1. For the purpose of this Statute, “crime of aggression” means the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.

2. For the purpose of paragraph 1, “act of aggression” means the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations. Any of the following acts, regardless of a declaration of war, shall, in accordance with United Nations General Assembly resolution 3314 (XXIX) of 14 December 1974, qualify as an act of aggression:

   1. The invasion or attack by the armed forces of a State of the territory of another State, or any military occupation, however temporary, resulting from such invasion or attack, or any annexation by the use of force of the territory of another State or part thereof;

   2. Bombardment by the armed forces of a State against the territory of another State or the use of any weapons by a State against the territory of another State;

   3. The blockade of the ports or coasts of a State by the armed forces of another State;

   4. An attack by the armed forces of a State on the land, sea or air forces, or marine and air fleets of another State;

   5. The use of armed forces of one State which are within the territory of another State with the agreement of the receiving State, in contravention of the conditions provided for in the agreement or any extension of their presence in such territory beyond the termination of the agreement;

   6. The action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State;

   7. The sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein.

On reading of the article above, it becomes very apparent that the attempts to read cyberwarfare within this specific framework is a far reaching ideal and not without its shortcomings. The argument that I would like to make in this comment is that as the Rome Statute stands today, attempts of incorporating and reading cyberwarfare into this limited legal framework is a fanciful idea for various reasons that I would be enumerating below.

The Problem of Accountability

Chain of Command

This discussion is in the context of Article 285 of the Rome Statute with a focus specific to military/superior commanders under whose command cyber attacks are conducted and cause violation of international humanitarian law. Article 28, entitled “Responsibility of commanders and other superiors,” reads as follows:

In addition to other grounds of criminal responsibility under this Statute for crimes within the jurisdiction of the Court:

1. A military commander or person effectively acting as a military commander shall be criminally responsible for crimes within the jurisdiction of the Court committed by forces under his or her effective command and control, or effective authority and control as the case may be, as a result of his or her failure to exercise control properly over such forces, where:

   1. That military commander or person either knew or, owing to the circumstances at the time, should have known that the forces were committing or about to commit such crimes; and

   2. That military commander or person failed to take all necessary and reasonable measures within his or her power to prevent or repress their commission or to submit the matter to the competent authorities for investigation and prosecution.

2. With respect to superior and subordinate relationships not described in paragraph (a), a superior shall be criminally responsible for crimes within the jurisdiction of the Court committed by subordinates under his or her effective authority and control, as a result of his or her failure to exercise control properly over such subordinates, where:

   1. The superior either knew, or consciously disregarded information which clearly indicated, that the subordinates were committing or about to commit such crimes;

   2. The crimes concerned activities that were within the effective responsibility and control of the superior; and

   3. The superior failed to take all necessary and reasonable measures within his or her power to prevent or repress their commission or to submit the matter to the competent authorities for investigation and prosecution.

Article 28 lays down two forms of command responsibility—active and passive i.e., responsibility for ordering crimes and responsibility for failure to punish or prevent crimes committed by subordinates respectively. Article 28 sets a higher threshold with respect to performance of duty of superiors as it criminalises inaction i.e., lack of supervision on part of the commander. The article makes a commander criminally liable for failing to prevent or punish crimes that are committed by his/her subordinates or for actions performed by persons who are under his/her command or authority. Thus, it prompts commanders to stay informed and apprised of the actions of their subordinates. The provision extends to both military and non-military superiors.

Command responsibility is triggered when cyber units are part of a nation’s army and form part of their operations. Outsourcing cyber operations to anonymous hackers can also trigger liability for command responsibility provided one can establish the link between the commander and the anonymous hackers.6 In theory, it sounds rather straightforward but practically, it would be hard to provide proof of such cyber operations and identify the brains and power behind the cyber attack. This is mostly due to the virtual and distributed nature of cyber operations that make it very hard to track down and identify the people responsible for a cyber attack. Jack Goldsmith in his article, How Cyber Changes the Laws of War summarizes the issue on the attribution problem of cyberwarfare very succinctly. He observes:

Even if we can determine with some certainty which computer in the world is behind an attack or exploitation, that fact alone does not indicate who, or even which country, is responsible for the aggression.7

The Trial Chamber of the International Criminal Court (ICC) in the case of The Prosecutor v. Jean-Pierre Bemba Gombo (Bemba Judgment), held with respect to Article 28 that:

171. […] Article 28 provides for a mode of liability, through which superiors may be held criminally responsible for crimes within the jurisdiction of the Court committed by his or her subordinates.

172. The Chamber considers that Article 28 is designed to reflect the responsibility of superiors by virtue of the powers of control they exercise over their subordinates. These responsibilities of control aim, inter alia, at ensuring the effective enforcement of fundamental principles of international humanitarian law, including the protection of protected persons and objects during armed conflict.8

The Appeal Chamber of the ICC overturned this decision of the Trial Chamber and held with respect to the theory of command responsibility that:

167. The scope of the duty to take ‘all necessary and reasonable measures’ is intrinsically connected to the extent of a commander’s material ability to prevent or repress the commission of crimes or to submit the matter to the competent authorities for investigation and prosecution. Indeed, a commander cannot be blamed for not having done something he or she had no power to do.

