© ICCforum.com, 2010–2024. All rights reserved.
Comment on the Cyberwarfare Question: “To what extent and under what conditions might cyber operations or cyberwarfare constitute crimes specified in the Rome Statute?”
Defining the Unique Issues Prosecuting Criminal Cyber Defense Actions Under the Rome Statute Presents: A Lost Cause?
Cybersecurity has launched itself to the spotlight within both the scope of governmental organizations protecting national security and private industry keeping their own systems intact. Societal dependence on technology has brought with it the magic of efficiency, cost-effectiveness and widespread digital penetration on a scale never before seen in human history. However, this exact reliance on technological features for our everyday economic, social, and political actions has made ensuring those means be secured through proper cybersecurity methods even more of a pressing matter. Cyberwarfare presents a unique set of problems that the International Criminal Court has been both hesitant and unclear in approaching. As warfare evolves, it is important that the international justice systems that regulate and investigate the crimes that come from it evolve as well.
In maintaining an active cyber defense system, the problem of what constitutes legal self-defense mechanisms or criminal actions that violate the Rome Statute becomes unclear.1 Due to the unconventional nature of both cybersecurity and cyberwarfare, it is difficult to maintain parallels between war crimes in a traditional sense and what may be acceptable in digital technology.2 This comment will address the jurisdictional, ethical and political concerns that arise in prosecuting governments maintaining “active cyber defense”, which commonly features a governmental entity utilizing real-time capabilities to discover, detect, analyze and mitigate threats.3 First, the comment will review why cybersecurity poses a unique set of jurisdictional problems that make it impossible to parallel effectively to traditionally understood methods of warfare. Second, the comment will address case studies of two government entities engaging in military cybersecurity efforts and the legality of certain actions undertaken by those government organizations under the Rome Statute: the United States Cyber Command and PLA-authorized cyberwarfare forces in the People’s Republic of China. Finally, the comment will propose regulatory frameworks that can be adopted by the ICC for certain forms of cyberdefense methods and address which existing frameworks of the Rome Statute controversial methods of cyberwarfare can fit within.
For many, the best defense is a good offense. This adage is one as old as war itself, with modern utilizations of the phrase ranging from defense commissions to football coaches.4 Mao Zedong famously asserted a policy of “active defense” in running the people’s navy, maintaining strong counter-attacking capabilities as the pinnacle of defensive strategy.5 Imperial Germany would apply this as their general strategy for the western front in World War I, where the Schlieffen Plan deduced that the easiest way to defend their heavily fortified border with France during all-out war would be to knock France out altogether with a preemptive strike through Belgium.6 While preemptive action wouldn’t suffice to qualify, the Rome Statute clearly outlines self-defense as grounds for excluding criminal responsibility, stating in Article 31(1)(c) that if the person:
The problem comes within the details—like much else with international frameworks, language and word choice play a substantial role in determining what actually qualifies as self-defense. Reasonability can vary wildly from one entity to another, and the definition of “person or property protected” seems like a relatively closed-book question until you start approaching the definition of property with the sophistication of networks and cyber space activity today. While this self-defense statute is for individual persons, it serves as an introductory framework for how to treat similar arguments in the name of cybersecurity—if defense measures are deemed “essential for accomplishing a military mission”, should more leeway towards aggressive defensive measures in the name of preventing cyber attacks be allowed?8 In addition, does the proportionality of the degree of danger to a state matter? For example, should nations with a significant history of cyber attacks, such as South Korea in relation to North Korean hacking attempts or the United States in its geopolitical dealings with China and Russia, be granted more international leeway in how they manage their cybersecurity efforts?9
While both Article 31(1)(c) of the Rome Statute and the Rome Statute itself address an active cyber defense in the context of armed conflict, they also open up the question of the legality of “hack back” in an ICC context.10 Hack back is often referred to as active cyber defense, which leads to confusion over how to distinguish the two terms; for the purposes of this comment, an active cyber defense will be defined using the Department of Defense definition given below, while hack back will be used to describe private-sector actions undertaken to engage in cyber attacks against those who commit attacks on them.11 While state entities are the primary target of discussion for this comment, it is essential to mention the role that private figures can play in both cybersecurity measures and the directing of cyber attacks.12 Before the incorporation of cybersecurity initiatives in a military context, the dark web and insecure infrastructure open to target by hackers were mostly engaged in by computer specialists acting either independently or in small groups, mostly for financial benefit or solely for exploration.13 Over time, these hackers would either be utilized as modern-era mercenaries in the cyber fight for foreign interests or be meshed in with current military personnel as a key part of defense operations by a state.
