The Cyberwarfare Question — Comments


Comment on the Cyberwarfare Question: “To what extent and under what conditions might cyber operations or cyberwarfare constitute crimes specified in the Rome Statute?”

Accountability for NotPetya: Why the International Criminal Court Can, and Should, Prosecute the Perpetrators of the NotPetya Cyber Attack as a War Crime

I. Introduction

In June 2017, a popular Ukrainian tax accounting software called M.E.Doc underwent a routine software update. Unbeknownst to the thousands of Ukrainians who use this software, that update served as the entry point for a destructive malware that would soon gain access to their computers. Once inside their networks, the malware spread like wildfire, irreversibly corrupting data as it went.

What started as an attack on Ukraine quickly turned into an attack on the world. This malware, given the name “NotPetya,” infected over sixty different countries, causing an estimated $10 billion in damage. It is considered the most devastating cyber attack in history.1 Despite the devastation it caused, and despite universal consensus in the international community that Russia is to blame, no one has been held responsible. This begs the question: is there a way to hold the perpetrators of NotPetya, and international cyber attacks more generally, accountable?

Despite the difficulties inherent to the prosecution of cyber attacks and the obstacles posed by the Rome Statute’s demanding framework, this comment demonstrates how the NotPetya attack meets all the requirements necessary to be prosecuted as a war crime by the International Criminal Court (the Court). Part II provides the details of the NotPetya attack. It first explains the technical design of the malware, followed by an explanation of how the attack began on June 27, 2017, its far-reaching consequences, and why Russia was the immediate suspect. Part III analyzes the Court’s jurisdiction over the attack. The situation in Ukraine has provided the foundation for the Court to have both territorial and subject matter jurisdiction over NotPetya as a war crime under either Articles 8(2)(a)(iv) or 8(2)(b)(ii) of the Rome Statute. Lastly, Part IV explains why NotPetya is admissible before the Court. Finding that prosecution is not barred by Article 17’s complementarity provision, the comment explains why the attack meets the gravity threshold of Article 17 and why the Court, in its discretion, should choose to prosecute members of the Russian government for this cyber attack.

II. NotPetya

A. How it Works

The name NotPetya is derived from the malware’s resemblance to Petya, a ransomware that first appeared in 2016.2 Petya was a typical form of ransomware, disguising itself as an email attachment that gained access to a victim’s computer when the attachment was downloaded.3 Petya would then encrypt the computer’s data, holding the files hostage until the victim paid a ransom in exchange for the decryption key.4 At first, people believed the malware attacking their computers on June 27, 2017 was Petya because of the ransom message that appeared on their screens, demanding $300 worth of bitcoin to decrypt their files.5 Unlike Petya, however, the ransom message was just a means of deception. Even if the ransom was paid, the files were not recoverable.6 Hence the name, not-Petya.

Social Media May be Used to Commit Genocide Under the Rome Statute

I. Introduction

As technology progresses, cyber crime grows as a concern on a national, transnational, and international level. As the International Criminal Court pursues its goals of holding actors accountable for criminal violations of international law in 2022 and beyond, it will have to contend with a world that depends more and more on technology in all aspects of life, including the commission of crimes. In order to meet this challenge, the Court will have to consider if and when cyber crimes fall under the jurisdiction of the Court. The International Criminal Court has jurisdiction over four crimes: genocide, crimes against humanity, war crimes, and the crime of aggression.1 In order to meet its obligation to prosecute these crimes, the Court must be prepared to consider how these crimes might be conducted in cyberspace and whether such acts would fall under the Court’s jurisdiction. Due to the seriousness of the crime, this comment will focus on genocide, and whether cyber crimes might fit under the Rome Statute’s definition of genocide.

In order to explore how cyber crimes might qualify as genocide, this comment will examine two hypotheticals, both focusing on the use of social media to commit genocide under the Rome Statute. The first hypothetical illustrates how the use of social media could be used to incite genocide. The second hypothetical illustrates how the use of social media could be used to inflict serious mental harm on a qualifying group. Both hypotheticals could potentially rise to the level of genocide. In some ways, due to the ability in cyberspace to target certain individuals regardless of location, proving the dolus specialis of intent to destroy the group in whole or in part that is required to prosecute genocide might be easier for cyber crimes than it would be in other more traditional circumstances.

