The reason the files were not recoverable is because of the way in which NotPetya encrypts a victim computer’s data. Once the malware infiltrates a computer, it gains access to the computer’s administrator rights and encrypts the master boot record, which is the part of the computer that identifies how and where an operating system is located.7 This makes the computer unusable.8 But unlike typical ransomware, the computer is not just temporarily disabled. Instead, when NotPetya encrypts a computer, it does so without creating a relationship between the identity of the specific computer and the encryption key it creates, which means there is no way to decrypt the files, even if the ransom is paid.9 In other words, the purpose of NotPetya is not extortion; it is destruction.10

NotPetya was not only designed to cause irreversible damage to the computers it infected, it was also designed to infect as many computers as possible. The malware utilizes two different mechanisms, working together, to cause this widespread destruction. The first is a tool known as EternalBlue, which exploits the vulnerabilities in a popular Microsoft Windows protocol.11 EternalBlue was created by the United States National Security Agency but leaked after a breach of the agency’s files in April 2017.12 At the time the NotPetya attack occurred, Microsoft had already released a patch for this vulnerability.13 This meant that if a computer had this patch installed, NotPetya could not infiltrate it directly.14 Unfortunately, however, many computers are connected to other computers through networks, and the second mechanism employed by NotPetya, called Mimikatz, offered a way to infect even those computers that had been patched if they were connected to such a network.15 Mimikatz was created in 2011 by a French security researcher name Benjamin Delpy, who wanted to demonstrate how Windows systems left users’ passwords in the computer’s memory.16 Once initial access to a computer is obtained, Mimikatz can locate the user’s credentials in the computer’s RAM and then use them to gain access to other computers on the network that use the same credentials.17 As Delpy himself explained:

You can infect computers that aren’t patched, and then you can grab the passwords from those computers to infect other computers that are patched.18

This means that, as long as there is just one computer on a network that does not have the EternalBlue patch installed, Mimikatz can be used to spread NotPetya to the entire network of computers.19 Because of this, when NotPetya hit in June 2017, it was the fastest-propagating malware the world had ever seen.20

B. The June 2017 Attack

Not long after the attack began it became evident that NotPetya was specifically targeting Ukraine.21 The attack started on June 27, the eve of Ukraine’s Constitution Day. Because Constitution Day is a public holiday celebrating Ukraine’s independence from the Soviet Union, this timing has been interpreted as evidence of the attack’s political motivation.22 Even more telling than when the attack began is how the attack began. NotPetya’s epicenter has been linked to M.E.Doc, a Ukrainian tax accounting software.23 The hackers behind NotPetya infiltrated the servers responsible for pushing out M.E.Doc’s routine updates, which meant that, when the M.E.Doc software underwent a legitimate update process in June 2017, the hackers had backdoor access into every computer with M.E.Doc installed.24

And in Ukraine, M.E.Doc is installed on a lot of computers.25 The tax accounting software, which is the Ukrainian equivalent of TurboTax or Quicken,26 is mandatory at many Ukrainian government agencies and businesses, and all Ukrainian tax accountants are required to use it by law.27 The software is also popular among Ukrainian banks and government offices.28 The number of computers with M.E.Doc installed, combined with NotPetya’s dual-mechanism design, meant NotPetya was able to spread across Ukraine rapidly, wreaking havoc as it went.

The Ukrainian government estimates that ten percent of all computers in the country were hit by NotPetya.29 This includes at least four hospitals just in Kiev alone, two airports, six power companies, more than twenty banks, and almost every Ukrainian federal agency.30 As the Ukrainian Minister of Infrastructure reported, “[t]he government was dead.”31 More than fifteen hundred companies filed complaints with the Ukrainian national police asking for help with infected computers.32 Even the computers at the Chernobyl nuclear plant cleanup site failed because of the attack, forcing workers to manually monitor the radiation.33 Every computer that NotPetya hit was wiped clean of its data.

NotPetya did not stop at Ukraine’s borders. It spread to at least sixty-four other countries, including the United States, Germany, and the United Kingdom, hitting some of the world’s biggest companies.34 The Danish shipping company A.P. Maersk-Moller, which is the world’s largest shipping conglomerate and is responsible for nearly a fifth of the global shipping capacity, took nearly two weeks to be fully operational after it was hit by NotPetya and cost the company an estimated $300 million.35 The pharmaceutical giant Merck reported damages of nearly $870 million.36 Other affected companies include FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, and Mondelēz, the parent company of Nabisco and Cadbury.37 The attack is estimated to have cost $10 billion dollars, making it the most economically devastating cyber attack in history.38

This was not the first cyber attack Ukraine had suffered in recent years, and the victimized nation was quick to name its usual suspect: Russia.39 Given the history of Russian cyber attacks on Ukraine, this suspicion was not unfounded. For example, in 2016 Russia hacked a power grid in Western Ukraine, cutting off power in the region for six hours.40 Russia has also been blamed for using malware to target the Ukrainian financial sector.41 These types of attacks have been attributed to Russia’s method of hybrid warfare, which utilizes cyber attacks in conjunction with traditional military tactics as part of its ongoing efforts to undermine Ukrainian stability.42 Ukraine and Russia have been engaged in an ongoing kinetic conflict since March 2014, when Russian troops invaded and annexed the Crimea region of Ukraine. This led to the subsequent outbreak of insurgency by Russian-backed separatist forces in Ukraine’s Donbas region, resulting in over ten thousand dead and twenty-eight thousand injured.43 Seven percent of Ukraine’s territory is currently under occupation by Russian forces, with more than 1.8 million Ukrainian residents displaced.44 NotPetya was yet another piece of this ongoing devastation.

This use of hybrid warfare in Ukraine exemplifies precisely why there needs to be a legal mechanism by which to hold Russia, and other future perpetrators of cyber attacks, accountable.45 As NotPetya demonstrates, cyber attacks can be extremely destructive, and that destruction can have far-reaching, international consequences. Luckily, the Court’s current framework allows for the prosecution of cyber attacks, so long as the attacks meet the jurisdictional and admissibility requirements of the Rome Statute. As the remainder of this comment will explain, NotPetya provides the perfect opportunity for the Court to show it can, and will, prosecute cyber attacks.

III. Court’s Jurisdiction over NotPetya

The Rome Statute has three jurisdictional requirements that must be met before the Court is able to exercise jurisdiction over a crime: temporal jurisdiction, territorial jurisdiction, and subject matter jurisdiction.46 Temporal jurisdiction is met as long as the crime was committed after the enactment of the Rome Statute.47 Because the Rome Statute went into effect in 2002, and the NotPetya attack occurred in 2017, this jurisdictional element is easily satisfied. The more demanding inquiries relate to the Court’s territorial and subject matter jurisdiction. As the following analysis demonstrates, both requirements are met, meaning the Court has jurisdiction to prosecute members of the Russian military for NotPetya as a war crime.

