, death, physical damage or destruction, they may be treated like attacks that directly cause those consequences.

Economic cyber attacks to date have fallen short of this threshold. Digitally stealing money from a civilian bank account causes financial loss and certainly some hardship, but not the immediate widespread suffering that preventing access to the water grid does. A standalone economic cyber attack would have to be of a much greater scale to be considered an “armed conflict.” Consequently, attacks so far have not constituted war crimes and future economic cyber attacks are unlikely to do so, too. There is no violation of Art. 8(1)(b)(xvi) of the Rome Statute.

This is not to say that cyber attacks don’t cause major disruptions for public life and constitute threats to peace. They change the battlefield and simultaneously stretch the textual interpretation of the current laws of war. This has led one commentator to wonder if one day the term armed attack will be obsolete.66 While this may be desirable lex ferenda, today, the “armed” criterion is still part of the jus in bello and puts a limit to the kind of hostilities that can constitute an IAC. It seems that most cases of economic cyber attacks fall just short of this limit.

IV. Conclusion

As seen, it is not completely impossible to prosecute international cyber crimes under the Rome Statute. However, requiring that the attack rise to the intensity of an armed conflict is a major obstacle. But even if the threshold were met, the attack would need to pass the muster of the gravity requirement of Art. 17(1)(d) of the Rome Statute.

The comment shows that the Rome Statute is an inappropriate framework to address the realities of cyberwarfare. It is not a convenient replacement for municipal criminal justice and for international treaty negotiation. But this is not a disappointing finding. First, it strengthens the standing of the Court and the Rome Statute. Why should cyber crimes be included through treaty interpretation when other serious offenses like terrorism, drug trafficking and crimes against United Nations personnel failed to make it into the Statute?67 In a time where the Court faces allegations of illegitimacy, expanding the scope of the Rome Statute through clever interpretation would only further undermine its work. Second, as the Rome Statute is an instrument of international criminal justice, limiting the use of ambitious textual interpretation is a win for the fundamental principles of justice, not a loss. Third, cyber crime and cyberwarfare are here to stay. They will challenge the international community for years to come. Ultimately, states will have to find their way to the negotiating table to draft the rules for cyber conflicts. Only a multilateral treaty has a realistic chance to achieve widespread acceptance and to mitigate the dangers of cyber attacks. Hence, this comment is less a manual for the prosecution of economic cyber attacks and more a call to action to fill the gaps in the international law on cyber conflicts.

Endnotes

  1. 1.

    What is WannaCry Ransomware?, Kaspersky, available online (last visited Feb. 26, 2022).

  2. 2.

    Press Release, U.S. Dept. of Just., Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe (Feb. 17, 2021) [hereinafter North Korean Hackers Indicted], available online; Ewen MacAskill, Alex Hern & Justin McCurry, Facebook Action Hints at Western Retaliation over WannaCry Attack, The Guardian, Dec. 19, 2017, available online; White House says WannaCry attack was carried out by North Korea, CBS, Dec. 19, 2017, available online.

  3. 3.

    Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], available online.

  4. 4.

    Id. Art. 8(2)(b).

  5. 5.

    As defined by Article 2 Common to the Geneva Conventions, Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, 75 U.N.T.S. 31 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online; Geneva Convention for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea, 75 U.N.T.S. 85 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online; Geneva Convention Relative to the Treatment of Prisoners of War, 75 U.N.T.S. 135 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online; Geneva Convention Relative to the Protection of Civilian Persons in Time of War, 75 U.N.T.S. 287, (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online.

    (“[T]he present Convention shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them.”).

  6. 6.

    Rome Statute, supra note 3, Art. 8(1)(b)(xvi).

  7. 7.

    Id. Art. 8(2)(a)(iv).

  8. 8.

    Id. Art. 8(1)(b)(ii).

  9. 9.

    William A. Schabas, The International Criminal Court: A Commentary on the Rome Statute, 241 (2nd ed. Sep. 2016), paywall, doi.

  10. 10.

    General Orders No. 100: Instructions for the Government of Armies of the United States in the Field, Adjutant General’s Office (Apr. 24, 1863), available online.

  11. 11.

    Dietrich Schindler & Jiri Toman, The Laws of War and Armed Conflict 3 (4th ed. 2004), paywall, doi.

  12. 12.

    International Criminal Court, Elements of Crimes, ICC-ASP /1/3, Adopted and Entry into Force 9 September 2002, updated at Kampala, 31 May-11 June 2010, 26 (Jun. 11, 2011) [hereinafter Elements of Crimes], available online, archived; Andreas Zimmermann & Robin Geiß, Article 8 in The Rome Statute of the International Criminal Court: A Commentary, 553-4 (Otto Triffterer & Kai Ambos eds., 3rd ed. 2016).

  13. 13.

    Elements of Crimes, supra note 12, at n.47; Schabas, supra note 9, at 242; Mark Klamberg, Article 8(2)(b)(xvi), in Commentary on the Law of the International Criminal Court (Mark Klamberg & Jonas Nilsson eds., last updated Jun. 30, 2016), available online.

  14. 14.

    The Prosecutor v. Zejnil Delalić, Zdravko Mucić, Hazim Delić and Esad Landžo, IT-96-21-T, Judgement (ICTY TC, Nov. 16, 1998) [hereinafter Čelebići], available online.

  15. 15.

    The Prosecutor v. Enver Hadžihasanović and Amir Kubura, IT-01-47-T, Judgement, ¶ 52 (ICTY TC, Mar. 15, 2006) [hereinafter Hadžihasanović], available online.

  16. 16.

    The Prosecutor v. Jean-Pierre Bemba Gombo, ICC-01/05-01/08-3343, Judgment pursuant to Article 74 of the Statute, ¶ 117 (TC III, Mar. 21, 2016) [hereinafter Bemba], available online.

  17. 17.

    Zimmermann & Geiß, supra note 12, at 562.

  18. 18.

    The Prosecutor v. Germain Katanga and Mathieu Ngudjolo Chui, ICC-01/04-01/07, Decision on the confirmation of charges, ¶ 330 (PTC I, Sep. 30, 2008), available online.

  19. 19.

    Rome Statute, supra note 3, Art. 8(1)(a)(iv).

  20. 20.

    Id. Art. 8(2)(b)(ii).

  21. 21.

    Id. Art. 8 bis.

  22. 22.

    Oscar M. Uhler et al., eds., ICRC, Commentary on the Geneva Convention Relative to the Treatment of Prisoners of War 601 (Jean S. Pictet, ed., 1958) [hereinafter Geneva Convention IV Commentary], available online.

  23. 23.

    The Prosecutor v. Tihomir Blaškić, IT-95-14-T, Judgement, ¶ 157 (ICTY TC, Mar. 3, 2000), available online.

  24. 24.

    Geneva Convention IV Commentary, supra note 22, at 601.

  25. 25.

    Schabas, supra note 9, at 219; The Prosecutor v. Dario Kordić and Mario Čerkez, IT-95-14/2-T, Judgement, ¶ 335-340 (ICTY TC, Feb. 26, 2001), available online.

  26. 26.

    Rome Statute, supra note 3, Art. 8(1)(b)(ii)

    (criminalizing “[i]ntentionally directing attacks against civilian objects, that is, objects which are not military objectives.”).

  27. 27.

    Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, 1175 U.N.T.S. 3 (adopted Jun. 8, 1977, entered into force Dec. 7, 1978), available online.

  28. 28.

    Schabas, supra note 9, at 227; Noëlle Quénivet, Article 8(2)(b)(ii), in Commentary on the Law of the International Criminal Court (Mark Klamberg & Jonas Nilsson eds., (last updated May 13, 2019), available online; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), 1996 I.C.J. Rep. 226, ¶ 78 (Jul. 8, 1996), available online; Jean-Marie Henckaerts & Louise Doswald-Beck, Customary International Humanitarian Law, Volume I: Rules Rule 7 (2005), available online.

  29. 29.

    Yves Sandoz, Christophe Swinarski & Bruno Zimmermann eds., ICRC, Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (1987), available online.

  30. 30.

    Office of the Prosecutor, International Criminal Court, Situation on Registered Vessels of Comoros, Greece and Cambodia: Article 53(1) Report, ¶ 93 (Nov. 6, 2016), available online.

  31. 31.

    Rome Statute, supra note 3, Art. 22(2).

  32. 32.

    Bruce Broomhall, Article 22, in Rome Statute of the International Criminal Court: Article-by-Article Commentary 38 (Otto Triffterer & Kai Ambos eds., 3rd ed. 2016).

  33. 33.

    S.W. v. The United Kingdom, 20166/92, Judgment ( ECHR, Nov. 22, 1995), available online; C.R. v. The United Kingdom, 20190/92, Judgment ( ECHR, Nov. 22, 1995), available online.

  34. 34.

    Heather Harrison Dinniss, Cyberwarfare and the Laws of War 62 et seq. (2014), paywall, doi

    (using a similar line of argument that cyber-only attacks can violate U.N. Charter Art. 2(4), stating that “the weapon criteria is losing its relevancy in today’s world.” However, she limits her argument to an attack that “manifest itself in the physical sphere”).

    Similar Nils Melzer, UNIDIR, Cyberwarfare and International Law 8 (2011), available online.

    (Whether financial losses fall under her conception of Art. 2(4) of the Charter is unclear).

  35. 35.

    United Nations Charter, Preamble.

  36. 36.

    Melzer, supra note 34, at 8.

  37. 37.

    Andreas Zimmermann & Elisa Freiburg, Article 8 bis, in Rome Statute of the International Criminal Court: A Commentary, 157-58 (Otto Triffterer & Kai Ambos eds., 3rd ed. 2016).

  38. 38.

    James A. Delanis “Force” under Article 2(4) of the United Nations Charter: The Question of Economic and Political Coercion, 12 Vand. J. Transnat’l L. 101 (1979), paywall.

  39. 39.

    See Daniel B. Silver, Computer Network Attack as a Use of Force Under Article 2(4) of the United Nations Charter, in Computer Network Attack and International Law 73 (Michael N. Schmitt & Brian T. O’Donnell eds., 2002), available online

    (rejecting this argument in the context of economic cyber attacks).

    Albrecht Radelzhofer & Oliver Doerr, Article 2(4), in The Charter of the United Nations: A Commentary, Volume I 17-20 (Bruno Simma et al. eds., Nov. 2012), paywall, doi

    (rejecting the inclusion of economic and political force).

    See also Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States), Judgment, 1986 I.C.J. Rep. 14, ¶ 195 (Jun. 27, 1986), available online.

  40. 40.

    Melzer, supra note 34, at 7.

  41. 41.

    United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Bureau Proposal, A/CONF.183/C.1/L.59, at 1 (Jul. 10, 1998) [hereinafter Bureau Proposal], available online.

  42. 42.

    Zimmermann & Freiburg, supra note 37, at 30 et seq.

  43. 43.

    United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Proposal by Germany, A/AC.249/1997/WG.I/DP.20, at 2 (Dec. 11, 1997), available online.

  44. 44.

    Id.

  45. 45.

    Rome Statute, supra note 3, Art. 8 bis(1).

  46. 46.

    Elements of Crimes, supra note 12, at 43.

  47. 47.

    Marie Aronnson-Storrier, Article 8 bis(1) in Commentary on the Law of the International Criminal Court (Mark Klamberg & Jonas Nilsson eds., last updated Apr. 10, 2017), available online; Mary Ellen O’Connell & Mirakmal Niyazmatov, What is Aggression? Comparing the Jus ad Bellum and the ICC Statute, 10 J. Int’l Crim. Just. 189 (Mar. 2012), paywall, doi; Patrycja Grzebyk, Criminal Responsibility for the Crime of Aggression 201-02 (Oct. 2013), available online, doi; Claus Kreß, Strafrecht und Angriffskrieg im Licht des “Falles Irak”, 115 Zeitschrift für die gesamte Strafrechtswissenschaft, 294, 302-07 (2003) (Ger.), paywall, doi.

  48.

    Andreas Paulus, Second Thoughts on the Crime of Aggression, 20 EJIL 1117, 1122-23 (2009), available online, doi; Zimmermann & Freiburg, supra note 37, at 66.

  49.

    Manifest, Lexico, available online (last visited Feb. 26, 2022).

  50.

    David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (May 14, 2019), paywall.

  51.

    Press Release, FCDO, Foreign Office Minister Condemns North Korean Actor for WannaCry Attacks (Dec. 19, 2017), available online; North Korean Hackers Indicted, supra note 2; Gary D. Brown, Why Iran Didn’t Admit Stuxnet Was an Attack, 63 JFQ 70 (Oct. 1, 2011), available online (offering possible explanations for this restraint).

  52.

    As mentioned in Section II, war crimes can also be committed during a Non-International Armed conflict, which is outside the scope of this comment.

  53.

    Lindsey Cameron, Bruno Demeyere, Jean-Marie Henckaerts, Eve La Haye, Iris Müller, Cordula Droege, Robin Geiss, Laurent Gisel, Article 3—Conflicts Not of an International Character in Commentary on the First Geneva Convention 211 (Philip Spoerri et al. eds., 2016), paywall, doi.

  54.

    The Prosecutor v. Dusko Tadić, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 70 (ICTY AC, Oct. 2, 1995) [hereinafter Tadić], available online, archived.

  55.

    The Prosecutor v. Thomas Lubanga Dyilo, ICC-01/04-01/06, Judgment Pursuant to Article 74 of the Statute, ¶ 533, 541 (TC I, Mar. 14, 2012), available online; see also The Prosecutor v. Thomas Lubanga Dyilo, ICC-01/04-01/06, Decision on the confirmation of charges, ¶ 209 (PTC I, Jan. 29, 2007), available online.

  56.

    The Prosecutor v. Germain Katanga, ICC-01/04-01/07, Judgment Pursuant to Article 74 of the Statute, ¶ 1173 (TC II, Mar. 7, 2014), available online.

  57.

    Bemba, supra note 16, ¶ 223 (emphasis added); see also id. ¶ 1177.

  58.

    There might be issues regarding attribution of the attack, however.

  59.

    Melzer, supra note 34, at 22; Louise Doswald-Beck, Some Thoughts on Computer Network Attack and the Law of Armed Conflict, in Computer Network Attack and International Law 164-5 (Michael N. Schmitt & Brian T. O’Donnell eds., 2002), available online.

  60.

    Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Armed Attack, 100 Cal. L. Rev. 817, 850 (2012), available online.

  61.

    Michael N. Schmitt, Wired Warfare: Computer Network Attack and Jus in Bello, 84 Int’l Rev. Red Cross 365, 374-5 (2002), available online.

  62.

    Knut Dörmann, Applicability of the Additional Protocols to Computer Network Attacks, ICRC 4 (2004), available online; see also Cordula Droege, Get off my Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians, 94 Int’l Rev. Red Cross 533 (2012), available online.

  63.

    International Committee of the Red Cross, 31st International Conference of the Red Cross and Red Crescent: International Humanitarian Law and the Challenges of Contemporary Armed Conflicts 36-38 (2011), available online.

  64.

    Michael N. Schmitt, Rewired Warfare: Rethinking the Law of Cyber Attack, 96 Int’l Rev. Red Cross 189, 198 (2014), available online, doi.

  65.

    Droege, supra note 62, at 548.

  66.

    Doswald-Beck, supra note 59, at 165.

  67.

    Bureau Proposal, supra note 41, at 1.

Defining the Unique Issues Prosecuting Criminal Cyber Defense Actions Under the Rome Statute Presents: A Lost Cause?

Cybersecurity has launched itself to the spotlight within both the scope of governmental organizations protecting national security and private industry keeping their own systems intact. Societal dependence on technology has brought with it the magic of efficiency, cost-effectiveness and widespread digital penetration on a scale never before seen in human history. However, this exact reliance on technological features for our everyday economic, social, and political actions has made ensuring those means be secured through proper cybersecurity methods even more of a pressing matter. Cyberwarfare presents a unique set of problems that the International Criminal Court has been both hesitant and unclear in approaching. As warfare evolves, it is important that the international justice systems that regulate and investigate the crimes that come from it evolve as well.

In maintaining an active cyber defense system, the problem of what constitutes legal self-defense mechanisms or criminal actions that violate the Rome Statute becomes unclear.1 Due to the unconventional nature of both cybersecurity and cyberwarfare, it is difficult to maintain parallels between war crimes in a traditional sense to what may be acceptable in digital technology.2 This comment will address the jurisdictional, ethical and political concerns that arise in prosecuting governments maintaining “active cyber defense”, which commonly features a governmental entity utilizing real-time capabilities to discover, detect, analyze and mitigate threats.3 First, the comment will review why cybersecurity poses a unique set of jurisdictional problems that make it impossible to parallel effectively to traditionally understood methods of warfare. Second, the comment will address case studies of two government entities engaging in military cybersecurity efforts and the legality of certain actions undertaken by those government organizations under the Rome Statute: The United States Cyber Command and PLA authorized cyberwarfare forces in the People’s Republic of China. Finally, the comment will propose regulatory frameworks that can be adopted by the ICC for certain forms of cyberdefense methods and identify which existing frameworks of the Rome Statute controversial methods of cyberwarfare can fit within.

For many, the best defense is a good offense. This adage is one as old as war itself, with modern utilizations of the phrase ranging from defense commissions to football coaches.4 Mao Zedong famously asserted a policy of “active defense” in running the people’s navy, maintaining strong counter-attacking capabilities as the pinnacle of defensive strategy.5 Imperial Germany would apply this as their general strategy for the western front in World War I, where the Schlieffen Plan deduced that the easiest way to defend their heavily fortified border between France during all-out war would be to knock France out altogether with a preemptive strike through Belgium.6 While preemptive action wouldn’t suffice to qualify, the Rome Statute clearly outlines self-defense as grounds for excluding criminal responsibility, stating in Article 31(1)(c) that if the person:

[A]cts reasonably to defend himself or herself or another person or, in the case of war crimes, property which is essential for the survival of the person or another person or property which is essential for accomplishing a military mission, against an imminent and unlawful use of force in a manner proportionate to the degree of danger to the person or the other person or property protected.7

The problem comes within the details—like much else with international frameworks, language and word choice play a substantial role in determining what actually qualifies as self-defense. Reasonability can vary wildly from one entity to another, and the definition of “person or property protected” seems like a relatively closed-book question until you start approaching the definition of property with the sophistication of networks and cyber space activity today. While this self-defense statute is for individual persons, it serves as an introductory framework for how to treat similar arguments in the name of cybersecurity—if defense measures are deemed “essential for accomplishing a military mission”, should more leeway towards aggressive defensive measures in the name of preventing cyber attacks be allowed?8 In addition, does the proportionality of the degree of danger to a state matter? For example, should nations with a significant history of cyber attacks, such as South Korea in relation to North Korean hacking attempts or the United States in its geopolitical dealings with China and Russia, be granted more international leeway in how they manage their cybersecurity efforts?9

While both Article 31(1)(c) of the Rome Statute and the Rome Statute itself address an active cyber defense in the context of armed conflict, they also open up the question of the legality of “hack back” in an ICC context.10 Hack back is often referred to as active cyber defense, which leads to confusion between how to distinguish both terms; for the purposes of this comment, an active cyber defense will be defined using the Department of Defense definition defined below, while hack back will be used to describe private-sector actions undertaken to engage in cyber attacks against those who commit attacks on them.11 While state entities are the primary target of discussion for this comment, it is essential to mention the role that private figures can play in both cybersecurity measures and the directing of cyber attacks.12 Before the incorporation of cybersecurity initiatives in a military context, the dark web and insecure infrastructure open to target by hackers were mostly engaged in by computer specialists acting either independently or in small groups, mostly for financial benefit or solely for exploration.13 Over time, these hackers would either be utilized as modern-era mercenaries in the cyber fight for foreign interests or be meshed in with current military personnel as a key part of defense operations by a state.
As such, private interests serve a key role in the cyber space discussion.14 Proponents argue that protections against cyber intrusions have just as significant of an interest in property rights as the right to self-defense in case of physical intrusions into your home does.15 While cyber security threats against the electoral process have been the most high profile, state actors such as then-National Security Advisor John Bolton have addressed the United States’ willingness to expand “hack back” towards both economic and other governmental threats as well, showing a willingness by the executive branch to expand such military capabilities.16 A recent bill introduced to legalize such private actions in hack back to both identify and counter hack suspected software introducers and malware distributors was proposed in 2019 but died in committee after being introduced into the House of Representatives.17 This is, however, the last prominent mention of the legality of such hack back methods in both houses of Congress.18 Whether the private sector can engage in offensive cyber action has, thus, been little debated in both a domestic and international realm—however, under 31(1)(c), it would seem feasible that private actors who face cyber criminality can just as easily retaliate as a means of defense, as long as those means can be interpreted as “reasonable” to their survival.19 This again poses a problem in differentiating between actions based on both intensity and perspective; is it a “reasonable” counter towards economic cyber attacks against a company’s intellectual property for the company to engage in active server sweeping and IP tracking for hackers that might be operating in foreign jurisdictions? In the same sense, would private parties acting in retaliation against state sponsored cyber terrorism as a proxy for another state party be merely self-retaliation or a criminal act in itself?
Under current international standards within the Rome Statute, the state actor requirement severely limits the ability for organizations like the ICC to even have the jurisdictional capabilities to prosecute on private actors.20 Even in a hypothetical scenario where private actors commit cyber attacks only on signatory nations, it would be impossible to prosecute under the four core crimes unless the prosecutor was able to find evidence of an affiliation between those aforementioned hackers and a state entity.21 Such issues between the private and public sphere bring further problems with effective regulation of the cyber criminal space.

In addition, the limited space that cyber crime can fit into within the Rome Statute makes clarification necessary. Of the four core international crimes of genocide, crimes against humanity, war crimes and the crime of aggression, only the crime of aggression can aptly be identified as best to encompass cyberspace activities.22 Article 8 of the Rome Statute clearly outlines which acts are considered to be “war crimes”, so even though much cyber criminality engaged in major global conflicts could be seen by its loosest definition as a war crime, it would be difficult to prosecute without being able to fit in one of those examples.23 While cyber criminality could be a precursor or enabler of genocidal actions, it would be just as difficult, if not more, to try to fit cyber attacks in that category as well.24 The crime of aggression’s more loosely defined standards, in contrast with crimes against humanity, where a relatively exhaustive list is defined like war crimes, makes aggression the likely fit.25

In addition, the usage of technology will inevitably continue to influence how the future of warfare may present itself, but also impose new criminal actions that may not currently fit neatly into the Rome Statute’s definitions for prosecutable crimes. In traditional warfare, the line between self-defense and aggression can more clearly be defined; the Rome Statute itself outlines that an act of aggression applies to “the use of armed force by a state against the sovereignty, territorial integrity or political independence of another State.”26 An attack on a country’s land, sea, or air forces can easily be identified and distinguished from the mere presence of military soldiers on the border, and the blockading of ports or violation of other sovereign rights by a foreign country also requires both intent and noticeable military action by the offending party.27 However, how can the “use of armed force” be defined in cyberdefense systems? Two common methods of cyber criminal activity, denial-of-service (DoS) and malware attacks, both pose immense jurisdictional questions as they can not only be conducted by both private or state entities, but also transcend borders by being able to attack almost any device that is connected within the internet, where physical borders need not apply.28 DoS attacks disrupt traffic by overrunning a server or network through multiple attacks on a target’s IP address, where programmed bots do nothing but overwhelm the server to prevent it from being able to carry out its original task, thus instituting the namesake denial of service.29 When conducting large-scale attacks, a DoS attack can elevate to the status of a distributed denial-of-service attack (DDoS) if the source of the bots and requests to a server is made from multiple different sources, making it difficult for the attacked party to identify both where the disruption is coming from or block a single source to try to stop the attack.30 Compared to espionage, DDoS attacks are more straightforward in their legal acceptance—state parties engaging in DDoS against other state parties are almost universally condemned and considered a violation of acceptable cybersecurity standards.31 Malware, a shortened portmanteau for malicious software, requires installing software on the computer or network to function, but serves a similar goal in DoS / DDoS attacks in shutting down capabilities of the technology targeted.32

A high profile malware attack came recently in the form of Stuxnet, considered to be one of the most sophisticatedly engineered and targeted malware attacks in cyberattack history which deliberately attacked Iran’s nuclear program and spread rapidly across the country’s network.33 Its highly controlled design had both a rapidly spreading “worm” component that executed attacks against installed operating systems and a rootkit component that would hide traces of Stuxnet from computers, making it almost undetectable to those who were not searching for the malware.34 In addition, its conspicuous target against five Iranian organizations, with 60% of the infected computers worldwide being in Iran, led to widespread concern that the attack was actually a coordinated United States—Israeli cyber attack effort.35 The code was sophisticated enough and clearly politically motivated, as the virus itself only targeted the closed computer systems of the Iranian government’s nuclear enrichment facilities, which meant that the virus spread to a target that was not connected to the public internet and instead only spread within internal Iranian networks.36 Both the United States and Israel have denied any association with the attack.37 While such state connections have not been conclusively proven, it’s difficult to see a scenario where United States involvement did not occur.38

