I. Expanding the Definition of Territory

This part will first begin with the traditional international understanding of the crime of aggression, starting with the 1974 General Assembly (G.A.) Resolution, which even though it is rarely applied now in determining if a State reaches the requisite level of aggression, can still be a great starting point for redefining the crime of aggression.9 Then I explore and expand on the current Special Working Group on the Crime of Aggression (SWGCA) definition of territory and point out how the unclear of definition creates jurisdictional issues for the application of the Rome Statute. I then turn to case studies of previous cyber attacks and crimes, such as those in Estonia, Georgia, and the United States and try to apply an expanded definition of territory to see if then the crime of aggression can apply.

A. The 1974 G.A. Resolution

The current norm of international law forbids the “threat or use of force against the territorial integrity […] of any state” without Security Council determinations or in cases of self-defense.10 The 1974 G.A. Resolution tried to clarify the act of aggression mentioned in Article 39 of the U.N. Charter.11 The Resolution defined it as:

The use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other matter inconsistent with the Charter of the United Nations, as set out in this Definition.12

In this definition, it highlights a conventional State-centric approach to the crime of aggression, as it has to be the use of traditional armed force against another State. It is also important to note that both sovereignty and territorial integrity would be readily understood as physical territory and control and would certainly not extend to cyberspace. Furthermore, other acts of aggression, such as economic coercion, are generally not included in this definition, as it appears that the Security Council is only concerned with armed aggression.13 This issue was prominently raised during the 1973 oil crisis, where Arab OPEC states embargoed oil and created inflationary effects, in addition to higher prices of oil.14 Even with this important loophole, the 1974 G.A. Resolution still stands as the foundation for the international norm of what constitutes an act of aggression. However, as seen since the Nuremberg Trials, no one has been prosecuted of the crime of aggression.15

B. Overview of the SWGCA Definition of the Crime of Aggression

The SWGCA definition is rich with the use of the word territory and borrows heavily from the previous definition from the 1974 G.A. Resolution.16 Article 8 bis(1) defines the crime of aggression as:

The planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.17

The key part of the definition which makes it differ from the 1974 G.A. Resolution is the inclusion of this “leadership clause.”18 This leadership clause is intended to connect the State armed force act of aggression with the individual in control of the act. A normative reading of the leadership clause would therefore severely limit the prosecution of cyber crimes. Most cyber crimes, like all crimes, are generally committed by individuals with little connection to the political or military actions of a state.19 However, it is possible to interpret this leadership clause in a unique way. Since it states if a person can exercise control over the actions of a State, it could mean that if a hacker was able to control the nuclear arsenal of another country and launch a barrage of missiles, this should equate to “effective control.” If “position” or “control” is interpreted broadly, it can be interpreted as anyone who is able to access the same resources as a high-ranking military or political official of the State. However, how would this apply to something like a DDoS attack? If the cyber attack was simply to deny access to a military command server or prevent nuclear missiles from being launched, it could also be argued that this is also exercising control over hard power assets of a State, although this is certainly a more tenuous example. This can be seen recently in the 2008 Russo-Georgian War, where cyber attacks coincided with conventional warfare.20 This cyber campaign, which still remains ambiguous in terms of attributability, launched coordinated DDoS attacks brought down over fifty Georgian government, financial, and news websites.21 Since the attacks prevented the Georgian government from communicating with their own people and the international community and hindered financial transactions, it allowed the Russian government to “shape their own narrative in the early days of the conflict.”22 The individuals or parties that launched these cyber attacks certainly controlled the political action of a State by removing the Georgian government’s ability to function as a State. Though the DDoS attacks did not target the military installations or servers of the Georgian government, if they did, then certainly such a DDoS attack that crippled the ability for the Georgian military to respond to Russian conventional force could certainly rise to a crime of aggression.