A. Territorial Jurisdiction

Territorial jurisdiction refers to the geographical limitations on the Court’s ability to exercise its investigative and prosecutorial powers. Under Article 15 of the Rome Statute, the Prosecutor is only able to exercise his proprio motu power to initiate an investigation if the criminal conduct at issue occurred on the territory of a state party, or if the person accused of the crime is a national of a state party.48 Normally, this would serve as a major impediment to the Court’s jurisdiction over the NotPetya attack, as neither Ukraine nor Russia are States Parties to the Rome Statute. Fortunately, however, this issue has already been resolved. On April 9, 2014, Ukraine adopted a resolution recognizing the jurisdiction of the Court for the purpose of identifying, prosecuting and judging the perpetrators and accomplices of acts committed on the territory of Ukraine pursuant to Article 12(3) of the Rome Statute.49 Ukraine subsequently extended the temporal scope of this jurisdiction in a second declaration issued in September 2015, recognizing the Court’s jurisdiction for an “indefinite duration” over all crimes against humanity and war crimes committed by officials of the Russian Federation on or after February 20, 2014.50 The fact that Ukraine has already accepted the Court’s jurisdiction over war crimes committed in the context of the ongoing conflict with Russia means that the first hurdle to investigating and prosecuting NotPetya as a war crime has been cleared.

Furthermore, the Office of the Prosecutor has already initiated and completed its preliminary examination of the situation in Ukraine. On December 11, 2020, the Prosecutor concluded there was a reasonable basis to believe that war crimes and crimes against humanity were committed in the territory of Ukraine and requested authorization from the Pre-trial Chamber to open an investigation.51 Notably, the Prosecutor’s conclusions from her preliminary examination included a disclaimer that her findings were “without prejudice to any other crimes which may be identified during the course of an investigation.”52 Thus, an investigation of NotPetya is not precluded. Rather, because the NotPetya attack meets the elements of a war crime under Article 8, as discussed in Part III(B), the cyber attack can be included within the scope of an investigation of the situation in Ukraine.

B. Subject Matter Jurisdiction

The next requirement NotPetya must satisfy to be prosecuted by the Court is that of subject matter jurisdiction. Under Article 5 of the Rome Statute, the Court has jurisdiction over four crimes: genocide, crimes against humanity, crime of aggression, and war crimes.53 Ukraine’s April 2014 resolution recognized the Court’s jurisdiction over only two of those crimes, specifically war crimes and crimes against humanity. While NotPetya would likely not qualify as a crime against humanity, the following section will demonstrate that the cyber attack does meet the elements of a war crime under Article 8 and can thus be prosecuted by the Court.

The determination of whether NotPetya constitutes a war crime under the Rome Statute necessarily entails two levels of analysis. First, the commission of a war crime is predicated on a breach of international humanitarian law (IHL).54 This section therefore begins by demonstrating how the general requirements necessary for the application of IHL are met in the case of NotPetya. Second, NotPetya must meet the elements of at least one of the fifty-three individual offenses that constitute war crimes under Article 8 of the Rome Statute. This section therefore concludes by explaining how NotPetya could be prosecuted under either Article 8(2)(a)(iv), the war crime of destruction and appropriation of property, or Article 8(2)(b)(ii), the war crime of attacking civilian objects.

1. International Humanitarian Law

Under Common Article 2 of the 1949 Geneva Conventions, the requirements of IHL apply whenever there is an international armed conflict or state of occupation.55 “An armed conflict exists whenever there is a resort to armed force between States.”56 Thus, for IHL to be applicable, there are two requirements that must be met: first, there must be an employment of armed force, and second, there must be attribution of that force to one of the parties to the conflict.57

i. Existence of Armed Conflict and State of Occupation

Much of the literature on this topic focuses on whether or not a cyber attack, on its own, could qualify as “armed force.”58 However, where a cyber attack is conducted as part of an ongoing, conventional armed conflict, the armed force threshold is already satisfied.59 In other words, cyber attacks that are conducted in the context of an ongoing armed conflict are subject to the law of armed conflict, whether or not the cyber attack itself qualifies as armed force.60

Because the NotPetya attack was conducted in the context of a traditional, kinetic conflict between Ukraine and Russia, this “armed force” threshold is met.61 As mentioned in Part II, Ukraine and Russia have been engaged in an ongoing conflict that began with the invasion and annexation of Crimea in 2014. The Prosecutor has already recognized this conflict in Crimea and the subsequent violence in Donbas as an armed conflict.62 Furthermore, both the Prosecutor and the United Nations General Assembly have recognized Russia’s attempted annexation of the Crimean region as an ongoing state of occupation.63 This is particularly noteworthy, because the Geneva Conventions also say that IHL applies in cases of partial or total occupation of a territory, even if the occupation meets no armed resistance.64 Thus, once a territory is deemed to be under occupation, the cyber operations of the occupying power also fall under the requirements of IHL.65 Because Russia’s militarization in Ukraine has been recognized as both an armed conflict and state of occupation, by both the United Nations General Assembly and the Court, the commission of NotPetya within this context brings the cyber attack under the application of IHL principles.

ii. Attribution to Russia’s Military

The more demanding issue is attribution of NotPetya to one of the parties to this armed conflict. There is nearly universal consensus that the Russian government is responsible for NotPetya as part of its hybrid warfare in Ukraine.66 Not surprisingly, however, Russia has not admitted to its involvement in the NotPetya attack. In fact, Russia was even a victim of NotPetya, because the malware caused considerable damage to the Russian oil company Rosneft.67 This fact could therefore speak to Russia’s lack of involvement.68 Even without this potentially exculpatory evidence, attribution is one of the greatest obstacles to the prosecution of any cyber crime.69 Anonymity is an inherent feature of cyberspace, especially given the decentralized nature of the internet.70 This creates significant practical issues with identifying who the individual culprit behind any given cyber operation is.71

However, this attribution problem may be over exaggerated, and does not prohibit attribution to Russia in NotPetya’s case. First, at a general level, there is a distinction between technical and legal attribution.72 The anonymity of the internet undoubtedly complicates technical attribution to specific actors.73 However, just as with any prosecutable crime, legal attribution can be pieced together through various types of circumstantial evidence, so long as that evidence meets the required standard of proof.74 Here, there is significant circumstantial evidence supporting Russia’s link to NotPetya. For example, a Ukrainian military intelligence officer was killed by a car bomb in Kiev just hours before NotPetya hit, one of several assassinations of Russian-critical officials Russia had instigated.75 As previously discussed, Russia had a history of conducting cyber attacks against Ukraine in recent years, and this attack took place on the eve of a holiday celebrating Ukrainian independence from the Soviet Union. Security companies, such as the Slovakian company ESET, linked the attack to a Russian government team.76 Such evidence can be used to support Russia’s responsibility for the NotPetya attack.