Geopolitical problems like Stuxnet embody both how dangerous cyber attacks can be when conducted through state parties and how difficult it may be to enforce action against them, as not only are there a myriad of jurisdictional issues involved but a lack of proof against those conducting countries. A step forward was necessary—while cybersecurity wasn’t the catalyst, the definition of aggression was further clarified in the so-called Kampala Compromise, a series of amendments to the Rome Statute undergone during a 2010 review in Uganda.39 The review mostly addressed this difficult to ascertain definition for aggression, by providing procedural methods for the ICC judges to more clearly define which actions may fall under the crime of aggression.40 Furthermore, it allows for the U.N. Security Council to step in and rule that certain actions do not constitute aggression.41 Most importantly, however, the conference and resulting amendment clarified a list of acts that would qualify as a crime of aggression.42 Aforementioned examples of blockading ports and bombarding a foreign state’s territory were added to Article 8 to provide further clarification, and also added provisions such as the “sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State” to also qualify.43 As expected, the further clarifications do not allow for cyber warfare to fit neatly in any example.44 Computer programming specialists, many of whom are non-state entities that may be recruited to design the sophisticated malware attacks carried out like Stuxnet, would generally fit under the Kampala amendments, but whether middle grounds such as cyber surveillance against foreign armed forces without disrupting their services constitute an attack is still up to interpretation.45 While Kampala provides further clarification and serves as a concrete step clearing up what acts of aggression might actually be prosecutable, it requires another ICC amendment that can make vague definitions on territorial rights and attacks be placed in a uniquely new perspective, built and focused on cyber security and accounting for the simultaneous and ubiquitous nature of network connections to truly allow for cyber crimes to be properly categorized.46 In the case of Stuxnet, even if conclusive evidence linking the attack to both Israel and the United States existed, jurisdictional problems would make prosecution impossible, as neither country is a signatory party to the ICC, nor is Iran.47 The Kampala compromise’s opt-out clause also makes it virtually impossible to prosecute on the issue of aggression.48 Without a binding structure by which signatory countries must accept, cybersecurity measures no longer become what is acceptable de jure under the Kampala Amendment but rather whatever will provide a military advantage to countries, with rule of law overtaken by an impossible-to-adjudicate de facto reality.49 Thus, while Stuxnet was one of the most prominent attacks of the past decades, it will certainly not be the last.50 A state entity could just as easily install a malware program to harvest classified military data from an enemy party that would violate both (1) the sovereignty of that enemy party by installing malicious software onto computers and servers that lie within the latter’s borders and (2) serve as an internationally accepted form of espionage under the guise that, more often than not, virtually every modern nation engages in such cross-border practices as a part of an active cyber defense strategy. Thus, the compromise/amendment does little to further the problem of effectively incorporating cyber criminality within the Rome Statute frameworks.51

Further muddying the waters is the difficulty in distinguishing between what is acceptable as part of an active cyber defense and what becomes generally accepted as cybercrime. The Department of Defense (DoD) officially defines their “active cyber defense” as the DoD’s “synchronized, real-time capacity to discover, detect, analyze, and mitigate threats and vulnerabilities,” which “operates at network speed by using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems.”52 Problems lie when further attempting to define what each of these verbs might actually mean in practice. The overbroad possibilities that “real-time capacity” can entail in addition to “software and intelligence” means that general questions must be asked that can clarify how intrusive a cyber defense mechanism might be.53 A question that could be asked to clarify is whether the cybersecurity measure has internal or external capabilities.54 Protecting a state’s own servers through IP address whitelists and blocking suspicious connections coming from foreign IP addresses would universally be accepted but identifying origin sites from incoming or outgoing network traffic to servers that aren’t located within sovereign boundaries would clearly be an external act that would be a grey area.55 Another potential distinguisher would be whether the mechanism is solely utilized for surveillance and observational purposes or has capabilities to disrupt and change an opposing country’s technological capabilities remotely.56 While software that merely observes server data and checks to see if any connections are being made that could source sensitive DoD information to a foreign country’s server might be considered an internationally accepted form of espionage, this question would make harvesting sensitive internal data from foreign countries, which would clearly constitute a cyber attack, to be a legitimate defense mechanism.57 In essence, no 
single definition actually exists on what qualifies as internationally accepted standards for an “active cyber defense” and what qualifies as a “cyber attack”—establishing clear boundaries from the current international standards on what is considered acceptable and not between state parties is essential to actually identify whether such actions can constitute crimes against each country.58

Another key issue comes from identification. Discovering who might be perpetrating a cyber attack poses greater challenges than conventional warfare. Even in conventional warfare, significant problems exist in being able to actually collect prosecutable evidence during the ICC’s investigative practices.59 The prosecutor is constantly stymied by what is a “failure to satisfy the burden of proof to the requisite standard,” and the difficulty of collecting evidence for many human rights violations, for which there might be little if any writing available documenting what, who and when anything happened, makes convictions even rarer.60 While Second Chief Prosecutor Fatou Bensouda’s decision to favor large-scale, open-ended investigations over the small teams of ground-level investigators that first prosecutor Luis Moreno Ocampo used might be marginally more successful, both cannot account for the insurmountably large issue of being able to actually identify who might be behind cyber crimes.61 Instead of a thick jungle wall or locals unwilling to cooperate hiding key perpetrators, a sea of code so sophisticatedly written that traces of the source might not even be found after a DoS attack can be a death knell to any attempt at prosecution.62 The Rome Statute is intentionally broad in identifying perpetrators as anyone who commits “the most serious crimes of concern to the international community as a whole.”63 This broad categorization is further specified once crimes that are within the ICC’s jurisdiction are identified, with the prosecutor-general seeking out those who “bear the greatest responsibility” for those aforementioned crimes.64 Both exist for many practical reasons in addition to jurisdictional problems—identifying who might be responsible for criminal actions is often a decades-long and arduous process fraught with extensive evidence collection and dependency on witnesses and cooperation by war-torn populations who might be hesitant on offering support to ground workers for the ICC.65 In addition, any international crime contains multiple layers of criminals who are perpetrating human rights violations, with the ICTY’s sentencing for Srebrenica involving multiple high-profile military commanders like Zdravko Tolimir and Vujadin Popović, who both face life sentences for their role in the massacre.66 This is consistent with the “bear the greatest responsibility” standard, with prosecutors focusing on the decision-making perpetrators of the most heinous crimes.67 However, many of the most high-profile cybercriminal actions of the last few decades have resulted in ambiguous prosecutable figures coming forth, with the only evidence of action being the hacking itself.68 The Paris G20 Summit cyber attacks, which obtained documents from more than 150 of the ministry’s 170,000 computers through a malware attack, did not lead to any criminal prosecution.69 The only evidence of state action came from a ministry report that the malware’s files were directed to Chinese computers, which in itself did not serve as concrete or even verifiable proof of interference or knowledge by the Chinese government.70 Other coordinated cyber attacks, like the July 2009 DoS attack against American and South Korean government websites, have had suspected North Korean interference, but mostly from timing and geopolitical concerns instead of concrete evidence.71 Similar to the Stuxnet attacks, it was evident from the beginning that the 2009 attacks had the signs of political interference.72 Government and commercial websites came under attack, and the scale of the botnets were from relatively unsophisticated systems ranging from 50,000 to 65,000 computers that had been commandeered by hackers—much less sophisticated than Stuxnet, but something that could be expected if coming from a less technologically capable nation like North Korea.73 Thus, while the effects weren’t as damning as most websites were able to reaccess key functions within the same day, the precedent set that a hostile entity can engage in such DDoS attacks against a neighboring country’s core technological infrastructure, especially in an internet-economy nation like South Korea, with little fear of prosecution makes for a dangerous future as their hacking capabilities continue to grow.74 This ease of cyber attacks launching devastating consequences on obtaining classified state information combined with the difficulty of actually tracking who or what might be causing such attacks makes for these cybercrimes to exist within a different realm than collecting evidence of proof for conventional warfare.75 As such, countries have relied more heavily on cyber defense mechanisms to obtain concrete evidence of state action in suspected cyber attacks.76 This has fed a difficult-to-measure feedback loop of states being more brazen in their counter-offensive capabilities for cyber defense in order to counteract the sophistication of hidden cyber attacks, leading to cyber attacks potentially sponsored or undertaken by state interests becoming more incognito and intrusive which leads to state defense systems going through greater lengths and repeating again and again.77

Maintaining an active cyber defense and eliminating potential issues of identification through constant surveillance are both within key military goals of the United States. As such, United States Cyber Command (USCYBERCOM) serves an essential role as the front lines of cybersecurity methods on a national scale.78 USCYBERCOM was established in 2010 and serves as the cybersecurity defense and protection for the Department of Defense, with civilian networks being protected under the Department of Homeland Security.79 The growing importance of cyber security is clearly stated in both the mission statement and official documents released by the Department of Defense; the vision statement of USCYBERCOM, approved in March 2018, states that:

Defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins. Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks. We will pursue attackers across networks and systems to render most malicious cyber and cyber-enabled activity inconsequential while achieving greater freedom of maneuver to counter and contest dangerous adversary activity before it impairs our national power.80

The decision to “pursue attackers across networks and systems to render most malicious and cyber-enabled activity inconsequential” may just be political war hawk language, but it is clear that, if effective, it indicates that organizations like USCYBERCOM intend to not only pursue cyber defensive capabilities solely within our jurisdictional borders but go on the offensive in disrupting systems through aggressive activities more likely to be classified as violations against other state security systems (if targeting foreign powers).81 It certainly uses language that would make operations like Stuxnet be considered a justified, preemptive strike “before it impairs our national power”, referencing American hegemony.82 Other countries have followed suit, with military departments in other armed forces for nations such as China and Russia also expanding on their current cybersecurity defenses and establishing entire divisions dedicated towards cyberspace operations like USCYBERCOM.83 Like USCYBERCOM, the People’s Liberation Army of China established their own separate branch dedicated towards cyber and electronic warfare in the past decade.84 The People’s Liberation Army Strategic Support Force (PLASSF) was created in 2015, with an aggressive emphasis on a dual-support network of talent recruitment at high-ranking Chinese universities and joint ventures with universities and private sector industries on research methods.85 Much of China’s cyberwarfare efforts were conducted not through government departments like PLASSF, but rather through private contractors and espionage specialist hackers who were given immunity from government prosecution by the Ministry of State Security.86 PLASSF represents a goal by the Chinese military to both professionalize their cybersecurity efforts and establish in-house operations that fit within internationally accepted cybersecurity norms.87 President Xi Jinping addressed the importance of PLASSF within China’s long-term military strategy at
the 19th National Congress of the CCP in 2017, further demonstrating a necessary time crunch on both governments to bolster their cybersecurity efforts for the future and for international organizations like the ICC to speed up their ability to regulate and properly adjudicate on cyber crime related issues.88 How aggressive PLASSF will be in their activities is to be seen—Chinese military action has been notoriously secretive over the years, but history tells us that a growing Chinese cyber military threat will likely be at least as potently aggressive as what other major powers like the United States might bring to the table. A facet to consider is if state consolidation of cyber security efforts into military divisions/commands such as USCYBERCOM and PLASSF could potentially lead to state parties being held liable for the controversial cyber security methods that they partake in, what could incentivize such efforts? Outside of general military restructuring, establishing dedicated branches demonstrates an aforementioned priority towards cyber security structure, even if it may lead to jurisdictional liability. In addition, the weaknesses of enforceability by international organizations like the ICC in being able to attribute cyber crimes and cyber attacks as crimes of aggression will lead to departments like the PLASSF continuing to gain strength with little checks in power, as the benefits that accrue from a head start in cyber capabilities outweigh whatever legal liability that they will find themselves in—which, due to the above problems in enforceability, will likely remain zero under the current structure.

Finally, enforceability becomes an issue, one that is closely intertwined with the problem of identification. When private entities, such as “hack back” initiatives or PLA association with private research forces or state-sponsored and/or state-prosecution-immune hackers, become the instigators of cyber attacks, determining the liability of the host countries or state parties behind the decision making becomes both controversial and outright impossible.89 The most preeminent figures in both active cyber defense and potential sovereign sources of cyber criminality, the United States, Russia and China, also happen to be three of the five permanent members of the U.N. Security Council, making the Kampala Compromise’s delegation of power between both the prosecutor and the Council come at odds.90 In addition, proving that suspected attacks might have links to a country leads to evidentiary concerns far more difficult than what has been faced by the ICC in the bloodiest and most uncooperative war zones, as much cyber criminality can just as easily be conducted with virtually no trace of where the attack originated, with technological capabilities to reduce traceability continuing to improve by the year.91 In addition, the efforts that countries can undertake to try to identify who may be behind cyber attacks may themselves be considered too aggressive under the Kampala aggression definitions, leading to another contradictory loop where the only solutions to criminal actions might be state parties committing internationally recognized criminal actions themselves.92 In the end, laws are only as powerful as they are enforceable and actually influence human/state behavior—nations that see that few repercussions will occur from their objectively illicit cybersecurity actions will have little to no incentive to stop.93 The Security Council’s political involvement functionally guarantees that, under the current legal framework, cyber-aggression, at least by state entities, will go unpunished, but this should not deter policymakers from looking into what language can be used to try to deter.94 In the end, the goal of international organizations like the ICC is not only to punish crime through a retributive criminal defense mindset, but to promote peace by incentivizing nations to limit their offensive cyber defense systems.95

So, in this unclear, uncharted territory where the line between cyber crime and cybersecurity becomes thinner and thinner, where can the ICC go from here? Attempts to further provide clarification through compromises like the Kampala Amendments are a good start—while not enough in their entirety, providing clearer standards by which cyber criminal actions can fit within the crime of aggression will be the first step in outlining to state parties what cyber defense measures will and will not be condoned. Jurisdictional issues will continue to haunt the ICC in both cyber warfare and traditional conflict; as such, the contentious issue of how to prosecute private parties that may be acting with state decision-makers in organizing large-scale cyber attacks may pose too large of a hurdle for the ICC to combat without addressing their other key jurisdictional problems involving signatory opt-outs and enticing non-member states to join. As such, establishing stronger boundaries between surveillance actions that have been internationally condoned as part of a cyber defense system and demarcating DoS and malware attacks that involve direct action against another state’s military capabilities as example crimes of aggression will apply the pressure necessary to institute changes in internal state decision-making. In addition, holding military commands dedicated to active cyber defense such as USCYBERCOM and PLASSF for signatory nations liable as the parties responsible for those aforementioned cyber attack crimes will allow for the ICC to hold nations accountable as cybersecurity measures become more centralized and sophisticated within state governments. Only time will tell whether the ICC will be capable of enacting such narrowed policies to target cyber attack problems. However, there is no doubt that the current definitions for the crime of aggression and how cyber criminality might fit into the Rome Statute are wholly insufficient to deal with this rising problem—a problem that will inevitably become worse as technology develops and both states and hackers develop their offensive capabilities in cyber space.

Endnotes

  1. Paul Rosenzweig, International Law and Private Actor Active Cyber Defensive Measures, 47 Stan. J. Int’l L. (May 28, 2013), available online, doi.

  2. Id. at 2.

  3. Active Defense, Fortinet, available online (last visited Feb. 26, 2022).

  4. Monica E. Oss, For Crisis Recovery, the Best Defense Is A Good Offense, Open Minds (Jul. 1, 2020), paywall.

  5. James R. Holmes, The Two Words That Explain China’s Assertive Naval Strategy, Foreign Pol. (Jun. 3, 2015), available online.

  6. Michael Belil, A Re-Examination of the Schlieffen Plan, The Strategy Bridge (Feb. 1, 2018), available online.

  7. Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 31(1)(c), available online.

  8. Id.

  9. Ed Caesar, The Incredible Rise of North Korea’s Hacking Army, The New Yorker (Apr. 19, 2021), available online.

  10. Rosenzweig, supra note 1, at 2.

  11. Id.

  12. Id. at 7.

  13. Id.

  14. Id.

  15. Shannon Vavra, Congress to Take Another Stab at ‘Hack Back’ Legislation, CyberScoop (Jun. 13, 2019), available online.

  16. Id.

  17. All Actions to Active Cyber Defense Certainty Act, H.R. 3270, 116th Cong. (2019), available online.

  18. Vavra, supra note 15.

  19. Rome Statute, supra note 7.

  20. Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield, 9 Duke L. & Tech. Rev. (2010), available online.

  21. Id. at 8.

  22. Id. at 24.

  23. Id.

  24. Id.

  25. Id.

  26. Rome Statute, supra note 7, Art. 8.

  27. Id. Art. 8 bis (noting that examples stated, such as the blockading of ports and the violation of other sovereign rights, were inserted by resolution RC/Res.6, infra, as the Kampala amendment/compromise). The Crime of Aggression, RC/Res.6 at 17, in Assembly of State Parties, Review Conference of the Rome Statute of the International Criminal Court, Kampala, 31 May-11 June 2010 Official Records II (Jun. 11, 2010), available online, archived.

  28. Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 23 Yale J. Int’l L. 191 (2018), available online.

  29. Id. at 10.

  30. Id. at 11.

  31. Id.

  32. What Is Malware?, Cisco Systems, available online (last visited Feb. 26, 2022).

  33. Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 23 Yale J. Int’l L. 191 (2018), available online.

  34. Chance Cammack, The Stuxnet Worm and Potential Prosecution by the International Criminal Court under the Newly Defined Crime of Aggression, 20 Tul. J. Int’l & Comp. L. 303 (2011), paywall.

  35. Id.

  36. Id.

  37. Id.

  38. Id.

  39. Kevin L. Miller, The Kampala Compromise and Cyberattacks: Can There Be an International Crime of Cyber-Aggression?, 23 S. Cal. Interdisc. L.J. 217 (Feb. 19, 2014), available online.

  40. Id. at 221.

  41. Id. at 220.

  42. Id. at 233.

  43. Rome Statute, supra note 7, Art. 8.

  44. Ophardt, supra note 20, at 8.

  45. Id.

  46. Miller, supra note 39, at 222.

  47. Id. at 257.

  48. Id.

  49. Id.

  50. Id.

  51. Id.

  52. United States Department of Defense, Department of Defense Strategy for Operating in Cyberspace (Jul. 2011), available online.

  53. Rosenzweig, supra note 1, at 3.

  54. Id.

  55. Id. at 4.

  56. Id.

  57. Id. at 5.

  58. Id.

  59. Patryk Labuda, The ICC’s ‘Evidence Problem’: The Future of International Criminal Investigations After the Gbagbo Acquittal, Völkerrechtsblog (Jan. 18, 2019), available online.

  60. Id.

  61. Id.

  62. Id.

  63. Human Rights Watch, The Selection of Situations and Cases for Trial Before the International Criminal Court (Oct. 26, 2006), available online.

  64. Id. at 2.

  65. Id.

  66. Marlise Simons, Genocide Verdicts in Srebrenica Killings, N.Y. Times, Jun. 10, 2010, available online.

  67. Id.

  68. Ophardt, supra note 20, at 8.

  69. Paris G20 Files Stolen in Cyber Attack, Homeland Security News Wire, Mar. 18, 2011, available online.

  70. Id.

  71. Choe Sang-Hun & John Markoff, Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea, N.Y. Times, Jul. 8, 2009, available online.

  72. Id.

  73. Id.

  74. Id.

  75. Id.

  76. Id.

  77. Ophardt, supra note 20, at 12.

  78. Our History, U.S. Cyber Command, available online (last visited Feb. 26, 2022).

  79. Id.

  80. Id.

  81. Id.

  82. Id.

  83. Suyash Desai, PLA SSF: Why China Will Be Ahead of Everyone in Future Cyber, Space or Information Warfare, The Print (Dec. 31, 2019), available online.

  84. Id.

  85. Id.

  86. Saikiran Kannan & Abhishek Bhalla, Inside China’s Cyber War Room: How PLA Is Plotting Global Attacks, India Today, Aug. 6, 2020, available online.

  87. Id.

  88. Derek Grossman & Michael S. Chase, Xi’s Consolidation of Power at the 19th Party Congress: Implications for PLA Aerospace Forces, RAND Blog (Dec. 11, 2017), available online.

  89. Ophardt, supra note 20, at 19.

  90. Miller, supra note 39, at 221.

  91. Id. at 259.

  92. Id. at 257.

  93. Id.

  94. Id.

  95. Id.

Incorporation of Cyberwarfare in the Rome Statute: A Futile Endeavour

Introduction

How wars are conducted has evolved throughout history with nations adopting more and more efficient and sophisticated means of causing mass destruction. We are witnessing a transition from traditional weapons such as ammunition to cyber weapons. The Tallinn attack of 2007, the Georgia hack of 2008 and the Stuxnet worm detected in 2010 are already some existing examples of cyber attacks.1 It is predicted that more and more states in future conflicts are likely to make use of their cyber means for warfare as that can bear more significant results at much cheaper costs since the production and manufacturing cost of a cyber attack is much more affordable, accessible, and available to most states. However, the inverse also comes at a cost: countries with advanced cyber capacity rely more on cyber technology to operate their infrastructure, making them more vulnerable if a cyber attack is launched on them.2

For the purposes of this comment, I think it is also necessary to note the distinction between a cyber crime and a cyber attack. A cyber crime is punishable under the penal code of a nation and involves private perpetrators. It is a computer related and content related offense like fraud or forgery. The aim, however, is not to destroy, degrade or deny information that is residing in the computers or to compromise the computers. Whereas cyber attacks are launched with a focus of not just destroying information but harming connected systems and facilities that are external to a computer or network with the intent and potential to cause mass destruction and human loss.3

In recent years, there have been attempts made to formalize cyber offenses in international criminal law; however, nothing concrete has been formulated thus far in the cyber space realm. Scholars and experts have also made convincing arguments to read cyberwarfare within Article 8 bis (Crime of Aggression) of the Rome Statute. For convenience, I quote Article 8 bis4 below:

  1. For the purpose of this Statute, “crime of aggression” means the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.

  2. For the purpose of paragraph 1, “act of aggression” means the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations. Any of the following acts, regardless of a declaration of war, shall, in accordance with United Nations General Assembly resolution 3314 (XXIX) of 14 December 1974, qualify as an act of aggression:

    1. The invasion or attack by the armed forces of a State of the territory of another State, or any military occupation, however temporary, resulting from such invasion or attack, or any annexation by the use of force of the territory of another State or part thereof;

    2. Bombardment by the armed forces of a State against the territory of another State or the use of any weapons by a State against the territory of another State;

    3. The blockade of the ports or coasts of a State by the armed forces of another State;

    4. An attack by the armed forces of a State on the land, sea or air forces, or marine and air fleets of another State;

    5. The use of armed forces of one State which are within the territory of another State with the agreement of the receiving State, in contravention of the conditions provided for in the agreement or any extension of their presence in such territory beyond the termination of the agreement;

    6. The action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State;

    7. The sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein.

On reading the article above, it becomes very apparent that attempts to read cyberwarfare within this specific framework are a far-reaching ideal and not without shortcomings. The argument that I would like to make in this comment is that, as the Rome Statute stands today, attempts at incorporating and reading cyberwarfare into this limited legal framework are a fanciful idea for various reasons that I will enumerate below.

The Problem of Accountability

Chain of Command

This discussion is in the context of Article 285 of the Rome Statute with a focus specific to military/superior commanders under whose command cyber attacks are conducted and cause violation of international humanitarian law. Article 28, entitled “Responsibility of commanders and other superiors,” reads as follows:

In addition to other grounds of criminal responsibility under this Statute for crimes within the jurisdiction of the Court:

  1. A military commander or person effectively acting as a military commander shall be criminally responsible for crimes within the jurisdiction of the Court committed by forces under his or her effective command and control, or effective authority and control as the case may be, as a result of his or her failure to exercise control properly over such forces, where:

    1. That military commander or person either knew or, owing to the circumstances at the time, should have known that the forces were committing or about to commit such crimes; and

    2. That military commander or person failed to take all necessary and reasonable measures within his or her power to prevent or repress their commission or to submit the matter to the competent authorities for investigation and prosecution.

  2. With respect to superior and subordinate relationships not described in paragraph (a), a superior shall be criminally responsible for crimes within the jurisdiction of the Court committed by subordinates under his or her effective authority and control, as a result of his or her failure to exercise control properly over such subordinates, where:

    1. The superior either knew, or consciously disregarded information which clearly indicated, that the subordinates were committing or about to commit such crimes;

    2. The crimes concerned activities that were within the effective responsibility and control of the superior; and

    3. The superior failed to take all necessary and reasonable measures within his or her power to prevent or repress their commission or to submit the matter to the competent authorities for investigation and prosecution.

Article 28 lays down two forms of command responsibility—active and passive i.e., responsibility for ordering crimes and responsibility for failure to punish or prevent crimes committed by subordinates respectively. Article 28 sets a higher threshold with respect to performance of duty of superiors as it criminalises inaction i.e., lack of supervision on part of the commander. The article makes a commander criminally liable for failing to prevent or punish crimes that are committed by his/her subordinates or for actions performed by persons who are under his/her command or authority. Thus, it prompts commanders to stay informed and apprised of the actions of their subordinates. The provision extends to both military and non-military superiors.

Command responsibility is triggered when cyber units are part of a nation’s army and form part of their operations. Outsourcing cyber operations to anonymous hackers can also trigger liability for command responsibility provided one can establish the link between the commander and the anonymous hackers.6 In theory, it sounds rather straightforward but practically, it would be hard to provide proof of such cyber operations and identify the brains and power behind the cyber attack. This is mostly due to the virtual and distributed nature of cyber operations that make it very hard to track down and identify the people responsible for a cyber attack. Jack Goldsmith in his article, How Cyber Changes the Laws of War summarizes the issue on the attribution problem of cyberwarfare very succinctly. He observes:

Even if we can determine with some certainty which computer in the world is behind an attack or exploitation, that fact alone does not indicate who, or even which country, is responsible for the aggression.7

The Trial Chamber of the International Criminal Court (ICC) in the case of The Prosecutor v. Jean-Pierre Bemba Gombo (Bemba Judgment), held with respect to Article 28 that:

171. […] Article 28 provides for a mode of liability, through which superiors may be held criminally responsible for crimes within the jurisdiction of the Court committed by his or her subordinates.

172. The Chamber considers that Article 28 is designed to reflect the responsibility of superiors by virtue of the powers of control they exercise over their subordinates. These responsibilities of control aim, inter alia, at ensuring the effective enforcement of fundamental principles of international humanitarian law, including the protection of protected persons and objects during armed conflict.8

The Appeal Chamber of the ICC overturned this decision of the Trial Chamber and held with respect to the theory of command responsibility that:

167. The scope of the duty to take ‘all necessary and reasonable measures’ is intrinsically connected to the extent of a commander’s material ability to prevent or repress the commission of crimes or to submit the matter to the competent authorities for investigation and prosecution. Indeed, a commander cannot be blamed for not having done something he or she had no power to do.

[…]

169. However, it is not the case that a commander must take each and every possible measure at his or her disposal. […] it is not the case that a commander is required to employ every single conceivable measure within his or her arsenal, irrespective of considerations of proportionality and feasibility. Article 28 only requires commanders to do what is necessary and reasonable under the circumstances.