A. Hypothetical A

Imagine an individual with the desire to incite genocide, who plans to use social media to do so. This person has a large following on her social media accounts. Imagine a celebrity, someone who has millions of followers and a large amount of influence over those followers. For the sake of clarity, the celebrity in this hypothetical will be referred to as Trinity. Trinity already knows, based on the responses to her own social media posts and the posts made by her followers, that she has followers who either share her hatred for the target group or could be manipulated into sharing her hatred. She creates a series of social media posts aimed at gradually indoctrinating her followers into hating the target group. This could be done with posts that dehumanize the target group, blame them for what her followers consider to be the current ills of society, or show graphic videos of violence against this group.

Distinguishing Cyberwarfare in the Law of Armed Conflict

I. Introduction

The dawn and parabolic expansion of the Internet over the last half-century revolutionized how individuals, businesses, organizations, and states interact with one another. As states and their militaries have become increasingly interconnected and dependent on these technologies, a new realm of warfare has evolved beyond the conventional battlefields of air, land, and sea.

This comment examines how current international humanitarian law can be applied to cyber warfare. Specifically, how does international humanitarian law treat cyber warfare when an armed conflict is already occurring? Further, can a cyber attack trigger an international or non-international armed conflict without any pre-existing conventional warfare?

Cyber operations, when occurring in conjunction with conventional methods of warfare that elicited an armed conflict, should be treated the same as conventional attacks. Although cyber operations target the enemy State through a different medium, their effects can be the same as a conventional attack. An attack’s effects on a target is a central concern in the Geneva Conventions of 1949 and its Additional Protocols, so a cyber attack’s effects merit equal status with conventional attacks.

It is more difficult for a cyber attack to rise to the threshold of armed conflict, whether international or non-international. In cyber operations, where the effects cause physical damage or destruction of military or civilian objects, a stronger case can be made, given other requirements of an armed conflict are met. When a cyber operation only affects cyber infrastructure, however, attaining the status of armed conflict is unlikely under current law.

II. Cyber Warfare in Pre-Existing Armed Conflicts

This section begins with an example of a cyber attack that occurs in conjunction with conventional attacks. It then briefly summarizes sources of international humanitarian law, and then examines how cyber operations can be equated to conventional attacks through the principle of distinction.

A. 2008 Georgia Russia Conflict

In August 2008, after an extended period of tension and incidents, fighting between Georgian and Russian forces erupted in South Ossetia and extended to other parts of Georgia.1 After five days, Georgia claimed over 2,000 military and civilian casualties, and Russia claimed over 300 military casualties. Over 100,000 civilians in the area fled their homes.2 It is clear that this conflict qualified as an international armed conflict.

The evolution of warfare has seen a shift towards cyber weapons, with nations increasingly utilizing cyber means for warfare due to their potential for significant results at relatively lower costs compared to traditional weapons. Examples of cyber attacks, such as the Tallinn attack, the Georgia hack, and the Stuxnet worm, highlight the existing use of cyber warfare.

It is predicted that more states will employ cyber capabilities in future conflicts, given the accessibility and affordability of cyber attacks. However, this reliance on cyber technology also exposes countries with advanced cyber capacity to vulnerabilities if targeted by cyber attacks.

It is important to differentiate between cyber crimes and cyber attacks. Cyber crimes are offenses punishable under national penal codes and involve private perpetrators, typically related to computer-related fraud or forgery. On the other hand, cyber attacks aim to cause mass destruction, harm connected systems and facilities, and potentially result in human loss.

While attempts have been made to incorporate cyber offenses into international criminal law, there has been no concrete formulation in the realm of cyber warfare. Some scholars and experts argue for the inclusion of cyber warfare within Article 8 bis (Crime of Aggression) of the Rome Statute, which addresses acts of aggression.

The development of legal frameworks to address cyber warfare is an ongoing process, and it requires careful consideration of the unique challenges posed by cyber attacks in order to ensure accountability and effective deterrence in this evolving landscape.