As such, private interests serve a key role in the cyber space discussion.14 Proponents argue that protections against cyber intrusions have just as significant of an interest in property rights as the right to self-defense in case of physical intrusions into your home does.15 While cyber security threats against the electoral process have been the most high profile, state actors such as then-National Security Advisor John Bolton have addressed the United States’ willingness to expand “hack back” towards both economic and other governmental threats as well, showing a willingness by the executive branch to expand such military capabilities.16 A recent bill introduced to legalize such private actions in hack back to both identify and counter-hack suspected software introducers and malware distributors was proposed in 2019 but died in committee after being introduced into the House of Representatives.17 This is, however, the last prominent mention of the legality of such hack back methods in both houses of Congress.18 Whether the private sector can engage in offensive cyber action has, thus, been little debated in both a domestic and international realm—however, under 31(1)(c), it would seem feasible that private actors who face cyber criminality can just as easily retaliate as a means of defense, as long as those means can be interpreted as “reasonable” to their survival.19 This again poses a problem in differentiating between actions based on both intensity and perspective; is it a “reasonable” counter towards economic cyber attacks against a company’s intellectual property for the company to engage in active server sweeping and IP tracking for hackers that might be operating in foreign jurisdictions? In the same sense, would private parties acting in retaliation against state-sponsored cyber terrorism as a proxy for another state party be merely self-retaliation or a criminal act in itself?
Under current international standards within the Rome Statute, the state actor requirement severely limits the ability for organizations like the ICC to even have the jurisdictional capabilities to prosecute private actors.20 Even in a hypothetical scenario where private actors commit cyber attacks only on signatory nations, it would be impossible to prosecute under the four core crimes unless the prosecutor was able to find evidence of an affiliation between those aforementioned hackers and a state entity.21 Such issues between the private and public sphere bring further problems with effective regulation of the cyber criminal space.
In addition, the limited space that cyber crime can fit into within the Rome Statute makes clarification necessary. Of the four core international crimes of genocide, crimes against humanity, war crimes and the crime of aggression, only the crime of aggression can aptly be identified as best to encompass cyberspace activities.22 Article 8 of the Rome Statute clearly outlines which acts are considered to be “war crimes”, so even though much cyber criminality engaged in major global conflicts could be seen by its loosest definition as a war crime, it would be difficult to prosecute without being able to fit in one of those examples.23 While cyber criminality could be a precursor or enabler of genocidal actions, it would be just as difficult, if not more, to try to fit cyber attacks in that category as well.24 The crime of aggression’s more loosely defined standards, in contrast with crimes against humanity, where a relatively exhaustive list is defined like war crimes, makes aggression the likely fit.25
In addition, the usage of technology will inevitably continue to influence how the future of warfare may present itself, but also impose new criminal actions that may not currently fit neatly into the Rome Statute’s definitions for prosecutable crimes. In traditional warfare, the line between self-defense and aggression can more clearly be defined; the Rome Statute itself outlines that an act of aggression applies to “the use of armed force by a state against the sovereignty, territorial integrity or political independence of another State.”26 An attack on a country’s land, sea, or air forces can easily be identified and distinguished from the mere presence of military soldiers on the border, and the blockading of ports or violation of other sovereign rights by a foreign country also requires both intent and noticeable military action by the offending party.27 However, how can the “use of armed force” be defined in cyberdefense systems? Two common methods of cyber criminal activity, denial-of-service (DoS) and malware attacks, both pose immense jurisdictional questions as they can not only be conducted by either private or state entities, but also transcend borders by being able to attack almost any device that is connected within the internet, where physical borders need not apply.28 DoS attacks disrupt traffic by overrunning a server or network through multiple attacks on a target’s IP address, where programmed bots do nothing but overwhelm the server to prevent it from being able to carry out its original task, thus instituting the namesake denial of service.29 When conducting large-scale attacks, a DoS attack can elevate to the status of a distributed denial-of-service attack (DDoS) if the source of the bots and requests to a server is made from multiple different sources, making it difficult for the attacked party to identify where the disruption is coming from or block a single source to try to stop the attack.30 Compared to espionage, DDoS attacks are more straightforward in their legal acceptance—state parties engaging in DDoS against other state parties are almost universally condemned and considered a violation of acceptable cybersecurity standards.31 Malware, a shortened portmanteau for malicious software, requires installing software on the computer or network to function, but serves a similar goal to DoS/DDoS attacks in shutting down capabilities of the technology targeted.32