An even more compelling justification for Russian attribution, however, is that the United States, as well as the United Kingdom and Denmark, have released official statements attributing the attack to the Russian government.77 On February 15, 2018, the White House released a statement blaming NotPetya, which it described as “the most destructive and costly cyber-attack in history,” on the Russian military as “part of the Kremlin’s ongoing effort to destabilize Ukraine.”78 This statement further warned that NotPetya was a “reckless and indiscriminate cyber-attack that will be met with international consequences.”79 A few months prior, the United States Central Intelligence Agency (CIA) concluded with “high confidence” that the GRU, the military intelligence agency of the Russian Armed Forces, created NotPetya.80 While neither the White House nor the CIA have disclosed what evidence they have supporting this attribution, the willingness of these governmental bodies to officially blame Russia strongly suggests that they have the necessary evidence to do so. This is especially true when viewed in the context of the Trump Administration’s normal policy of turning a blind eye to the threat of Russian cyber operations.81

This theory finds further support in the fact that the United States Department of Justice (DOJ) has actually indicted six individual members of the GRU for various crimes, in part based on their involvement in the creation and dissemination of NotPetya (U.S. Indictment).82 The U.S. Indictment, which alleged that these GRU officers “knowingly and intentionally conspired with each other […] to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers,” was returned by a federal grand jury on October 15, 2020.83 If the DOJ did not have sufficient evidence linking these GRU officials to NotPetya, the grand jury would not have voted in favor of bringing the charges against them, lending support to the idea that the United States is in possession of the necessary evidence for attribution.84

The U.S. Indictment also helps to solve the issue of individual accountability. The Rome Statute requires individual responsibility for the crimes the Court prosecutes, rather than holding whole states or governments accountable.85 This means that just being able to attribute NotPetya to the GRU, without more, would not be sufficient.86 The charges against the six GRU officers proves not only that attribution to the Russian government is feasible, but that attribution to specific individual actors within the Russian government is possible and already determined.87 Even without this U.S. Indictment, the Prosecutor would not be without recourse for holding specific individuals accountable, because the Prosecutor could rely on the doctrine of command responsibility enshrined in Article 28 of the Rome Statute. Under this provision, the military commander in charge of the GRU could be held responsible for the acts of those persons under his effective control, where that military commander knew or should have known that his forces were going to commit the cyber attack and failed to take the necessary and reasonable measures to stop the attack from occurring.88

Therefore, because NotPetya occurred in the context of an armed conflict, and because the cyber attack can be attributed to a party to that conflict, the rules of IHL govern Russia’s commission of NotPetya. The cyber attack therefore meets the first level of analysis required to meet the framework of a war crime, and can now be analyzed under the Rome Statute itself.

2. Article 8 of the Rome Statute

The NotPetya attack can be prosecuted as two different war crimes under Article 8 of the Rome Statute: the war crime of destruction and appropriation of property under Article 8(2)(a)(iv), and the war crime of attacking civilian objects under Article 8(2)(b)(ii).89

Although two distinct crimes, the elements required for each overlap to a considerable degree.90 Both require a nexus between the international armed conflict and the conduct being prosecuted as a war crime.91 Article 8(2)(a)(iv) never explicitly uses the word “attack,” but its elements require the destruction of property, which is not justified by military necessity, and which is extensive or carried out wantonly.92 Because these are the same factors used to determine whether something is an unlawful “attack” under Article 8(2)(b)(ii), the analysis for both is effectively the same. Similarly, while Article 8(2)(b)(ii) requires that “the object of the attack was civilian objects, that is, objects which are not military objectives,” Article 8(2)(a)(iv) requires the destruction of property that “was protected under one or more of the Geneva Conventions of 1949.”93 The property protected by the Geneva Conventions are “civilian objects,” also defined as “all objects which are not military objectives.”94 Therefore, to determine whether NotPetya can be prosecuted as either of these war crimes, it must be determined whether there was a nexus between NotPetya and the international armed conflict, and whether NotPetya constitutes an attack targeted at civilian objectives.

i. Nexus to International Armed Conflict

Both Article 8(2)(a)(iv) and Article 8(2)(b)(ii) require that “the conduct took place in the context of and was associated with an international armed conflict.”95 In other words, there must be a nexus between NotPetya and the ongoing conflict between Ukraine and Russia for the cyber attack to constitute a war crime. There are a number of factors taken into account in determining if a nexus exists, such as if the perpetrator is a combatant, if the victim is a member of the opposing party, and if the act may be said to serve the ultimate goal of a military campaign.96 These factors weigh in favor of the existence of a nexus here. As previously documented, NotPetya was orchestrated by the GRU, a branch of Russia’s military. The intent to target Ukraine, and cause disruption at its highest levels, is apparent from the use of M.E.Doc as the source of the malware, given that the software is mandatory in most divisions of Ukrainian government.97 As mentioned, Russia’s method of conflict with and occupation of Ukraine has been deemed hybrid warfare, with Russia using multiple cyber attacks against Ukraine since the conflict began in 2014. Russia’s goal during this conflict has been to cause as many problems and as much unrest in Ukraine as possible,98 most likely in its attempt to plant the seeds for full-fledged invasion, as evidenced by recent developments in the conflict.99 There is therefore plenty of evidence to support the idea that NotPetya was not only associated with, but meant to help facilitate, Russia’s occupation of and armed conflict against Ukraine.

ii. Attack on Civilian Objects

Having established the nexus, it must be determined whether NotPetya can be considered an “attack” within the meaning of IHL and Article 8. Article 49(1) of Additional Protocol I of the Geneva Convention defines “attack” as “acts of violence against the adversary.”100 Two different approaches have developed as to how these “acts of violence” should be understood: the means-based approach and the effects-based approach.101 Under the “means” approach, whether an attack has occurred is determined by looking at the types of instruments employed.102 This methodology poses difficulty for cyberwarfare, because it focuses on the physical characteristics of the instruments used and typically encompasses only traditional, kinetic weapons.103 In contrast, the “effects” approach focuses on the resulting consequences, regardless of the instrumentality used.104 This “effects” approach has garnered the most support, emerging as the dominant approach used by the international law community.105 Because this approach also allows for inclusion of cyber attacks, it will be used here.