170. In assessing reasonableness, the Court is required to consider other parameters, such as the operational realities on the ground at the time faced by the commander. Article 28 of the Statute is not a form of strict liability. Commanders are allowed to make a cost/benefit analysis when deciding which measures to take, bearing in mind their overall responsibility to prevent and repress crimes committed by their subordinates.9

This Bemba Judgment by the Appeal Chamber, in my opinion, has left open a floodgate of excuses for commanders to escape criminal culpability by taking advantage of the many vague, discretionary, and subjective factors that have been mentioned by the Court. How do you assess “operational realities” on the ground? or when do the “costs” of measures outweigh the “benefits” or what are the “parameters” to be considered, apart from the mentioned operational realities?

In the context of cyber attacks, the theory of command responsibility in practice is almost never going to secure any convictions because you cannot bestow criminal liability unless you can prove a nexus/link between the commander or his/her subordinates who were under his/her effective control and the offense committed. It is not a form of strict liability and owing to the nature of cyber attacks, it can be very hard to track down the source of the attack let alone the perpetrators behind it, making it almost impossible to establish a definite link and proving criminal liability on part of the commander for failing to anticipate and prevent such attacks.10

Establishing Mental Element

Article 30 of the Rome Statute11 prescribes the required mental element a perpetrator must have in order for him or her to be held criminally liable for crimes mentioned under Article 5 of the Rome Statute.12 Article 30 states:

  1. Unless otherwise provided, a person shall be criminally responsible and liable for punishment for a crime within the jurisdiction of the Court only if the material elements are committed with intent and knowledge.

  2. For the purposes of this article, a person has intent where:

    1. In relation to conduct, that person means to engage in the conduct;

    2. In relation to a consequence, that person means to cause that consequence or is aware that it will occur in the ordinary course of events.

  3. For the purposes of this article, ‘knowledge’ means awareness that a circumstance exists or a consequence will occur in the ordinary course of events. ‘Know’ and ‘knowingly’ shall be construed accordingly.

From a reading of the article above, it can be construed that Article 30 only acknowledges direct intent and not indirect intent. What that means is that the perpetrator should have been aware that in the ordinary course of events, certain consequences “will” occur and not “may” or “could” occur, following his/her conduct. A person can only be convicted of a crime if they accept that they were aware of the risk of a particular consequence occurring following their actions. They need to be absolutely certain or it must be a practical or “virtual certainty” that their conduct would lead to certain consequences. This test of virtual certainty has been adopted from the case of Regina v. Woollin13 wherein the defendant out of frustration threw his three-month-old baby because he wouldn’t stop crying, causing the baby to die. The House of Lords in this case held that the original trial judge had enlarged the element for mens rea required for murder and blurred the lines between intention and recklessness by considering whether the defendant foresaw a “substantial risk”. The House of Lords affirmed the virtual certainty test introduced in the case of Regina v. Nedrick14 since recklessness is not sufficient to convict the defendant for a charge of murder. Thus, the threshold to prove mental element under Article 30 is very high. The ICC cannot hold a person criminally liable in cases where the perpetrator acted recklessly or negligently.

In the context of cyber crimes, this lacuna in Article 30 of not being inclusive of cases of recklessness, negligence and strict or absolute liability is a serious shortcoming. It appears that the issue of including recklessness and negligence was not highly considered because of the notion that such crimes are not severe enough. However, in the light of technological advances, unintended acts can have horrific consequences, necessitating acknowledgment of elements of negligence and recklessness in cyber space.15 The evolution and innovation in cyber technology has happened and continues to happen at a much more rapid rate compared to changes that take place in the physical world, making cyber activities much more unpredictable and harder to anticipate. In the near future, there will be an increase in communication and integration between our everyday devices over virtual networks and, as beneficial and efficient as that may be, it can also prove to be very damaging if there was to be an infiltration via cyber weapons. Due to this inter-communication, the result of a cyber attack could be catastrophic because the intended target owing to its communication with other devices may increase the range of the attack and cause unintended destruction.16

Moreover, increased reliance on computer systems and online databases for storage of crucial information, ranging from loan records to dental records to legal records and the like, of every individual/citizen of a country makes it even easier for any hacker or a state to plan cyber attacks and target an entire nation by accessing and misusing these records or by completely erasing them from their system. Additionally, just like corporations, artificial intelligence is also independent and cannot be held criminally liable. The programmers and operators that created that artificial intelligence cannot be blamed for it since they may not have created the AI for purposes of causing damage or destruction, but it did so anyway by misevaluating a situation.17

In all these cases enumerated above, it is very easy for a perpetrator to wiggle out of criminal responsibility and defend themselves by claiming that they did not mean to cause any damage and the consequences that occurred were just incidental and not intended and/or foreseeable. Without inclusion of recklessness or negligence under Article 30 in the Rome Statute, it would be impossible to hold anyone down for charges of cyber attack. Therefore, it is very important that we uphold and ensure a higher standard of conduct in the realm of international criminal law with respect to cyber crimes and adopt a less forgiving approach.18

Limited Jurisdiction

As we know, cyber offenses have not been formally recognised in the Rome Statute and even though there have been efforts to read cyber offenses in Article 8 bis of the Rome Statute, there has been no inclusion of a formal definition that would enable the ICC to prosecute and thus, the ICC does not have any official subject-matter jurisdiction over cyber attacks. Moreover, Article 8 bis was incorporated in the Rome Statute pursuant to the Kampala Conference in 2010 and since then only thirty-four States have ratified the Kampala Amendments.19 None of these are states equipped with advanced cyber technologies or capacities, leaving the ICC with no jurisdiction if there was an attack on the territory of or an attack by a state that could potentially cause a lot of damage and destruction.

Conclusion

There have been efforts made in the international realm to create some regulations to govern and prevent cyberwarfare. Despite the complexities and fundamental difficulties in defining cyber space and cyberwarfare, experts are optimistic and believe that this domain is not lawless and out of control, but honestly, in my opinion, I fail to see the reasons for such optimism. International law in general is heavily based upon contractual or treaty obligations between parties which are not governed or monitored by any stringent policies. There is a lack of enforcement and investigative mechanisms and dependency on monetarily strong countries. If today, a party falters or withdraws its ratification, what recourse is available? The only incentivizing or motivating factors that countries have to keep up compliance with international obligations are to prevent criticism from both inside and outside state organisations and to maintain their international political relations that in turn benefit their national and economic interests. Some may argue that this is reason enough for states to comply with international norms and laws; I still believe it to be a little superficial. More so in the sphere of cyberwarfare and the current legal framework around it, one just cannot ignore the practical difficulties that exist in locating cyber criminals and proving their criminal conduct.20

This is not to say that one should just give up on the idea of formalising a legal framework around cyber conduct. I think we would benefit from a more focused approach towards tackling this new era of cyber space. There have been suggestions to amend the Rome Statute to expand its jurisdiction to cover grave cyber offenses or to create a dedicated international tribunal or an international convention on cyberwarfare that solely deals with issues of cyber technologies and cyber space. The existence of a proper forum that deals exclusively with international cyber crimes and cyber criminals could also prove beneficial in deterring cyber offenses.21

Endnotes

  1. Elies van Sliedregt, Command Responsibility and Cyberattacks, 21 J. Conflict & Security L. 505 (Sep. 22, 2016), paywall, doi.

  2. Adi Libsker-Hazut, Cybercrimes: What Is and What Ought to Be? Rethinking the Role of Recklessness and Negligence in the International Criminal Court, Cyberlaw Blogospace (Jun. 11, 2019), available online.

  3. Sliedregt, supra note 1.

  4. Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis, available online.

  5. Id. Art. 28.

  6. Sliedregt, supra note 1.

  7. Jack Goldsmith, How Cyber Changes the Laws of War, 24 EJIL 129 (Feb. 2013), available online, doi.

  8. The Prosecutor v. Jean-Pierre Bemba Gombo, ICC-01/05-01/08, Judgment pursuant to Article 74 of the Statute (TC III, Mar. 21, 2016), available online, archived.

  9. The Prosecutor v. Jean-Pierre Bemba Gombo, ICC-01/05-01/08 A, Judgment on the appeal of Mr Jean-Pierre Bemba Gombo against Trial Chamber III’s “Judgment pursuant to Article 74 of the Statute” (AC, Jun. 8, 2018), available online, archived.

  10. Sliedregt, supra note 1.

  11. Rome Statute, supra note 4, Art. 30.

  12. Id. Art. 5. (“Crimes within the jurisdiction of the Court, The jurisdiction of the Court shall be limited to the most serious crimes of concern to the international community as a whole. The Court has jurisdiction in accordance with this Statute with respect to the following crimes: (a) The crime of genocide; (b) Crimes against humanity; (c) War crimes; (d) The crime of aggression.”).

  13. Regina v. Woollin, UKHL 28, 3 WRL 382 (Jul. 22, 1998), available online.

  14. Regina v. Nedrick, EWCA, 1986 WRL 1025 (Jul. 10, 1986), available online.

  15. Libsker-Hazut, supra note 2.

  16. Id.

  17. Id.

  18. Id.

  19. Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int’l L. 191 (2018), available online.

  20. Libsker-Hazut, supra note 2.

  21. Perloff-Giles, supra note 19.

Tackling Territoriality: Fitting Cyber Crimes into the Crime of Aggression

Introduction

Territoriality has always been a key issue in national sovereignty. Wars have been fought over borders of nations, as territorial disagreements are often the precursor to war.1 This has led to conclusions where: “if you want to avoid war, learn how to settle territorial disputes non-violently.”2 However, the uniqueness of cyber activities allows even non-state actors to wage effective attacks and wars.3 Furthermore, it also allows nation-state actors that are more tolerant of political risk, like those from North Korea, Iran, or China, to wage devastating cyber operations.4 If these cyber operations were done with hard power assets or with other traditional norms of warfare, retaliation would certainly be swift.5 Since cyberspace transcends physical realms due to its apparent disconnect from a physical server and where it is accessed, however, it inherently challenges traditional norms of the concept of territoriality.6 So, the rise of the internet has brought new issues to the forefront: How does the international community tackle cyberspace? Can customary international law apply to this unknown realm of cyberspace and cyber attacks? Can the Rome Statute, under the crime of aggression, properly handle cyber attacks?

In Part I of my comment, I examine the historical and current framework under the Rome Statute in possibly fitting cyber attacks into the crime of aggression and try to apply an expanded definition of territory to various case studies of previous cyber attacks. In Part II, I discuss any potential duties that States Parties to the Rome Statute might have in cyberspace, namely any duty of prevention, which can arise out of the attributability issue of a cyber attack. In Part III, I scrutinize current prosecutions that arise under cyber attacks and analyze how, if at all, territory requirements are met in current prosecution domestically or internationally. Finally, I conclude with the current feasibility of broadening the scope of territory under the crime of aggression, as well as other potential solutions if the territory issue cannot be resolved under this specific crime under the Rome Statute.

Also, for technical reference in this comment, Denial of Service (DoS) attacks occur when the host or network is “flooded” with traffic.7 When multiple machines carry out this attack, this is known as a Distributed Denial of Service Attack (DDoS).8

I. Expanding the Definition of Territory

This part will first begin with the traditional international understanding of the crime of aggression, starting with the 1974 General Assembly (G.A.) Resolution, which even though it is rarely applied now in determining if a State reaches the requisite level of aggression, can still be a great starting point for redefining the crime of aggression.9 Then I explore and expand on the current Special Working Group on the Crime of Aggression (SWGCA) definition of territory and point out how the unclear definition creates jurisdictional issues for the application of the Rome Statute. I then turn to case studies of previous cyber attacks and crimes, such as those in Estonia, Georgia, and the United States and try to apply an expanded definition of territory to see if then the crime of aggression can apply.

A. The 1974 G.A. Resolution

The current norm of international law forbids the “threat or use of force against the territorial integrity […] of any state” without Security Council determinations or in cases of self-defense.10 The 1974 G.A. Resolution tried to clarify the act of aggression mentioned in Article 39 of the U.N. Charter.11 The Resolution defined it as:

The use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations, as set out in this Definition.12

In this definition, it highlights a conventional State-centric approach to the crime of aggression, as it has to be the use of traditional armed force against another State. It is also important to note that both sovereignty and territorial integrity would be readily understood as physical territory and control and would certainly not extend to cyberspace. Furthermore, other acts of aggression, such as economic coercion, are generally not included in this definition, as it appears that the Security Council is only concerned with armed aggression.13 This issue was prominently raised during the 1973 oil crisis, where Arab OPEC states embargoed oil and created inflationary effects, in addition to higher prices of oil.14 Even with this important loophole, the 1974 G.A. Resolution still stands as the foundation for the international norm of what constitutes an act of aggression. However, as seen since the Nuremberg Trials, no one has been prosecuted for the crime of aggression.15

B. Overview of the SWGCA Definition of the Crime of Aggression

The SWGCA definition is rich with the use of the word territory and borrows heavily from the previous definition from the 1974 G.A. Resolution.16 Article 8 bis(1) defines the crime of aggression as:

The planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.17

The key part of the definition which makes it differ from the 1974 G.A. Resolution is the inclusion of this “leadership clause.”18 This leadership clause is intended to connect the State armed force act of aggression with the individual in control of the act. A normative reading of the leadership clause would therefore severely limit the prosecution of cyber crimes. Most cyber crimes, like all crimes, are generally committed by individuals with little connection to the political or military actions of a state.19 However, it is possible to interpret this leadership clause in a unique way. Since it states if a person can exercise control over the actions of a State, it could mean that if a hacker was able to control the nuclear arsenal of another country and launch a barrage of missiles, this should equate to “effective control.” If “position” or “control” is interpreted broadly, it can be interpreted as anyone who is able to access the same resources as a high-ranking military or political official of the State. However, how would this apply to something like a DDoS attack? If the cyber attack was simply to deny access to a military command server or prevent nuclear missiles from being launched, it could also be argued that this is also exercising control over hard power assets of a State, although this is certainly a more tenuous example. 
This can be seen recently in the 2008 Russo-Georgian War, where cyber attacks coincided with conventional warfare.20 This cyber campaign, which still remains ambiguous in terms of attributability, launched coordinated DDoS attacks that brought down over fifty Georgian government, financial, and news websites.21 Since the attacks prevented the Georgian government from communicating with their own people and the international community and hindered financial transactions, it allowed the Russian government to “shape their own narrative in the early days of the conflict.”22 The individuals or parties that launched these cyber attacks certainly controlled the political action of a State by removing the Georgian government’s ability to function as a State. Though the DDoS attacks did not target the military installations or servers of the Georgian government, if they did, then certainly such a DDoS attack that crippled the ability for the Georgian military to respond to Russian conventional force could certainly rise to a crime of aggression.

If an act can meet the threshold of the leadership clause in the crime of aggression, then one would look towards Article 8 bis(2) to see the types of acts of aggression that would qualify.23 This is where it gets tricky, as the various qualifying definitions refer to traditional norms of territory. For example, it refers to the “blockade of the ports or coasts of a State,” “bombardment by the armed forces of a State against the territory of another State,” and “invasion, military occupation, or any annexation by the armed forces of a State of the territory of another State.”24 These references to territory in the examples that are given clearly apply a geospatial view of territory and confine it to a physical area. It is hard to imagine the military occupation, bombardment, or blockade of the cyberspace of another State. However, cyber attacks are not limited to specific physical spaces and can easily transcend oceans. In the aforementioned Russo-Georgian War, the attacks on Georgian government servers were so damaging that they had to move the servers to the United States, in an attempt to protect Georgian internet sites.25 However, it was to no avail, and the U.S. suffered collateral damage.26 So for an attack that is being performed on a Georgian website which is physically located in the United States, whose territory is it actually in? It is physically in the United States, but it is an attack on the Georgian cyberspace. The ability for a cyber attack to be launched from anywhere, as long as there is internet access, therefore transcends traditional conceptions of physical territoriality, and this limitation must be broken down for cyber crimes to be prosecuted under the crime of aggression.

Thus, there are substantial complications for the prosecution of cyber crimes. The ICC is able to assert its jurisdiction when either the aggressor or victim are State Parties to the amendment on the crime of aggression.27 Although delegates to the 2009 SWGCA disagreed, the prevailing view is that it does not matter if one party isn’t a party, just as long as either the victim or the aggressor is a State Party to the crime of aggression provision.28 Nevertheless, imagine the following scenario: Party A is a non-party and performs a cyber attack that rises to the level of the crime of aggression on Party B, who is a State Party to the crime of aggression. If this was done through traditional means of hard power, like a naval invasion or armed forces, this would be a clear-cut case for the ICC to exert jurisdiction and prosecution of the crime of aggression. However, if Party B’s computer servers, which were the targets of the cyber attack, are physically located in Party C’s land, which is not a State Party to the crime of aggression, there might be jurisdictional issues. From only a physical and geographic perspective, it has just been two Parties that have not accepted the crime of aggression, where the ICC will not have any jurisdiction. However, by applying an expanded understanding or definition of territory to include this virtual realm, the ICC can therefore exert jurisdiction as long as the definition of territory is expanded to include the cyberspace of a signatory party to the crime of aggression.

The SWGCA has noted this particularity, through discussions of conduct “encompasses both the conduct in question and its consequence.”29 This issue of concurrent jurisdiction where an act might occur in one State, but the consequences are felt in another, however, is not really discussed or imagined in the context of cyberspace, and certainly is not explicitly delineated in the examples of the crime of aggression. The application of concurrent jurisdiction is useful in guiding an expanded definition on the traditional norm of territoriality. By focusing on the intended consequence rather than the acts of aggression onto the physical confines onto another State, cyber attacks can easily fall under the crime of aggression, and thus be within the purview of the ICC. This solves any jurisdictional issues that normative definitions of territory would create and allows for the expansion of jurisdiction into future crimes that can easily transcend physical borders just like how cyber attacks can.

C. Case Studies of Cyber Attacks

1. Estonia

In 2007, Estonia was the target of a series of cyber attacks and crimes that were committed on numerous Estonian government, finance, and news websites, that stemmed from the relocation of a Soviet statue in Tallinn.30 These attacks were largely DDoS attacks. Since the attack, only one person has been convicted of being involved in this cyber attack. It was only possible because it was a student who carried out the attack while in Estonia, so enough evidence was able to be gathered against him.31 Other than that, it has been extremely difficult to prosecute anybody else, especially since most of the attackers were within the jurisdiction of the Russian Federation.32

Now that the foundational basis for the attacks is set, do these attacks rise to the level of the crime of aggression? The crime of aggression necessarily requires the crime, by its character, gravity and scale, to constitute a manifest violation of the U.N. Charter. Assuming the territoriality requirement can be met given the previous discussion, which would make a Russian hacker, while in Russia, liable for the crimes committed in Estonian cyberspace, the only question then becomes if this cyber attack amounts to an act of aggression. Does taking over government websites, the banking systems of a state, as well as numerous national news organizations constitute “invasion, annexation, military occupation,” or any of the other currently defined acts of aggression? The current consensus seems to be that it does not, but maybe it should be looked into further. The damage to Estonia’s economy was relatively limited given that they are not as connected to cyber networks compared to other countries, like the United States.33 There was no actual military intervention or follow up attack by hard power assets, and to this date, the Russian government has denied any direct involvement in the Estonian cyber attacks. Given this attributability issue, as well as the unclarity of what constitutes an aggressive act in the context of cyber crime, it would certainly be difficult for the ICC to assert its jurisdiction for this case in Estonia. Shortly after the attacks were committed, NATO set up a Cooperative Cyber Defense Centre to study what a theoretical military response to a cyber attack could constitute, which eventually led to the publication of the Tallinn Manual.

The Tallinn Manual defines numerous cases where a cyber crime would not constitute a crime of aggression, for example computer espionage, as espionage itself does not amount to a crime of aggression so cyber-based espionage shouldn’t.34 The Tallinn Manual’s eight characteristics of cyber operations could be a good starting point of defining where the gravity level of the crime of aggression is reached, especially looking into the severity of the cyber operation as the key indication of aggression.35 However, this is beyond the scope of this comment, as I am more focused on the territoriality aspect of the crime of aggression in a cyber context.

2. Georgia

During the Russo-Georgian War in 2008, numerous cyber attacks disabled Georgian websites, similar to what happened in Estonia. As most of the details have already been hashed out earlier in this comment, I will not repeat them. The most important thing to note, however, is that these cyber attacks coincided with a ground military operation. So, this differs from the Estonia example in that the gravity of the situation is much larger. Similar to the Estonia attack, Georgian government, financial, and news sites were all taken down through DDoS attacks. Thus, the same question if this gravity rises to the scale where it constitutes a manifest violation of the U.N. Charter still exists. Codification of what kind of cyber attacks or crimes rise above this de minimis threshold would be helpful for the international community in prosecuting cyber crimes. Examples of cyber crimes which could meet this threshold would be a hacker that obtains the nuclear arsenal of a state, cripples a nation’s infrastructure, or is able to obtain military command of significant importance.

Both of these cyber attacks in Georgia and Estonia have not met this arbitrary threshold, but both cases are instances where, by applying an intended consequence standard, at the very least the territoriality requirement is met. In both cases, the victim’s cyberspace is the intended target, so regardless of where the attacker is located, as long as the expanded definition of territoriality is applied to the cyberspace, then ICC jurisdiction can be applied.

3. United States

The United States, while often a victim of cyber attacks conducted by North Korea, Russia, or China, also conducts its own cyber operations.36 One of the most notable operations, but still unacknowledged, is Operation Olympic Games.37 Operation Olympic Games utilized “Stuxnet”, a computer worm, to wreak havoc on Iranian centrifuges that were used to enrich uranium, as part of an overall strategy to cripple the Iranian nuclear program.38 This cyber attack was viewed as one of the first to “effect physical destruction” rather than just stealing or impeding data from a computer.39 Stuxnet would collect information on the Iranian centrifuges, and then literally cause them to spin themselves to explosion.40 This certainly could qualify as an act of aggression, as this cyber attack caused physical destruction to Iranian nuclear facilities, and violated territorial integrity, which would be in violation of the U.N. Charter. Although Stuxnet was well programmed to the extent that it would only damage the centrifuges even if this malware were to make it onto other computers, the U.N. Security Council certainly did not authorize this sort of an attack on the Iranian facilities. Stuxnet is a concrete example of a cyber attack that should meet the prima facie case of the crime of aggression. This was a clear violation of Iranian sovereignty, which the United States would argue that this was necessary for self-defense, although it would certainly fail the U.N. definition for self-defense.41 Moreover, even if the ICC can hear the subject matter since it is a crime of aggression, it will be all for naught since both parties have not ratified the Kampala amendment. Nevertheless, Stuxnet is a prime example of a potential crime of aggression, due to its capabilities in crippling an entire nation’s military structure; it was just that the United States (and Israel) only targeted the Iranian nuclear program.

The United States should pave the way and create conventions on cyberwarfare, similar to those of the multilateral conventions on nuclear weapons or nuclear safety. While it may seem hypocritical at first, given the prolificity of Stuxnet, now is a better time than any to attempt to codify the limitations on cyber warfare. Nuclear weapons were, and still are, limited to copious amounts of research and technologies that can take decades to develop. Cyber warfare, on the other hand, can easily be performed by non-state actors with limited budgets, so enacting an international treaty regarding the use of cyber tools would pave the way to a safer future.

II. Obligation of States Parties to the Rome Statute in Cyberspace

This part will detail the necessity of obligations that State Parties should have in cyberspace. Not all obligations will be covered, but just those of a general duty of prevention that arise under Article 2(7) of the U.N. Charter as well as dealing with the general attributability issue of cyber crimes.

A. Duty of Prevention

Article 2(7) of the U.N. Charter states:

Nothing contained in the present Charter shall authorize the United Nations to intervene in matters which are essentially within the domestic jurisdiction of any state or shall require the Members to submit such matters to settlement under the present Charter.42

This follows upon the traditional norms of territorial sovereignty, where each State respects the territorial sovereignty of other States.43 With this understanding and applying it to the cyber realm, each State has their own sovereignty of how to manage their own cyberspace. And just like how States are not allowed to use their territories as staging grounds for land invasions that amount to acts of aggression, neither should States be allowed to turn a blind eye to cyber crimes of the nature that could amount to acts of aggression. So, while this duty might not be to actively seek out hackers and bad actors in the cyber realm, it should certainly mean prosecuting individuals responsible for grave cyber crimes as well as cooperation with victimized States or individuals that were severely harmed by aggressive cyber conduct.

A State might argue that they had no knowledge of malicious cyber conduct that arose from within their territory. However, if enough evidence can link it to infrastructure or servers that originate from State-led or State-funded organizations, it should then be on that State to rebut the presumption that they should have at the very least known that such a cyber attack is originating from within. By making the normative duty of prevention also applicable to cyber crimes, it creates a stronger international regime in which to handle cyberspace.44

Similar to the duty of prevention there is also the norm of the responsibility to protect.45 After the Rwandan Genocide and the Yugoslav Wars, there was a clear problem in which the international community did not step up to the plate and protect other fellow members from human rights violations.46 This culminated in the 2005 World Summit, where many Heads of State and Government created the “Responsibility to Protect” principle which protected their “own populations from genocide, war crimes, ethnic cleansing and crimes against humanity” while also recognizing the concerted need to group responsibility to uphold these values of human rights.47 While cyber crimes, or even crimes of aggression, for that matter, are not mentioned in the Responsibility to Protect doctrine, it could be possible that States apply a similar version of R2P to cyber issues.48 An interesting point is that it has been suggested that even the victim State has a responsibility of certain actions, like disclosing that an attack even occurred or that the State should engage in future plans and rehabilitation to ensure that such an attack would be mitigated or eliminated in the future.49 Furthermore, due to the connectivity of cyberspace, an attack on one State could easily have repercussions in another, which requires that cybersecurity efforts would require cooperation between foreign governments, implicating the need for robust prosecution or extradition agreements. At the very least, such international cyber regulation should exist in that States should cooperate and provide each other with appropriate assistance in response to a cyber attack, most especially in evidence gathering.50

B. Attributability Issue of Cyber Crimes

Given the inherent nature of cyber attacks, it is extremely difficult to properly attribute a cyberattack.51 While it might be possible to trace it back to a server in a state, “conclusively ascertaining the identity of the attacker requires a time-consuming investigation with assistance from the state of origin.”52 As seen in the previous examples of the cyber attacks in Georgia and Estonia, Russia has basically been completely noncooperative in assisting any investigations as to the source of the cyberattacks. Similarly, the most serious cyber attack to occur on the U.S. military, the 2008 cyber attack, caused the Pentagon to spend more than a year in cleaning up their computer infrastructure.53 Even though it was suspected to be guided by Russian intelligence servers or state-sponsored hackers, there has been no prosecution or investigations into this matter by the Russian government.54 With little deterrence possible, there really is not much stopping countries that have high tolerance for political or diplomatic risk to engage in these covert cyber operations on a continuous basis. Does gaining access to every military computer constitute a crime of aggression? What if the hackers were also able to shut down every computer at their own leisure? So, while the issue with finding jurisdiction through territoriality might be solved by applying the consequence principle, it only further opens up another problem in which the international community must define what sort of cyber crimes reach the threshold of aggression. Once that is defined, however, there must be models in place to accurately and effectively prosecute individuals who commit cyber crimes that rise to that threshold, otherwise this would just be another piece of ineffective international legislation.