Tackling Territoriality: Fitting Cyber Crimes into the Crime of Aggression

Introduction

Territoriality has always been a key issue in national sovereignty. Wars have been fought over borders of nations, as territorial disagreements are often the precursor to war.1 This has led to conclusions where: “if you want to avoid war, learn how to settle territorial disputes non-violently.”2 However, the uniqueness of cyber activities allows even non-state actors to wage effective attacks and wars.3 Furthermore, it also allows nation-state actors that are more tolerant of political risk, like those from North Korea, Iran, or China, to wage devastating cyber operations.4 If these cyber operations were done with hard power assets or with other traditional norms of warfare, retaliation would certainly be swift.5 Since cyberspace transcends physical realms due to its apparent disconnect from a physical server and where it is accessed, however, it inherently challenges traditional norms of the concept of territoriality.6 So, the rise of the internet has brought new issues to the forefront: How does the international community tackle cyberspace? Can customary international law apply to this unknown realm of cyberspace and cyber attacks? Can the Rome Statute, under the crime of aggression, properly handle cyber attacks?

In Part I of my comment, I examine the historical and current framework under the Rome Statute in possibly fitting cyber attacks into the crime of aggression and try to apply an expanded definition of territory to various case studies of previous cyber attacks. In Part II, I discuss any potential duties that States Parties to the Rome Statute might have in cyberspace, namely any duty of prevention, which can arise out of the attributability issue of a cyber attack. In Part III, I scrutinize current prosecutions that arise under cyber attacks and analyze how, if at all, territory requirements are met in current prosecution domestically or internationally. Finally, I conclude with the current feasibility of broadening the scope of territory under the crime of aggression, as well as other potential solutions if the territory issue cannot be resolved under this specific crime under the Rome Statute.

Also, for technical reference in this comment, Denial of Service (DoS) attacks occur when the host or network is “flooded” with traffic.7 When multiple machines carry out this attack, this is known as a Distributed Denial of Service Attack (DDoS).8

Incorporation of Cyberwarfare in the Rome Statute: A Futile Endeavour

Introduction

How wars are conducted has evolved throughout history with nations adopting more and more efficient and sophisticated means of causing mass destruction. We are witnessing a transition from traditional weapons such as ammunition to cyber weapons. The Tallinn attack of 2007, the Georgia hack of 2008 and the Stuxnet worm detected in 2010 are already some existing examples of cyber attacks.1 It is predicted that more and more states in future conflicts are likely to make use of their cyber means for warfare as that can bear more significant results at much cheaper costs since production and manufacturing cost of a cyber attack is much more affordable, accessible, and available to most states. However, the inverse also comes at a cost, countries with advanced cyber capacity rely more on cyber technology to operate their infrastructure making them more vulnerable if a cyber attack is launched on them.2

For the purposes of this comment, I think it is also necessary to note the distinction between a cyber crime and a cyber attack. A cyber crime is punishable under the penal code of a nation and involves private perpetrators. It is a computer related and content related offense like fraud or forgery. The aim, however, is not to destroy, degrade or deny information that is residing in the computers or to compromise the computers. Whereas cyber attacks are launched with a focus of not just destroying information but harming connected systems and facilities that are external to a computer or network with the intent and potential to cause mass destruction and human loss.3

In recent years, there have been attempts made to formalize cyber offenses in international criminal law, however, nothing concrete has been formulated thus far in the cyber space realm. Scholars and experts have also made convincing arguments to read cyberwarfare within Article 8 bis (Crime of Aggression) of the Rome Statute. For convenience, I quote Article 8 bis4 below:

Defining the Unique Issues Prosecuting Criminal Cyber Defense Actions Under the Rome Statute Presents: A Lost Cause?

Cybersecurity has launched itself to the spotlight within both the scope of governmental organizations protecting national security and private industry keeping their own systems intact. Societal dependence on technology has brought with it the magic of efficiency, cost-effectiveness and widespread digital penetration on a scale never before seen in human history. However, this exact reliance on technological features for our everyday economic, social, and political actions has made ensuring those means be secured through proper cybersecurity methods even more of a pressing matter. Cyberwarfare presents a unique set of problems that the International Criminal Court has been both hesitant and unclear in approaching. As warfare evolves, it is important that the international justice systems that regulate and investigate the crimes that come from it evolve as well.