Using the effects-based method, a cyber operation amounts to an “attack” when it employs methods that have or are reasonably likely to result in violent effects.106 This idea has been adopted by the Tallinn Manual, which defines “cyber attack” in Rule 30 as “a cyber operation […] that is reasonably expected to cause injury or death to persons or damage or destruction of objects.”107 The comments to this rule explain that “acts of violence” should not be limited to activities that use kinetic force, because “the consequences of an operation, not its nature, are what generally determine the scope of the term ‘attack.’ ”108 The question, then, is whether NotPetya can be understood as an act of violence, in that its employment was reasonably expected to cause injury or death to persons, or damage or destruction to objects.

As mentioned, the wars crimes in both Article 8(2)(a)(iv) and Article 8(2)(b)(ii) require the attacks be on civilian objects, or non-military objectives. There is dispute as to whether data, itself, is a civilian object.109 There is a plausible argument that limiting the definition of objects to only tangible things is impractical, if not infeasible, in modernized society.110 Regardless, an answer to this debate is not necessary to finding that NotPetya targeted civilian objects. Where a cyber attack causes disruption by corrupting or deleting the data of a physical civilian institution or infrastructure, it is those institutions and infrastructures that are the intended object of the attack, not the data itself.111 Every computer that NotPetya hit was wiped clean of its data, and this meant that any and every institution that NotPetya affected was unable to operate for varying levels of time. Because NotPetya hit a number of Ukrainian civilian institutions, including, but not limited to, hospitals, airports, energy plants, and essentially the entire government, there is no doubt that NotPetya targeted civilian objects.

The question still remains as to whether this targeting of civilian objects constitutes an “act of violence,” as is required for NotPetya to be a war crime. Because NotPetya destroyed, rather than simply interfered with, civilian data, it is possible that this is enough on its own to qualify as a war crime under either Article 8(2)(a)(iv) or Article 8(2)(b)(ii).112 However, even if that is insufficient, NotPetya still rises to the level of an attack. The consequences of cyber attacks typically do not remain contained within cyber space itself, and NotPetya is no exception. Cyber attacks produce three types of effects in the physical world: primary, secondary, and tertiary.113 Primary effects refer to the immediate consequences on the attacked computers, meaning the corruption and deletion of data.114 Secondary effects are those on the infrastructure that operate the attacked computers, resulting in either physical damage to or incapacitation of those systems.115 Tertiary effects encompass the consequences of this destruction on the human beings who rely on these attacked systems.116

That NotPetya caused widespread primary effects is undeniable. As just discussed, every computer that NotPetya hit was wiped clean of its data, causing billions of dollars in damage to countries and companies around the world. But even if this destruction of data is not enough to arise to an “act of violence,” the tertiary effects of NotPetya certainly do. In Ukraine alone, NotPetya hit at least four hospitals, two airports, and six power companies. Attacks on these civilian infrastructures pose serious, kinetic risk to human life. For example, Kiev’s largest medical clinic, the Boris Clinic, lost all medical documentation for twenty-four hours when NotPetya brought the system down, forcing doctors to take records solely by hand for the first time since the mid 1990s.117 Fortunately for the clinic, backups of all records had been kept in a system that managed to avoid NotPetya’s infection.118 While the Boris Clinic got lucky, it is easy to imagine just how devastating, and deadly, NotPetya could have been had the clinic not had back-up documents preserved, and patient records remained inaccessible to the doctors who rely on them in order to properly treatment to their patients.

Take what happened to Maersk, for instance. The backup system that the shipping company used for its 150 domain controllers, which are the servers that house the function of Maersk’s entire network, were all programmed to sync to one another so that each could serve as a backup for all the others if need be.119 Because they were all on the same network, NotPetya was able to wipe all of Maersk’s domain controllers, all over the world, simultaneously.120 The company was only saved from completely losing this vital data because at the time of the attack, a remote office in Ghana had experienced a power outage, meaning the computers in that office were disconnected from the network when NotPetya hit.121 This stroke of luck preserved the sole copy of the domain network of the biggest shipping conglomerate in the word.

If what happened to Maersk had happened to Boris Clinic, or to Kiev’s airport, or any of the other institutions hit by NotPetya, it is not hard to imagine the violent tertiary effects on human life it could have caused, in addition to the economic devastation it did cause. A cyber operation amounts to an “act of violence” whenever the instruments caused or are reasonably likely to cause violent effects. Therefore, when NotPetya’s widespread primary effects are combined with the high possibility it created for life-threatening tertiary effects, NotPetya meets the definition of at “attack” for purposes of Article 8.

As an attack, NotPetya is unlawful if it violates traditional IHL principles. The two most relevant here are the principles of proportionality and the prohibition against indiscrimination, both of which have been incorporated into the elements of Article 8(2)(a)(iv)’s and Article 8(2)(b)(ii)’s war crimes.122 The principle of proportionality is violated when an attack causes damage to civilian objects which is excessive in relation to its anticipated military advantage.123 Indiscriminate attacks, meaning those which employ methods of warfare that cannot be directed, or that have uncontrollable effects, are also prohibited.124 NotPetya’s lack of proportionality and widespread indiscrimination are its defining features. Regardless of what Russia’s military objective was in initiating the attack, the fact that the malware was designed to spread as quickly and as far as possible, as evidenced by the dual EternalBlue and Mimikatz mechanisms, shows that it was not, nor was it intended to be, contained to that objective.125 Its inability to be controlled and its lack of discretion in choosing its victims is evidenced most prominently by the fact that NotPetya did not stay within Ukraine. Instead, any international company that maintained offices in Ukraine served as the gateway for NotPetya to spread to the rest of the world, causing billions of dollars in damages as it went. The attack was so indiscriminate, in fact, that it managed to make its way back to Russa. In essence, NotPetya was not just a war crime of disproportionate nature in Russia’s conflict with Ukraine; it was an indiscriminate, unjustified attack by Russia on anyone who did business with Ukraine, Russia’s known enemy.126 Therefore, while Russia’s violation of IHL principles is the reason that the Court can prosecute the perpetrators of the NotPetya attack, it is also the reason that the Court should prosecute the perpetrators of the NotPetya attack: to show the world that such indiscriminate attacks on the international community at large will not be allowed impunity.127

IV. Admissibility of NotPetya

While the foregoing demonstrates that the Court has jurisdiction to prosecute the NotPetya attack as a war crime, that is not the end of the inquiry. The Court can only exercise this jurisdiction if the attack is also found to be admissible under Article 17 of the Rome Statute.128 There are two admissibility thresholds under Article 17 that NotPetya must satisfy. First, the attack cannot violate the principles of complementarity, and second, the case must be of sufficient gravity.129

A. Complementarity

The complementarity principle may pose the greatest obstacle to the Court’s ability to prosecute individuals for the NotPetya attack. A potential defendant could argue that the U.S. Indictment against the members of the GRU, discussed in Part III, means the attack is inadmissible under Article 17(1). Article 17(1)(a) says that:

[A] case is inadmissible where […] the case is being investigated or prosecuted by a State which has jurisdiction over it, unless the State is unwilling or unable genuinely to carry out the investigation or prosecution.130

The crucial issue, then, is whether the charges in the U.S. Indictment rise to the level of the same “case.” The Pre-trial Chamber has said the same “case” for purposes of Article 17 means the same conduct and the same individual.131 However, this “specificity test,” as it has been named, has yet to be more clearly delineated by the Court in the realm of kinetic crimes,132 let alone in the more unsettled terrain of cyberspace. Despite the uncertainty this creates, the Pre-trial Chamber should find the U.S. indictment does not preclude admissibility of the issue before the Court.