A high-profile malware attack came recently in the form of Stuxnet, considered to be one of the most sophisticatedly engineered and targeted malware attacks in cyberattack history, which deliberately attacked Iran’s nuclear program and spread rapidly across the country’s network.33 Its highly controlled design had both a rapidly spreading “worm” component that executed attacks against installed operating systems and a rootkit component that would hide traces of Stuxnet from computers, making it almost undetectable to those who were not searching for the malware.34 In addition, its conspicuous target against five Iranian organizations, with 60% of the infected computers worldwide being in Iran, led to widespread concern that the attack was actually a coordinated United States–Israeli cyber attack effort.35 The code was sophisticated enough and clearly politically motivated, as the virus itself only targeted the closed computer systems of the Iranian government’s nuclear enrichment facilities, which meant that the virus spread to a target that was not connected to the public internet and instead only spread within internal Iranian networks.36 Both the United States and Israel have denied any association with the attack.37 While such state connections have not been conclusively proven, it’s difficult to see a scenario where United States involvement did not occur.38
Geopolitical problems like Stuxnet embody both how dangerous cyber attacks can be when conducted through state parties and how difficult it may be to enforce action against them, as not only are there a myriad of jurisdictional issues involved but also a lack of proof against those conducting countries. A step forward was necessary—while cybersecurity wasn’t the catalyst, the definition of aggression was further clarified in the so-called Kampala Compromise, a series of amendments to the Rome Statute undergone during a 2010 review in Uganda.39 The review mostly addressed this difficult-to-ascertain definition for aggression, by providing procedural methods for the ICC judges to more clearly define which actions may fall under the crime of aggression.40 Furthermore, it allows for the U.N. Security Council to step in and rule that certain actions do not constitute aggression.41 Most importantly, however, the conference and resulting amendment clarified a list of acts that would qualify as a crime of aggression.42 Aforementioned examples of blockading ports and bombarding a foreign state’s territory were added to Article 8 to provide further clarification, and also added provisions such as the “sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State” to also qualify.43 As expected, the further clarifications do not allow for cyber warfare to fit neatly in any example.44 Computer programming specialists, many of whom are non-state entities that may be recruited to design the sophisticated malware attacks carried out like Stuxnet, would generally fit under the Kampala amendments, but whether middle grounds such as cyber surveillance against foreign armed forces without disrupting their services constitute an attack is still up to interpretation.45 While Kampala provides further clarification and serves as a concrete step clearing up which acts of aggression might actually be prosecutable, it requires another ICC amendment that can make vague definitions on territorial rights and attacks be placed in a uniquely new perspective, built and focused on cyber security and accounting for the simultaneous and ubiquitous nature of network connections to truly allow for cyber crimes to be properly categorized.46 In the case of Stuxnet, even if conclusive evidence linking the attack to both Israel and the United States existed, jurisdictional problems would make prosecution impossible, as neither country is a signatory party to the ICC, nor is Iran.47 The Kampala Compromise’s opt-out clause also makes it virtually impossible to prosecute on the issue of aggression.48 Without a binding structure which signatory countries must accept, cybersecurity measures no longer become what is acceptable de jure under the Kampala Amendment but rather whatever will provide a military advantage to countries, with rule of law overtaken by an impossible-to-adjudicate de facto reality.49 Thus, while Stuxnet was one of the most prominent attacks of the past decades, it will certainly not be the last.50 A state entity could just as easily install a malware program to harvest classified military data from an enemy party that would violate both (1) the sovereignty of that enemy party by installing malicious software onto computers and servers that lie within the latter’s borders and (2) serve as an internationally accepted form of espionage under the guise that, more often than not, virtually every modern nation engages in such cross-border practices as a part of an active cyber defense strategy. Thus, the compromise/amendment does little to further the problem of effectively incorporating cyber criminality within the Rome Statute frameworks.51