In maintaining an active cyber defense system, the problem of what constitutes legal self-defense mechanisms or criminal actions that violate the Rome Statute becomes unclear.1 Due to the unconventional nature of both cybersecurity and cyberwarfare, it is difficult to maintain parallels between war crimes in a traditional sense to what may be acceptable in digital technology.2 This comment will address the jurisdictional, ethical and political concerns that arise in prosecuting governments maintaining “active cyber defense”, which commonly feature a governmental entity utilizing real-time capabilities to discover, detect, analyze and mitigate threats.3 First, the comment will review why cybersecurity poses a unique set of jurisdictional problems that make it impossible to parallel effectively to traditionally understood methods of warfare. Second, the comment will address case studies of two government entities engaging in military cybersecurity efforts and the legality of certain actions undertaken by those government organizations under the Rome Statute: The United States Cyber Command and PLA authorized cyberwarfare forces in the People’s Republic of China. Finally, the comment will propose regulatory frameworks that can be adopted by the ICC for certain forms of cyberdefense methods which and what existing frameworks of the Rome Statute that controversial methods of cyberwarfare can fit within.

For many, the best defense is a good offense. This adage is one as old as war itself, with modern utilizations of the phrase ranging from defense commissions to football coaches.4 Mao Zedong famously asserted a policy of “active defense” in running the people’s navy, maintaining strong counter-attacking capabilities as the pinnacle of defensive strategy.5 Imperial Germany would apply this as their general strategy for the western front in World War I, where the Schlieffen Plan deduced that the easiest way to defend their heavily fortified border between France during all-out war would be to knock France out altogether with a preemptive strike through Belgium.6 While preemptive action wouldn’t suffice to qualify, the Rome Statute clearly outlines self-defense as grounds for excluding criminal responsibility, stating in Article (31)(1)(c) that if the person:

Economic Cyber Crimes and the Rome Statute

Summary

This comment examines the possibility to prosecute perpetrators of economic cyber attacks under the Rome Statute. It considers economic cyber attacks to be cyber attacks on financial institutions, businesses, or individuals with the primary goal of financial enrichment. The comment first assesses the possibility of prosecution under Article 8 and Article 8 bis of the Statute, concluding that an economic cyber attack might fall under the war crime of pillaging, as long as an armed conflict is found. An assessment of the jus in bello of economic cyber attacks follows. It finds that while it is not impossible, it is unlikely that an economic cyber attack alone could trigger an armed conflict, hence precluding the application of Art. 8 of the Statute. The comment concludes with a call for acknowledging cyber attacks under international law.

I. Introduction

Imagine this: under the cover of night, a small group of soldiers crosses a rogue country’s border to its much larger neighbor. The commandos quickly move to various urban areas and start their mission immediately: they break into banks, factories, even hospitals. During their burglaries, they break or render useless everything that’s in their path. Machines, blood storage containers, computers. When the night is over, all this equipment will be defunct. But these aren’t vandals in uniform, they know exactly what they are looking for. After their mission is over, they will have made their way back to their barracks with billions of dollars in hard cash, untraceable and ready to fill their country’s coffers. Of course, a heist of this size will not remain undiscovered. Pretty quickly, the extent of destruction and the culprits are established. And the government of the victim state? Does nothing. No troops are hastily assembled at the border and no drone strikes attacking critical military infrastructure in retaliation. Only a B-list government minister makes an official announcement acknowledging and attributing the attack.

What sounds like the script of an anticlimactic action movie is in fact the reality of cyberwarfare. In 2017, a group of hackers acting on behalf of the North Korean government released the “WannaCry”-ransomware into cyberspace, which infected an approximate 200,000 devices in 150 countries and caused up to $4 billion in damages.1 The reactions were lukewarm at best. The governments of the United States, the United Kingdom, Japan, and New Zealand quickly named North Korea the culprit, but apart from one suspected North Korean hacker being charged by the U.S. Department of Justice and some new sanctions being added to the already long list of sanctions against North Korea, the attacks had little hard consequences.2 As the previous paragraph shows, this lack of response would be wildly unrealistic if the aggressor had used conventional force. A reason for this unequal treatment of cyber attacks and “regular” attacks is the lack of clarity regarding the law of cyberwarfare. How much hacking of its opponents does your average state engage in during peacetime? When is a cyber raid a regular burglary, subject to municipal law, and when is it a pillage that is met with military response and that is subject to international humanitarian law (IHL), and international criminal law (ICL)?

