Therefore, in defining the crime of aggression for the Rome Statute, we must first look to the prevailing international norms around cyber warfare, especially those promulgated by the United Nations and related organs. These legal standards themselves are somewhat sparse and largely imported by analogy from other fields of warfare law. States are bound not to use force against other states by the UN Charter; instead they are supposed to use diplomatic channels to resolve international disputes.5 In the international realm, uses of force are split into two categories as they relate to self-defense: uses of force and armed attacks.

The use of force standard employed by the United Nations is best defined by two sources: the ICJ Nicaragua judgment, and the UN Resolution defining aggression (which are incorporated into the Kampala Amendments; Article 8 bis Paragraph 2 (a–g)). The Nicaragua judgment used a test considering the scale and effects of an attack to determine if there was a use of force.6 As such, it determined that the United States’s actions—in arming, assisting, and training a guerilla force to depose the current government—constituted a use of force. The resolution defining aggression provided several examples of uses of force, e.g.:7

1. The invasion or attack by the armed forces of a State of the territory of another State, or any military occupation, however temporary, resulting from such invasion or attack, or any annexation by the use of force of the territory of another State or part thereof;

2. Bombardment by the armed forces of a State against the territory of another State or the use of any weapons by a State against the territory of another State;

3. The blockade of the ports or coasts of a State by the armed forces of another State;

4. An attack by the armed forces of a State on the land, sea or air forces, or marine and air fleets of another State;

5. The use of armed forces of one State which are within the territory of another State with the agreement of the receiving State, in contravention of the conditions provided for in the agreement or any extension of their presence in such territory beyond the termination of the agreement;

6. The action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State;

7. The sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein.

Therefore, we can assume that a cyber attack, which has the same scale and effects on a state as the above enumerated acts, would constitute a use of force for both international law and for the crime of aggression. It is important to note that these are merely examples of uses of force or aggression and not an exhaustive list. However, it is unclear if it would rise to the character, gravity, and scale requirements of the Article 8 bis test. Therefore, the best comparison for those actions which would meet the crime of aggression standard may be the traditional armed attack standard employed for determining whether a state’s right to self-defense has been triggered.

The armed attack standard is less defined by current international norms than the use of force; nonetheless, the Nicaragua judgment, Nuclear Weapons Advisory Opinion, and various international statements are informative. In the Nicaragua judgment, the ICJ considered whether Nicaragua had committed an armed attack against El Salvador to trigger El Salvador’s collective self-defense rights (thereby allowing the US to defend El Salvador).8 The ICJ noted that even where providing weaponry to dissident/rebellious forces was imputable to a nation state, that alone would not be considered an armed attack.9 Additionally, in defining armed attack, the court referred to an armed attack as “the most grave use of force” as distinguished from “other less grave forms.”10 Therefore, it seems to be proper for the crime of aggression to settle in between the armed attack standard and the traditional use of force standard.

III. Using International Norms of State Responsibility to Define the Scope of Possible Prosecution

The scope of those responsible for cyber warfare defies conventional norms of state actor responsibility. The Kampala Amendments institute a limited scope of persons to be held responsible in the case of an attack as follows:

[A] person in a position effectively to exercise control over or to direct the political or military action of a State.11

Though this scope is extremely limited in text, the possibility for enforcement in the cyber context goes far beyond traditional warfare. States, in governing, usually limit the ability for citizens to access means of employing force. For example, many European nations enforce gun control restriction’s, and few nations allow for private citizens to access military vehicles such as tanks or fighter planes. These restrictions are effectively enforced both at the state level and because of practical economic limitations of private citizens. As of a few years ago, a Sherman tank on the open market cost anywhere from $95,000 to $400,000, far beyond the ability of most private citizens to purchase even before considering the cost and difficulty in attaining the ammunition.12 Conventional military attacks generally involve many persons including the attackers themselves, their training/trainers, support staff, and logistical support. Therefore, it is hard to envision a conventional attack rising to the level imagined by the Kampala Amendments without some state involvement or support. Cyber attacks, by contrast, may be performed by as little as one person with hardware easily purchased.13 Therefore, the scope of potentially responsible persons committing cyber attacks is far greater than conventional warfare.