The ease of an individual to slip through the cracks and evade prosecution is just another inherent issue when dealing with cyber crimes. The international community must be willing to adapt its norms to fit growing technological concerns of the future. Nevertheless, there is still a lot of work to be done, especially given the limited jurisdictional scope of the crime of aggression. There are currently only forty-one states that have ratified the amendments on the crime of aggression, which severely limits the jurisdictions in which the ICC can prosecute the crime of aggression, let alone even worry about exactly whom to prosecute.55 So, while it could be relevant for a case on hand to be able to properly attribute the source of a cyber hacker, it may be more useful for the ICC to broaden its jurisdiction first, by getting as many signatories to the Kampala amendments before tackling cyber crimes. Most of the countries that are currently acceded to these amendments are not large players in the cyber arena, which means that it still becomes a rather futile exercise due to the limited scope of jurisdiction.

III. Current Application of Territory in Cyber Crimes

Given that prosecution of cyber crimes is still a newer legal area, I look at how current domestic laws are applied to cyber crimes and see if that could be applied on an international scale. Furthermore, I explore if any jurisdictional issues are raised out of the oddity of territoriality in cyberspace.

A. United States

The United States has a traditional legal norm of not having extraterritorial application to its laws, but the prosecution may overcome this presumption by showing “clear evidence of congressional intent to apply a statute beyond our borders.”56 In response to the September 11 attacks, Congress passed the Patriot Act, which explicitly provides for extraterritorial jurisdiction in specific cases.57 For example, amendments to 18 U.S.C. § 1029 added language where:

Any person who, outside the jurisdiction of the United States […] shall be subject to fines, penalties, imprisonment if (1) the offense involves an access device […] owned by a financial institution, account issuer, credit card member, or other entity within the jurisdiction of the United States; and (2) the person transports, delivers, conveys […] within the jurisdiction of the United States, any article used to assist in the commission of the offense or the proceeds of such offense or property derived therefrom.58

There were other amendments that included:

[A computer that is] used in interstate or foreign commerce, including a computer located outside the United States that is used in a manner that affects […] commerce or communication of the United States.59

Through these amendments, the United States is able to effectively prosecute cyber crimes that might originate from other locations but that have direct effect on the commerce or communications of the United States. Inclusion of language or interpretations that are based on the intended or actual effects on the United States, similar to the consequences standard, also enable the United States to effectively prosecute extraterritorial crimes.60 Going back to the earlier Russo-Georgia cyber attack example, even though the cyber attacks were targeting Georgia cyberspace, the United States might be able to assert its own domestic jurisdiction given that U.S. servers were part of the collateral damage.

Of course, issues may arise where the Georgian government might want to assert their own jurisdiction given the damage to their own cyberspace. Robust extradition agreements or other prosecution agreements, as mentioned before, would remedy this situation, but it is not always easy to have those in place. Even so, even if the Georgian government were to cede jurisdiction, there is still the problem of obtaining enough evidence against the hackers to begin with, which would be nigh impossible without cooperation from the Russian government. Thus, issues for prosecuting cyber crimes exist far beyond just meeting territoriality or jurisdictional requirements, given the relative difficulty it can be to pinpoint exact individuals without international cooperation.

B. China

China has adopted many relevant laws and rules in order to facilitate the prosecution of cyber crimes.61 China has adopted rules to clarify the “situs of a crime”, including:

[T]he location of a web server, location where the network is connected, the location of the website builder or administrator, the location of the infiltrated computer system or its administrator, the location where the computer system is used by the criminal suspect, the location of the victim, and the location of the property loss.62

All of these clarifications of the situs of a crime are well-encompassing and allow China to exert its domestic jurisdiction regardless of where the crime is originated from (either within China or not) as well as the location of the victim (most likely in China). This robust regime, however, still faces the same issues not with jurisdiction, but rather through the “difficulty of attribution and identification of criminal suspects” due to the inherent nature of cybercrime.63 The use of proxy services, encryption, and VPNs make it increasingly difficult for law enforcement to root out cyber crime offenders.64 Another key issue is the relative lack of international cooperation, given the need to collect trans-border evidence. Due to current inefficiencies either through different legal systems or relative lack of cybersecurity resources, it is difficult to obtain key evidence that is located outside the domestic jurisdiction of China.65

China, like the United States, has largely solved the jurisdictional issue in the area of cyber crimes by allowing the prosecution to enter through any crack, as long as it is somehow tangentially related to the domestic situs of China. However, there are still similar issues in international cooperation to obtain evidence beyond domestic jurisdictions, as well as the attributability issue of cyber crimes. To create a better international regime for cyber crimes, unity towards international cooperation is a must.

IV. Conclusion

Territorial sovereignty has been a recurring norm that has been the fundamental basis of understanding how States interact with each other. As technology continues to further evolve, however, cyber attacks will only become more prevalent. The nature of cyber attacks, which allows for devastating acts by non-State actors and State actors alike, at little physical cost, impugns any traditional concepts of warfare, territoriality, and international relations. By creating a broader framework around territoriality to encompass an understanding that the intended consequence is what matters rather than just a physical definition of territory, the ICC could be well equipped in asserting its jurisdiction of the crime of aggression to the cyber realm. While there are limitations due to the ICC only having jurisdiction over States that have ratified the aggression amendments, this is a step forward in this march of progress for a better international legal system in dealing with cyber crimes. It should not be difficult for the ICC to broaden this definition of territory, especially given its role as a court of last resort. The Court should be equipped with all legal weapons it can to remain relevant as the world adapts to an online age. This principle can be extended to crimes that are well beyond the scope of cyber as well, and so the ICC should maintain a fluid stance with its definitions, enabling it to adapt to new norms and changes in the world.

If the norm of territory cannot be molded to fit for cyber crimes, the ICC can look towards other defined crimes to use as a jurisdictional basis. An example could be through Article Eight on war crimes, through the intentional targeting of the civilian population and civilian objects, the incidental loss of life or injury to civilians (e.g., hacking a hospital system or a power grid could certainly have devastating effects to the civilian population), or even through pillaging, as often cyber crimes are committed with pecuniary intent. If the ICC lacks the jurisdictional capabilities of the crimes outlined in the Rome Statute, the other obvious solution is for States themselves to exercise their own territorial jurisdiction to enforce their own domestic laws. However, this becomes impossible if these were State-sponsored cyber attacks, and the ICC, as the court of last resort, should attempt to assert its own jurisdiction in handling these cases. As the threat of an all-out cyber war looms, the international community must be readily equipped to deal with the fallout.

Endnotes

  1. See Tuomas Forsberg, Explaining Territorial Disputes: From Power Politics to Normative Reasons, 33 J. Peace Research 433 (Nov. 1996), paywall, doi (analyzing territorial disputes not through a “power-political perspective”, but rather a normative one, due to the strong norm of territorial status quo).
  2. Id. at 443.
  3. See generally Analytic Exchange Program, Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar (Sep. 17, 2019), available online (warning of the blurred trend between traditional state spying and non-state hackers due to the proliferation of “sophisticated cyber capabilities”).
  4. Id. at 21.
  5. See Christopher Greenwood, New World Order or Old? The Invasion of Kuwait and the Rule of Law, 55 Modern L. Rev. 153 (Mar. 1992), available online (detailing the decisive action that the international community took against the Invasion of Kuwait).
  6. See generally Jennifer Daskal, The Un-Territoriality of Data, 125 Yale L.J. 326, 389-97 (2015), available online (addressing the challenges given the unique status of data and dismisses a unilateral law enforcement approach of compelling data regardless of sovereign interests).
  7. Understanding Denial-of-Service Attacks, CISA, available online (last visited Feb. 25, 2022).
  8. Id.
  9. Elizabeth Wilmshurst, Definition of Aggression, UN Audiovisual Lib. of Int’l L. (Aug. 2008), available online (providing an overview of the 1974 G.A. resolution, noting that it serves as more of a tool for dealing with “aggression by States not individual actors” and that it’s for the “Security Council rather than for judicial use”).
  10. United Nations Charter, Art. 2 ¶ 2 [hereinafter U.N. Charter], available online; see also id. Arts. 39, 51.
  11. Definition of Aggression, G.A. Res. 3314 (XXIX), A/RES/3314 (Dec. 14, 1974), available online.
  12. Id. Article 1.
  13. Julius Stone, Holes and Loopholes in the 1974 Definition of Aggression, 71 Am. J. Int’l L. 224, 230 (Apr. 1977), paywall.
  14. Id.; see also Michael Corbett, Oil Shock of 1973-1974, Fed. Res. Hist. (Nov. 22, 2013), available online (describing the macroeconomic implications of the 1973 oil embargo by Arab producers of oil).
  15. Anouk T. Boas, The Definition of the Crime of Aggression and its Relevance for Contemporary Armed Conflict, Int’l Crimes Database 4 (Jun. 2013), available online.
  16. See Assembly of State Parties, Report of the Special Working Group on the Crime of Aggression, ICC-ASP /7/20/Add.1 (May 2009) [hereinafter SWGCA 2009 Report], available online.
  17. Id. at 30.
  18. See, e.g., Kevin Jon Heller, Retreat From Nuremberg: The Leadership Requirement in the Crime of Aggression, 18 EJIL 477, 478 (Jun. 1, 2007), available online, doi.
  19. See, e.g., Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 834 (Aug. 2012), available online.
  20. See generally Sarah White, Understanding Cyberwarfare: Lessons from the Russian-Georgian War, Modern War Inst. 1 (Mar. 20, 2018), available online (describing Russia’s use of a cyber campaign, specifically DDoS attacks, to undermine the Georgian government as well as Georgian internet).
  21. Id. at 1-7.
  22. Id. at 2.
  23. Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis(2), available online.
  24. Id.
  25. Stephen W. Korns & Joshua E. Kastenberg, Georgia’s Cyber Left Hook, U.S. Army (Apr. 7, 2009), available online.
  26. Id.
  27. SWGCA 2009 Report, supra note 16, at 35.
  28. Id. at 33-34.
  29. Id. at 27.
  30. Rain Ottis, Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective, CCDCOE (Mar. 2, 2008), available online.
  31. Id. at 2.
  32. Id. at 3.
  33. Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield, 9 Duke L. & Tech. Rev. 1, 5 (2010), available online; see also Marching Off to Cyberwar, The Economist (Dec. 6, 2008), available online (noting that some definitions of a cyberwar or a serious cyber attack must coincide with physical military operations and that it is now imperative for the international community to properly define the “use of force” in a cyber context).
  34. Rafaela Miranda, Cyber Warfare in the Context of International Criminal Law, 17 (Universidade Católica Portuguesa Master’s Dissertation, 2016), available online.
  35. Id.
  36. Michael West, Putting the Seals Back onto Pandora’s Box: The Iran Nuclear Question and Public International Law, Tentative Grounds for Operation Olympic Games (Jul. 15, 2016), paywall.
  37. Id.
  38. Ernesto J. Sanchez, Operation Olympic Games—A Legal Setback and a Strategic Opportunity, Lawfare (Sep. 6, 2012), available online.
  39. Id. (quoting NSA and CIA director Michael Hayden).
  40. Id.
  41. See, e.g., U.N. Charter, Art. 51, available online (“Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.”).
  42. U.N. Charter, Art. 2 ¶ 7, available online.
  43. See Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States), Judgment, 1986 I.C.J. Rep. 14 ¶ 202 (Jun. 27, 1986), available online (observing that “between independent States, respect for territorial sovereignty is an essential foundation of international relations” and that the principle of non-intervention prevails).
  44. See also The Role of Cybercrime Law, UNODC, available online (last visited Feb. 25, 2022) (noting the utility of preventive law in the risk mitigation of cyber crimes, through both data protection laws and cybersecurity laws).
  45. Responsibility to Protect, OGPRtoP, available online (last visited Feb. 25, 2022) (outlining the responsibility to protect and specifically delineate Member States’ obligations to international humanitarian and human rights law, especially about genocide, war crimes, ethnic cleansing, and crimes against humanity).
  46. Id.
  47. Id.
  48. Oren Gross, Cyber Responsibility to Protect: Legal Obligations of States Directly Affected by Cyber-Incidents, 48 Cornell Int’l L.J. 481, 483-484 (2015), available online (suggesting that imposing responsibilities and obligation for the Victim State can also be necessary for a stronger legal regime).
  49. Id. at 510.
  50. See, e.g., Security Council Resolution 1373, S/Res/1373 (Sep. 28, 2001), available online (providing that “States shall afford one another the greatest measure of assistance in connection with criminal investigations or proceedings”).
  51. Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent, 201 Mil. L. Rev. 1, 2 (2009), available online.
  52. Id.
  53. Phil Stewart, Spies Behind 2008 Cyber Attack, U.S. Official Says, Reuters, Aug. 25, 2010, available online.
  54. Id.
  55. Status of Amendments on the Crime of Aggression to the Rome Statute, UNTC, available online (last visited Feb. 25, 2022).
  56. See United States of America v. James Milton Cotton and William Lowell Roberts, 471 F.2d 744, 750 (9th Cir. 1973), available online; see also United States of America v. Milton Gatlin, 216 F.3d 207, 211 (2d Cir. 2000), available online.
  57. U.S. Dept. of Just., Prosecuting Computer Crimes 115 (Oct. 6, 2010), available online.
  58. 18 U.S.C. §1029(h), available online.
  59. 18 U.S.C. §1030(e)(2)(B), available online.
  60. See, e.g., United States of America v. Michael Muench, Michelle Lewis, and Albert Foreman, 694 F.2d 28, 33 (2d Cir. 1982), available online (holding that “the intent to cause effects within the United States […] makes it reasonable to apply to persons outside United States territory a statute which is not extraterritorial in scope”).
  61. Comments of China, UNODC 1, 2 (Aug. 22, 2016), available online.
  62. Id.
  63. Id. at 3.
  64. Id.
  65. Id.

Distinguishing Cyberwarfare in the Law of Armed Conflict

I. Introduction

The dawn and parabolic expansion of the Internet over the last half-century revolutionized how individuals, businesses, organizations, and states interact with one another. As states and their militaries have become increasingly interconnected and dependent on these technologies, a new realm of warfare has evolved beyond the conventional battlefields of air, land, and sea.

This comment examines how current international humanitarian law can be applied to cyber warfare. Specifically, how does international humanitarian law treat cyber warfare when an armed conflict is already occurring? Further, can a cyber attack trigger an international or non-international armed conflict without any pre-existing conventional warfare?

Cyber operations, when occurring in conjunction with conventional methods of warfare that elicited an armed conflict, should be treated the same as conventional attacks. Although cyber operations target the enemy State through a different medium, their effects can be the same as a conventional attack. An attack’s effects on a target are a central concern in the Geneva Conventions of 1949 and their Additional Protocols, so a cyber attack’s effects merit equal status with conventional attacks.

It is more difficult for a cyber attack to rise to the threshold of armed conflict, whether international or non-international. In cyber operations, where the effects cause physical damage or destruction of military or civilian objects, a stronger case can be made, given other requirements of an armed conflict are met. When a cyber operation only affects cyber infrastructure, however, attaining the status of armed conflict is unlikely under current law.

II. Cyber Warfare in Pre-Existing Armed Conflicts

This section begins with an example of a cyber attack that occurs in conjunction with conventional attacks. It then briefly summarizes sources of international humanitarian law, and then examines how cyber operations can be equated to conventional attacks through the principle of distinction.

A. 2008 Georgia Russia Conflict

In August 2008, after an extended period of tension and incidents, fighting between Georgian and Russian forces erupted in South Ossetia and extended to other parts of Georgia.1 After five days, Georgia claimed over 2,000 military and civilian casualties, and Russia claimed over 300 military casualties. Over 100,000 civilians in the area fled their homes.2 It is clear that this conflict qualified as an international armed conflict.

During the conflict, several defacement and denial-of-service cyber operations were directed against Georgia. The targets included the President’s website, Georgian Parliament, Defense and Education ministries, Foreign Affairs, media outlets, banks, and private servers.3 Websites were replaced with pictures of Adolf Hitler and Georgian President Mikheil Saakashvili. While no physical damage occurred, the Georgian government was unable to broadcast information about the conflict and Georgian banks went offline for ten days.4

Most of the cyber operations during this conflict were traced to Russia, but no conclusive evidence determined that the Russian government conducted the attacks or was officially involved. Some of the operations were even traced back to Russian government computers, but the possibility that these computers were taken over by the attackers is not ruled out.5

B. International Humanitarian Law and the Rome Statute

The Rome Statute defines four categories of war crimes, two concerning international armed conflicts and two concerning non-international armed conflicts.6 The first category of war crimes with respect to international armed conflicts is grave breaches of the 1949 Geneva Conventions.7 The second category enumerates other serious violations of the laws and customs in international armed conflicts “within the established framework of international law.”8 This reference to international law implies that individuals are responsible whenever they violate principles of international humanitarian law, such as the principle of distinction between combatants and civilians, the principle of proportionality, or the principle of military necessity.9

C. The Principle of Distinction in International Humanitarian Law

Article 48 of the 1977 Additional Protocol I to the Geneva Convention (“Additional Protocol I”) states that all parties to a conflict must:

[A]t all times distinguish between civilian population and combatants and between civilian objects and military objectives and accordingly direct their operations only against military objectives.10

Military commanders must limit attacks to strictly military targets, which are defined as those that:

[M]ake an effective contribution to military action and whose total or partial destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage.11

The word “operation” is not entirely inclusive in Article 48.12 Operations targeting civilians that are purely psychological are lawful under international humanitarian law.13 Operations must cause physical harm or suffering in order to be prohibited.14

Subsequent articles elaborate on the basic rule of Article 48 by setting prohibitions, limitations, and requirements on attacks. Article 51 begins by stating:

[The] civilian population and individual citizens shall enjoy general protection against dangers arising from military operations.15

Subsequent paragraphs of Article 51 focus on the word “attack.” It prohibits “indiscriminate attacks,” making civilians “the object of attack.”16 Under Article 52(4), indiscriminate attacks take two forms.17 First, an indiscriminate attack could be:

[A]n attack by bombardment by any methods or means which treats as a single military objective a number of clearly separated and distinct military objectives located in a city, town, village or other area containing a similar concentration of civilians or civilian objects.18

Second, it could be “an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.”19

While Article 51 focuses on prohibiting attacks on citizens, Article 52 prohibits attacks on civilian objects and limits attacks to military objects and purposes.20 It also bars parties from rendering useless objects that are indispensable to the survival of the civilian population such as foodstuffs, agricultural areas, or drinking water installations in Article 54. Article 55 forbids attacks on the natural environment.21 Article 56 requires militaries to use discernment when deciding whether to attack works of dangerous forces such as dams or nuclear electrical generating stations even when they are military objectives so as not to cause severe losses of civilians.22

Some objects serve both civilian and military purposes. These dual-use objects slightly complicate the principle of distinction by affecting military decision makers. Dual-use objects could be power-generating stations, telecommunications, bridges, and other civilian infrastructure used by military in times of war.23 If an object makes a substantial contribution to military action, the object’s military use may convert a civilian object into a legitimate military object.24

Article 48 uses the term operation, while the subsequent articles frame operations by using the term “attack.” The first paragraph of Article 57 states:

In the conduct of military operations, constant care shall be taken to spare the civilian population, civilians and civilian objects.25

The following paragraph begins “with respect to attacks” and lists all of the precautions when an aggressor is deciding whether to launch an attack.26 Restricting operations in terms of “attack” occurs elsewhere in Additional Protocol I. Medical units are prohibited from being the “object of attack,”27 and combatants must:

[D]istinguish themselves from the civilian population while they are engaged in an attack or in a military operation preparatory to attack.28

How does international humanitarian law define attack? Article 49 of Additional Protocol I defines attacks as “acts of violence against the adversary in offense or defense.”29 The International Committee of the Red Cross’s commentary states:

[T]he word operation should be understood in the context of the whole section; it refers to military operations during which violence is used.30

The text of Article 49 seems to describe the act itself as violent, rather than the consequence of the act being violent. This would limit an attack to a kinetic force. The ICRC commentary also suggests that an attack implies combat action.31 While these sources appear to limit the definition of an attack, one could look at the Protocol’s purpose to determine another meaning. With so much attention given to civilians and civilian objects, the Protocol’s purpose seems to be more concerned with an act’s effects rather than its medium.

Other rules in Additional Protocol I corroborate a more flexible definition of attack. Article 51 states civilians are protected from “dangers” due to military action and limits acts whose main goal is “to spread terror among the civilian population.”32 This implies that the result of the act matters more than the act itself. Further, Article 57 requires methods to be carefully selected to avoid “incidental loss of civilian life, injury to civilians and damage to civilian objects.”33 In the conduct of military operations, parties have a duty to exercise constant care to minimize the loss of civilian lives and damage to civilian objects, regardless of the attack’s method.34

It also requires advance warning be given “which may affect the civilian population.” Paragraph 3 of that article requires militaries to choose the attack that will “cause the least danger to civilian lives.”35 This language is oriented toward the effect, rather than the cause, supporting the more flexible definition of attack.

D. Cyber Attacks and the Principle of Distinction

Considering the more inclusive interpretation of an attack, cyber operations should be considered an attack if the effects of that attack cause physical damage and destruction or even intend to cause physical damage or destruction. Therefore, analyzing a cyber attack’s compliance with the principle of distinction should be similar to a conventional or kinetic attack.36 Relevant principles of international humanitarian law apply to cyber weapons just as they do to other types of warfare.37 Some attacks will clearly comply with or violate the principle of distinction, while others will be more challenging to analyze.

A party conducting a cyber attack on a purely military target is allowable.38 For example, a party could target an air defense station and disable its systems for a period of time in order to accomplish a larger military objective.39 Doing this in lieu of a conventional attack that might cause excessive collateral damage to civilian objects is governed by international humanitarian law, but does not violate it.40

In another hypothetical, military planners could devise an attack to insert false messages and targets into another military’s defense command network. This attack would limit the defense’s ability to target planes. This is a bit murkier, because the false signals could cause the defense network to target relief planes or civilian planes. International humanitarian law requires militaries to know where the strike will take place and know all of the repercussions of the strike.41 If the false signals did in fact endanger civilians or civilian objects, the commander would have to reconsider the operation entirely, or choose to launch a different attack in order to follow international humanitarian law.42

Continuing along the spectrum of civilian and military objects, a cyber attack that disrupted an air traffic control system that caused a civilian plane to crash would certainly violate international humanitarian law. Such an attack would be the direct cause of civilian death and destruction. A high civilian death toll, unnecessary injury, and the lack of a clear military advantage gained from an attack suggest a violation of international humanitarian law.43

Given this interpretation of what constitutes an attack, the aforementioned Russian operations against Georgia can be analyzed under the conventional principle of distinction. This method can be used for any cyber operations. The operations disrupted communication to the public, caused many entities to go offline, and likely caused psychological damage to civilians. However, no physical damage or destruction occurred directly because of these cyber operations. Therefore, it does not violate international humanitarian law.

While this interpretation of the principle of distinction permits Russia’s cyber attacks against Georgia, the difference in consequences between cyber attacks and conventional attacks should not be ignored. International humanitarian law needs to create more nuanced language concerning the unique types of disruption that cyber warfare can cause. This will allow entities to know what is legal under international humanitarian law. Just as important, States will know when they can retaliate in self-defense.

III. Can Cyber Warfare Alone Trigger an Armed Conflict?

According to the International Committee of the Red Cross Commentary of 2020, when a State relies on cyber operations against another in conjunction with conventional forces, it is clear that this situation amounts to an international armed conflict.44 It is less clear, however, when cyber operations are the only means by which a State takes hostile action.45 The situation becomes even more complicated when these cyber operations are isolated acts. This section will examine whether cyberwarfare alone, without any conventional or kinetic warfare occurring, can establish an international or non-international armed conflict.

Although cyberwarfare is not explicitly addressed in the Geneva Conventions or other sources of international humanitarian law, the analysis in the previous section paves the way toward equating the standard of what triggers international armed conflict for cyber attacks and conventional attacks.

A. WannaCry Attack

On May 12, 2017, a ransomware cryptoworm known as WannaCry encrypted hundreds of thousands of computers in more than 150 countries over a span of just three hours.46 The ransomware encrypted each computer’s files and demanded cryptocurrency in ransom to unlock the files.47 The attack ended later that day when a cyber researcher discovered and activated the ransomware’s kill switch, stopping the spread of the malicious software.48

WannaCry is self-propagating malware, classified as crypto-ransomware, that spread around the Internet affecting more than 200,000 computers.49 Malware is malicious software that is intentionally designed to perform harmful actions on a computer system.50 Crypto-ransomware is a program that encrypts users’ files for money extortion purposes.51 WannaCry also has a computer worm component.52 A computer worm is a harmful program that can spread to other computers through computer networks.53 WannaCry utilized Bitcoin for receiving victims’ payment.54 Bitcoin is a digital currency that allows anonymous transactions.

Additionally, WannaCry uses the Tor network to communicate between the malware operator and the malware itself.55 The Tor network is a network of routers that allows anonymous Internet communication.