If an act can meet the threshold of the leadership clause in the crime of aggression, then one would look towards Article 8 bis(2) to see the types of acts of aggression that would qualify.23 This is where it gets tricky, as the various qualifying definitions refer to traditional norms of territory. For example, it refers to the “blockade of the ports or coasts of a State,” “bombardment by the armed forces of a State against the territory of another State,” and “invasion, military occupation, or any annexation by the armed forces of a State of the territory of another State.”24 These references to territory in the examples that are given clearly apply a geospatial view of territory and confine it to a physical area. It is hard to imagine the military occupation, bombardment, or blockade of the cyberspace of another State. However, cyber attacks are not limited to specific physical spaces and can easily transcend oceans. In the aforementioned Russo-Georgian War, the attacks on Georgian government servers were so damaging that they had to move the servers to the United States, in an attempt to protect Georgian internet sites.25 However, it was to no avail, and the U.S. suffered collateral damage.26 So for an attack that is being performed on a Georgian website which is physically located in the United States, whose territory is it actually in? It is physically in the United States, but it is an attack on the Georgian cyberspace. The ability for a cyber attack to be launched from anywhere, as long as there is internet access, therefore transcends traditional conceptions of physical territoriality, and this limitation must be broken down for cyber crimes to be prosecuted under the crime of aggression.

Thus, there are substantial complications for the prosecution of cyber crimes. The ICC is able to assert its jurisdiction when either the aggressor or victim are State Parties to the amendment on the crime of aggression.27 Although delegates to the 2009 SWGCA disagreed, the prevailing view is that it does not matter if one party isn’t a party, just as long as either the victim or the aggressor is a State Party to the crime of aggression provision.28 Nevertheless, imagine the following scenario: Party A is a non-party and performs a cyber attack that rises to the level of the crime of aggression on Party B, who is a State Party to the crime of aggression. If this was done through traditional means of hard power, like a naval invasion or armed forces, this would be a clear-cut case for the ICC to exert jurisdiction and prosecution of the crime of aggression. However, if Party B’s computer servers, which were the targets of the cyber attack, are physically located in Party C’s land, which is not a State Party to the crime of aggression, there might be jurisdictional issues. From only a physical and geographic perspective, it has just been two Parties that have not accepted the crime of aggression, where the ICC will not have any jurisdiction. However, by applying an expanded understanding or definition of territory to include this virtual realm, the ICC can therefore exert jurisdiction as long as the definition of territory is expanded to include the cyberspace of a signatory party to the crime of aggression.

The SWGCA has noted this particularity, through discussions of conduct “encompasses both the conduct in question and its consequence.”29 This issue of concurrent jurisdiction where an act might occur in one State, but the consequences are felt in another, however, is not really discussed or imagined in the context of cyberspace, and certainly is not explicitly delineated in the examples of the crime of aggression. The application of concurrent jurisdiction is useful in guiding an expanded definition on the traditional norm of territoriality. By focusing on the intended consequence rather than the acts of aggression onto the physical confines onto another State, cyber attacks can easily fall under the crime of aggression, and thus be within the purview of the ICC. This solves any jurisdictional issues that normative definitions of territory would create and allows for the expansion of jurisdiction into future crimes that can easily transcend physical borders just like how cyber attacks can.

C. Case Studies of Cyber Attacks

1. Estonia

In 2007, Estonia was the target of a series of cyber attacks and crimes that were committed on numerous Estonian government, finance, and news websites, that stemmed from the relocation of a Soviet statue in Tallinn.30 These attacks were largely DDoS attacks. Since the attack, only one person has been convicted of being involved in this cyber attack. It was only possible because it was a student who carried out the attack while in Estonia, so enough evidence was able to be gathered against him.31 Other than that, it has been extremely difficult to prosecute anybody else, especially since most of the attackers were within the jurisdiction of the Russian Federation.32