The text of the Kampala Amendments attempts to limit this pool of potential offenders to those who can control or direct the political or military action of a state. However, the text does not provide us with any guidance as to military action or political control. Therefore, we must look to prevailing international norms of state responsibility to determine those who will be potential cyber offenders. Though not an international treaty, the Responsibility of States for Internationally Wrongful Acts as adopted by the International Law Commission in 2001, attempted to codify prevailing customary law and has been adopted as the international standard of responsibility through custom. Under this framework, states are responsible for two categories of actions: those performed by the state itself and those attributable to the state through some other theory. State action directly is tested by whether the actions were taken by the organs of the state as determined by the state’s own definition of who may act on the state’s behalf.14 States may also later adopt an action of a party as their own.15 The state may also be held responsible for those who they directed, controlled, or acted in the absence of government authority.16 Therefore, many cyber actors may effectively control some part of the military apparatus of a state through the direct and control standards presented. For example, consider the US direction of the Contra Forces at issue in the Nicaragua judgment.17 The ICJ reasoned that US involvement was a necessary component and intended to assist the guerilla actions. As such, they were imputable to the United States.18

Consider Russia’s alleged attack on Georgia in 2008 where a large scale DDoS attack took place on Georgian government and public websites effectively slowed the internet to a crawl.19 As the digital attack took place, Russian troops moved into Georgia occupying the territory.20 Lists of attack targets were posted on the Russian internet at sites like StopGeorgia.ru, though the control server for the attack was actually located within the United States.21 Security researchers attributed the attack to a number of actors within Russia, but, upon questioning, the Russian government denied its own involvement.22 Digital security professionals opined that the attacks were too successful and coordinated to originate from amateurs, believing the attacks may have had some superior direction.23 The closest group associated with the attack was a Russian cybermafia group known as the Russian Business Network who contract out their digital services for cash.24 It is difficult to know whether these actions were at the direction of the Russian government itself; nonetheless, they certainly assisted with the Russian state’s aim of crippling the Georgian forces. If the RBN story is to be believed, then private individuals were a central component of a cyber attack on a foreign state. At the least, these acts are imputable to state actors, but there is the possibility that the actors themselves were sufficiently independent to fall under the direction of political or military action of the state as well. Therefore, the possible pool of persons responsible under a cyber aggression standard is much broader than conventional warfare.

IV. Applying the International Standard to Cyber

A. What Should the Prosecutor Do?

It is unclear whether the Kampala Amendments wanted the crime of aggression defined by severity requirements similar to a use of force or by the higher standard of armed attack given the gravity requirement instituted. Of course, the Kampala Amendments could have been setting out a different standard from these two internationally recognized standards as well. Likely, the standard was intended to mean use of force plus or severe uses of force. Therefore, in defining cyber aggression, the prosecutor should look to instances that would constitute a severe use of force but perhaps not meet the armed attack threshold, to determine those cases where prosecution should occur. The prosecutor should be especially conservative in the digital context where the law is already poorly defined given the young status of the court. Being conservative in this manner also respects the scale, gravity, and character requirements of Article 8 bis.

The prosecutor, considering the new era of cyber war, should not however feel beholden to follow the United Nations in its potential redefining of international law. Although, it may prove useful to observe the moving international standard of cyber attack, it is important for the court to define its own precedent that it believes best captures the intentions of the state parties to the Rome Statute. The ICC has the unique ability to define its own precedent, and that ability, coupled with the young era of cyber law, may allow the court to make its mark on international law. If the court feels as though there is a good case to tackle the new era of cyber warfare, then it should not shy away and wait for others to act first.