Weeks earlier, a hacking group called the Shadow Brokers stole and published hacking tools developed by the National Security Agency.56 These tools were used to target Microsoft Windows users that had not updated their software.57 The cryptoworm spread through those computers’ public networks, infecting hospitals, government systems, railway networks, and private companies.58

Although not a direct target, the United Kingdom’s National Health Service (NHS) was particularly affected.59 Over one third of all trusts were affected across England either because the systems were infected or because the systems were turned off as a precaution.60 At least 603 primary care and other NHS organizations were also infected.61 An estimated 19,000 appointments and operations were cancelled due to this attack and the attack cost the NHS over £92 million in disruption to services and associated IT upgrades.62

In December 2017, the United States government formally ascribed the attack to North Korean actors.63 In September 2018, a criminal complaint was unsealed charging North Korean citizen Park Jin Hyok for his involvement in multiple cyber-attacks, including WannaCry.64 The complaint alleged that Park worked for a government-sponsored hacking team called the Lazarus Group as well as a North Korean government front company, Chosun Expo Joint Venture.65

B. Defining International Armed Conflict

In order to determine whether cyber operations alone could trigger an international armed conflict, the resort to armed force and the degree of a State’s control must be assessed.

1. Resorts to Armed Force Between States

The International Criminal Tribunal for the Former Yugoslavia established a generally accepted interpretation of armed conflict in Tadić.66 It found that:

[A]rmed conflict exists whenever there is a resort to armed force between States or protracted armed violence between governmental authorities and organized armed groups or between such groups within a State.67

This definition is different than an armed attack, which is the necessary condition for acts in self-defense.68 Unlike an armed attack, an international armed conflict does not require a certain scale or effects from the hostilities.69

By establishing that an armed conflict exists whenever there is a resort to armed force between States, this implies that the threshold for an international armed conflict is relatively low.70 In most cases, any use of armed force between States will qualify as an international armed conflict. The ICRC commentary to the Geneva Conventions states that:

Any difference arising between two States and leading to the intervention of members of the armed forces is an armed conflict within the meaning of Article 2, even if one of the Parties denies the existence of a state of war. It makes no difference how long the conflict lasts, how much slaughter takes place, or how numerous are the participating forces; it suffices for the armed forces of one Power to have captured adversaries falling within the scope of Article 4. Even if there has been no fighting, the fact that persons covered by the Conventions are detained is sufficient for its application. The number of persons captured in such circumstances is, of course, immaterial.71

Article 2 of the Geneva Conventions of 1949 states that the Conventions apply:

[T]o all cases of declared war or of any other armed conflict which may arise between two or more High Contracting Parties, even if the state of war is not recognized by one of them.72

An armed conflict exists even if the parties do not consider themselves at war.73 The wording of Article 2 suggests that an armed conflict exists even if a state of war is not recognized by one of the parties, but international humanitarian law applies even when neither party recognizes a state of war.74 More important today is the existence of an armed conflict rather than a declared state of war. The Geneva Conventions do apply to cases of declared war, even if no fighting takes place, but conflicts after World War II have been less concerned with formal statements of war.75

In 2013, the Tallinn Manual on the International Law Applicable to Cyber Warfare established a newer definition that acknowledged the prevalence of cyber operations as a means of force.76 While it does not carry as much weight in international humanitarian law, it states that an international armed conflict exists “whenever there are hostilities, which may include or be limited to cyber operations, occurring between two or more States.”77

An alternative view argues that an international armed conflict comes into effect only when it reaches a certain intensity threshold.78 This is more in line with a non-international armed conflict, which will be discussed later. Others contend, however, that this alternative view is mistaken in analogizing to the definition of a non-international armed conflict.79 Akande asserts that requiring an intensity threshold for an international armed conflict leaves any conduct that doesn’t meet that threshold ungovernable.80 This differs from non-international armed conflicts, where domestic law and international human rights law govern activity that does not meet its intensity threshold.81 Therefore, the threshold for an international armed conflict remains low.

As mentioned earlier, Additional Protocol I defines violence through attacks as “acts of violence against the adversary in offense or defense.”82 According to Article 49(1), violence is defined in terms of the consequence of physical or mental damage, where physical damage applies in the case of objects and physical persons and mental damage applies only in the case of physical persons.83 This definition of violence is directed toward specific consequences to the object of the attack rather than the violent act itself. Under this definition, it is clear that any operation by a State or attributable to a State that results in damage or destruction of objects of another State would trigger an international armed conflict.

Another definition of an attack, albeit more liberal, includes cyber operations that target civilians and civilian objects regardless of whether physical damage or injury occurred.84 This inclusion lowers the threshold of an international armed conflict and would give targeted countries greater margin to retaliate against highly disruptive but non-destructive attacks. This lower threshold presents two hurdles. First, it has much less credibility under international humanitarian law.85 Second, its greater inclusivity has little to no means of distinguishing an attack from a non-attack.86

Not all cyber attacks cause violence; some instead substantially disrupt or inconvenience military or civilian operations—disrupting a network or causing loss of access to the Internet are just two examples. Cyber espionage is another common act that is more concerned with gathering intelligence but does not cause tangible or harmful effects. This nuance makes defining “armed force” more complicated when analyzing cyber operations.

Sources of international humanitarian law have not committed to whether cyber operations that do not physically destroy or damage military or civilian infrastructure are armed force, thus triggering an international armed conflict given that they occurred between two States.87 Under current interpretation, it seems that a cyber attack that is invasive but non-destructive would not trigger an international armed conflict.88 The WannaCry attack, therefore, would not be considered sufficient to trigger an international armed conflict. This should not be the case. Under the current interpretation of an attack, an attack occurs when a target experiences physical damage to a military or civilian object. The definitions of physical damage and military or civil objects, however, have not included a State’s infrastructure in the digital realm. This level of nuance can likely only be clarified by discussions among States and incremental clarity on a case-by-case basis through court decisions. Invasive cyber operations should be responded to by target States with the principle of proportionality in mind.

2. State Control

Non-state actors commonly launch cyber attacks, but a non-state actor cannot trigger an international armed conflict without linkage to a State. In some situations, States provide support to a non-state armed group, and this support causes the armed conflict to take on international character.89 In order to determine that a relationship of subordination exists between the State and non-state actor, one needs to prove that the non-state actor is acting on behalf of the State.90

The particular level of control the State exhibits over the non-state actor has been debated. In its judgment on genocide in Bosnia, the International Court of Justice discussed whether armed forces acted on behalf of the Federal Republic of Yugoslavia. The Court applied the “effective control” test that was used in Nicaragua.91 In Nicaragua, the Court differentiated two categories of individuals that act on behalf of the State without being core to the military operations of the State.92 The first category is totally dependent on the State.93 They are paid, equipped, supported, and operate according to the planning and direction of the State.94 The second category of individuals is also paid and equipped by the State, but maintains some independence in their actions.95 The Court determined that acts committed by the first category were attributable to the State.96 For the second category, the Court established a higher standard.97 In order for the second category’s actions to be attributable to the State, those specific actions must have been directed or enforced by the State.98 The issuance of directions from the State must exist as well as the enforcement of those directions.99

In Tadić, the International Criminal Tribunal’s Appeals Chamber had to establish whether the armed conflict was international in order for the Trial Chamber to exercise jurisdiction.100 The Court in this case identified multiple degrees of control. The first degree of control is essentially the “effective control” test, but only applies to individuals who were engaged by the State to commit specific illegal acts against another State. The second degree of control applies to organized armed groups and does not require as high of a standard. Specific instructions are not required for each operation, but equipping, financing, and providing operational support are still required.

Regardless of which test is implemented, the relationship between the non-state actor and State should fulfill these requirements regardless of whether the attack was via cyber operations or a conventional method. It is worth noting that for cyber attacks, attribution could prove to be more difficult since hackers can remain anonymous more easily. In the WannaCry attack, enough information was gathered to identify one of the hackers. There is also potentially enough information to connect this hacker to the North Korean government, although that remains less certain.

C. Cyber Operations and Non-International Armed Conflict

In order to determine whether cyber operations alone could trigger a non-international armed conflict, the requisite threshold of violence and the degree of the armed group’s organization must be assessed.

1. Threshold of Violence

Non-international armed conflicts have a relatively higher threshold than international armed conflicts. In the Tadić judgment, the ICTY stated that a conflict exists only when there is “protracted armed violence.”101 Situations of internal disturbances, riots, and isolated and sporadic acts of violence do not constitute a non-international armed conflict.102 The ICTY considers various factors in its assessment of whether protracted violence occurred, including the number of victims, the gravity and recurrence of the attacks, and the temporal and territorial expansion of violence.103

When considering these factors, it is very difficult for a cyber attack to rise to this threshold. The ICTY seems to put more weight on the intensity of the violence than the duration of it.104 However, Article 1(2) of Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of Non-International Armed Conflicts of 8 June 1977 states the Protocol does not apply to “isolated and sporadic acts of violence and other acts of a similar nature,” thus nullifying an isolated cyber attack regardless of its intensity.105 Therefore, network intrusions, data theft and manipulation, and random denial-of-service attacks executed by a non-State actor would not trigger a non-international armed conflict, although they could potentially be considered “attacks” under Article 49 of Additional Protocol I if performed during a pre-existing armed conflict.106

The WannaCry attack was an isolated incident and only lasted a few hours. Further, no known deaths or even physical damage resulted from this attack. WannaCry could be considered “isolated or sporadic” and therefore does not attain the threshold of violence required to trigger a non-international armed conflict. This type of attack on cyber infrastructure is increasingly common, and the nuance of invading cyber infrastructure should be addressed.

2. Degree of Organization

Second, for a non-international armed conflict to exist, parties to a conflict must be sufficiently organized.107 Sufficient organization entails an established command structure and a capacity to sustain military operations.108 The International Criminal Court (“ICC”) Pre-Trial Chamber held that:

[T]he involvement of armed groups with some degree of organization and the ability to plan and carry out sustained military operations would allow for the conflict to be characterized as an armed conflict not of international character.109

“Some degree of organization” allows for multiple interpretations. The flexibility has never been clarified, and the purpose of this standard also remains uncertain.110 The 2008 Report of the International Law Association’s Use of Force Committee suggests:

The criteria of organization and intensity are clearly related and should be considered together when assessing whether a particular situation amounts to an armed conflict. It seems that the higher the level of organization the less degree of intensity may be required and vice versa.111

While a minimum standard is not determined, a balancing test offers some clarity. On the extremes of the organization spectrum, the Taliban or Revolutionary Armed Forces of Colombia would meet the organization threshold if they were to conduct cyber attacks, but a similar cyber attack by a private individual would not meet that threshold.112

The ICTY referred to factors such as the existence of headquarters, internal regulations and disciplinary rules, the issuance of orders, political statements, and a spokesperson, when evaluating the Kosovo Liberation Army’s structure.113 Virtual groups, groups that are exclusively online and consist of people in different locations, are becoming more common in an increasingly digital world. A virtual group’s status as an organized armed group does not transpose well to the ICTY’s factors. Even without considering the geographic question, a virtual group has no physical headquarters or tangible meeting points. It is also difficult to identify natural persons in a virtual group, although that could improve as forensic investigations become more technologically capable of identifying natural persons.114 A means of issuing orders is clearly possible in a virtual group, but the capacity to truly enforce those orders is more dubious. These factors make it unlikely that, under current international humanitarian law, a completely virtual group would constitute an organized armed group.115 Groups exist that are not entirely virtual and these should be evaluated on a case-by-case basis.

IV. Conclusion

Cyber operations, when occurring in conjunction with conventional methods of warfare that elicited an armed conflict, should be treated the same as conventional attacks. The principle of distinction in Additional Protocol I governs all types of operations and attacks and is primarily concerned with an attack’s violent consequences. Although cyber operations target the enemy State through a different medium, their effects can be the same as a conventional attack. As States and other entities rely more on cyber infrastructure and, conversely, become more vulnerable to cyber attacks, deference to cyber operations should only increase.

It is more difficult for a cyber attack to rise to the threshold of armed conflict, whether international or non-international. In cyber operations where the effects cause physical damage or destruction of military or civilian objects, a stronger case can be made, given other requirements of an armed conflict are met. When a cyber operation only affects cyber infrastructure, however, attaining the status of armed conflict is unlikely.

Endnotes

  1. Council of the European Union, Independent International Fact-Finding Mission on the Conflict in Georgia, 1 O.J. (Sep. 2009), available online.
  2. Id.
  3. Przemyslaw Roguski, Russian Cyber Attacks Against Georgia, Public Attributions and Sovereignty in Cyberspace, Just Security (Mar. 6, 2020), available online.
  4. Id.
  5. Id.
  6. Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8, available online.
  7. Id.
  8. Id.
  9. Hortensia D. T. Gutierrez Posse, The Relationship Between International Humanitarian Law and the International Criminal Tribunals, 88 Int’l Rev. Red Cross 65, 81 (Mar. 2006), available online.
  10. Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, Art. 48 (Jun. 8, 1977), [hereinafter Additional Protocol I], available online.
  11. Id. art. 52.2.
  12. Michael N. Schmitt, Cyber Operations and the Jus in Bello: Key Issues, 87 ILS 89, 92 (2011), available online.
  13. Id. at 93.
  14. Id.
  15. Additional Protocol I, supra note 10, art. 51.1.
  16. Id. arts. 51.2, 51.4.
  17. Id. art. 51.5.
  18. Id.
  19. Id.
  20. Id. art. 52.
  21. Id. arts. 54.2, 55.
  22. Id. art. 56.
  23. Marco Sassòli, Legitimate Targets of Attacks Under International Humanitarian Law, Harv. Humanitarian Init. 7 (Jan. 27, 2003), available online.
  24. Id.
  25. Additional Protocol I, supra note 10, art. 57.1.
  26. Id. art. 57.2.
  27. Id. art. 12.
  28. Id. art. 44.3.
  29. Id. art. 49.1.
  30. Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949, ICRC ¶ 1875 (Yves Sandoz, Christophe Swinarski & Bruno Zimmermann, eds., 1987), available online.
  31. Id.
  32. Additional Protocol I, supra note 10, arts. 51.1, 51.2.
  33. Id. art. 57.2.
  34. Id.
  35. Id. arts. 57.2, 57.3.
  36. Jeffrey T.G. Kelsey, Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in the Age of Cyber Warfare, 106 Mich. L. Rev. 1427, 1447 (2008), available online.
  37. Id.
  38. Id. at 1438.
  39. Brian T. O’Donnell & James C. Kraska, International Law of Armed Conflict and Computer Network Attack: Developing the Rules of Engagement, 76 Int’l L. Stud. 395, 402 (2002), available online.
  40. Additional Protocol I, supra note 10, art. 57.
  41. Id. art. 51.
  42. See Kelsey, supra note 36, at 1438.
  43. Id.
  44. Knut Dörmann, Cordula Droege, Helen Durham, Liesbeth Lijnzaad, Marco Sassòli, Philip Spoerri & Kenneth Watkin, eds., ICRC, Commentary of 2020 on Convention (III) Relative to the Treatment of Prisoners of War Geneva, 12 August 1949, ¶ 287 (2020) [hereinafter ICRC Commentary 2020], available online.
  45. Id.
  46. Zach Whittaker, Two Years After WannaCry, a Million Computers Remain at Risk, TechCrunch, May 12, 2019, available online.
  47. Id.
  48. Id.
  49. Waleed Alraddadi & Harshini Sarvotham, A Comprehensive Analysis of WannaCry: Technical Analysis, Reverse Engineering, and Motivation, available online.
  50. Id.
  51. Id.
  52. Id.
  53. Id.
  54. Id.
  55. Id.
  56. Kate Conger & Taylor Hatmaker, The Shadow Brokers Are Back With Exploits for Windows and Global Banking Systems, TechCrunch, Apr. 14, 2017, available online.
  57. Id.
  58. Id.
  59. National Audit Office, Investigation: WannaCry Cyber Attack and the NHS (Apr. 24, 2018), available online.
  60. Id.
  61. Id.
  62. Id.
  63. Thomas P. Bossert, It’s Official: North Korea is Behind WannaCry, Wall St. J., Dec. 18, 2017, paywall.
  64. Press Release, U.S. Dept. of Just., North Korean Regime-Backed Programmer Charged with Conspiracy to Conduct Multiple Cyber Attacks and Intrusions (Sep. 6, 2018), available online.
  65. Id.
  66. The Prosecutor v. Dusko Tadić, IT-94-1-A, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction ¶ 70 (ICTY AC, Oct. 2, 1995) [hereinafter Tadić], available online, archived.
  67. Id.
  68. United Nations Charter, art. 51.
  69. See Schmitt, supra note 12, at 93.
  70. Sylvain Vité, Typology of Armed Conflicts in Humanitarian Law: Legal Concepts and Actual Situations, 91 Int’l Rev. Red Cross 69, 72 (Mar. 2009), available online.
  71. Jean S. Pictet, ed., ICRC, Commentary on the Geneva Convention Relative to the Treatment of Prisoners of War 23 (1960), available online.
  72. Geneva Convention IV Relative to the Protection of Civilian Persons in Time of War, 75 U.N.T.S. 287, Art. 2 (Aug. 12, 1949, entry into force Oct. 21, 1950) [hereinafter Fourth Geneva Convention], available online.
  73. Id.
  74. Id.
  75. Christopher Greenwood, The Concept of War in Modern International Law, 36 ICLQ 283 (1987), paywall, doi.
  76. Tallinn Manual on the International Law Applicable to Cyber Warfare 71 (Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual].
  77. Id.
  78. Dapo Akande, Classification of Armed Conflicts: Relevant Legal Concepts, in International Law and the Classification of Conflicts 14 (Elizabeth Wilmhurst ed., Jul. 2012), available online, doi.
  79. Id.
  80. Id.
  81. Id.
  82. Additional Protocol I, supra note 10, art. 49.1.
  83. Id.
  84. See Schmitt, supra note 12, at 94.
  85. Id.
  86. Id.
  87. Helen Durham, Cyber Operations During Armed Conflict: 7 Essential Law and Policy Questions, ICRC (Mar. 26, 2020), available online.
  88. Id.
  89. ICRC Commentary 2020, supra note 44.
  90. Id.
  91. Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States), Judgment, 1986 I.C.J. Rep. 14, ¶ 105–15 (Jun. 27, 1986), available online.
  92. Id.
  93. Id.
  94. Id.
  95. Id.
  96. Id.
  97. Id.
  98. Id.
  99. Id.
  100. Antonio Cassese, The Nicaragua and Tadić Tests Revisited in Light of the ICJ Judgment on Genocide in Bosnia, 18 EJIL 649 (Sep. 1, 2007), available online, doi.
  101. Tadić, supra note 66, ¶ 70.
  102. Rome Statute, Art. 8.2(e).
  103. Robin Geiss, Cyber Warfare: Implications for Non-international Armed Conflicts, 89 Int’l L. Stud. 627, 632 (2013), available online.
  104. Id. at 633.
  105. Id. at 634; Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of Non-International Armed Conflicts, 1977 U.N.T.S. 609 (Jun. 8, 1977) [hereinafter Additional Protocol II], available online.
  106. Additional Protocol I, supra note 10, art. 49.
  107. Tadić, supra note 66, ¶ 70.
  108. The Prosecutor v. Fatmir Limaj, Haradin Bala, and Isak Musliu, IT-03-66-T, Judgement ¶ 129 (ICTY TC II, Nov. 30, 2005) [hereinafter Limaj], available online.
  109. The Prosecutor v. Thomas Lubanga Dyilo, ICC-01/04-01/06, Decision on the Confirmation of Charges ¶ 233 (PTC I, Jan. 29, 2007), available online.
  110. See Geiss, supra note 103, at 634.
  111. Mary Ellen O’Connell & Judith Gardam, ILA, Initial Report on the Meaning of Armed Conflict in International Law (2008), available online.
  112. See Geiss, supra note 103, at 634.
  113. Limaj, supra note 108, ¶¶ 98, 113–17.
  114. See Geiss, supra note 103, at 634.
  115. Id.

The evolution of warfare has seen a shift towards cyber weapons, with nations increasingly utilizing cyber means for warfare due to their potential for significant results at relatively lower costs compared to traditional weapons. Examples of cyber attacks, such as the Tallinn attack, the Georgia hack, and the Stuxnet worm, highlight the existing use of cyber warfare.

It is predicted that more states will employ cyber capabilities in future conflicts, given the accessibility and affordability of cyber attacks. However, this reliance on cyber technology also exposes countries with advanced cyber capacity to vulnerabilities if targeted by cyber attacks.

It is important to differentiate between cyber crimes and cyber attacks. Cyber crimes are offenses punishable under national penal codes and involve private perpetrators, typically related to computer-related fraud or forgery. On the other hand, cyber attacks aim to cause mass destruction, harm connected systems and facilities, and potentially result in human loss.

While attempts have been made to incorporate cyber offenses into international criminal law, there has been no concrete formulation in the realm of cyber warfare. Some scholars and experts argue for the inclusion of cyber warfare within Article 8 bis (Crime of Aggression) of the Rome Statute, which addresses acts of aggression.

The development of legal frameworks to address cyber warfare is an ongoing process, and it requires careful consideration of the unique challenges posed by cyber attacks in order to ensure accountability and effective deterrence in this evolving landscape.

Social Media May be Used to Commit Genocide Under the Rome Statute

I. Introduction

As technology progresses, cyber crime grows as a concern on a national, transnational, and international level. As the International Criminal Court pursues its goals of holding actors accountable for criminal violations of international law in 2022 and beyond, it will have to contend with a world that depends more and more on technology in all aspects of life, including the commission of crimes. In order to meet this challenge, the Court will have to consider if and when cyber crimes fall under the jurisdiction of the Court. The International Criminal Court has jurisdiction over four crimes: genocide, crimes against humanity, war crimes, and the crime of aggression.1 In order to meet its obligation to prosecute these crimes, the Court must be prepared to consider how these crimes might be conducted in cyberspace and whether such acts would fall under the Court’s jurisdiction. Due to the seriousness of the crime, this comment will focus on genocide, and whether cyber crimes might fit under the Rome Statute’s definition of genocide.

In order to explore how cyber crimes might qualify as genocide, this comment will examine two hypotheticals, both focusing on the use of social media to commit genocide under the Rome Statute. The first hypothetical illustrates how the use of social media could be used to incite genocide. The second hypothetical illustrates how the use of social media could be used to inflict serious mental harm on a qualifying group. Both hypotheticals could potentially rise to the level of genocide. In some ways, due to the ability in cyberspace to target certain individuals regardless of location, proving the dolus specialis of intent to destroy the group in whole or in part that is required to prosecute genocide might be easier for cyber crimes than it would be in other more traditional circumstances.

A. Hypothetical A

Imagine an individual with the desire to incite genocide, who plans to use social media to do so. This person has a large following on her social media accounts. Imagine a celebrity, someone who has millions of followers and a large amount of influence over those followers. For the sake of clarity, the celebrity in this hypothetical will be referred to as Trinity. Trinity already knows, based on the responses to her own social media posts and the posts made by her followers, that she has followers who either share her hatred for the target group or could be manipulated into sharing her hatred. She creates a series of social media posts aimed at gradually indoctrinating her followers into hating the target group. This could be done with posts that dehumanize the target group, blame them for what her followers consider to be the current ills of society, or show graphic videos of violence against this group.

Through frequent posting and an understanding of what emotionally moves her followers (which she already has, since she has managed already to amass millions of followers who consistently engage with her content), Trinity would be able to create in her followers the desire to commit genocide against the target group. Once she has cultivated the genocidal attitude she wants, she will have potentially thousands of people across the world who share her desire to destroy the group. At this point, she will be able to begin the process of inciting real violence toward the group.

This hypothetical relies on the efforts of one individual with a large following, but the use of social media by terrorist groups in order to spread the group’s message, and even to incite violence, has already occurred. ISIS, for example, has used social media to recruit and to spread propaganda.2 Propaganda has of course been used in the incitement of genocide in the past, but what makes the use of social media to incite genocide particularly dangerous is the fact that it can reach greater amounts of people across the world. This hypothetical focuses on one person who already has a large follower base rather than a group for the sake of simplicity and clarity.

B. Hypothetical B

Imagine an individual who desires not to incite genocide through the use of social media, but instead, to commit genocide. The individual’s goal is to use social media to reach members of the target group and cause serious mental harm, with the end goal of destroying the target group. He would create content that mentally manipulates members of the target group with the ultimate goal of leading members of the target group to commit self harm and suicide. For the sake of clarity, this individual will be referred to as Thomas.

Like the first hypothetical, this act would require some kind of a large following, or, in this case, any way to spread the content that would make sure it reaches members of the target group. Content that harms the target group enough that it could eventually lead to physical harm to the group would have to be very serious. It would need to be more than mere hate speech, and would be specifically tailored to achieve a significant reaction among members of the group. For this hypothetical, imagine that Thomas utilizes videos meant to influence young members of the target group, teens and young adults, to commit suicide. Studies on the effects of social media on youth show that the graphic and frequent portrayal of self harm leads to increased likelihood that teens and young adults will engage in these behaviors.3 By creating videos that appeal to individuals of the target group or by manipulating the social media pages of those in the target group to ensure that they see the content, Thomas could show young members of the target group videos that depict self harm and methods of committing suicide with enough frequency to lead the members of the target group to engage in those practices. Alternatively, he could create a series of posts or videos similar to the blue whale challenge. Using the formula of the blue whale challenge, Thomas would create videos that give tasks to viewers, which in Thomas’s case would be members of the target group, that culminate in the viewers being led to commit suicide.

The blue whale challenge has been reported as a game on social media that targets youth. The game directs participants through a series of videos to secretly complete tasks which become progressively more harmful, ultimately ending with the participants being directed to commit suicide in order to finish the game.4 Discussions of this game do not indicate that it was targeted at any particular group other than young people in general, but content like the blue whale challenge could be used to target members of a certain group by someone who wished to commit genocide against them. This could be done by posting content of the game on forums or social media groups aimed at the target group, or by taking advantage of social media algorithms to reach members of the target group on their accounts. Once the game is shown to those in the target group, it could be conducted similarly to the blue whale challenge, and members of the target group rather than youth in general would be encouraged to engage in self harm and eventually suicide. This is the method that Hypothetical B focuses on.

II. Hypothetical A Could Fall Under the Rome Statute’s Definition of Genocide

Article 25(3)(e) of the Rome Statute states that:

[I]n accordance with this Statute, a person shall be criminally responsible and liable for punishment for a crime within the jurisdiction of the Court if that person: […] (e) in respect of the crime of genocide, directly and publicly incites others to commit genocide.5

Hypothetical A, depending on the circumstances of the act, could fall under this definition. Trinity (the celebrity from Hypothetical A) could be found to be criminally liable for committing genocide if she directly and publicly incited others to commit genocide, which she would do through her social media accounts.