Now that the foundational basis for the attacks is set, do these attacks rise to the level of the crime of aggression? The crime of aggression necessarily requires the crime, by its character, gravity and scale, to constitute a manifest violation of the U.N. Charter. Assuming the territoriality requirement can be met given the previous discussion, which would make a Russian hacker, while in Russia, liable for the crimes committed in Estonian cyberspace, the only question then becomes if this cyber attack amounts to an act of aggression. Does taking over government websites, the banking systems of a state, as well as numerous national news organizations constitute “invasion, annexation, military occupation,” or any of the other currently defined acts of aggression? The current consensus seems to be that it does not, but maybe it should be looked into further. The damage to Estonia’s economy was relatively limited given that they are not as connected to cyber networks compared to other countries, like the United States.33 There was no actual military intervention or follow up attack by hard power assets, and to this date, the Russian government has denied any direct involvement in the Estonian cyber attacks. Given this attributability issue, as well as the unclarity of what constitutes an aggressive act in the context of cyber crime, it would certainly be difficult for the ICC to assert its jurisdiction for this case in Estonia. Shortly after the attacks were committed, NATO set up a Cooperative Cyber Defense Centre to study what a theoretical military response to a cyber attack could constitute, which eventually led to the publication of the Tallinn Manual.

The Tallinn Manual defines numerous cases where a cyber crime would not constitute a crime of aggression, for example computer espionage, as espionage itself does not amount to a crime of aggression so cyber-based espionage shouldn’t.34 The Tallin Manual’s eight characteristics of cyber operations could be a good starting point of defining where the gravity level of the crime of aggression is reached, especially looking into the severity of the cyber operation as the key indication of aggression.35 However, this is beyond the scope of this comment, as I am more focused on the territoriality aspect of the crime of aggression in a cyber context.

2. Georgia

During the Russo-Georgian War in 2008, numerous cyber attacks disabled Georgian websites, similar to what happened in Estonia. As most of the details have already been hashed out earlier in this comment, I will not repeat them. The most important thing to note, however, is that these cyber attacks coincided with a ground military operation. So, this differs from the Estonia example in that the gravity of the situation is much larger. Similar to the Estonia attack, Georgian government, financial, and news sites were all taken down through DDoS attacks. Thus, the same question if this gravity rises to the scale where it constitutes a manifest violation of the U.N. Charter still exist. Codification of what kind of cyber attacks or crimes that rise above this de minimis threshold would be helpful for the international community in prosecuting cyber crimes. Examples of cyber crimes which could meet this threshold would be a hacker that obtains the nuclear arsenal of a state, cripples a nation’s infrastructure, or is able to obtain military command of significant importance.

Both of these cyber attacks in Georgia and Estonia have not met this arbitrary threshold, but both cases are instances whereby applying an intended consequence standard, at the very least the territoriality requirement is met. In both cases, the victim’s cyberspace is the intended target, so regardless of where the attacker is located, as long as the expanded definition of territoriality is applied to the cyberspace, then ICC jurisdiction can be applied.

3. United States

The United States, while often a victim of cyber attacks conducted by North Korea, Russia, or China, also conducts its own cyber operations.36 One of the most notable operations, but still unacknowledged, is Operation Olympic Games.37 Operation Olympic Games utilized “Stuxnet”, a computer worm, to wreak havoc on Iranian centrifuges that were used to enrich uranium, as part of an overall strategy to cripple the Iranian nuclear program.38 This cyber attack was viewed as one of the first to “effect physical destruction” rather than just stealing or impeding data from a computer.39 Stuxnet would collect information on the Iranian centrifuges, and then literally cause them to spin itself to explosion.40 This certainly could qualify as an act of aggression, as this cyber attack caused physical destruction to Iranian nuclear facilities, and violated territorial integrity, which would be in violation of the U.N. Charter. Although Stuxnet was well programmed to the extent that it would only damage the centrifuges even if this malware were to make it onto other computers, the U.N. Security Council certainly did not authorize this sort of an attack on the Iranian facilities. Stuxnet is a concrete example of a cyber attack that should meet the prima facie case of the crime of aggression. This was a clear violation of Iranian sovereignty, which the United States would argue that this was necessary for self-defense, although it would certainly fail the U.N. definition for self-defense.41 Moreover, even if the ICC can hear the subject matter since it is a crime of aggression, it will be all for naught since both parties have not ratified the Kampala amendment. Nevertheless, Stuxnet is a prime example of a potential crime of aggression, due to its capabilities in crippling an entire nation’s military structure; it was just that the United States (and Israel) only targeted the Iranian nuclear program.