Cyber Attacks and the Crime of Aggression

With rapidly advancing technology comes the disastrous reality of cyber attacks. This comment explores whether cyber attacks can be prosecuted at the International Criminal Court (ICC) as crimes of aggression. Section I discusses the Iran Stuxnet cyber attack. Section II explores creative interpretation of the Rome Statute, Art. 8 bis, and other relevant documents, illustrating that certain severe cyber attacks may constitute crimes of aggression. In Section III, the Iran Stuxnet cyber attack exemplifies how such cases could potentially be further investigated and pursued at the ICC. Section IV highlights the many challenges with the ICC as a forum for prosecuting cyber crime, including the issues with the limitation to State Parties and state actors, the opt-out provision, the Security Council referral, the determination of an act of aggression, the manifest violation, and the gravity requirement. Ultimately, cyber attacks can be included within Article 8 bis of the Rome Statute but many cases remain outside of the jurisdiction of the ICC—demonstrating the forum’s ineffectiveness and inefficiency for any practical application with cyber crime.

I. What is Stuxnet?

Stuxnet is a computer worm.1 It is a malicious software (malware) program that is able to work independently from its host file, and was created to spread through a USB device in order to infect a specific control system called the Programmable Logic Controller (PLC).2 These PLCs determine how a given machine or system operates.3 PLCs control certain supervisory control and data acquisition systems (SCADA).4 SCADA reports real-time data about the corresponding machine or system it monitors.5 SCADA are used to oversee the proper functioning of equipment or plants in a wide variety of industries.6 The Stuxnet worm can reprogram PLCs to operate in a different way than how the program was originally designed to function.7 At the same time, the Stuxnet worm also infects the SCADA and makes all the data appear completely normal—covering up its tracks by deceptively showing that the plant or facility is working properly when it is not.8

In the case of the specific Iran Stuxnet worm, the malware is believed to have spread through a USB thumb drive that was implanted at a facility in Natanz, Iran by a mole or double agent.9 Stuxnet targeted the PLC of the Natanz facility, tampering with the system that controlled the uranium centrifuges at the plant.10 These uranium centrifuges that the Stuxnet worm targeted are essential to the creation of nuclear reactors and nuclear energy.11 The worm caused a number of centrifuges to spin at such a high speed that they were, in the end, rendered completely useless.12 In the meantime, the worm also addressed the SCADA, which would make this increase in centrifuge speed virtually undetectable to any supervisors of the facility.13 These two components, changing the programming and then cloaking of any evidence of abnormal operation, made for an incredibly specific and destructive invasion.14 The worm, and this technology, proved to be as effective and powerful as traditional kinetic weaponry or force, yet even more precise in its targeting and stealth.15 The malware was even programmed to delete itself from the computers it infected after a certain amount of time.16 Stuxnet presents the terrifying new reality of such sophisticated malware in cyberwarfare.

The layman that I am can only give you my opinion as a victim of torture from a first hand perspective, tortured for over a decade, and still seeking justice.

But it is my opinion that cyber warfare is not a fair description of events to which one can comment fairly easily, as a victim would not, in all reality, be a combative party whom at the least may be suffering the way one might as a targeted and suffering individual might in a war zone or as a prisoner of war might but not as some equipped to retaliate or combat these attacks effectively.

While also seeking help in these situations, one might think it impossible to end their suffering while under attack due to electronic counter measures meant to isolate the victim.

Definition of "cyber operations" versus its sub category "cyber warfare" is pertinent for it enables recognizing, conceptualizing and setting up indicators to measure State (or inter-State) cyber operations; as distinct from State (or inter-State) Military self-defense operations from cybercrime (organized crime). In all three lines of operations civilians (a specific population or sub-set of population) are targets and victims.

Use of "Cyber operations" concept enables one to shift focus to risk analysis of full scale weaponization of Rome Statute via Integrated eGovernance using Knowledge Management as defined by articles 73 "Third Party Documents" integrated with article 30 "Mind Element" for structural and sustained operations against ethnic or minority populations.