The Genocide Convention’s definition of incitement to commit genocide requires that the incitement be direct and public.6 International courts like the International Criminal Tribunal for Rwanda and the International Criminal Tribunal for the Former Yugoslavia (ICTY) have interpreted the meaning of these terms in prosecuting incitement to commit genocide. In The Prosecutor v. Pauline Nyiramasuhuko et al., the International Criminal Tribunal for Rwanda stated that in order for the incitement to be direct, it must specifically provoke another person to engage in acts that qualify as genocide under the statute:

It must be more than a vague or indirect suggestion, and an accused cannot be held accountable for this crime based on hate speech that does not directly call for the commission of genocide.7

This means that Trinity would have to do more than create posts that make hateful or derogatory comments about the target group. It would not be enough to post often about Trinity’s hatred for the target group or to make negative statements about the target group.

However, the Tribunal did emphasize that the call to the commission of genocide does not have to be explicit if in the context of the statement, it is clear that the meaning of the statement was a direct appeal to commit genocide.8 For example, if Trinity posted one day that “we should all start treating [the target group] the way they really deserve to be treated” that would not be a direct incitement to commit genocide because it does not necessarily suggest the commission of any genocidal act. That statement is so vague that it could refer to anything. On the other hand, Article 6 of the Rome Statute states that killing members of the target group (with the requisite intent to destroy the group) is genocide.9 If Trinity posted videos of members of the target group being killed and said “when I say you should treat [members of the target group] the way they deserve to be treated, this is what I mean,” then in context, that could be considered direct incitement to kill members of the target group. However, in order for this statement to qualify as direct incitement, the statement would have to not be ambiguous within that context.10 If Trinity posted about “treating them the way they deserve to be treated” and it was very clear in context that she meant to kill members of the target group, then that could qualify as direct incitement. If it was ambiguous, either because she only used the term as a euphemism for kill once and it was not clearly meant to convey that meaning, or because she also used the term “treat them the way they deserve to be treated” to mean other things in other posts, it would likely not qualify as direct incitement.

In order to tell the difference, the Tribunal offered one way to determine what the speech means in context. It suggested that the speech be evaluated based on how it was understood by the intended audience. If there were thousands of comments from her followers expressly stating that they understood she meant kill when she used the term “treat them the way they deserve to be treated” (for example, if followers had discussions about how Trinity had to use the term “treat them the way they deserve to be treated” when she meant kill in order to not be removed from the social media platform), then the context of her statements would make it clear that she was engaging in the direct incitement to commit genocide because her followers understood her to be directing them to kill. Therefore, whether or not her incitement was direct could be easily understood if her language was clear, or it could be ascertained using the context of her statement and the way it was understood by her followers. Both could result in her statement being found to be a direct incitement to commit genocide.

In addition to being direct, Trinity’s statements would also have to be public in order to fit under the definition of incitement to commit genocide. The Appeals Chamber in The Prosecutor v. Pauline Nyiramasuhuko et al. stated that:

[A]ll convictions before the Tribunal for direct and public incitement to commit genocide involve speeches made to large, fully public assemblies, messages disseminated by the media, and communications made through a public address system over a broad public area.11

Under this definition of public, the public requirement for incitement to commit genocide would be relatively easy to meet for this hypothetical. When Trinity posts, her content is seen by her millions of followers as well as anyone with whom those followers might share her posts. Although social media posts are not made through the traditional media or the other public sources utilized by perpetrators convicted of genocide in the past, it is likely that Trinity’s posts would qualify because they would be seen by just as many if not more people. Her posts would also be available to viewers across the world rather than limited to one area the way a speech given to a large, public assembly would be. Her posts would almost certainly meet the definition of public.

The hypothetical in which Trinity is a celebrity with millions of followers would make it possible for her posts to meet both the direct and public requirements, but if a different individual, someone with only a thousand followers, or only five followers, made posts with the intention of inciting genocide, the analysis might be different. For someone with only a few followers, the speech would have to be more explicit to be considered a direct incitement, because with a smaller audience, or no audience participation at all, it would be more difficult to rely on context and the way the audience understood the message. Still, a post made by someone with only five followers could still qualify as direct, because it could explicitly tell others to commit acts that would fit the definition of genocide.

The public requirement would be the more serious challenge for prosecuting a poster with a small number of followers. Trinity is clearly making a public statement when she addresses millions of followers. Not every follower is going to see her post, but many of them will, and many people who do not follow her will see her posts when the posts are shared or interacted with by her followers. Someone with only a few followers, however, might make a post that is only seen by those five followers, only a few of them, or even none of them. Given that the requirement is that the incitement be public, not simply that it be heard by someone other than the speaker, it seems unlikely that someone who had five followers would be thought of as making a public statement. This is especially true considering the fact that all of the convictions for the International Criminal Tribunal for Rwanda, which has played a role in interpreting these terms, involved speeches given to a large public audience, broadcasted by the media, or made through a public address system over a large area. Making a post on social media that will probably only be seen by a few followers would be akin to making the statement at a small party, and that would probably not be enough to amount to a public statement.

If five followers is not enough, however, the question becomes how many are enough? Would one thousand followers be enough, taking into account the fact that not every follower is going to see the post? If someone like Trinity shared the post made by someone with only a few followers, would the original poster’s statement then be considered public because it had the capacity to be shared to a wide group and then actually was, even though the poster did not choose for that to happen? Due to the nature of social media, namely the fact that posts can be shared, it is not clear what would meet the public requirement and what would not.

One aspect of the Rome Statute that might limit the practical importance of these questions is the gravity requirement. Article 17(1)(d) states that a case will be inadmissible where “the case is not of sufficient gravity to justify further action by the Court.”12 Even if a post made by someone with five followers might qualify as public due to the potential for the post to be shared and then seen by many more people, the Prosecutor might find that the post is so unlikely to gain any traction that it would not justify further action by the Court. However, the gravity requirement is argued to be a very low threshold, meant to keep out offenses such as small, isolated war crimes, rather than excluding crimes like genocide that are grave per se.13 Marco Roscini, a professor of international law at the University of Westminster Law School, argues that “cyber conduct constituting, instigating or facilitating an act of genocide will not need to result in a high number of casualties to be considered admissible.”14 Thus, the legal gravity requirement is thought to be very low, and is arguably likely to be met by any incitement to genocide should the Prosecutor use his discretion to take the case.

In fact, it is the Prosecutor’s discretion that offers another reason to think that a post technically inciting genocide in a direct and public way still might not meet the gravity requirement. In addition to the legal gravity requirement in Article 17(1)(d), there is also the practical consideration that the Prosecutor has limited resources and cannot, and arguably should not, take on every case that falls under the jurisdiction of the Court. The Prosecutor has to make decisions about what cases, according to his own judgment, best serve the interests of justice and the Court. Therefore, there is a relative gravity requirement as well in choosing what cases to take on.15 The relative gravity requirement is higher than the legal gravity requirement; not every case that technically qualifies as incitement to genocide would be considered worthy of pursuit by the Prosecutor. The relative gravity requirement would probably make it unlikely that the Court would indict someone for incitement of genocide if he made a social media post that would only be seen by five followers. Even once a certain number of viewers was deemed “public” for the purpose of the definition, it would be up to the Prosecutor’s discretion to determine how many viewers (among other circumstances) would be enough to make the case important enough to pursue.

Posts inciting genocide made by Trinity, which would potentially meet the direct and public requirements, would be subject to the same discretion of the Prosecutor. If Trinity reached a large audience in her incitement to genocide but there was no loss of life in the target group, then the Prosecutor might find that, given the seriousness and high death toll of other crimes under his jurisdiction, this case did not warrant investigation by the Court. On the other hand, he might find that given the publicity of Trinity’s posts and the rise in attention to cyber crimes across the world that investigating Trinity’s crimes would be an important deterrent of future cyber crimes of this nature.16 In that case, a low death toll, or no death toll at all, might still warrant investigation and indictment by the Court. Therefore, it is certainly possible that Hypothetical A would meet the Rome Statute’s definition of genocide and be investigated by the International Criminal Court, assuming that the case met the intent requirement.

III. Hypothetical B Could Qualify as Genocide Under the Rome Statute

Article 6(b) states that:

[F]or the purpose of this Statute, ‘genocide’ means any of the following acts committed with intent to destroy, in whole or in part, a national, ethnical, racial or religious group, as such: […] (b) Causing serious bodily or mental harm to members of the group.17

Hypothetical B focuses on how Thomas could use social media to cause harm to members of the target group by making videos similar to the blue whale challenge that influence those members to commit serious bodily injury to themselves.

If Thomas’s conduct meets the definition of genocide under the Rome Statute, it would most likely be because it falls under Article 6(b), causing serious mental harm to members of the target group. Many scholars argue that for mental harm to qualify under the Statute, it must be manifested physically.18 Nema Milaninia, a trial attorney with the Office of the Prosecutor for the International Criminal Court, argues that nothing in the Genocide Convention states this requirement, and such a requirement would render the rule redundant. Thomas’s content would qualify as serious mental harm that does manifest physically, so under either interpretation, Thomas’s content could potentially be an act of genocide. Courts have recognized “threats of death and knowledge of impending death; acts causing intense fear or terror; surviving killing operations; forcible displacement; and ‘mental torture’ ” as causing mental harm under the Statute.19 A series of videos or posts that encourage the target group to engage in self harm or suicide would likely qualify as mental harm.

In addition to qualifying as mental harm, the harm also has to be considered serious. The analysis of whether an act of mental harm is considered serious is done by looking at the totality of the circumstances, in which the Court will look at all of the related acts together to evaluate whether the acts caused serious mental harm, rather than looking at the acts one by one.20 For example, in The Prosecutor v. Rukundo, the International Criminal Tribunal for Rwanda did not have direct evidence of the mental state of a victim of sexual assault, but they looked at the circumstances of the assault to determine whether serious mental harm existed.21 The Court considered the victim’s relationship to the accused, her sexual inexperience, and the fact that the perpetrator had carried a weapon.22 Using all of these factors considered together, the Court determined that the victim would have suffered serious mental harm from the assault.

If Thomas made a series of videos each progressing in seriousness that were meant to be viewed in succession by a member of the target group (a system where the victims watched the first video, did the assigned task, and then progressed to the next video), then the Court, in evaluating whether serious mental harm had been inflicted on the victim, would have to look at all of the videos together, as well as any other posts or circumstances that would play a role in the victim’s mental state. The Court might take into account what the videos said, whether any graphic content in the video would be particularly disturbing for the victim, and any potentially harmful effects of the videos being aimed at the target group in particular, to decide if under these circumstances the mental harm would be serious. Alternatively or in addition, of course, the Court could use victims’ own statements of the harms that they suffered. In The Prosecutor v. Popović et al., the Court relied on other circumstances because it had very little evidence of the victim’s mental state from her own words. If victims were willing and able to come forward, then their testimony would help the Court determine the seriousness as well.

The Trial Chamber for the ICTY suggested in its analysis of the case The Prosecutor v. Tolimir that in order to find serious mental harm that qualifies as genocide, the perpetrator’s act must be a proximate and direct cause of the mental harm.23 For Thomas’s content to be considered to have caused serious mental harm, his content would have to be the direct cause of the harm, meaning that the harm would not have occurred but for his act of posting the content. His content would also have to be the proximate cause of the harm, meaning that the mental harm done to the victims was a foreseeable consequence of Thomas’s actions. If victims participated in Thomas’s challenge and sustained serious mental harm as a result, that would make his actions a but-for cause of the harm. Also, since the purpose of his content is to cause members of the target group to sustain harm, it would be very difficult to argue that such harm was not foreseeable, so his actions would also be a proximate cause. Therefore, Thomas’s actions would likely fit the causal requirements implicit in the Trial Chamber’s analysis.

One potential argument against this hypothetical qualifying as serious mental harm is the fact that victims can choose at any point to disengage from the game, or not to take part in it in the first place. It could be argued that if the harm they were suffering really was serious, then they could at any time log off and not watch the videos. This makes it very different from a situation in which victims of a target group are tortured or forcibly removed from their homes, because in those situations, the victims have no opportunity to escape the treatment. However, psychological studies on youth have shown that social media can contribute significantly to suicidality in teens and young adults, especially those with pre-existing mental health issues.24 These harms occur despite the fact that users can cease their use of social media at any time. Whether or not the victims could stop viewing Thomas’s content at any time should be irrelevant to the analysis, because if the victims have viewed it, and they suffered serious mental harm as a result, it is still Thomas’s genocidal act that caused their harm. The victims’ choice to view the content has not prevented the individual with genocidal intent from causing serious mental harm to the target group. There is nothing in the Statute that requires that the victims be unable to escape the harm.

Nonetheless, the Prosecutor could consider the existence of choice in his analysis of the relative gravity of the crime. He might find that the Court’s resources are better spent on instances of genocide in which the victims did not have any avenues of escape, allowing responses from other governmental agencies or organizations to respond to social media attacks like Thomas’s. Perhaps due to the choice involved in these kinds of challenges, outreach efforts created to spread awareness of the attacks and warn potential victims how to spot and avoid this content would be sufficient to protect the target group. The existence of this possibility may lead the Prosecutor to determine that there are other cases that more warrant the resources of the Court. On the other hand, researchers have found that even posts attempting to spread awareness of the blue whale challenge in order to protect people from its content still have the potential to contribute to the self harm contagion, a phenomenon in which internet users with mental illness are influenced to engage in more self harm or suicide ideation due to the way these topics are addressed in media and on social media.25 The potential for attempts at spreading awareness to cause more harm than good might lead the Prosecutor to find a case like Thomas’s to be worth pursuing.

The potential for an attack like Thomas’s to be committed anonymously raises further issues for the Prosecutor to consider in investigating the case. Cyber attacks can be more difficult to prosecute than more traditional forms of genocide because the perpetrator can make the attack without revealing his identity to anyone. Attribution is a difficult problem in prosecuting cyber attacks in general because it is difficult to find the source and perpetrator of the attack.26 This obviously increases the costs of prosecuting the attack, but it could be argued that it makes it more worthy of pursuit. Since anonymity makes a cyber attack more appealing for would-be perpetrators, it may be even more important for the Court to make an example out of the perpetrators that they are able to identify. By pursuing instances of genocide conducted through social media, the Prosecutor can send a message that there is a lot of risk in such attacks because the Court will make the effort to find and punish the perpetrators. Still, knowing that they can act anonymously may cause perpetrators to feel that even if someone else is convicted by the Court for a social media focused cyber attack, the risk of getting caught is low and the act is still worth attempting. These are the kinds of issues that the Prosecutor will have to take into account in considering whether a case like Thomas’s should be investigated by the Court.

Although Hypothetical B focuses on posting content similar to the blue whale challenge, it is not difficult to imagine other uses of social media that might lead to serious mental harm and fall under the Statute’s definition of genocide. Given that cyberbullying has been shown to have a significant adverse effect on the mental health of victims,27 it might be argued that if a perpetrator targeted individual members of a target group through cyberbullying, that might qualify as genocide as well. The constant posting of extremely graphic videos depicting violence against the target group, especially when sent to the members of the target group themselves rather than posted publicly, might also be found to be a serious enough harm. What makes Hypothetical B a useful example, however, is that it would likely qualify as genocide even if a physical manifestation of the harm is required, since it clearly leads to physical harm to the target group. Therefore, it shows how social media could be used to commit what would qualify as genocide under the Rome Statute.

IV. Both Hypotheticals Could Meet the Intent Requirement Depending on the Circumstances

To prosecute a perpetrator for genocide, the Rome Statute requires more than proof that the act was committed and that the perpetrator intended to commit that act. In addition, there is the dolus specialis, the requirement of a special intent to destroy a protected group in whole or in part.28

It is not enough that Thomas in Hypothetical B wanted to create a program like the blue whale challenge in order to influence teens and young adults to commit self harm. In order for that act to qualify as genocide, the Prosecutor must prove that Thomas created this program to influence teens and young adults of the target group to commit self harm because he wanted to destroy the target group in whole or in part. The Prosecutor must prove that Thomas actually intended for the content to reach the target group and cause them harm because he had the desire for his content to contribute to the destruction of the target group.

The acts must be committed against members of the target group because they are members of the target group. The International Law Commission stated that “[t]he action taken against the individual members of the group is the means used to achieve the ultimate criminal objective with respect to the group,”29 and that “the intention must be to destroy the group ‘as such’, meaning as a separate and distinct entity, and not merely some individuals because of their membership in a particular group.”30 For Trinity in Hypothetical A, for example, this means that the Prosecutor would have to prove that Trinity wanted her followers to commit acts of violence against members of the target group, not only because she wants harm to be caused to members of the target group, but because she has a desire to destroy the target group itself.

Intent is a difficult requirement in prosecuting the crime of genocide because it requires that the mental state of the perpetrator be proven when the defendant may not have ever admitted such a mindset.31 In fact, Josef Kunz has stated that:

[I]t has been said that this specific criminal intent makes the Convention useless; that governments, less stupid than that of National Socialist Germany, will never admit the intent to destroy a group as such, but will tell the world that they are acting against traitors and so on.32

He argues that it is very unlikely that perpetrators of genocide will admit that they had the requisite intent. Further, it can be difficult to prove someone’s mental state when their words claim a different motivation. However, even without a confession as to the intent of the crime, international tribunals have found the intent to commit genocide using other evidence. The International Criminal Tribunal for Rwanda has looked at factors like “the scale of atrocities committed, their general nature, a local region or country, or furthermore, the fact of deliberately and systematically targeting victims on account of their membership of a particular group, while excluding the members of other groups” in order to find intent.33

Instances of genocide committed through the use of social media face this same requirement and some of the challenges that it brings. Like other perpetrators of genocide, perpetrators using social media to incite others to commit genocide or to commit acts of genocide themselves may deny having a genocidal intent, and in that case the Prosecutor would need to find other evidence to establish the requisite intent. However, in certain situations, proving genocidal intent for an act conducted through social media might be easier than proving intent for more traditional forms of genocide. In the case of more traditional forms of genocide, there are often other possible motivations for the potentially genocidal behavior. Perpetrators who murder members of the target group could be doing so due to a desire to destroy that group, or they could be doing so because they are at war with the people in that area over a piece of land, and the people involved in that war happen to be of the target group. In that case the reason for the behavior would not be to destroy the target group but something else entirely. For example, in The Prosecutor v. Tolimir, the Appeal and Trial Chambers found that the Bosnian women and children had suffered serious mental harm as a result of forced displacement and the harmful circumstances involved in that displacement.34 In a case like Tolimir that involves forced displacement, a tribunal might find the dolus specialis of intent to destroy the target group, but that same act by a different perpetrator might have been motivated by concerns that are not related to genocide. It could be a matter of the perpetrators wanting to remove the group in order to take land for themselves.

In the case of genocide committed through social media, however, it might be easier to prove that the motivation was genocidal. When perpetrators are explicit about their hatred of the target group and their desire to destroy that group, it is obviously easier to prove intent. The large amount of documentation by German leaders of their intent to eradicate Jewish peoples during the Holocaust is an unusual example of perpetrators of genocide being forthcoming with their intent.35 In cases like that, it is easy to prove the dolus specialis. Genocide committed through social media might be another instance of genocidal intent being broadcasted more openly. Because the internet is not limited to one’s own region of the world, users can reach people outside of their own country or area. If perpetrators seek out members of the target group regardless of where in the world they are living, then it will be much harder to argue that the perpetrators only tried to harm those particular people because they are at war with them or because they have certain territory that the perpetrators want. By using the internet to connect with members of the target group around the world, perpetrators will make it more clear that destroying the target group was their intention.

In Hypothetical A, Trinity’s posts call for violence against members of the target group. Since her posts can be seen by viewers all over the world, it will be clear that the reason she is targeting these individuals is because of their membership in the target group and not for reasons related to their location, like her desire to remove a group from land that she wants to occupy. Her intent to target this group may also be clearly proven because her posts specify that group itself. She does not call for violence against people who do not support her, or people who engage in certain behaviors. She explicitly calls for violence against members of the target group, so her intent to cause harm to members of the target group will be clear from her posts. The Prosecutor would still have to prove that her intent in inciting violence against members of the group was specifically to destroy the group itself and not just to harm individual members of the group, but the fact that she has already made her intentions to cause harm to the target group clear would make the proving a lot easier.

In Hypothetical B, whether it would be easier to prove Thomas’s intent to destroy the group than it would be to prove the intent of any other perpetrator of genocide depends on how Thomas goes about reaching the members of the target group. If Thomas’s videos are explicitly labeled as being aimed at the target group, or if the content of the video addresses members of the target group directly, then it would be reasonably easy to prove his intent to destroy members of the group. Depending on what is said in the videos, it might even be easy to prove that he is trying to destroy the group itself rather than just individual members of the group. If Thomas does not explicitly refer to the target group in the videos and has other methods of ensuring that they are the ones who view his content, like manipulating the algorithms on whatever social media site he uses to make sure that his videos are shown to the desired group members, that might make proof more difficult. Still, the Prosecutor could introduce evidence of whatever efforts Thomas makes to reach the target group in order to prove that he intended for them to be harmed specifically.

For both hypotheticals, the fact that the genocidal act is being done through social media helps to make proving the dolus specialis of intent easier than it would be with more traditional forms of genocide like murder, displacement, and other acts of violence. The fact that the perpetrators in these hypotheticals use words rather than physical violence provides useful evidence of intent.

V. Conclusion

As use of the internet progresses, the world will have to contend with the proliferation of cyber crimes by state actors and by individuals. In the Preamble to the Rome Statute, the State Parties declared their determination to “put an end to impunity for the perpetrators of these crimes and thus to contribute to the prevention of such crimes.”36 In order to live up to this goal, the International Criminal Court must be prepared to address the crimes under its jurisdiction in all forms, including in the form of cyber crime. Genocide, perhaps the most serious crime over which the Court has jurisdiction, may be perpetrated through cyber attacks, and the Court ought to be prepared. Perpetrators with the intent to commit genocide may choose to do so using social media. As long as the act falls under the definition of genocide under the Statute, the crime should be considered genocide by the Court even though it is undertaken through social media rather than through more traditional means.

Hypothetical A may fit under the definition of genocide as an incitement to commit genocide. Social media offers perpetrators a platform to directly and publicly incite violence against a target group because it allows posters with a large follower base to reach millions of people with their message. Such behavior could fall under the definition of genocide depending on the particular circumstances of the case.

Hypothetical B also has the potential to fall under the Statute’s definition of genocide. By making videos similar to the blue whale challenge that influence viewers to commit self harm and even suicide and using this content to cause serious mental harm to members of the target group, a perpetrator may commit an act of genocide using social media.

Although social media has the potential to offer perpetrators the opportunity to reach a larger group of victims from the target group, it may also be easier for the Prosecutor to prove the dolus specialis of intent to destroy the target group in whole or in part and prosecute the perpetrators.

In order to fulfill its mission of punishing perpetrators of genocide and deterring future genocidal acts, the Court ought to be aware of the possibility that genocidal actors may seek to harm others through the use of social media. Awareness of this potential threat may allow the Court to adjust to the world of cyberspace and prevent the perpetration of these crimes.

Endnotes

  1. Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 5, available online.

  2. Piotr Łubiński, Social Media Incitement to Genocide: ECHR Countries’ Perspective, in The Concept of Genocide in International Criminal Law 262, 268 (Marco Odello & Piotr Łubiński eds., 2015), available online.

  3. Amro Khasawneh, Kapil Chalil Madathil, Emma Dixon, Pamela Wiśniewski, Heidi Zinzow & Rebecca Roth, Examining the Self-Harm and Suicide Contagion Effects of the Blue Whale Challenge on YouTube and Twitter: Qualitative Study, 7 JMIR Mental Health (Sep. 6, 2020), available online, doi.

  4. Id.

  5. Rome Statute, supra note 1, Art. 25(3)(e).

  6. Łubiński, supra note 2.

  7. Id. at 269 quoting The Prosecutor v. Pauline Nyiramasuhuko et al., ICTR-98-42-T, Judgement and Sentence, n.5986 (TC II, Jun. 24, 2011) [hereinafter Nyiramasuhuko], available online.

  8. Id.

  9. Rome Statute, supra note 1, Art. 6(a).

  10. Łubiński, supra note 2, quoting Nyiramasuhuko.

  11. Id.

  12. Rome Statute, supra note 1, Art 17(1)(d).

  13. Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247, 269–70 (2019), available online, doi.

  14. Id. at 270.

  15. Id.

  16. Id.

  17. Rome Statute, supra note 1, Art. 6(b).

  18. Nema Milaninia, Understanding Serious Bodily or Mental Harm as an Act of Genocide, 51 Vand. J. Transnat’l L. 1381, 1393 (2018), available online.

  19. Id. at 1394.

  20. Id. at 1397.

  21. Milaninia, supra note 18, at 1397 quoting The Prosecutor v. Rukundo, ICTR-2001-70-T, Judgement, ¶ 388 (TC II, Feb. 27, 2009), available online.

  22. Id.

  23. Milaninia, supra note 18, at 1398 quoting The Prosecutor v. Tolimir, IT-05-88/2-A, Judgement, ¶ 761 (TC II, Dec. 12, 2012), available online.

  24. Khasawneh et al., supra note 3.

  25. Id.

  26. Gary D. Brown & Keira Poellet, The Customary International Law of Cyberspace, 6 SSQ 126, 133 (2012), available online.

  27. Khasawneh et al., supra note 3.

  28. Article 17. Crime of Genocide in Report of the International Law Commission on the Work of its Forty-eighth session, 6 May-26 July 1996, U.N. Doc. A/51/10, 44, ¶ 19 (1996), available online.

  29. Id. ¶ 6.

  30. Id. ¶ 7.

  31. Habtamu Dugo & Joanne Eisen, Proving Genocide in Ethiopia: The Dolus Specialis of Intent to Destroy a Group, 10 A:JPAS 133, 135 (Sep. 2017), available online.

  32. Id. quoting Josef L. Kunz, The United Nations Convention on Genocide, 43 Am. J. Int’l L. 738, 743 (Oct. 1949), available online, doi.