The United States should pave the way and create conventions on cyberwarfare, similar to those of the multilateral conventions on nuclear weapons or nuclear safety. While it may seem hypocritical at first, given the prolificity of Stuxnet, now is a better time than any to attempt to codify the limitations on cyber warfare. Nuclear weapons were, and still are, limited to copious amounts of research and technologies that can take decades to develop. Cyber warfare, on the other hand, can easily be performed by non-state actors with limited budgets, so enacting an international treaty regarding the use of cyber tools would pave the way to a safter future.

II. Obligation of States Parties to the Rome Statute in Cyberspace

This part will detail the necessity of obligations that State Parties should have in cyberspace. Not all obligations will be covered, but just those of a general duty of prevention that arise under Article 2(7) of the U.N. Charter as well as dealing with the general attributability issue of cyber crimes.

A. Duty of Prevention

Article 2(7) of the U.N. Charter states:

Nothing contained in the present Charter shall authorize the United Nations to intervene in matters which are essentially within the domestic jurisdiction of any state or shall require the Members to submit such matters to settlement under the present Charter.42

This follows upon the traditional norms of territorial sovereignty, where each State respects the territorial sovereignty of other States.43 With this understanding and applying it to the cyber realm, each State has their own sovereignty of how to manage their own cyberspace. And just like how States are not allowed to use their territories as staging grounds for land invasions that amount to acts of aggression, neither should States be allowed to turn a blind eye to cyber crimes of the nature that could amount to acts of aggression. So, while this duty might not be to actively seek out hackers and bad actors in the cyber realm, it should certainly mean prosecuting individuals responsible for grave cyber crimes as well as cooperation with victimized States or individuals that were severely harmed by aggressive cyber conduct.

A State might argue that they had no knowledge of malicious cyber conduct that arose from within their territory. However, if enough evidence can link it to infrastructure or servers that originate from State-led or State-funded organizations, it should then be on that State to rebut the presumption that they should have at the very least known that such a cyber attack is originating from within. By making the normative duty of prevention also applicable to cyber crimes, it creates a stronger international regime in which to handle cyberspace.44

Similar to the duty of prevention there is also the norm of the responsibility to protect.45 After the Rwandan Genocide and the Yugoslav Wars, there was a clear problem in which the international community did not step up to the plate and protect other fellow members of human rights violations.46 This culminated in the 2005 World Summit, where many Heads of State and Government created the “Responsibility to Protect” principle which protected their “own populations from genocide, war crimes, ethnic cleansing and crimes against humanity” while also recognizing the concerted need to group responsibility to uphold these values of human rights.47 While cyber crimes, or even crimes of aggression, for that matter, are not mentioned in the Responsibility to Protect doctrine, it could be possible that States apply a similar version of R2P to cyber issues.48 An interesting point is that it has been suggested that even the victim State has a responsibility of certain actions, like disclosing that an attack even occurred or that the State should engage in future plans and rehabilitation to ensure that such an attack would be mitigated or eliminated in the future.49 Furthermore, due to the connectivity of cyberspace, an attack on one State could easily have repercussions in another, which requires that cybersecurity efforts would require cooperation between foreign governments, implicating the need for robust prosecution or extradition agreements. At the very least, such international cyber regulation should exist in that States should cooperate and provide each other with appropriate assistance in response to a cyber attack, most especially in evidence gathering.50