The prosecutor should pursue not only state actors responsible for military actions in the cyber space, but also be open to the pursuit of private individuals who carry out these attacks on a state’s behalf or with some state involvement. This would serve to increase the scope of the court’s effectiveness and its deterrent goals. It is especially important to note that state’s may be responsible for allowing their private citizens to host such attacks on foreign nations. It is easy to see how technologically advanced nations such as the United States, who have a strong internet infrastructure, could become a source for hackers working as mercenaries for international actors. The ability for the court to levy a deterrent effect on these private groups would severely limit states’ ability to perform cyber attacks and would serve as leverage in ascertaining the ultimately responsible party for any given attack.

Proper enforcement of the crime of aggression in the cyber context would pile on the already severe consequences of engaging in unwarranted armed conflict, as the aggressor must fear not only the invaded state’s response and international blowback, but also the threat of individual prosecution. This is especially true in the context of cyber warfare where private actors are more likely to be engaged than in conventional warfare. Additionally, it is an apt field for the court to consider governing the actions of states as they fail to control their citizens’ attacks on the citizens of other states.

B. Limitations

The prosecutor should, however, be cognizant of the political environment within which they act. This is especially important with cyber attacks, because the perpetrator is not always known and evidence may be hard to come by. Take, for example, the previously referenced attack on Georgia. Although there was strong suspicion that it was a Russian attack, in the immediate aftermath it looked as though the control server was located in the United States. Unlike conventional warfare, it is frequently hard to discern the exact origin point of a cyber attack. The political blow-back on the young court would be immense if they mistakenly identified a state as being the bad actor in an international attack. Therefore, perhaps it is best that prosecution in these cases be long after the attack has been fully understood by the international community. However, investigations must occur or any deterrent effect of the activation of the crime of aggression would quickly deteriorate.

Another concern for the prosecutor will be evidence gathering. Unlike conventional attacks, cyber attacks are likely to happen over a large number of countries simultaneously. Consider the previous example of the Georgia attack where United States’ servers were employed by Russian hackers to attack the Georgian networks. The prosecutor would have to appeal to Georgia, Russia, and the United States for evidence of the crime. The prosecutor would inevitably have to ask more countries for their assistance as cyber weapons could have traversed or hopped through various servers in various nations, vastly increasing the amount of countries to gather evidence in. However, this is not a new problem for cyber experts where much of the evidence gathering may be performed remotely with the consent of the controlling party. Therefore, the prosecutor should endeavor to keep states who may need to turn over evidence friendly with the court, and the prosecutor may wish to offer to reimburse these states for the significant potential costs associated with gathering the relevant digital evidence.

Finally, traditional notions of armed attack rely on the kinetic effects of an attack in determining gravity. Therefore, the prosecutor should expect some political push back in declaring a cyber attack of sufficient magnitude to investigate. If the prosecutor chooses a case where the effects are not easily shown to be analogous to previous kinetic attacks, then she risks invalidating the court and the crime’s serious nature. In many ways, the young court must be careful to treat the cyber field as a young crime which should rely not on hard cases but clear ones to set the proper precedent before engaging in overall enforcement.

C. Case Example: Stuxnet

Consider the somewhat recent actions of the United States and Israeli governments launching the “Stuxnet” virus in Iran.25 Let us leave aside the fact that neither the United States nor Israel are parties to the Rome Statute.2627 The governments were able to deploy a virus into the Iranian nuclear facilities that destroyed uranium centrifuges, eventually destroying 1,000 of 6,000 total centrifuges.28 This targeted attack served to delay potential weapons creation by Iran, though Iran has claimed the uranium was only to be used for power generation.29 Nonetheless, if such an attack occurred between states who were signatories to the Rome Statute, a crime of aggression would certainly have occurred. A nation causing kinetic damage to the military capabilities of another state falls squarely within Article 8 bis usage of weapons on the territory of another nation. Such a usage of weapons is especially grave as the attack targeted the military capabilities and utilities infrastructure of another state. Were such an attack to occur between state signatories to the Rome Statute, the prosecutor should step in to curb the aggressive behavior and hold those who commanded, and those who participated in the attack, accountable.