  33. Id.

  34. Prosecutor v. Tolimir, supra note 23.

  35. Dugo & Eisen, supra note 31, at 143.

  36. Rome Statute, supra note 1, at Preamble.

Accountability for NotPetya: Why the International Criminal Court Can, and Should, Prosecute the Perpetrators of the NotPetya Cyber Attack as a War Crime

I. Introduction

In June 2017, a popular Ukrainian tax accounting software called M.E.Doc underwent a routine software update. Unbeknownst to the thousands of Ukrainians who use this software, that update served as the entry point for a destructive malware that would soon gain access to their computers. Once inside their networks, the malware spread like wildfire, irreversibly corrupting data as it went.

What started as an attack on Ukraine quickly turned into an attack on the world. This malware, given the name “NotPetya,” infected over sixty different countries, causing an estimated $10 billion in damage. It is considered the most devastating cyber attack in history.1 Despite the devastation it caused, and despite universal consensus in the international community that Russia is to blame, no one has been held responsible. This begs the question: is there a way to hold the perpetrators of NotPetya, and international cyber attacks more generally, accountable?

Despite the difficulties inherent to the prosecution of cyber attacks and the obstacles posed by the Rome Statute’s demanding framework, this comment demonstrates how the NotPetya attack meets all the requirements necessary to be prosecuted as a war crime by the International Criminal Court (the Court). Part II provides the details of the NotPetya attack. It first explains the technical design of the malware, followed by an explanation of how the attack began on June 27, 2017, its far-reaching consequences, and why Russia was the immediate suspect. Part III analyzes the Court’s jurisdiction over the attack. The situation in Ukraine has provided the foundation for the Court to have both territorial and subject matter jurisdiction over NotPetya as a war crime under either Articles 8(2)(a)(iv) or 8(2)(b)(ii) of the Rome Statute. Lastly, Part IV explains why NotPetya is admissible before the Court. Finding that prosecution is not barred by Article 17’s complementarity provision, the comment explains why the attack meets the gravity threshold of Article 17 and why the Court, in its discretion, should choose to prosecute members of the Russian government for this cyber attack.

II. NotPetya

A. How it Works

The name NotPetya is derived from the malware’s resemblance to Petya, a ransomware that first appeared in 2016.2 Petya was a typical form of ransomware, disguising itself as an email attachment that gained access to a victim’s computer when the attachment was downloaded.3 Petya would then encrypt the computer’s data, holding the files hostage until the victim paid a ransom in exchange for the decryption key.4 At first, people believed the malware attacking their computers on June 27, 2017 was Petya because of the ransom message that appeared on their screens, demanding $300 worth of bitcoin to decrypt their files.5 Unlike Petya, however, the ransom message was just a means of deception. Even if the ransom was paid, the files were not recoverable.6 Hence the name, not-Petya.

The reason the files were not recoverable is because of the way in which NotPetya encrypts a victim computer’s data. Once the malware infiltrates a computer, it gains access to the computer’s administrator rights and encrypts the master boot record, which is the part of the computer that identifies how and where an operating system is located.7 This makes the computer unusable.8 But unlike typical ransomware, the computer is not just temporarily disabled. Instead, when NotPetya encrypts a computer, it does so without creating a relationship between the identity of the specific computer and the encryption key it creates, which means there is no way to decrypt the files, even if the ransom is paid.9 In other words, the purpose of NotPetya is not extortion; it is destruction.10

NotPetya was not only designed to cause irreversible damage to the computers it infected, it was also designed to infect as many computers as possible. The malware utilizes two different mechanisms, working together, to cause this widespread destruction. The first is a tool known as EternalBlue, which exploits the vulnerabilities in a popular Microsoft Windows protocol.11 EternalBlue was created by the United States National Security Agency but leaked after a breach of the agency’s files in April 2017.12 At the time the NotPetya attack occurred, Microsoft had already released a patch for this vulnerability.13 This meant that if a computer had this patch installed, NotPetya could not infiltrate it directly.14 Unfortunately, however, many computers are connected to other computers through networks, and the second mechanism employed by NotPetya, called Mimikatz, offered a way to infect even those computers that had been patched if they were connected to such a network.15 Mimikatz was created in 2011 by a French security researcher named Benjamin Delpy, who wanted to demonstrate how Windows systems left users’ passwords in the computer’s memory.16 Once initial access to a computer is obtained, Mimikatz can locate the user’s credentials in the computer’s RAM and then use them to gain access to other computers on the network that use the same credentials.17 As Delpy himself explained:

You can infect computers that aren’t patched, and then you can grab the passwords from those computers to infect other computers that are patched.18

This means that, as long as there is just one computer on a network that does not have the EternalBlue patch installed, Mimikatz can be used to spread NotPetya to the entire network of computers.19 Because of this, when NotPetya hit in June 2017, it was the fastest-propagating malware the world had ever seen.20

B. The June 2017 Attack

Not long after the attack began it became evident that NotPetya was specifically targeting Ukraine.21 The attack started on June 27, the eve of Ukraine’s Constitution Day. Because Constitution Day is a public holiday celebrating Ukraine’s independence from the Soviet Union, this timing has been interpreted as evidence of the attack’s political motivation.22 Even more telling than when the attack began is how the attack began. NotPetya’s epicenter has been linked to M.E.Doc, a Ukrainian tax accounting software.23 The hackers behind NotPetya infiltrated the servers responsible for pushing out M.E.Doc’s routine updates, which meant that, when the M.E.Doc software underwent a legitimate update process in June 2017, the hackers had backdoor access into every computer with M.E.Doc installed.24

And in Ukraine, M.E.Doc is installed on a lot of computers.25 The tax accounting software, which is the Ukrainian equivalent of TurboTax or Quicken,26 is mandatory at many Ukrainian government agencies and businesses, and all Ukrainian tax accountants are required to use it by law.27 The software is also popular among Ukrainian banks and government offices.28 The number of computers with M.E.Doc installed, combined with NotPetya’s dual-mechanism design, meant NotPetya was able to spread across Ukraine rapidly, wreaking havoc as it went.

The Ukrainian government estimates that ten percent of all computers in the country were hit by NotPetya.29 This includes at least four hospitals just in Kiev alone, two airports, six power companies, more than twenty banks, and almost every Ukrainian federal agency.30 As the Ukrainian Minister of Infrastructure reported, “[t]he government was dead.”31 More than fifteen hundred companies filed complaints with the Ukrainian national police asking for help with infected computers.32 Even the computers at the Chernobyl nuclear plant cleanup site failed because of the attack, forcing workers to manually monitor the radiation.33 Every computer that NotPetya hit was wiped clean of its data.

NotPetya did not stop at Ukraine’s borders. It spread to at least sixty-four other countries, including the United States, Germany, and the United Kingdom, hitting some of the world’s biggest companies.34 The Danish shipping company A.P. Maersk-Moller, which is the world’s largest shipping conglomerate and is responsible for nearly a fifth of the global shipping capacity, took nearly two weeks to be fully operational after it was hit by NotPetya, which cost the company an estimated $300 million.35 The pharmaceutical giant Merck reported damages of nearly $870 million.36 Other affected companies include FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, and Mondelēz, the parent company of Nabisco and Cadbury.37 The attack is estimated to have cost $10 billion, making it the most economically devastating cyber attack in history.38

This was not the first cyber attack Ukraine had suffered in recent years, and the victimized nation was quick to name its usual suspect: Russia.39 Given the history of Russian cyber attacks on Ukraine, this suspicion was not unfounded. For example, in 2016 Russia hacked a power grid in Western Ukraine, cutting off power in the region for six hours.40 Russia has also been blamed for using malware to target the Ukrainian financial sector.41 These types of attacks have been attributed to Russia’s method of hybrid warfare, which utilizes cyber attacks in conjunction with traditional military tactics as part of its ongoing efforts to undermine Ukrainian stability.42 Ukraine and Russia have been engaged in an ongoing kinetic conflict since March 2014, when Russian troops invaded and annexed the Crimea region of Ukraine. This led to the subsequent outbreak of insurgency by Russian-backed separatist forces in Ukraine’s Donbas region, resulting in over ten thousand dead and twenty-eight thousand injured.43 Seven percent of Ukraine’s territory is currently under occupation by Russian forces, with more than 1.8 million Ukrainian residents displaced.44 NotPetya was yet another piece of this ongoing devastation.

This use of hybrid warfare in Ukraine exemplifies precisely why there needs to be a legal mechanism by which to hold Russia, and other future perpetrators of cyber attacks, accountable.45 As NotPetya demonstrates, cyber attacks can be extremely destructive, and that destruction can have far-reaching, international consequences. Luckily, the Court’s current framework allows for the prosecution of cyber attacks, so long as the attacks meet the jurisdictional and admissibility requirements of the Rome Statute. As the remainder of this comment will explain, NotPetya provides the perfect opportunity for the Court to show it can, and will, prosecute cyber attacks.

III. Court’s Jurisdiction over NotPetya

The Rome Statute has three jurisdictional requirements that must be met before the Court is able to exercise jurisdiction over a crime: temporal jurisdiction, territorial jurisdiction, and subject matter jurisdiction.46 Temporal jurisdiction is met as long as the crime was committed after the enactment of the Rome Statute.47 Because the Rome Statute went into effect in 2002, and the NotPetya attack occurred in 2017, this jurisdictional element is easily satisfied. The more demanding inquiries relate to the Court’s territorial and subject matter jurisdiction. As the following analysis demonstrates, both requirements are met, meaning the Court has jurisdiction to prosecute members of the Russian military for NotPetya as a war crime.

A. Territorial Jurisdiction

Territorial jurisdiction refers to the geographical limitations on the Court’s ability to exercise its investigative and prosecutorial powers. Under Article 15 of the Rome Statute, the Prosecutor is only able to exercise his proprio motu power to initiate an investigation if the criminal conduct at issue occurred on the territory of a state party, or if the person accused of the crime is a national of a state party.48 Normally, this would serve as a major impediment to the Court’s jurisdiction over the NotPetya attack, as neither Ukraine nor Russia are States Parties to the Rome Statute. Fortunately, however, this issue has already been resolved. On April 9, 2014, Ukraine adopted a resolution recognizing the jurisdiction of the Court for the purpose of identifying, prosecuting and judging the perpetrators and accomplices of acts committed on the territory of Ukraine pursuant to Article 12(3) of the Rome Statute.49 Ukraine subsequently extended the temporal scope of this jurisdiction in a second declaration issued in September 2015, recognizing the Court’s jurisdiction for an “indefinite duration” over all crimes against humanity and war crimes committed by officials of the Russian Federation on or after February 20, 2014.50 The fact that Ukraine has already accepted the Court’s jurisdiction over war crimes committed in the context of the ongoing conflict with Russia means that the first hurdle to investigating and prosecuting NotPetya as a war crime has been cleared.

Furthermore, the Office of the Prosecutor has already initiated and completed its preliminary examination of the situation in Ukraine. On December 11, 2020, the Prosecutor concluded there was a reasonable basis to believe that war crimes and crimes against humanity were committed in the territory of Ukraine and requested authorization from the Pre-trial Chamber to open an investigation.51 Notably, the Prosecutor’s conclusions from her preliminary examination included a disclaimer that her findings were “without prejudice to any other crimes which may be identified during the course of an investigation.”52 Thus, an investigation of NotPetya is not precluded. Rather, because the NotPetya attack meets the elements of a war crime under Article 8, as discussed in Part III(B), the cyber attack can be included within the scope of an investigation of the situation in Ukraine.

B. Subject Matter Jurisdiction

The next requirement NotPetya must satisfy to be prosecuted by the Court is that of subject matter jurisdiction. Under Article 5 of the Rome Statute, the Court has jurisdiction over four crimes: genocide, crimes against humanity, crime of aggression, and war crimes.53 Ukraine’s April 2014 resolution recognized the Court’s jurisdiction over only two of those crimes, specifically war crimes and crimes against humanity. While NotPetya would likely not qualify as a crime against humanity, the following section will demonstrate that the cyber attack does meet the elements of a war crime under Article 8 and can thus be prosecuted by the Court.

The determination of whether NotPetya constitutes a war crime under the Rome Statute necessarily entails two levels of analysis. First, the commission of a war crime is predicated on a breach of international humanitarian law (IHL).54 This section therefore begins by demonstrating how the general requirements necessary for the application of IHL are met in the case of NotPetya. Second, NotPetya must meet the elements of at least one of the fifty-three individual offenses that constitute war crimes under Article 8 of the Rome Statute. This section therefore concludes by explaining how NotPetya could be prosecuted under either Article 8(2)(a)(iv), the war crime of destruction and appropriation of property, or Article 8(2)(b)(ii), the war crime of attacking civilian objects.

1. International Humanitarian Law

Under Common Article 2 of the 1949 Geneva Conventions, the requirements of IHL apply whenever there is an international armed conflict or state of occupation.55 “An armed conflict exists whenever there is a resort to armed force between States.”56 Thus, for IHL to be applicable, there are two requirements that must be met: first, there must be an employment of armed force, and second, there must be attribution of that force to one of the parties to the conflict.57

i. Existence of Armed Conflict and State of Occupation

Much of the literature on this topic focuses on whether or not a cyber attack, on its own, could qualify as “armed force.”58 However, where a cyber attack is conducted as part of an ongoing, conventional armed conflict, the armed force threshold is already satisfied.59 In other words, cyber attacks that are conducted in the context of an ongoing armed conflict are subject to the law of armed conflict, whether or not the cyber attack itself qualifies as armed force.60

Because the NotPetya attack was conducted in the context of a traditional, kinetic conflict between Ukraine and Russia, this “armed force” threshold is met.61 As mentioned in Part II, Ukraine and Russia have been engaged in an ongoing conflict that began with the invasion and annexation of Crimea in 2014. The Prosecutor has already recognized this conflict in Crimea and the subsequent violence in Donbas as an armed conflict.62 Furthermore, both the Prosecutor and the United Nations General Assembly have recognized Russia’s attempted annexation of the Crimean region as an ongoing state of occupation.63 This is particularly noteworthy, because the Geneva Conventions also say that IHL applies in cases of partial or total occupation of a territory, even if the occupation meets no armed resistance.64 Thus, once a territory is deemed to be under occupation, the cyber operations of the occupying power also fall under the requirements of IHL.65 Because Russia’s militarization in Ukraine has been recognized as both an armed conflict and state of occupation, by both the United Nations General Assembly and the Court, the commission of NotPetya within this context brings the cyber attack under the application of IHL principles.

ii. Attribution to Russia’s Military

The more demanding issue is attribution of NotPetya to one of the parties to this armed conflict. There is nearly universal consensus that the Russian government is responsible for NotPetya as part of its hybrid warfare in Ukraine.66 Not surprisingly, however, Russia has not admitted to its involvement in the NotPetya attack. In fact, Russia was even a victim of NotPetya, because the malware caused considerable damage to the Russian oil company Rosneft.67 This fact could therefore speak to Russia’s lack of involvement.68 Even without this potentially exculpatory evidence, attribution is one of the greatest obstacles to the prosecution of any cyber crime.69 Anonymity is an inherent feature of cyberspace, especially given the decentralized nature of the internet.70 This creates significant practical issues with identifying who the individual culprit behind any given cyber operation is.71

However, this attribution problem may be overexaggerated, and does not prohibit attribution to Russia in NotPetya’s case. First, at a general level, there is a distinction between technical and legal attribution.72 The anonymity of the internet undoubtedly complicates technical attribution to specific actors.73 However, just as with any prosecutable crime, legal attribution can be pieced together through various types of circumstantial evidence, so long as that evidence meets the required standard of proof.74 Here, there is significant circumstantial evidence supporting Russia’s link to NotPetya. For example, a Ukrainian military intelligence officer was killed by a car bomb in Kiev just hours before NotPetya hit, one of several assassinations of Russian-critical officials Russia had instigated.75 As previously discussed, Russia had a history of conducting cyber attacks against Ukraine in recent years, and this attack took place on the eve of a holiday celebrating Ukrainian independence from the Soviet Union. Security companies, such as the Slovakian company ESET, linked the attack to a Russian government team.76 Such evidence can be used to support Russia’s responsibility for the NotPetya attack.

An even more compelling justification for Russian attribution, however, is that the United States, as well as the United Kingdom and Denmark, have released official statements attributing the attack to the Russian government.77 On February 15, 2018, the White House released a statement blaming NotPetya, which it described as “the most destructive and costly cyber-attack in history,” on the Russian military as “part of the Kremlin’s ongoing effort to destabilize Ukraine.”78 This statement further warned that NotPetya was a “reckless and indiscriminate cyber-attack that will be met with international consequences.”79 A few months prior, the United States Central Intelligence Agency (CIA) concluded with “high confidence” that the GRU, the military intelligence agency of the Russian Armed Forces, created NotPetya.80 While neither the White House nor the CIA have disclosed what evidence they have supporting this attribution, the willingness of these governmental bodies to officially blame Russia strongly suggests that they have the necessary evidence to do so. This is especially true when viewed in the context of the Trump Administration’s normal policy of turning a blind eye to the threat of Russian cyber operations.81

This theory finds further support in the fact that the United States Department of Justice (DOJ) has actually indicted six individual members of the GRU for various crimes, in part based on their involvement in the creation and dissemination of NotPetya (U.S. Indictment).82 The U.S. Indictment, which alleged that these GRU officers “knowingly and intentionally conspired with each other […] to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers,” was returned by a federal grand jury on October 15, 2020.83 If the DOJ did not have sufficient evidence linking these GRU officials to NotPetya, the grand jury would not have voted in favor of bringing the charges against them, lending support to the idea that the United States is in possession of the necessary evidence for attribution.84

The U.S. Indictment also helps to solve the issue of individual accountability. The Rome Statute requires individual responsibility for the crimes the Court prosecutes, rather than holding whole states or governments accountable.85 This means that just being able to attribute NotPetya to the GRU, without more, would not be sufficient.86 The charges against the six GRU officers prove not only that attribution to the Russian government is feasible, but that attribution to specific individual actors within the Russian government is possible and already determined.87 Even without this U.S. Indictment, the Prosecutor would not be without recourse for holding specific individuals accountable, because the Prosecutor could rely on the doctrine of command responsibility enshrined in Article 28 of the Rome Statute. Under this provision, the military commander in charge of the GRU could be held responsible for the acts of those persons under his effective control, where that military commander knew or should have known that his forces were going to commit the cyber attack and failed to take the necessary and reasonable measures to stop the attack from occurring.88

Therefore, because NotPetya occurred in the context of an armed conflict, and because the cyber attack can be attributed to a party to that conflict, the rules of IHL govern Russia’s commission of NotPetya. The cyber attack therefore meets the first level of analysis required to meet the framework of a war crime, and can now be analyzed under the Rome Statute itself.

2. Article 8 of the Rome Statute

The NotPetya attack can be prosecuted as two different war crimes under Article 8 of the Rome Statute: the war crime of destruction and appropriation of property under Article 8(2)(a)(iv), and the war crime of attacking civilian objects under Article 8(2)(b)(ii).89

Although two distinct crimes, the elements required for each overlap to a considerable degree.90 Both require a nexus between the international armed conflict and the conduct being prosecuted as a war crime.91 Article 8(2)(a)(iv) never explicitly uses the word “attack,” but its elements require the destruction of property, which is not justified by military necessity, and which is extensive or carried out wantonly.92 Because these are the same factors used to determine whether something is an unlawful “attack” under Article 8(2)(b)(ii), the analysis for both is effectively the same. Similarly, while Article 8(2)(b)(ii) requires that “the object of the attack was civilian objects, that is, objects which are not military objectives,” Article 8(2)(a)(iv) requires the destruction of property that “was protected under one or more of the Geneva Conventions of 1949.”93 The property protected by the Geneva Conventions is “civilian objects,” also defined as “all objects which are not military objectives.”94 Therefore, to determine whether NotPetya can be prosecuted as either of these war crimes, it must be determined whether there was a nexus between NotPetya and the international armed conflict, and whether NotPetya constitutes an attack targeted at civilian objectives.

i. Nexus to International Armed Conflict

Both Article 8(2)(a)(iv) and Article 8(2)(b)(ii) require that “the conduct took place in the context of and was associated with an international armed conflict.”95 In other words, there must be a nexus between NotPetya and the ongoing conflict between Ukraine and Russia for the cyber attack to constitute a war crime. There are a number of factors taken into account in determining if a nexus exists, such as if the perpetrator is a combatant, if the victim is a member of the opposing party, and if the act may be said to serve the ultimate goal of a military campaign.96 These factors weigh in favor of the existence of a nexus here. As previously documented, NotPetya was orchestrated by the GRU, a branch of Russia’s military. The intent to target Ukraine, and cause disruption at its highest levels, is apparent from the use of M.E.Doc as the source of the malware, given that the software is mandatory in most divisions of Ukrainian government.97 As mentioned, Russia’s method of conflict with and occupation of Ukraine has been deemed hybrid warfare, with Russia using multiple cyber attacks against Ukraine since the conflict began in 2014. Russia’s goal during this conflict has been to cause as many problems and as much unrest in Ukraine as possible,98 most likely in its attempt to plant the seeds for full-fledged invasion, as evidenced by recent developments in the conflict.99 There is therefore plenty of evidence to support the idea that NotPetya was not only associated with, but meant to help facilitate, Russia’s occupation of and armed conflict against Ukraine.

ii. Attack on Civilian Objects

Having established the nexus, it must be determined whether NotPetya can be considered an “attack” within the meaning of IHL and Article 8. Article 49(1) of Additional Protocol I of the Geneva Convention defines “attack” as “acts of violence against the adversary.”100 Two different approaches have developed as to how these “acts of violence” should be understood: the means-based approach and the effects-based approach.101 Under the “means” approach, whether an attack has occurred is determined by looking at the types of instruments employed.102 This methodology poses difficulty for cyberwarfare, because it focuses on the physical characteristics of the instruments used and typically encompasses only traditional, kinetic weapons.103 In contrast, the “effects” approach focuses on the resulting consequences, regardless of the instrumentality used.104 This “effects” approach has garnered the most support, emerging as the dominant approach used by the international law community.105 Because this approach also allows for inclusion of cyber attacks, it will be used here.

Using the effects-based method, a cyber operation amounts to an “attack” when it employs methods that have or are reasonably likely to result in violent effects.106 This idea has been adopted by the Tallinn Manual, which defines “cyber attack” in Rule 30 as “a cyber operation […] that is reasonably expected to cause injury or death to persons or damage or destruction of objects.”107 The comments to this rule explain that “acts of violence” should not be limited to activities that use kinetic force, because “the consequences of an operation, not its nature, are what generally determine the scope of the term ‘attack.’ ”108 The question, then, is whether NotPetya can be understood as an act of violence, in that its employment was reasonably expected to cause injury or death to persons, or damage or destruction to objects.

As mentioned, the war crimes in both Article 8(2)(a)(iv) and Article 8(2)(b)(ii) require the attacks be on civilian objects, or non-military objectives. There is dispute as to whether data, itself, is a civilian object.109 There is a plausible argument that limiting the definition of objects to only tangible things is impractical, if not infeasible, in modernized society.110 Regardless, an answer to this debate is not necessary to finding that NotPetya targeted civilian objects. Where a cyber attack causes disruption by corrupting or deleting the data of a physical civilian institution or infrastructure, it is those institutions and infrastructures that are the intended object of the attack, not the data itself.111 Every computer that NotPetya hit was wiped clean of its data, and this meant that any and every institution that NotPetya affected was unable to operate for varying levels of time. Because NotPetya hit a number of Ukrainian civilian institutions, including, but not limited to, hospitals, airports, energy plants, and essentially the entire government, there is no doubt that NotPetya targeted civilian objects.

The question still remains as to whether this targeting of civilian objects constitutes an “act of violence,” as is required for NotPetya to be a war crime. Because NotPetya destroyed, rather than simply interfered with, civilian data, it is possible that this is enough on its own to qualify as a war crime under either Article 8(2)(a)(iv) or Article 8(2)(b)(ii).112 However, even if that is insufficient, NotPetya still rises to the level of an attack. The consequences of cyber attacks typically do not remain contained within cyber space itself, and NotPetya is no exception. Cyber attacks produce three types of effects in the physical world: primary, secondary, and tertiary.113 Primary effects refer to the immediate consequences on the attacked computers, meaning the corruption and deletion of data.114 Secondary effects are those on the infrastructure that operate the attacked computers, resulting in either physical damage to or incapacitation of those systems.115 Tertiary effects encompass the consequences of this destruction on the human beings who rely on these attacked systems.116

That NotPetya caused widespread primary effects is undeniable. As just discussed, every computer that NotPetya hit was wiped clean of its data, causing billions of dollars in damage to countries and companies around the world. But even if this destruction of data is not enough to rise to an “act of violence,” the tertiary effects of NotPetya certainly do. In Ukraine alone, NotPetya hit at least four hospitals, two airports, and six power companies. Attacks on these civilian infrastructures pose serious, kinetic risk to human life. For example, Kiev’s largest medical clinic, the Boris Clinic, lost all medical documentation for twenty-four hours when NotPetya brought the system down, forcing doctors to take records solely by hand for the first time since the mid 1990s.117 Fortunately for the clinic, backups of all records had been kept in a system that managed to avoid NotPetya’s infection.118 While the Boris Clinic got lucky, it is easy to imagine just how devastating, and deadly, NotPetya could have been had the clinic not had back-up documents preserved, and patient records remained inaccessible to the doctors who rely on them in order to properly provide treatment to their patients.

Take what happened to Maersk, for instance. The backup system that the shipping company used for its 150 domain controllers, which are the servers that house the function of Maersk’s entire network, were all programmed to sync to one another so that each could serve as a backup for all the others if need be.119 Because they were all on the same network, NotPetya was able to wipe all of Maersk’s domain controllers, all over the world, simultaneously.120 The company was only saved from completely losing this vital data because at the time of the attack, a remote office in Ghana had experienced a power outage, meaning the computers in that office were disconnected from the network when NotPetya hit.121 This stroke of luck preserved the sole copy of the domain network of the biggest shipping conglomerate in the world.