B. Attributability Issue of Cyber Crimes

Given the inherent nature of cyber attacks, it is extremely difficult to properly attribute a cyberattack.51 While it might be possible to trace it back to a server in a state, “conclusively ascertaining the identity of the attacked requires a time-consuming investigation with assistance from the state of origin.”52 Given the previous examples of the cyber attacks in Georgia and Estonia, where Russia has basically been completely noncooperative in assisting any investigations as to the source of the cyberattacks. Similarly, the most serious cyber attack to occur on the U.S. military, the 2008 cyber attack, caused the Pentagon to spend more than a year in cleaning up their computer infrastructure.53 Even though it was suspected to be guided by Russian intelligence servers or state-sponsored hackers, there has been no prosecution or investigations into this matter by the Russian government.54 With little deterrence possible, there really is not much stopping countries that have high tolerance for political or diplomatic risk to engage in these covert cyber operations on a continuous basis. Does gaining access to every military computer constitute a crime of aggression? What if the hackers were also able to shut down over computer at their own leisure? So, while the issue with finding jurisdiction through territoriality has might be solved by applying the consequence principle, it only further opens up another problem in which the international community must define what sort of cyber crimes reach the threshold of aggression. Once that is defined, however, there must be models in place to accurately and effectively prosecute individuals who commit cyber crimes that rise to that threshold, otherwise this would just be another piece of ineffective international legislation.

The ease of an individual to slip through the cracks and evade prosecution is just another inherent issue when dealing with cyber crimes. The international community must be willing to adapt its norms to fit growing technological concerns of the future. Nevertheless, there is still a lot of work to be done, especially given the limited jurisdictional scope of the crime of aggression. There are currently only forty-one states that have ratified to the amendments on the crime of aggression, which severely limits the jurisdictions in which the ICC can prosecute the crime of aggression, let alone even worry about exactly whom to prosecute.55 So, while it could be relevant for a case on hand to be able to properly attribute the source of a cyber hacker, it may be more useful for the ICC to broaden its jurisdiction first, by getting as many signatories to the Kampala amendments before tackling cyber crimes. Most of the countries that are currently acceded to these amendments are not large players in the cyber arena, which means that it still becomes a rather futile exercise due to the limited scope of jurisdiction.

III. Current Application of Territory in Cyber Crimes

Given that prosecution of cyber crimes is still a newer legal area, I look at how current domestic laws are applied to cyber crimes and see if that could be applied on an international scale. Furthermore, I explore if any jurisdictional issues are raised out of the oddity of territoriality in cyberspace.

A. United States

The United States has a traditional legal norm of not having extraterritorial application to its laws, but the prosecution may overcome this presumption by showing “clear evidence of congressional intent to apply a statute beyond our borders.”56 In response to the September 11 attacks, Congress passed the Patriot Act, which explicitly provides for extraterritorial jurisdiction in specific cases.57 For example, amendments to 18 U.S.C. § 1029 added language where:

Any person who, outside the jurisdiction of the United States […] shall be subject to fines, penalties, imprisonment if (1) the offense involves an access device […] owned by a financial institution, account issuer, credit card member, or other entity within the jurisdiction of the United States; and (2) the person transports, delivers, conveys […] within the jurisdiction of the United States, any article used to assist in the commission of the offense or the proceeds of such offense or property derived therefrom.58

There were other amendments that included:

[A computer that is] used in interstate or foreign commerce, including a computer located outside the United States that is used in a manner that affects […] commerce or communication of the United States.59

Through these amendments, the United States is able to effectively prosecute cyber crimes that might originate from other locations but that have direct effect on the commerce or communications of the United States. Inclusion of language or interpretations that are based on the intended or actual effects on the United States, similar to the consequences standard, also enable the United States to effectively prosecute extraterritorial crimes.60 Going back to the earlier Russo-Georgia cyber attack example, even though the cyber attacks were targeting Georgia cyberspace, the United States might able to assert its own domestic jurisdiction given that U.S. servers were part of the collateral damage.

Of course, issues may arise where the Georgian government might want to assert their own jurisdiction given the damage to their own cyberspace. Robust extradition agreements or other prosecution agreements, as mentioned before, would remedy this situation, but it is not always easy to have those in place. Even so, even if the Georgian government were to cede jurisdiction, there is still the problem of obtaining enough evidence against the hackers to begin with, which would be nigh impossible without cooperation from the Russian government. Thus, issues for prosecuting cyber crimes exist far beyond just meeting territoriality or jurisdictional requirements, given the relative difficulty it can be to pinpoint exact individuals without international cooperation.