[…]

169. However, it is not the case that a commander must take each and every possible measure at his or her disposal. […] it is not the case that a commander is required to employ every single conceivable measure within his or her arsenal, irrespective of considerations of proportionality and feasibility. Article 28 only requires commanders to do what is necessary and reasonable under the circumstances.

170. In assessing reasonableness, the Court is required to consider other parameters, such as the operational realities on the ground at the time faced by the commander. Article 28 of the Statute is not a form of strict liability. Commanders are allowed to make a cost/benefit analysis when deciding which measures to take, bearing in mind their overall responsibility to prevent and repress crimes committed by their subordinates.9

This Bemba Judgment by the Appeal Chamber, in my opinion, has left open a floodgate of excuses for commanders to escape criminal culpability by taking advantage of the many vague, discretionary, and subjective factors that have been mentioned by the Court. How do you assess “operational realities” on the ground? or when do the “costs” of measures outweigh the “benefits” or what are the “parameters” to be considered, apart from the mentioned operational realities?

In the context of cyber attacks, the theory of command responsibility in practice is almost never going to secure any convictions because you cannot bestow criminal liability unless you can prove a nexus/link between the commander or his/her subordinates who were under his/her effective control and the offense committed. It is not a form of strict liability and owing to the nature of cyber attacks, it can be very hard to track down the source of the attack let alone the perpetrators behind it, making it almost impossible to establish a definite link and proving criminal liability on part of the commander for failing to anticipate and prevent such attacks.10

Establishing Mental Element

Article 30 of the Rome Statute11 prescribes the required mental element a perpetrator must have in order for him or her to be held criminally liable for crimes mentioned under Article 5 of the Rome Statute.12 Article 30 states:

1. Unless otherwise provided, a person shall be criminally responsible and liable for punishment for a crime within the jurisdiction of the Court only if the material elements are committed with intent and knowledge.

2. For the purposes of this article, a person has intent where:

   1. In relation to conduct, that person means to engage in the conduct;

   2. In relation to a consequence, that person means to cause that consequence or is aware that it will occur in the ordinary course of events.

3. For the purposes of this article, ‘knowledge’ means awareness that a circumstance exists or a consequence will occur in the ordinary course of events. ‘Know’ and ‘knowingly’ shall be construed accordingly.

From a reading of the article above, it can be construed that Article 30 only acknowledges direct intent and not indirect intent. What that means is that the perpetrator should have been aware that in the ordinary course of events, certain consequences “will” occur and not “may” or “could” occur, following his/her conduct. A person can only be convicted of a crime if they accept that they were aware of the risk of a particular consequence occurring following their actions. They need to be absolutely certain or it must be a practical or “virtual certainty” that their conduct would lead to certain consequences. This test of virtual certainty has been adopted from the case of Regina v. Woollin13 wherein the defendant out of frustration threw his three-moth old baby because he wouldn’t stop crying, causing the baby to die. The House of Lords in this case held that the original trial judge had enlarged the element for mens rea required for murder and blurred the lines between intention and recklessness by considering whether the defendant foresaw a “substantial risk”. The House of Lords affirmed the virtual certainty test introduced in the case of Regina v. Nedrick14 since recklessness is not sufficient to convict the defendant for a charge of murder. Thus, the threshold to prove mental element under Article 30 is very high. The ICC cannot hold a person criminally liable in cases where the perpetrator acted recklessly or negligently.

In the context of cyber crimes, this lacuna in Article 30 of not being inclusive of cases of recklessness, negligence and strict or absolute liability is a serious shortcoming. It appears that the issue of including recklessness and negligence was not highly considered because of the notion that such crimes are not severe enough. However, in the light of technological advances, unintended acts can have horrific consequences, necessitating acknowledgment of elements of negligence and recklessness in cyber space.15 The evolution and innovation in cyber technology has happened and continues to happen at a much rapid rate compared to changes that take place in the physical world, making cyber activities much more unpredictable and harder to anticipate. In the near future, there will be an increase in communication and integration between our everyday devices over virtual networks and as beneficial and efficient that may be, it can also prove to be very damaging if there was to be an infiltration via cyber weapons. Due to this inter-communication, the result of a cyber attack could be catastrophic because the intended target owing to its communication with other devices may increase the range of the attack and cause unintended destruction.16

Moreover, with increased reliance on computer systems and online databases for storage of crucial information ranging from loan records to dental records to legal records and-the-like of every individual/citizen of a country makes it even more easier for any hacker or a state to plan cyber attacks and target an entire nation by accessing and misusing these records or by completely erasing them from their system. Additionally, just like corporations, artificial intelligence is also independent and cannot be held criminally liable. The programmer and operators that created that artificial intelligence cannot be blamed for it since they may not have created the AI for purposes of causing damage or destruction, but it did so anyway by misevaluating a situation.17