V. Conclusion

The crime of aggression should be equally employed in the cyber context as any other it might be used in. Despite some significant differences in application requirements, international law may generally apply by analogy to the cyber field. In fact, the cyber context presents a unique opportunity for the court to impact the actions of many states and expand its domain from the traditional African-focused sphere to operations occurring in other areas of the globe. However, the prosecutor should remain cognizant that the crime should only be charged in the most serious of cases where there are sufficient facts to constitute a jurisdictional hook for the court.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   List of States Who Have Ratified Amendments on the Crime of Aggression, U.N.T.S., [hereinafter List of Ratifying States], available online (last visited Feb. 14, 2018). ↩

2. 2.

   Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, UN Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis available online. ↩

3. 3.

   Assembly of State Parties, The Crime of Aggression, RC/Res.6, at Annex 3(6) (Jun. 11, 2010), available online. ↩

4. 4.

   Rome Statute, supra note 2. ↩

5. 5.

   Charter of the United Nations, Art. 2 ¶ 4, available online. ↩

6. 6.

   Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. U.S.), Merits, Judgment, 1986 I.C.J. Rep. 14 (Jun. 27, 1986) [hereinafter Nicaragua v. U.S.], available online. ↩

7. 7.

   Definition of Aggression, G.A. Res. 3314, A/Res/29/3314, at Art. 3 Dec. 14, 1974, available online. ↩

8. 8.

   Nicaragua v. U.S., supra note 6, at 191. ↩

9. 9.

   Id. at 230. ↩

10. 10.

    Id. at 191. ↩

11. 11.

    Rome Statute, supra note 2. ↩

12. 12.

    So, You Want to Buy a Sherman Tank, Military Trader, May 21, 2010, available online;

    Katie DeLong, Happen to be Looking for a 1941 Sherman Tank? There’s One for Sale on Good Hope Road!, Fox6 Now, Jun. 24, 2014, available online. ↩

13. 13.

    Kim Zetter, Teen Who Hacked CIA Director’s Email Tells How He Did It, Wired, Oct. 19, 2015, available online. ↩

14. 14.

    Responsibility of States for Internationally Wrongful Acts, G.A. Res. 56/83, A/Res/56/83 at Annex Art. 4, Jan. 28, 2002, available online. ↩

15. 15.

    Id. at Art. 11. ↩

16. 16.

    Id. at Arts. 8, 9. ↩

17. 17.

    Nicaragua v. U.S., supra note 6, at 111. ↩

18. 18.

    Id. ↩

19. 19.

    John Markoff, Before the Gunfire, Cyberattacks, N.Y. Times, Aug. 12, 2008, available online; Travis Wentworth, How Russia May Have Attacked Georgia’s Internet, Newsweek, Aug. 22, 2008, available online; David J. Smith, Russian Cyber Strategy and the War Against Georgia, Atlantic Council, Jan. 17, 2014, available online. ↩

20. 20.

    Id. ↩

21. 21.

    Id. ↩

22. 22.

    Id. ↩

23. 23.

    Id. ↩

24. 24.

    Id. ↩

25. 25.

    Ellen Nakashima & Joby Warrick, Stuxnet was Work of U.S. and Israeli Experts, Officials Say, Wash. Post, Jun. 2, 2012, available online. ↩

26. 26.

    List of Ratifying States, supra note 1. ↩

27. 27.

    (Although perhaps this could evidence an awareness by these countries that their cyber activities would be bound by relevant international law and the ICC’s individual accountability). ↩

28. 28.

    Nakashima & Warrick, supra note 25. ↩

29. 29.

    Id. ↩