The U.S. Indictment charges the GRU members with seven charges, most notably damage to protected computers, wire fraud, and conspiracy to commit these crimes. There are two reasons that these charges are insufficient to establish complementarity: the conduct that is being criminalized is not the same, and the victims are not the same. It is helpful to think of this in terms of analogy. If a person gets behind the wheel of a car while intoxicated, they commit the crime of driving under the influence. If they hit and kill someone while driving under the influence, they have also committed the crime of manslaughter. Even though the drunk driving crime is the instrumentality that led to the manslaughter crime, we would never find that these two charges merge into one. Both are prosecutable as separate charges.

The same applies here. As discussed in the previous section, what makes NotPetya an “attack,” and thus a war crime, under Article 8 is not the instrumentalities used to perpetrate it, but the effects that it had, particularly the tertiary effects. In contrast, the crimes charged in the U.S. Indictment seek to punish the instrumentalities utilized, rather than the effects. The wire fraud claim is premised on the allegation that NotPetya:

[S]tole the victim’s user authentication credentials to move laterally to other parts of the victim’s network.133

This solely criminalizes how NotPetya worked, not the malware’s consequences. While the computer fraud charge addresses the damage caused, this is limited only to the computers themselves, not the tertiary effects.134 Therefore, just as the means of the drunk driving would not be sufficient to bar prosecution of the effect of manslaughter, the U.S. Indictment charging the GRU members with crimes targeting the means of NotPetya does bar the Court’s prosecution for the widespread effects of NotPetya. Thus, the U.S. Indictment is a different “case” for purposes of Article 17.

An even more compelling reason for why complementarity is not satisfied here is that, for both the wire and computer fraud charges, the only incident being prosecuted is NotPetya’s infiltration of the Heritage Valley Health System, a single hospital in Pennsylvania.135 Again, the metaphor of the drunk driver proves useful. If this person were to hit and kill two people, rather than one, we would not find it sufficient that he be prosecuted for only one charge of manslaughter. Two victims require two separate counts, so that each victim receives the retribution deserved. The fact that the U.S. Indictment may bring retribution to the Heritage Valley Health System does nothing for the hundreds of thousands of Ukrainians who fell victim to NotPetya. While the Pennsylvania hospital may be a victim of wire fraud and computer fraud, the people of Ukraine are victims of a Russian-propagated war crime. To say that the former bars retribution for the latter is to undermine the principles of complementarity in Article 17.136

B. Gravity

Lastly, the Rome Statute requires that NotPetya be sufficiently grave to be admissible before the Court. In practice, there are two types of gravity enshrined in the Rome Statute: legal gravity, which looks at a crime’s admissibility under Article 17, and relative gravity, which speaks to the Prosecutor’s discretion in selecting and prioritizing cases.137

In terms of legal gravity, Marco Roscini conducted a survey of the Court’s case law and delineated a list of the qualitative and quantitative factors that the Court relies on in determining whether a case is admissible under Article 17.138 These factors include the nature, scale, manner of commission, and impact of the crime.139 In terms of nature, crimes against property are typically considered less grave than crimes against persons, especially those involving murder or torture.140 However, this does not prohibit the admissibility of cyber attacks, especially NotPetya, before the Court. In terms of scale, impact, and manner of commission, the gravity of NotPetya is undeniable. The “scale” factor includes the number of victims, the extent of the damage caused by the crime, and its geographical and temporal speed.141 NotPetya’s scale is unparalleled: it was the most economically devastating cyber attack in history, affecting over sixty countries and causing billions of dollars of damage.142 It was purposefully designed to spread far as possible, as quickly as possible, and to cause destruction and disruption to as many computers as possible. These widespread consequences speak to the severity of NotPetya’s impact, not only on Ukraine, but the world at large.143 Lastly, the manner of commission of the crime also speaks to its gravity.144 A malware of this nature is not created and executed in a matter of days. Rather, it was discovered that M.E.Doc had been compromised more than six weeks prior to the attack being launched.145 The complexity of the malware’s design, in conjunction with the wait time between infiltration of the M.E.Doc systems to when the actual attack took place, speaks to the intricate planning it took for the GRU to perpetrate this attack.

These factors demonstrate that the legal gravity of NotPetya is sufficient for purposes of Article 17. It helps that the threshold for legal gravity is not considered to be very high.146 In contrast, the Prosecutor’s discretion in determining relative gravity imposes a much higher burden.147 Even so, there are three reasons why the Office of the Prosecutor should choose to prosecute members of the Russian military for this cyber attack. First is a matter of practicability. Not only has Ukraine expressly recognized the Court’s jurisdiction over war crimes committed by Russia during the ongoing conflict between the two states, but the Prosecutor has already requested authorization from the Pre-trial Chamber to open an investigation. The fact that NotPetya can be included as part of this already ongoing preliminary investigation before the Court, rather than requiring the initiation of an entirely new case, makes prosecution of NotPetya at least somewhat easier than other possible cyber attacks.

Second, because the practical difficulties are somewhat alleviated in the case of NotPetya, it offers the perfect pioneering opportunity for the Court to show that it can, and will, prosecute cyber attacks. As the foregoing analysis shows, NotPetya satisfies the elements of a war crime under Article 8. The Court can therefore use NotPetya to demonstrate to the international community that cyber attacks can be prosecuted under the Rome Statute, and that the Court is not afraid to do so. This could have the benefit of both specific and general deterrence.148 If the Court opens an investigation into NotPetya, it will demonstrate to the international community, and Russia in particular, that impunity for cyber attacks will not be tolerated any longer.

Lastly, the Prosecutor should find that NotPetya is of sufficient relative gravity because its prosecution will likely be supported by the international community. Given the worldwide devastation NotPetya caused there are many states who would undoubtedly like to see the perpetrators of NotPetya held responsible. Even the United States would likely be supportive, given the White House’s statement that NotPetya was a “reckless and indiscriminate cyber-attack that will be met with international consequences.”149 So far, no such international consequences have come to fruition. Therefore, as an international criminal tribunal, the Court serves as a perfect forum to finally get retribution for the many victims, across the globe, of Russia’s NotPetya attack.