B. China

China has adopted many relevant laws and rules in order to facilitate the prosecution of cyber crimes.61 China has adopted rules to clarify the “situs of a crime”, including:

[T]he location of a web server, location where the network is connected, the location of the website builder or administrator, the location of the infiltrated computer system or its administrator, the location where the computer system is used by the criminal suspect, the location of the victim, and the location of the property loss.62

All of these clarifications of the situs of a crime is well-encompassing and allows China to exert its domestic jurisdiction regardless of where the crime is originated from (either within or China or not) as well as the location of the victim (most likely in China). This robust regime, however, still faces the same issues not with jurisdiction, but rather through the “difficulty of attribution and identification of criminal suspects” due to the inherent nature of cybercrime.63 The use of proxy services, encryption, and VPNs make it increasingly difficult for law enforcement to root out cyber crime offenders.64 Another key issue is the relative lack of international cooperation, given the need to collect trans-border evidence. Due to current inefficiencies either through different legal systems or relative lack of cybersecurity resources, it is difficult to obtain key evidences that are located outside the domestic jurisdiction of China.65

China, like the United States, has largely solved the jurisdictional issue in the area of cyber crimes by allowing the prosecution to enter through any crack, as long as it is somehow tangentially related to the domestic situs of China. However, there are still similar issues in international cooperation to obtain evidence beyond domestic jurisdictions, as well as the attributability issue of cyber crimes. To create a better international regime for cyber crimes, unity towards international cooperation is a must.

IV. Conclusion

Territorial sovereignty has been a recurring norm that has been the fundamental basis of understanding how States interact with each other. As technology continues to further evolve, however, cyber attacks will only become more prevalent. The nature of cyber attacks, which allows for devastating acts by non-State actors and State actors alike, at little physical cost, impugns upon any traditional concepts of warfare, territoriality, and international relations. By creating a broader framework around territoriality to encompass an understanding that the intended consequence is what matters rather than just a physical definition of territory, the ICC could be well equipped in asserting its jurisdiction of the crime of aggression to the cyber realm. While there are limitations due to the ICC only having jurisdiction over States that have ratified the aggression amendments, this is a step forward in this march of progress for a better international legal system in dealing with cyber crimes. It should not be difficult for the ICC to broaden this definition of territory, especially given its role as a court of last resort. The Court should be equipped with all legal weapons it can to remain relevant as the world adapts to an online age. This principle can be extended to crimes that are well beyond the scope of cyber as well, and so the ICC should maintain a fluid stance with its definitions, enabling it to adapt to new norms and changes in the world.

If the norm of territory cannot be molded to fit for cyber crimes, the ICC can look towards other defined crimes to use as a jurisdictional basis. An example could be through Article Eight on war crimes, through the intentional targeting of the civilization population and civilian objects, the incidental loss of life or injury to civilians (e.g., hacking a hospital system or a power grid could certainly have devastating effects to the civilian population), or even through pillaging, as often cyber crimes are committed with pecuniary intent. If the ICC lacks the jurisdictional capabilities of the crimes outlined in the Rome Statute, the other obvious solution is for States themselves to exercise their own territorial jurisdiction to enforce their own domestic laws. However, this becomes impossible if these were State-sponsored cyber attacks, and the ICC, as the court of last resort, should attempt to assert its own jurisdiction in handling these cases. As the threat of an all-out cyber war looms, the international community must be readily equipped to deal with the fallout.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   See Tuomas Forsberg, Explaining Territorial Disputes: From Power Politics to Normative Reasons, 33 J. Peace Research 433 (Nov. 1996), paywall, doi

   (analyzing territorial disputes not through a “power-political perspective”, but rather a normative one, due to the strong norm of territorial status quo). ↩

2. 2.

   Id. at 443. ↩

3. 3.

   See generally Analytic Exchange Program, Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar (Sep. 17, 2019), available online

   (warning of the blurred trend between traditional state spying and non-state hackers due to the proliferation of “sophisticated cyber capabilities”). ↩

4. 4.

   Id. at 21. ↩

5. 5.