If what happened to Maersk had happened to Boris Clinic, or to Kiev’s airport, or any of the other institutions hit by NotPetya, it is not hard to imagine the violent tertiary effects on human life it could have caused, in addition to the economic devastation it did cause. A cyber operation amounts to an “act of violence” whenever the instruments caused or are reasonably likely to cause violent effects. Therefore, when NotPetya’s widespread primary effects are combined with the high possibility it created for life-threatening tertiary effects, NotPetya meets the definition of an “attack” for purposes of Article 8.

As an attack, NotPetya is unlawful if it violates traditional IHL principles. The two most relevant here are the principles of proportionality and the prohibition against indiscrimination, both of which have been incorporated into the elements of Article 8(2)(a)(iv)’s and Article 8(2)(b)(ii)’s war crimes.122 The principle of proportionality is violated when an attack causes damage to civilian objects which is excessive in relation to its anticipated military advantage.123 Indiscriminate attacks, meaning those which employ methods of warfare that cannot be directed, or that have uncontrollable effects, are also prohibited.124 NotPetya’s lack of proportionality and widespread indiscrimination are its defining features. Regardless of what Russia’s military objective was in initiating the attack, the fact that the malware was designed to spread as quickly and as far as possible, as evidenced by the dual EternalBlue and Mimikatz mechanisms, shows that it was not, nor was it intended to be, contained to that objective.125 Its inability to be controlled and its lack of discretion in choosing its victims is evidenced most prominently by the fact that NotPetya did not stay within Ukraine. Instead, any international company that maintained offices in Ukraine served as the gateway for NotPetya to spread to the rest of the world, causing billions of dollars in damages as it went. The attack was so indiscriminate, in fact, that it managed to make its way back to Russia.
In essence, NotPetya was not just a war crime of disproportionate nature in Russia’s conflict with Ukraine; it was an indiscriminate, unjustified attack by Russia on anyone who did business with Ukraine, Russia’s known enemy.126 Therefore, while Russia’s violation of IHL principles is the reason that the Court can prosecute the perpetrators of the NotPetya attack, it is also the reason that the Court should prosecute the perpetrators of the NotPetya attack: to show the world that such indiscriminate attacks on the international community at large will not be allowed impunity.127

IV. Admissibility of NotPetya

While the foregoing demonstrates that the Court has jurisdiction to prosecute the NotPetya attack as a war crime, that is not the end of the inquiry. The Court can only exercise this jurisdiction if the attack is also found to be admissible under Article 17 of the Rome Statute.128 There are two admissibility thresholds under Article 17 that NotPetya must satisfy. First, the attack cannot violate the principles of complementarity, and second, the case must be of sufficient gravity.129

A. Complementarity

The complementarity principle may pose the greatest obstacle to the Court’s ability to prosecute individuals for the NotPetya attack. A potential defendant could argue that the U.S. Indictment against the members of the GRU, discussed in Part III, means the attack is inadmissible under Article 17(1). Article 17(1)(a) says that:

[A] case is inadmissible where […] the case is being investigated or prosecuted by a State which has jurisdiction over it, unless the State is unwilling or unable genuinely to carry out the investigation or prosecution.130

The crucial issue, then, is whether the charges in the U.S. Indictment rise to the level of the same “case.” The Pre-trial Chamber has said the same “case” for purposes of Article 17 means the same conduct and the same individual.131 However, this “specificity test,” as it has been named, has yet to be more clearly delineated by the Court in the realm of kinetic crimes,132 let alone in the more unsettled terrain of cyberspace. Despite the uncertainty this creates, the Pre-trial Chamber should find the U.S. indictment does not preclude admissibility of the issue before the Court.

The U.S. Indictment charges the GRU members with seven charges, most notably damage to protected computers, wire fraud, and conspiracy to commit these crimes. There are two reasons that these charges are insufficient to establish complementarity: the conduct that is being criminalized is not the same, and the victims are not the same. It is helpful to think of this in terms of analogy. If a person gets behind the wheel of a car while intoxicated, they commit the crime of driving under the influence. If they hit and kill someone while driving under the influence, they have also committed the crime of manslaughter. Even though the drunk driving crime is the instrumentality that led to the manslaughter crime, we would never find that these two charges merge into one. Both are prosecutable as separate charges.

The same applies here. As discussed in the previous section, what makes NotPetya an “attack,” and thus a war crime, under Article 8 is not the instrumentalities used to perpetrate it, but the effects that it had, particularly the tertiary effects. In contrast, the crimes charged in the U.S. Indictment seek to punish the instrumentalities utilized, rather than the effects. The wire fraud claim is premised on the allegation that NotPetya:

[S]tole the victim’s user authentication credentials to move laterally to other parts of the victim’s network.133

This solely criminalizes how NotPetya worked, not the malware’s consequences. While the computer fraud charge addresses the damage caused, this is limited only to the computers themselves, not the tertiary effects.134 Therefore, just as the means of the drunk driving would not be sufficient to bar prosecution of the effect of manslaughter, the U.S. Indictment charging the GRU members with crimes targeting the means of NotPetya does not bar the Court’s prosecution for the widespread effects of NotPetya. Thus, the U.S. Indictment is a different “case” for purposes of Article 17.

An even more compelling reason for why complementarity is not satisfied here is that, for both the wire and computer fraud charges, the only incident being prosecuted is NotPetya’s infiltration of the Heritage Valley Health System, a single hospital in Pennsylvania.135 Again, the metaphor of the drunk driver proves useful. If this person were to hit and kill two people, rather than one, we would not find it sufficient that he be prosecuted for only one charge of manslaughter. Two victims require two separate counts, so that each victim receives the retribution deserved. The fact that the U.S. Indictment may bring retribution to the Heritage Valley Health System does nothing for the hundreds of thousands of Ukrainians who fell victim to NotPetya. While the Pennsylvania hospital may be a victim of wire fraud and computer fraud, the people of Ukraine are victims of a Russian-propagated war crime. To say that the former bars retribution for the latter is to undermine the principles of complementarity in Article 17.136

B. Gravity

Lastly, the Rome Statute requires that NotPetya be sufficiently grave to be admissible before the Court. In practice, there are two types of gravity enshrined in the Rome Statute: legal gravity, which looks at a crime’s admissibility under Article 17, and relative gravity, which speaks to the Prosecutor’s discretion in selecting and prioritizing cases.137

In terms of legal gravity, Marco Roscini conducted a survey of the Court’s case law and delineated a list of the qualitative and quantitative factors that the Court relies on in determining whether a case is admissible under Article 17.138 These factors include the nature, scale, manner of commission, and impact of the crime.139 In terms of nature, crimes against property are typically considered less grave than crimes against persons, especially those involving murder or torture.140 However, this does not prohibit the admissibility of cyber attacks, especially NotPetya, before the Court. In terms of scale, impact, and manner of commission, the gravity of NotPetya is undeniable. The “scale” factor includes the number of victims, the extent of the damage caused by the crime, and its geographical and temporal speed.141 NotPetya’s scale is unparalleled: it was the most economically devastating cyber attack in history, affecting over sixty countries and causing billions of dollars of damage.142 It was purposefully designed to spread as far as possible, as quickly as possible, and to cause destruction and disruption to as many computers as possible. These widespread consequences speak to the severity of NotPetya’s impact, not only on Ukraine, but the world at large.143 Lastly, the manner of commission of the crime also speaks to its gravity.144 A malware of this nature is not created and executed in a matter of days. Rather, it was discovered that M.E.Doc had been compromised more than six weeks prior to the attack being launched.145 The complexity of the malware’s design, in conjunction with the wait time between infiltration of the M.E.Doc systems to when the actual attack took place, speaks to the intricate planning it took for the GRU to perpetrate this attack.

These factors demonstrate that the legal gravity of NotPetya is sufficient for purposes of Article 17. It helps that the threshold for legal gravity is not considered to be very high.146 In contrast, the Prosecutor’s discretion in determining relative gravity imposes a much higher burden.147 Even so, there are three reasons why the Office of the Prosecutor should choose to prosecute members of the Russian military for this cyber attack. First is a matter of practicability. Not only has Ukraine expressly recognized the Court’s jurisdiction over war crimes committed by Russia during the ongoing conflict between the two states, but the Prosecutor has already requested authorization from the Pre-trial Chamber to open an investigation. The fact that NotPetya can be included as part of this already ongoing preliminary investigation before the Court, rather than requiring the initiation of an entirely new case, makes prosecution of NotPetya at least somewhat easier than other possible cyber attacks.

Second, because the practical difficulties are somewhat alleviated in the case of NotPetya, it offers the perfect pioneering opportunity for the Court to show that it can, and will, prosecute cyber attacks. As the foregoing analysis shows, NotPetya satisfies the elements of a war crime under Article 8. The Court can therefore use NotPetya to demonstrate to the international community that cyber attacks can be prosecuted under the Rome Statute, and that the Court is not afraid to do so. This could have the benefit of both specific and general deterrence.148 If the Court opens an investigation into NotPetya, it will demonstrate to the international community, and Russia in particular, that impunity for cyber attacks will not be tolerated any longer.

Lastly, the Prosecutor should find that NotPetya is of sufficient relative gravity because its prosecution will likely be supported by the international community. Given the worldwide devastation NotPetya caused, there are many states who would undoubtedly like to see the perpetrators of NotPetya held responsible. Even the United States would likely be supportive, given the White House’s statement that NotPetya was a “reckless and indiscriminate cyber-attack that will be met with international consequences.”149 So far, no such international consequences have come to fruition. Therefore, as an international criminal tribunal, the Court serves as a perfect forum to finally get retribution for the many victims, across the globe, of Russia’s NotPetya attack.

V. Conclusion

As modern society’s reliance on computer technology continues to grow, the number of attacks on that technology grows along with it. Although prosecuting individuals for cyber operations is difficult, the increasing threat posed by such attacks demands a legal framework by which to hold the perpetrators accountable. This is particularly true when the cyber attacks have far-reaching, international consequences, as did NotPetya.

This comment demonstrates that there is already a viable framework in place to prosecute the perpetrators of NotPetya: the Rome Statute. Given the context of the armed conflict and state of occupation in which this attack occurred, in addition to Ukraine’s recognition of the Court’s jurisdiction over war crimes committed during this conflict, the NotPetya attack provides the Court with a unique opportunity to demonstrate that it can, and will, hold the perpetrators of cyber attacks accountable. Because NotPetya meets the elements of a war crime under the Rome Statute, the Court should prosecute members of the Russian military for their commission of NotPetya to show the international community that cyber attacks of this severity will no longer be allowed impunity.

Endnotes

  1. Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), paywall.

  2. Lawrence J. Trautman & Peter C. Ormerod, WannaCry, Ransomware, and the Emerging Threat to Corporations, 86 Tenn. L. Rev. 503, 531–32 (2019), available online.

  3. Id. at 531.

  4. Id.; see also Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int’l L. 191, 197 (2018), available online, archived (providing a helpful explanation of the different types of malwares and how they work).

  5. Greenberg, supra note 1.

  6. Trautman & Ormerod, supra note 2, at 532.

  7. Press Release, CISA, Alert (TA17-181A) Petya Ransomware (Feb. 15, 2018) [hereinafter CISA Press Release], available online; Greenberg, supra note 1.

  8. CISA Press Release, supra note 7.

  9. Id.

  10. Greenberg, supra note 1; see also Andrew E. Kramer, Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows, N.Y. Times, Jun. 28, 2018, available online.

  11. Trautman & Ormerod, supra note 2, at 524, 532.

  12. Id. at 524.

  13. Id. at 524.

  14. Lily Hay Newman, A Scary New Ransomware Outbreak Uses WannaCry’s Old Tricks, Wired (Jun. 27, 2017), available online (expressing uncorroborated optimism, Newman wrote on the day of the NotPetya attack that “[e]nough people may have patched since WannaCry to forestall a breakout on the same scale”). See Trautman & Ormerod, supra note 2, at 522–31 (discussing the WannaCry ransomware campaign).

  15. Trautman & Ormerod, supra note 2, at 534.

  16. Greenberg, supra note 1.

  17. Id.

  18. Id.

  19. Trautman & Ormerod, supra note 2, at 534.

  20. Greenberg, supra note 1.

  21. Kramer, supra note 10; Nicole Perlroth, Mark Scott & Sheera Frenkel, Cyberattack Hits Ukraine Then Spreads Internationally, N.Y. Times, Jun. 27, 2017, available online; Frank Bajak & Raphael Satter, Companies Still Hobbled from Fearsome Cyberattack, AP, Jun. 30, 2017, available online; Christian Borys, Ukraine Braces for Further Cyber-attacks, BBC News, Jul. 26, 2017, available online.

  22. Kramer, supra note 10.

  23. Id. (noting that Microsoft issued a statement the day following the attack saying it “now has evidence that a few active infections of the ransomware initially started from the legitimate M.E.Doc update process”). See also CISA Press Release, supra note 7.

  24. Greenberg, supra note 1.

  25. Borys, supra note 21 (estimating that M.E.Doc’s filing services are used by more than 400,000 Ukrainian customers, which represents about 90% of the country’s domestic companies).

  26. Greenberg, supra note 1.

  27. Id.

  28. Kramer, supra note 10.

  29. Greenberg, supra note 1.

  30. Id.

  31. Id.

  32. Kramer, supra note 10.

  33. Perlroth et al., supra note 21.

  34. Bajak & Satter, supra note 21; Newman, supra note 14.

  35. Greenberg, supra note 1.

  36. Id.

  37. Id.

  38. Id. (For comparison, the ransomware attack that crippled Atlanta’s city government in March 2018 was estimated to have caused only $10 million in damage, while even the infamous WannaCry attack in May 2017 was estimated to have caused between $4 billion to $8 billion in damage).

  39. Kramer, supra note 10.

  40. Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016), available online.

  41. Anton Cherepanov, The Rise of Telebots: Analyzing Disruptive KillDisk Attacks, welivesecurity (Dec. 13, 2016), available online.

  42. Ellen Nakashima, Russian Military was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes, Wash. Post, Jan. 12, 2018, available online; Pavel Polityuk, Ukraine Points Finger at Russian Security Services in Recent Cyber Attack, Reuters, Jul. 1, 2017, available online.

  43. Press Release, U.N., Speakers Urge Peaceful Settlement to Conflict in Ukraine, Underline Support for Sovereignty, Territorial Integrity of Crimea, Donbas Region (Feb. 20, 2019) [hereinafter U.N. Press Release], available online.

  44. Id.

  45. See Stephanie Gosnell Handler, The New Cyber Face of Battle: Developing a Legal Approach to Accommodate Emerging Trends in Warfare, 48 Stan. J. Int’l L. 209, 212 (Dec. 2012), paywall (“Determining whether such cyberattacks should be considered under the law of war—even absent direct kinetic effects—is important as it is most probable that military campaigns of the future will follow the Russian precedent and utilize cyberattacks in concert with traditional weapons to achieve their strategic goals.”).

  46. See generally, Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], available online.

  47. Id. at Article 11(1).

  48. Id. at Article 12.

  49. Press Release, ICC, Ukraine Accepts ICC Jurisdiction Over Alleged Crimes Committed Between 21 November 2013 and 22 February 2014 (Apr. 17, 2014), available online; Rome Statute, supra note 46, at Article 12(3) (“If the acceptance of a State which is not a Party to this Statute is required under paragraph 2, that State may, by declaration lodged with the Registrar, accept the exercise of jurisdiction by the Court with respect to the crime in question. The accepting State shall cooperate with the Court without any delay or exception in accordance with Part 9.”).

  50. Press Release, ICC, Ukraine Accepts ICC Jurisdiction Over Alleged Crimes Committed Since 20 February 2014 (Sep. 8, 2015), available online.

  51. Fatou Bensouda, ICC, Statement on the Conclusion of the Preliminary Examination in the Situation in Ukraine (Dec. 11, 2020), available online.

  52. Id.

  53. Rome Statute, supra note 46, Article 5.

  54. Kai Ambos, International Criminal Responsibility in Cyberspace, in Research Handbook on International Law and Cyberspace 181, 121 (Nicholas Tsagourias & Russell Buchan eds., 2015), available online.

  55. Geneva Convention IV Relative to the Protection of Civilian Persons in Time of War, Article 2, 75 U.N.T.S. 287 (Aug. 12, 1949, entry into force Oct. 21, 1950) [hereinafter Fourth Geneva Convention], available online.

  56. The Prosecutor v. Duško Tadić, IT-94-1, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 90 (ICTY AC, Oct. 2, 1995), available online, archived.

  57. Ambos, supra note 54, at 122.

  58. See, e.g., id. at 122–25; David Weissbrodt, Cyber Conflict, Cyber-Crime, and Cyber-Espionage, 22 Minn. J. Int’l L., 347, 355–66 (2013), available online; Perloff-Giles, supra note 4, at 201–02.

  59. Ambos, supra note 54, at 122.

  60. Tallinn Manual on the International Law Applicable to Cyber Warfare 68 (Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual] (explaining in the commentary of Rule 20 that the law of armed conflict governed the cyber attacks that occurred in Georgia in 2008 because they were undertaken in furtherance of the ongoing armed conflict between Georgia and Russia).

  61. For discussion of the nexus between the NotPetya attack and the ongoing armed conflict and occupation of Ukraine, see Part III(B)(2).

  62. U.N. Press Release, supra note 43.

  63. Id.

  64. Fourth Geneva Convention, supra note 55.

  65. Marco Roscini, Cyber Operations and the Use of Force in International Law 144 (2014), paywall.

  66. Trautman & Ormerod, supra note 2, at 534.

  67. Id.

  68. Id. at 534–35 (explaining how this evidence has instead been interpreted as a sign that NotPetya was more successful than its creators originally intended for it to be).

  69. See, e.g., Marco Roscini, Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations, 50 Tex. Int’l L.J. 233, 234 (2015), available online; see also Ambos, supra note 54, at 125–26.

  70. Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247, 258 (2019), available online, doi; see also Perloff-Giles, supra note 4, at 193–95.

  71. See, e.g., Roscini, supra note 69, at 234.

  72. Perloff-Giles, supra note 4, at 215.

  73. Ambos, supra note 54, at 125.

  74. Perloff-Giles, supra note 4, at 215–16.

  75. Kramer, supra note 10.

  76. Andy Greenberg, The White House Blames Russia for NotPetya, the ‘Most Costly Cyberattack in History’, Wired (Feb. 15, 2018), available online.

  77. Id.

  78. Press Release, The White House, Statement from the Press Secretary (Feb. 15, 2018) [hereinafter White House Press Release], available online.

  79. Id.

  80. Nakashima, supra note 42.

  81. Greenberg, supra note 76.

  82. United States v. Andrienko et al., 20–316, Indictment (W.D. Pa., Oct. 15, 2020) [hereinafter U.S. Indictment], available online.

  83. Id. ¶ 2.

  84. See Press Release, U.S. Dept. of Just., Six Russian GRU officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (Oct. 19, 2020), available online. (FBI Deputy Director David Bodwich explained that “this indictment […] highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.”).

  85. See Rome Statute, supra note 46, Article 25.

  86. See id.

  87. For potential issues this could raise in regard to complementarity, see Part IV(A).

  88. See Rome Statute, supra note 46, Article 28; see also Roscini, supra note 70, at 265.

  89. Rome Statute, supra note 46, Articles 8(2)(a)(iv), 8(2)(b)(ii).

  90. International Criminal Court, Elements of Crimes, ICC-ASP /1/3, Adopted and Entry into Force 9 September 2002, updated at Kampala, 31 May-11 June 2010, 15, 18 (Jun. 11, 2011) [hereinafter Elements of Crimes], available online, archived.

  91. Id.

  92. Id.

  93. Id.

  94. Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, 1125 U.N.T.S. 3 (Jun. 8, 1977) [hereinafter Additional Protocol I], available online.

  95. Elements of Crimes, supra note 90.

  96. Ambos, supra note 54, at n.67.

  97. Nakashima, supra note 42 (discussing NotPetya as “an effort to disrupt [Ukraine’s] financial system amid its ongoing war with separatists loyal to the Kremlin”).

  98. Kramer, supra note 10 (quoting Ivan Lozowsky, the director of the Institute of Statehood and Democracy in Ukraine, who said in regards to NotPetya, “[t]he Russians are interested in Ukraine having as many problems as possible”).

  99. Christopher A Hartwell, Invading Ukraine is a Trap for Vladimir Putin, Wall St. J., Dec. 10, 2020, paywall.

  100. Additional Protocol I, supra note 94.

  101. Ambos, supra note 54, at n.26 (“The three relevant approaches (instrumentality-, target– and consequence-effects-based) have been developed with regard to the ius ad bellum concept of an ‘armed attack’ […] but can be applied in the ius in bello context of the armed conflict threshold as well.”).

  102. Id. at 122.

  103. Weissbrodt, supra note 58, at 365.

  104. Id.

  105. Id.

  106. Roscini, supra note 65, at 179.

  107. Tallinn Manual, supra note 60, at 91.

  108. Id.

  109. Roscini, supra note 65, at 183.

  110. Ambos, supra note 54, at 131.

  111. Roscini, supra note 65, at 183.

  112. Perloff-Giles, supra note 4, at 222.

  113. Williams A. Owens, Kenneth W. Dam & Herbert D. Lin, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 80 (2009), available online.

  114. Roscini, supra note 65, at 169.

  115. Id.

  116. Id.

  117. Borys, supra note 21.

  118. Id.

  119. Greenberg, supra note 1.

  120. Id.

  121. Id.

  122. See Rome Statute, supra note 46, at Article 8(2)(b). (Article 8(2)(a)(iv) explicitly requires violation of these principles by requiring that the destruction or appropriation of property is “not justified by military necessity” and “extensive and carried out wantonly,” while Article 8(2)(b)(ii) implicitly incorporates these IHL principles because the war crime must constitute a “serious violation of the laws and customs applicable in international armed conflict, within the established framework of international law”). Elements of Crimes, supra note 90, at 15, 18.

  123. Ambos, supra note 54, at 134.

  124. Additional Protocol I, supra note 94; see also Tallinn Manual, supra note 60, at 130 (“Cyber attacks that are not directed at a lawful target, and consequently are of a nature to strike lawful targets and civilian or civilian objects without distinction, are prohibited.”).

  125. See Perloff-Giles, supra note 4, at 203–04. (Interestingly, the Stuxnet worm that hit Natanz nuclear enrichment facility in Iran is often looked at by scholars as the paradigmatic example of a cyber attack that could rise to the level of an armed attack, and thus fall under the dictates of IHL. However, Stuxnet was specifically designed to only cause damage to its intended target. NotPetya’s indiscriminate nature is therefore a compelling reason for the Court to show that it will prosecute those who employ cyber attacks that do not at least attempt, as the Stuxnet creators did, to abide by the conventional norms of international conflict).

  126. 126.

    Greenberg, supra note 1

    (“ ‘Anyone who thinks this was accidental is engaged in wishful thinking,’ [Cisco’s Craig] Williams says. ‘This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.’ ”).

  127. 127.

    See Rome Statute, supra note 46, Art. 8(2)(b)(xx).

    (It should be noted that there is a war crime under Article 8 that specifically criminalizes “[e]mploying weapons, projectiles and material and methods of warfare which are of a nature to cause superfluous injury or unnecessary suffering or which are inherently indiscriminate in violation of the international law of armed conflict.” Because NotPetya could be considered “inherently indiscriminate,” this provision would theoretically be the easiest way of proving NotPetya to be a war crime. However, this war crime is subject to the condition that, “such weapons, projectiles, and material of method of warfare are subject to a comprehensive prohibition and are included in an annex to this Statute.” No such list has yet been included as an annex to the Rome Statute, and thus this crime cannot be used at this point in time).

  128. 128.

    Markus Benzing, The Complementarity Regime of the International Criminal Court: International Criminal Justice between State Sovereignty and the Fight Against Impunity, in 7 Max Planck Yearbook of the United National Law 591, 592 (Armin von Bogdandy & Rüdiger Wolfrum eds., 2003), available online.

  129. 129.

    Rome Statute, supra note 46, Arts. 17(1)(a), 17(1)(d).

  130. 130.

    Id. Art. 17(a)(1).

  131. 131.

    Rod Rastan, What is a ‘Case’ for the Purpose of the Rome Statute?, 19 Crim. L. Forum 435, 436 (Oct. 15, 2008), available online, doi.

  132. 132.

    Id. at 437.

  133. 133.

    U.S. Indictment, supra note 82, ¶ 80.

  134. 134.

    Id. ¶ 82.

  135. 135.

    Id. ¶¶ 79–82.

  136. 136.

    It should be noted that the United States has its own war crime statute, 18 U.S.C. § 2441, which it chose not to prosecute the GRU members with. The fact that the United States had the capability to hold these members accountable for the much graver charge of a war crime, but chose instead to go with simple fraud charges, shows that this is not an adequate basis for a finding of complementarity.

  137.

    Ignaz Stegmiller, The Pre-Investigation Stage of the ICC: Criteria for Situation Selection 316 (2011), paywall.

  138.

    Roscini, supra note 70, at n.33.

  139.

    Id. at 260–68.

  140.

    Margaret M. deGuzman, Gravity and the Legitimacy of the International Criminal Court, 32 Fordham Int’l L.J. 1400, 1452 (2008), available online.

  141.

    Roscini, supra note 70, at 260–61.

  142.

    Greenberg, supra note 1.

  143.

    Roscini, supra note 70, at 267.

  144.

    Id. at 265.

  145.

    Dan Goodin, Backdoor Built in to Widely Used Tax App Seeded Last Week’s NotPetya Outbreak, Ars Technica, Jul. 5, 2017, available online

    (reporting that a senior malware researcher for ESET explained their analysis supported the fact that NotPetya was “a thoroughly well-planned and well-executed operation”).

  146.

    Roscini, supra note 70, at 269–70

    (“The result is that, in practice, legal gravity should essentially preclude investigation and prosecution only of small scale isolated war crimes […] Only an isolated cyber attack against protected persons or objects in the context of and associated with an armed conflict which results in negligible damage and little impact, therefore, would not cross the legal gravity threshold.”).

  147.

    Id. at 270.

  148.

    Id. at 271

    (“[I]t is not to be excluded that the Prosecutor might decide to select certain situations and cases involving the commission, instigation or facilitation of international crimes through cyber conduct because of their impact or to deter them in the future, even if they resulted in a lower number of victims than in other cases.”).

  149.

    White House Press Release, supra note 78.