V. Conclusion

As modern society’s reliance on computer technology continues to grow, the number of attacks on that technology grows along with it. Although prosecuting individuals for cyber operations is difficult, the increasing threat posed by such attacks demands a legal framework by which to hold the perpetrators accountable. This is particularly true when the cyber attacks have far-reaching, international consequences, as did NotPetya.

This comment demonstrates that there is already a viable framework in place to prosecute the perpetrators of NotPetya: the Rome Statute. Given the context of the armed conflict and state of occupation in which this attack occurred, in addition to Ukraine’s recognition of the Court’s jurisdiction over war crimes committed during this conflict, the NotPetya attack provides the Court with a unique opportunity to demonstrate that it can, and will, hold the perpetrators of cyber attacks accountable. Because NotPetya meets the elements of a war crime under the Rome Statute, the Court should prosecute members of the Russian military for their commission of NotPetya to show the international community that cyber attacks of this severity will no longer be allowed impunity.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), paywall. ↩

2. 2.

   Lawrence J. Trautman & Peter C. Ormerod, WannaCry, Ransomware, and the Emerging Threat to Corporations, 86 Tenn. L. Rev. 503, 531–32 (2019), available online. ↩

3. 3.

   Id. at 531. ↩

4. 4.

   Id.; see also Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int’l L. 191, 197 (2018), available online, archived

   (providing a helpful explanation of the different types of malwares and how they work). ↩

5. 5.

   Greenberg, supra note 1. ↩

6. 6.

   Trautman & Ormerod, supra note 2, at 532. ↩

7. 7.

   Press Release, CISA, Alert (TA17-181A) Petya Ransomware (Feb. 15, 2018) [hereinafter CISA Press Release], available online; Greenberg, supra note 1. ↩

8. 8.

   CISA Press Release, supra note 7. ↩

9. 9.

   Id. ↩

10. 10.

    Greenberg, supra note 1; see also Andrew E. Kramer, Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows, N.Y. Times, Jun. 28, 2018, available online. ↩

11. 11.

    Trautman & Ormerod, supra note 2, at 524, 532. ↩

12. 12.

    Id. at 524. ↩

13. 13.

    Id. at 524. ↩

14. 14.

    Lily Hay Newman, A Scary New Ransomware Outbreak Uses WannaCry’s Old Tricks, Wired (Jun. 27, 2017), available online

    (expressing uncorroborated optimism, Newman wrote on the day of the NotPetya attack that “[e]nough people may have patched since WannaCry to forestall a breakout on the same scale”).

    See Trautman & Ormerod, supra note 2, at 522–31

    (discussing the WannaCry ransomware campaign). ↩

15. 15.

    Trautman & Ormerod, supra note 2, at 534. ↩

16. 16.

    Greenberg, supra note 1. ↩

17. 17.

    Id. ↩

18. 18.

    Id. ↩

19. 19.

    Trautman & Ormerod, supra note 2, at 534. ↩

20. 20.

    Greenberg, supra note 1. ↩

21. 21.

    Kramer, supra note 10; Nicole Perlroth, Mark Scott & Sheera Frenkel, Cyberattack Hits Ukraine Then Spreads Internationally, N.Y. Times, Jun. 27, 2017, available online; Frank Bajak & Raphael Satter, Companies Still Hobbled from Fearsome Cyberattack, AP, Jun. 30, 2017, available online; Christian Borys, Ukraine Braces for Further Cyber-attacks, BBC News, Jul. 26, 2017, available online. ↩

22. 22.

    Kramer, supra note 10. ↩

23. 23.

    Id.

    (noting that Microsoft issued a statement the day following the attack saying it “now has evidence that a few active infections of the ransomware initially started from the legitimate M.E.Doc update process”).

    See also CISA Press Release, supra note 7. ↩

24. 24.

    Greenberg, supra note 1. ↩

25. 25.

    Borys, supra note 21

    (estimating that M.E.Doc’s filing services are used by more than 400,000 Ukrainian customers, which represents about 90% of the country’s domestic companies). ↩

26. 26.

    Greenberg, supra note 1. ↩

27. 27.

    Id. ↩

28. 28.

    Kramer, supra note 10. ↩

29. 29.

    Greenberg, supra note 1. ↩

30. 30.

    Id. ↩

31. 31.

    Id. ↩

32. 32.

    Kramer, supra note 10. ↩

33. 33.

    Perlroth et al., supra note 21. ↩

34. 34.

    Bajak & Satter, supra note 21; Newman, supra note 14. ↩

35. 35.

    Greenberg, supra note 1. ↩

36. 36.

    Id. ↩

37. 37.

    Id. ↩

38. 38.

    Id.

    (For comparison, the ransomware attack that crippled Atlanta’s city government in March 2018 was estimated to have caused only $10 million in damage, while even the infamous WannaCry attack in May 2017 was estimated to have caused between $4 billion to $8 billion in damage). ↩

39. 39.

    Kramer, supra note 10. ↩

40. 40.

    Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016), available online. ↩

41. 41.

    Anton Cherepanov, The Rise of Telebots: Analyzing Disruptive KillDisk Attacks, welivesecurity (Dec. 13, 2016), available online. ↩

42. 42.

    Ellen Nakashima, Russian Military was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes, Wash. Post, Jan. 12, 2018, available online; Pavel Polityuk, Ukraine Points Finger at Russian Security Services in Recent Cyber Attack, Reuters, Jul. 1, 2017, available online. ↩

43. 43.

    Press Release, U.N., Speakers Urge Peaceful Settlement to Conflict in Ukraine, Underline Support for Sovereignty, Territorial Integrity of Crimea, Donbas Region (Feb. 20, 2019) [hereinafter U.N. Press Release], available online. ↩

44. 44.

    Id. ↩

45. 45.

    See Stephanie Gosnell Handler, The New Cyber Face of Battle: Developing a Legal Approach to Accommodate Emerging Trends in Warfare, 48 Stan. J. Int’l L. 209, 212 (Dec. 2012), paywall

    (“Determining whether such cyberattacks should be considered under the law of war—even absent direct kinetic effects—is important as it is most probable that military campaigns of the future will follow the Russian precedent and utilize cyberattacks in concert with traditional weapons to achieve their strategic goals.”). ↩

46. 46.

    See generally, Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], available online.. ↩

47. 47.

    Id. at Article 11(1). ↩

48. 48.

    Id. at Article 12. ↩

49. 49.