Knowledge Management, as it pertains to use of State Governments collecting, harvesting, archiving Sensitive Personal Information of all Citizens and Residents within a region or territory, mainly via Consortia-based contractual agreements with Third Party service providers; the 3rd Party providing (total solutions) Knowledge Management Services meaning Electronic Document and Archives Management (EDMA) hand-in-hand with Customer & Content Relationship Management (CRM) solutions with technical operational capacities for real-time, on the fly, 24/7 micro-targeting all decisions and Decision Recommender Systems (DSS) regarding individuals and ethnic or minority groups enables the "Third Party" holdings of, and total control of "memory" which means total control of "legal evidence".

Article 73 this refers to documents, documentation and archives that a State, signatory to Rome Statute Jurisdiction, contracts out to a 3rd Party (either another State, integrated eGovernance other party or a technology & securities consultancy firm) in which the operative word is "secrecy" meaning the 3rd Party can not be forced to inform the Prosecutor or ICC of its methods algorithms or its potential legal evidence simulation digital platforms and archives collections based on Parallel and Multiverse (document universe) constructions using Artificial Intelligence (AI) based self-learning simulation (digital platforms) that are rendered under "commercial and trade agreement IPR-protection" - the before mentioned argument of secrecy of "cyber operational methods in use".

When artificial intelligence and information technology exceed our humanity, we must take a stand, especially against those who use the grey area. By that, we mean that the use is unregulated and does not appear to have exceeded an applicable legal text. At the same time, the cumulative effects are devastating, especially in sowing discord and destroying the Social stability of countries, including targeting protection systems for facilities that provide necessary civil services to humans, such as electricity, water, and health.

The challenge does not lie in proving that the crime occurred through cyber attacks since the effects that can appear clearly and clearly will appear certain. The challenge is in proving the seriousness that rises to the threshold of the most severe crimes according to the Rome Statute, and more than that, the challenge appears in proving who is responsible for those.

The Extent to Which Cyberwarfare May Constitute Crimes Under the Rome Statute and Conditions for Accountability

The International Court of Justice held in 1996 that international humanitarian law applies to all means of warfare, including those of the future.1 Such a concept must be applicable to the Rome Statute; if means and methods of war change, so too must the laws regulating them. The regulation of cyber operations presents novel challenges for attributing criminal responsibility, particularly where advanced technology acts partially or wholly autonomously. It is possible, and necessary, to hold the perpetrators of crimes facilitated through cyber operations accountable, not least with the exponential advancement of artificial intelligence. Under certain conditions, this will be the case with a traditional interpretation of the Rome Statute; under others, the scope of criminal accountability may need to evolve alongside the means in which war crimes are committed.

I. Accountability Under the Rome Statute

Attributing accountability at the International Criminal Court (ICC) poses difficulty in prosecutions of even traditional war crimes. Article 5 of the Rome Statute limits the Court’s jurisdiction to only the most serious crimes under international law, which themselves set a high bar for both physical and mental elements.2 Genocide, for example, requires the actus reus to coincide with intent to destroy a group; the scope of crimes against humanity necessitate the act to occur within the context of a widespread or systematic attack; and the ICC has jurisdiction over war crimes insofar as they are committed as part of a plan or policy.

Once the actus reus of those crimes has been established, proving individual criminal responsibility presents the next difficulty, particularly where the high evidentiary burden is exacerbated by the challenges associated with collection of evidence during armed conflicts. For cyber operations, there is another barrier: the practical specification that accountability for crimes within the jurisdiction of the ICC relates to natural persons. The ICC’s jurisdiction is limited to natural persons;3 command responsibility requires a superior’s knowledge of crimes committed by subordinates;4 and individual criminal responsibility applies to a culpable “person.”5

Complexity therefore exists where the actus reus of a crime under the Rome Statute is directly perpetrated by cyber software or autonomous technology, such as a bug, virus, or artificial intelligence facilitating an illegal attack without the direct control of a combatant. Attributing intent, knowledge, and individual criminal responsibility where a crime is perpetrated by software is therefore both an evidentiary and substantive challenge. This inherent difficulty may cause such scenarios to slip outside of the scope of the Rome Statute where cyber operations are conducted by autonomous systems.

However, it is necessary to overcome this difficulty, evident in the exponential growth of cyber and autonomous technology utilized by states during armed—or non-armed—conflicts in the 21st century. In the dawn of artificial intelligence in military and civilian technology, the applicability of accountability pursuant to the Rome Statute will be even more necessary for war crimes that are perpetrated by these systems, whether in cyberspace or on the ground.