In all these cases enumerated above, it is very easy for a perpetrator to wiggle out of criminal responsibility and defend themselves by claiming that they did not mean to cause any damage and the consequences that occurred were just incidental and not intended and/or foreseeable. Without inclusion of recklessness or negligence under Article 30 in the Rome Statute, it would be impossible to hold anyone down for charges of cyber attack. Therefore, it is very important that we uphold and ensure a higher standard of conduct in the realm of international criminal law with respect to cyber crimes and adopt a less forgiving approach.18

Limited Jurisdiction

As we know, cyber offenses have not been formally recognised in the Rome Statute and even though there have been efforts to read cyber offenses in Article 8 bis of the Rome Statute, there has been no inclusion of a formal definition that would enable ICC to prosecute and thus, the ICC does not have any official subject-matter jurisdiction over cyber attacks. Moreover, Article 8 bis was incorporated in the Rome Statute pursuant to Kampala Conference in 2010 and since then only thirty-four States have ratified the Kampala Amendments.19 None of which are states that are equipped with advanced cyber technologies or capacities, rendering ICC no jurisdiction if there was an attack on the territory of or an attack by a state that could potentially cause a lot of damage and destruction.

Conclusion

There have been efforts made in the international realm to create some regulations to govern and prevent cyberwarfare. Despite the complexities and fundamental difficulties in defining cyber space and cyberwarfare, experts are optimistic and believe that this domain is not lawless and out of control but honestly, in my opinion, I fail to see the reasons for such optimism. International law in general is heavily based upon contractual or treaty obligations between parties which are not governed or monitored by any stringent policies. There is a lack of enforcement and investigative mechanisms and dependency on monetarily strong countries. If today, a party falters or withdraws its ratification, what recourse is available? The only incentivizing or motivating factors that countries have to keep up compliance with international obligations is to prevent criticism from both inside and outside state organisations and to maintain their international political relations that in turn benefit their national and economic interests. Some may argue that this is reason enough for states to comply with international norms and laws, I still believe it to be a little superficial. More so in the sphere of cyberwarfare and the current legal framework around it, one just cannot ignore the practical difficulties that exist in locating cyber criminals and proving their criminal conduct.20

This is not to say that one should just give up on the idea of formalising a legal framework around cyber conduct. I think we would benefit from a more focused approach towards tackling this new era of cyber space. There have been suggestions to amend the Rome Statute to expand its jurisdiction to cover grave cyber offenses or to create a dedicated international tribunal or an international convention on cyberwarfare that solely deals with issues of cyber technologies and cyber space. An existence of a proper forum that deals exclusively with international cyber crimes and cyber criminals could also prove beneficial in deterring cyber offenses.21

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   Elies van Sliedregt, Command Responsibility and Cyberattacks, 21 J. Conflict & Security L. 505 (Sep. 22, 2016), paywall, doi. ↩

2. 2.

   Adi Libsker-Hazut, Cybercrimes: What Is and What Ought to Be? Rethinking the Role of Recklessness and Negligence in the International Criminal Court, Cyberlaw Blogospace (Jun. 11, 2019), available online. ↩

3. 3.

   Sliedregt, supra note 1. ↩

4. 4.

   Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis, available online. ↩

5. 5.

   Id. Art. 28. ↩

6. 6.

   Sliedregt, supra note 1. ↩

7. 7.

   Jack Goldsmith, How Cyber Changes the Laws of War, 24 EJIL 129 (Feb. 2013), available online, doi. ↩

8. 8.

   The Prosecutor v. Jean-Pierre Bemba Gombo, ICC-01/05-01/08, Judgment pursuant to Article 74 of the Statute (TC III, Mar. 21, 2016), available online, archived. ↩

9. 9.

   The Prosecutor v. Jean-Pierre Bemba Gombo, ICC-01/05-01/08 A, Judgment on the appeal of Mr Jean-Pierre Bemba Gombo against Trial Chamber III’s “Judgment pursuant to Article 74 of the Statute” (AC, Jun. 8, 2018), available online, archived. ↩

10. 10.

    Sliedregt, supra note 1. ↩

11. 11.

    Rome Statute, supra note 4, Art. 30. ↩

12. 12.

    Id. Art. 5.

    (“Crimes within the jurisdiction of the Court, The jurisdiction of the Court shall be limited to the most serious crimes of concern to the international community as a whole. The Court has jurisdiction in accordance with this Statute with respect to the following crimes: (a) The crime of genocide; (b) Crimes against humanity; (c) War crimes; (d) The crime of aggression.”). ↩

13. 13.

    Regina v. Woollin, UKHL 28, 3 WRL 382 (Jul. 22, 1998), available online. ↩

14. 14.

    Regina v. Nedrick, EWCA, 1986 WRL 1025 (Jul. 10, 1986), available online. ↩

15. 15.

    Libsker-Hazut, supra note 2. ↩

16. 16.

    Id. ↩

17. 17.

    Id. ↩

18. 18.

    Id. ↩

19. 19.

    Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int’l L. 191 (2018), available online. ↩

20. 20.

    Libsker-Hazut, supra note 2. ↩

21. 21.

    Perloff-Giles, supra note 19. ↩