    Press Release, ICC, Ukraine Accepts ICC Jurisdiction Over Alleged Crimes Committed Between 21 November 2013 and 22 February 2014 (Apr. 17, 2014), available online; Rome Statute, supra note 46, at Article 12(3)

    (“If the acceptance of a State which is not a Party to this Statute is required under paragraph 2, that State may, by declaration lodged with the Registrar, accept the exercise of jurisdiction by the Court with respect to the crime in question. The accepting State shall cooperate with the Court without any delay or exception in accordance with Part 9.”). ↩

50. 50.

    Press Release, ICC, Ukraine Accepts ICC Jurisdiction Over Alleged Crimes Committed Since 20 February 2014 (Sep. 8, 2015), available online. ↩

51. 51.

    Fatou Bensouda, ICC, Statement on the Conclusion of the Preliminary Examination in the Situation in Ukraine (Dec. 11, 2020), available online. ↩

52. 52.

    Id. ↩

53. 53.

    Rome Statute, supra note 46, Article 5. ↩

54. 54.

    Kai Ambos, International Criminal Responsibility in Cyberspace, in Research Handbook on International Law and Cyberspace 181, 121 (Nicholas Tsagourias & Russell Buchan eds., 2015), available online. ↩

55. 55.

    Geneva Convention IV Relative to the Protection of Civilian Persons in Time of War, Article 2, 75 U.N.T.S. 287 (Aug. 12, 1949, entry into force Oct. 21, 1950) [hereinafter Fourth Geneva Convention], available online. ↩

56. 56.

    The Prosecutor v. Duško Tadić, IT-94-1, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 90 (ICTY AC, Oct. 2, 1995), available online, archived. ↩

57. 57.

    Ambos, supra note 54, at 122. ↩

58. 58.

    See, e.g., id. at 122–25; David Weissbrodt, Cyber Conflict, Cyber-Crime, and Cyber-Espionage, 22 Minn. J. Int’l L., 347, 355–66 (2013), available online; Perloff-Giles, supra note 4, at 201–02. ↩

59. 59.

    Ambos, supra note 54, at 122. ↩

60. 60.

    Tallinn Manual on the International Law Applicable to Cyber Warfare 68 (Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual]

    (explaining in the commentary of Rule 20 that the law of armed conflict governed the cyber attacks that occurred in Georgia in 2008 because they were undertaken in furtherance of the ongoing armed conflict between Georgia and Russia). ↩

61. 61.

    For discussion of the nexus between the NotPetya attack and the ongoing armed conflict and occupation of Ukraine, see Part III(B)(2). ↩

62. 62.

    U.N. Press Release, supra note 43. ↩

63. 63.

    Id. ↩

64. 64.

    Fourth Geneva Convention, supra note 55. ↩

65. 65.

    Marco Roscini, Cyber Operations and the Use of Force in International Law 144 (2014), paywall. ↩

66. 66.

    Trautman & Ormerod, supra note 2, at 534. ↩

67. 67.

    Id. ↩

68. 68.

    Id. at 534–35

    (explaining how this evidence has instead been interpreted as a sign that NotPetya was more successful than its creators originally intended for it to be). ↩

69. 69.

    See, e.g., Marco Roscini, Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations, 50 Tex. Int’l L.J. 233, 234 (2015), available online; see also Ambos, supra note 54, at 125–26. ↩

70. 70.

    Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247, 258 (2019), available online, doi; see also Perloff-Giles, supra note 4, at 193–95. ↩

71. 71.

    See, e.g., Roscini, supra note 69, at 234. ↩

72. 72.

    Perloff-Giles, supra note 4, at 215. ↩

73. 73.

    Ambos, supra note 54, at 125. ↩

74. 74.

    Perloff-Giles, supra note 4, at 215–16. ↩

75. 75.

    Kramer, supra note 10. ↩

76. 76.

    Andy Greenberg, The White House Blames Russia for NotPetya, the ‘Most Costly Cyberattack in History’, Wired (Feb. 15, 2018), available online. ↩

77. 77.

    Id. ↩

78. 78.

    Press Release, The White House, Statement from the Press Secretary (Feb. 15, 2018) [hereinafter White House Press Release], available online. ↩

79. 79.

    Id. ↩

80. 80.

    Nakashima, supra note 42. ↩

81. 81.

    Greenberg, supra note 76. ↩

82. 82.

    United States v. Andrienko et al., 20–316, Indictment ( W.D. Pa., Oct. 15, 2020) [hereinafter U.S. Indictment], available online. ↩

83. 83.

    Id. ¶ 2. ↩

84. 84.

    See Press Release, U.S. Dept. of Just., Six Russian GRU officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (Oct. 19, 2020), available online.

    (FBI Deputy Director David Bodwich explained that “this indictment […] highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.”). ↩

85. 85.

    See Rome Statute, supra note 46, Article 25. ↩

86. 86.

    See id. ↩

87. 87.

    For potential issues this could raise in regard to complementarity, see Part IV(A). ↩

88. 88.

    See Rome Statute, supra note 46, Article 28; see also Roscini, supra note 70, at 265. ↩

89. 89.

    Rome Statute, supra note 46, Articles 8(2)(a)(iv), 8(2)(b)(ii). ↩

90. 90.

    International Criminal Court, Elements of Crimes, ICC-ASP /1/3, Adopted and Entry into Force 9 September 2002, updated at Kampala, 31 May-11 June 2010, 15, 18 (Jun. 11, 2011) [hereinafter Elements of Crimes], available online, archived. ↩

91. 91.

    Id. ↩

92. 92.

    Id. ↩

93. 93.

    Id. ↩

94. 94.

    Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, 1125 U.N.T.S. 3 (Jun. 8, 1977) [hereinafter Additional Protocol I], available online. ↩

95. 95.

    Elements of Crimes, supra note 90. ↩

96. 96.

    Ambos, supra note 54, at n.67. ↩

97. 97.

    Nakashima, supra note 42

    (discussing NotPetya as “an effort to disrupt [Ukraine’s] financial system amid its ongoing war with separatists loyal to the Kremlin”). ↩

98. 98.

    Kramer, supra note 10

    (quoting Ivan Lozowsky, the director of the Institute of Statehood and Democracy in Ukraine, who said in regards to NotPetya, “[t]he Russians are interested in Ukraine having as many problems as possible”). ↩

99. 99.

    Christopher A Hartwell, Invading Ukraine is a Trap for Vladimir Putin, Wall St. J., Dec. 10, 2020, paywall. ↩

100. 100.

     Additional Protocol I, supra note 94. ↩

101. 101.