   See Christopher Greenwood, New World Order or Old? The Invasion of Kuwait and the Rule of Law, 55 Modern L. Rev. 153 (Mar. 1992), available online

   (detailing the decisive action that the international community took against the Invasion of Kuwait). ↩

6. 6.

   See generally Jennifer Daskal, The Un-Territoriality of Data, 125 Yale L.J. 326, 389-97 (2015), available online

   (addressing the challenges given the unique status of data and dismisses a unilateral law enforcement approach of compelling data regardless of sovereign interests). ↩

7. 7.

   Understanding Denial-of-Service Attacks, CISA, available online (last visited Feb. 25, 2022). ↩

8. 8.

   Id. ↩

9. 9.

   Elizabeth Wilmshurst, Definition of Aggression, UN Audiovisual Lib. of Int’l L. (Aug. 2008), available online

   (providing an overview of the 1974 G.A. resolution, noting that it serves as more of a tool for dealing with “aggression by States not individual actors” and that it’s for the “Security Council rather than for judicial use”). ↩

10. 10.

    United Nations Charter, Art. 2 ¶ 2 [hereinafter U.N. Charter], available online; see also id. Arts. 39, 51. ↩

11. 11.

    Definition of Aggression, G.A. Res. 3314 (XXIX), A/RES/3314 (Dec. 14, 1974), available online. ↩

12. 12.

    Id. Article 1. ↩

13. 13.

    Julius Stone, Holes and Loopholes in the 1974 Definition of Aggression, 71 Am. J. Int’l L. 224, 230 (Apr. 1977), paywall. ↩

14. 14.

    Id.; see also Michael Corbett, Oil Shock of 1973-1974, Fed. Res. Hist. (Nov. 22, 2013), available online

    (describing the macroeconomic implications of the 1973 oil embargo by Arab producers of oil). ↩

15. 15.

    Anouk T. Boas, The Definition of the Crime of Aggression and its Relevance for Contemporary Armed Conflict, Int’l Crimes Database 4 (Jun. 2013), available online. ↩

16. 16.

    See Assembly of State Parties, Report of the Special Working Group on the Crime of Aggression, ICC-ASP /7/20/Add.1 (May 2009) [hereinafter SWGCA 2009 Report], available online. ↩

17. 17.

    Id. at 30. ↩

18. 18.

    See, e.g., Kevin Jon Heller, Retreat From Nuremberg: The Leadership Requirement in the Crime of Aggression, 18 EJIL 477, 478 (Jun. 1, 2007), available online, doi. ↩

19. 19.

    See, e.g., Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 834 (Aug. 2012), available online. ↩

20. 20.

    See generally Sarah White, Understanding Cyberwarfare: Lessons from the Russian-Georgian War, Modern War Inst. 1 (Mar. 20, 2018), available online

    (describing Russia’s use of a cyber campaign, specifically DDoS attacks, to undermine the Georgian government as well as Georgian internet). ↩

21. 21.

    Id. at 1-7. ↩

22. 22.

    Id. at 2. ↩

23. 23.

    Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis(2), available online. ↩

24. 24.

    Id. ↩

25. 25.

    Stephen W. Korns & Joshua E. Kastenberg, Georgia’s Cyber Left Hook, U.S. Army (Apr. 7, 2009), available online. ↩

26. 26.

    Id. ↩

27. 27.

    SWGCA 2009 Report, supra note 16, at 35. ↩

28. 28.

    Id. at 33-34. ↩

29. 29.

    Id. at 27. ↩

30. 30.

    Rain Ottis, Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective, CCDCOE (Mar. 2, 2008), available online. ↩

31. 31.

    Id. at 2. ↩

32. 32.

    Id. at 3. ↩

33. 33.

    Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield, 9 Duke L. & Tech. Rev. 1, 5 (2010), available online; See also Marching Off to Cyberwar, The Economist (Dec. 6, 2008), available online

    (noting that some definitions of a cyberwar or a serious cyber attack must coincide with physical military operations and that it is now imperative for the international community to properly define the “use of force” in a cyber context). ↩

34. 34.

    Rafaela Miranda, Cyber Warfare in the Context of International Criminal Law, 17 (Universidade Católica Portuguesa Master’s Dissertation, 2016), available online. ↩

35. 35.

    Id. ↩

36. 36.

    Michael West, Putting the Seals Back onto Pandora’s Box: The Iran Nuclear Question and Public International Law, Tentative Grounds for Operation Olympic Games (Jul. 15, 2016), paywall. ↩

37. 37.

    Id. ↩

38. 38.

    Ernesto J. Sanchez, Operation Olympic Games—A Legal Setback and a Strategic Opportunity, Lawfare (Sep. 6, 2012), available online. ↩

39. 39.

    Id.

    (quoting NSA and CIA director Michael Hayden). ↩

40. 40.

    Id. ↩

41. 41.

    See, e.g., U.N. Charter, Art. 51, available online

    (“Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.”). ↩

42. 42.

    U.N. Charter, Art. 2 ¶ 7, available online. ↩

43. 43.

    See Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States), Judgment, 1986 I.C.J. Rep. 14 ¶ 202 (Jun. 27, 1986), available online

    (observing that “between independent States, respect for territorial sovereignty is an essential foundation of international relations” and that the principle of non-intervention prevails). ↩

44. 44.

    See also The Role of Cybercrime Law, UNODC, available online (last visited Feb. 25, 2022)

    (noting the utility of preventive law in the risk mitigation of cyber crimes, through both data protection laws and cybersecurity laws). ↩

45. 45.

    Responsibility to Protect, OGPRtoP, available online (last visited Feb. 25, 2022)

    (outlining the responsibility to protect and specifically delineate Member States’ obligations to international humanitarian and human rights law, especially about genocide, war crimes, ethnic cleansing, and crimes against humanity). ↩

46. 46.

    Id. ↩

47. 47.

    Id. ↩

48. 48.

    Oren Gross, Cyber Responsibility to Protect: Legal Obligations of States Directly Affected by Cyber-Incidents, 48 Cornell Int’l L.J. 481, 483-484 (2015), available online

    (suggesting that imposing responsibilities and obligation for the Victim State can also be necessary for a stronger legal regime). ↩

49. 49.

    Id. at 510. ↩

50. 50.

    See, e.g., Security Council Resolution 1373, S/Res/1373 (Sep. 28, 2001), available online

    (providing that “States shall afford one another the greatest measure of assistance in connection with criminal investigations or proceedings”). ↩

51. 51.

    Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent, 201 Mil. L. Rev. 1, 2 (2009), available online. ↩

52. 52.

    Id. ↩

53. 53.

    Phil Stewart, Spies Behind 2008 Cyber Attack, U.S. Official Says, Reuters, Aug. 25, 2010, available online. ↩

54. 54.

    Id. ↩

55. 55.

    Status of Amendments on the Crime of Aggression to the Rome Statute, UNTC, available online (last visited Feb. 25, 2022). ↩

56. 56.

    See United States of America v. James Milton Cotton and William Lowell Roberts, 471 F.2d 744, 750 (9th Cir. 1973), available online; see also United States of America v. Milton Gatlin, 216 F.3d 207, 211 (2d Cir. 2000), available online. ↩

57. 57.

    U.S. Dept. of Just., Prosecuting Computer Crimes 115 (Oct. 6, 2010), available online. ↩

58. 58.

    18 U.S.C. §1029(h), available online. ↩

59. 59.

    18 U.S.C. §1030(e)(2)(B), available online. ↩

60. 60.

    See, e.g. United States of America v. Michael Muench, Michelle Lewis, and Albert Foreman, 694 F.2d 28, 33 (2d Cir. 1982), available online

    (holding that “the intent to cause effects within the United States […] makes it reasonable to apply to persons outside United States territory a statute which is not extraterritorial in scope”). ↩

61. 61.

    Comments of China, UNODC 1, 2 (Aug. 22, 2016), available online. ↩

62. 62.

    Id. ↩

63. 63.

    Id. at 3. ↩

64. 64.

    Id. ↩

65. 65.

    Id. ↩