     Ambos, supra note 54, at n.26

     (“The three relevant approaches (instrumentality-, target– and consequence-effects-based) have been developed with regard to the ius ad bellum concept of an ‘armed attack’ […] but can be applied in the ius in bello context of the armed conflict threshold as well.”). ↩

102. 102.

     Id. at 122. ↩

103. 103.

     Weissbrodt, supra note 58, at 365. ↩

104. 104.

     Id. ↩

105. 105.

     Id. ↩

106. 106.

     Roscini, supra note 65, at 179. ↩

107. 107.

     Tallinn Manual, supra note 60, at 91. ↩

108. 108.

     Id. ↩

109. 109.

     Roscini, supra note 65, at 183. ↩

110. 110.

     Ambos, supra note 54, at 131. ↩

111. 111.

     Roscini, supra note 65, at 183. ↩

112. 112.

     Perloff-Giles, supra note 4, at 222. ↩

113. 113.

     Williams A. Owens, Kenneth W. Dam & Herbert D. Lin, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 80 (2009), available online. ↩

114. 114.

     Roscini, supra note 65, at 169. ↩

115. 115.

     Id. ↩

116. 116.

     Id. ↩

117. 117.

     Borys, supra note 21. ↩

118. 118.

     Id. ↩

119. 119.

     Greenberg, supra note 1. ↩

120. 120.

     Id. ↩

121. 121.

     Id. ↩

122. 122.

     See Rome Statute, supra note 46, at Article 8(2)(b).

     ( Article 8(2)(a)(iv) explicitly requires violation of these principles by requiring that the destruction or appropriation of property is “not justified by military necessity” and “extensive and carried out wantonly,” while Article 8(2)(b)(ii) implicitly incorporates these IHL principles because the war crime must constitute a “serious violation of the laws and customs applicable in international armed conflict, within the established framework of international law”).

     Elements of Crimes, supra note 90, at 15, 18. ↩

123. 123.

     Ambos, supra note 54, at 134. ↩

124. 124.

     Additional Protocol I, supra note 94; see also Tallinn Manual, supra note 60, at 130

     (“Cyber attacks that are not directed at a lawful target, and consequently are of a nature to strike lawful targets and civilian or civilian objects without distinction, are prohibited.”). ↩

125. 125.

     See Perloff-Giles, supra note 4, at 203–04.

     (Interestingly, the Stuxnet worm that hit Natanz nuclear enrichment facility in Iran is often looked at by scholars as the paradigmatic example of a cyber attack that could rise to the level of an armed attack, and thus fall under the dictates of IHL. However, Stuxnet was specifically designed to only cause damage to its intended target. NotPetya’s indiscriminate nature is therefore a compelling reason for the Court to show that it will prosecute those who employ cyber attacks that do not at least attempt, as the Stuxnet creators did, to abide by the conventional norms of international conflict). ↩

126. 126.

     Greenberg, supra note 1

     (“ ‘Anyone who thinks this was accidental is engaged in wishful thinking,’ [Cisco’s Craig] Williams says. ‘This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.’ ”). ↩

127. 127.

     See Rome Statute, supra note 46, Art. 8(2)(b)(xx).

     (It should be noted that there is a war crime under Article 8 that specifically criminalizes “[e]mploying weapons, projectiles and material and methods of warfare which are of a nature to cause superfluous injury or unnecessary suffering or which are inherently indiscriminate in violation of the international law of armed conflict.” Because NotPetya could be considered “inherently indiscriminate,” this provision would theoretically be the easiest way of proving NotPetya to be a war crime. However, this war crime is subject to the condition that, “such weapons, projectiles, and material of method of warfare are subject to a comprehensive prohibition and are included in an annex to this Statute.” No such list has yet been included as an annex to the Rome Statute, and thus this crime cannot be used at this point in time). ↩

128. 128.

     Markus Benzing, The Complementarity Regime of the International Criminal Court: International Criminal Justice between State Sovereignty and the Fight Against Impunity, in 7 Max Planck Yearbook of the United National Law 591, 592 (Armin von Bogdandy & Rüdiger Wolfrum eds., 2003), available online. ↩

129. 129.

     Rome Statute, supra note 46, Arts. 17(1)(a), 17(1)(d). ↩

130. 130.

     Id. Art. 17(a)(1). ↩

131. 131.

     Rod Rastan, What is a ‘Case’ for the Purpose of the Rome Statute?, 19 Crim. L. Forum 435, 436 (Oct. 15, 2008), available online, doi. ↩

132. 132.

     Id. at 437. ↩

133. 133.

     U.S. Indictment, supra note 82, ¶ 80. ↩

134. 134.

     Id. ¶ 82. ↩

135. 135.

     Id. ¶¶ 79–82. ↩

136. 136.

     It should be noted that the United States has its own war crime statute, 18 U.S.C. § 2441, which it chose not to prosecute the GRU members with. The fact that the United States had the capability to hold these members accountable for the much graver charge of a war crime, but chose instead to go with simple fraud charges, shows that this is not an adequate basis for a finding of complementarity. ↩

137. 137.

     Ignaz Stegmiller, The Pre-Investigation Stage of the ICC: Criteria for Situation Selection 316 (2011), paywall. ↩

138. 138.

     Roscini, supra note 70, at n.33. ↩

139. 139.

     Id. at 260–68. ↩

140. 140.

     Margaret M. deGuzman, Gravity and the Legitimacy of the International Criminal Court, 32 Fordham Int’l L.J. 1400, 1452 (2008), available online. ↩

141. 141.

     Roscini, supra note 70, at 260–61. ↩

142. 142.

     Greenberg, supra note 1. ↩

143. 143.

     Roscini, supra note 70, at 267. ↩

144. 144.

     Id. at 265. ↩

145. 145.

     Dan Goodin, Backdoor Built in to Widely Used Tax App Seeded Last Week’s NotPetya Outbreak, Ars Technica, Jul. 5, 2017, available online

     (reporting that a senior malware researcher for ESET explained their analysis supported the fact that NotPetya was “a thoroughly well-planned and well-executed operation”). ↩

146. 146.

     Roscini, supra note 70, at 269–70

     (“The result is that, in practice, legal gravity should essentially preclude investigation and prosecution only of small scale isolated war crimes […] Only an isolated cyber attack against protected persons or objects in the context of and associated with an armed conflict which results in negligible damage and little impact, therefore, would not cross the legal gravity threshold.”). ↩

147. 147.

     Id. at 270. ↩

148. 148.

     Id. at 271

     (“[I]t is not to be excluded that the Prosecutor might decide to select certain situations and cases involving the commission, instigation or facilitation of international crimes through cyber conduct because of their impact or to deter them in the future, even if they resulted in a lower number of victims that in other cases.”). ↩

149. 149.

     White House Press Release, supra note 78. ↩