Further muddying the waters is the difficulty in distinguishing between what is acceptable as part of an active cyber defense and what becomes generally accepted as cybercrime. The Department of Defense (DoD) officially defines their “active cyber defense” as the DoD’s “synchronized, real-time capacity to discover, detect, analyze, and mitigate threats and vulnerabilities,” which “operates at network speed by using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems.”52 Problems lie when further attempting to define what each of these verbs might actually mean in practice. The overbroad possibilities that “real-time capacity” can entail in addition to “software and intelligence” means that general questions must be asked that can clarify how intrusive a cyber defense mechanism might be.53 A question that could be asked to clarify is whether the cybersecurity measure has internal or external capabilities.54 Protecting a state’s own servers through IP address whitelists and blocking suspicious connections coming from foreign IP addresses would universally be accepted, but identifying origin sites from incoming or outgoing network traffic to servers that aren’t located within sovereign boundaries would clearly be an external act that would be a grey area.55 Another potential distinguisher would be whether the mechanism is solely utilized for surveillance and observational purposes or has capabilities to disrupt and change an opposing country’s technological capabilities remotely.56 While software that merely observes server data and checks to see if any connections are being made that could source sensitive DoD information to a foreign country’s server might be considered an internationally accepted form of espionage, this question would make harvesting sensitive internal data from foreign countries, which would clearly constitute a cyber attack, to be a legitimate defense mechanism.57 In essence, no single definition actually exists on what qualifies as internationally accepted standards for an “active cyber defense” and what qualifies as a “cyber attack”—establishing clear boundaries from the current international standards on what is considered acceptable and not between state parties is essential to actually identify whether such actions can constitute crimes against each country.58
Another key issue comes from identification. Discovering who might be perpetrating a cyber attack poses greater challenges than conventional warfare. Even in conventional warfare, significant problems exist in being able to actually collect prosecutable evidence during the ICC’s investigative practices.59 The prosecutor is constantly stymied by what is a “failure to satisfy the burden of proof to the requisite standard,” and the difficulty of collecting evidence for many human rights violations, for which there might be little if any writing available documenting what, who and when anything happened, makes convictions even rarer.60 While Second Chief Prosecutor Fatou Bensouda’s decision to favor large-scale, open-ended investigations over the small teams of ground-level investigators that first prosecutor Luis Moreno Ocampo used might be marginally more successful, both cannot account for the insurmountably large issue of being able to actually identify who might be behind cyber crimes.61 Instead of a thick jungle wall or locals unwilling to cooperate hiding key perpetrators, a sea of code so sophisticatedly written that traces of the source might not even be found after a DoS attack can be a death knell to any attempt at prosecution.62 The Rome Statute is intentionally broad in identifying perpetrators as anyone who commits “the most serious crimes of concern to the international community as a whole.”63 This broad categorization is further specified once crimes that are within the ICC’s jurisdiction are identified, with the prosecutor-general seeking out those who “bear the greatest responsibility” for those aforementioned crimes.64 Both exist for many practical reasons in addition to jurisdictional problems—identifying who might be responsible for criminal actions is often a decades-long and arduous process fraught with extensive evidence collection and dependency on witnesses and cooperation by war-torn populations who might be hesitant on offering support to ground workers for the ICC.65 In addition, any international crime contains multiple layers of criminals who are perpetrating human rights violations, with the ICTY’s sentencing for Srebrenica involving multiple high-profile military commanders like Zdravko Tolimir and Vujadin Popović, who both face life sentences for their role in the massacre.66 This is consistent with the “bear the greatest responsibility” standard, with prosecutors focusing on the decision-making perpetrators of the most heinous crimes.67 However, many of the most high-profile cybercriminal actions of the last few decades have resulted in ambiguous prosecutable figures coming forth, with the only evidence of action being the hacking itself.68 The Paris G20 Summit cyber attacks, which obtained documents from more than 150 of the ministry’s 170,000 computers through a malware attack, did not lead to any criminal prosecution.69 The only evidence of state action came from a ministry report that the malware’s files were directed to Chinese computers, which in itself did not serve as concrete or even verifiable proof of interference or knowledge by the Chinese government.70 Other coordinated cyber attacks, like the July 2009 DoS attack against American and South Korean government websites, have had suspected North Korean interference, but mostly from timing and geopolitical concerns instead of concrete evidence.71 Similar to the Stuxnet attacks, it was evident from the beginning that the 2009 attacks had the signs of political interference.72 Government and commercial websites came under attack, and the scale of the botnets was from relatively unsophisticated systems ranging from 50,000 to 65,000 computers that had been commandeered by hackers—much less sophisticated than Stuxnet, but something that could be expected if coming from a less technologically capable nation like North Korea.73 Thus, while the effects weren’t as damning as most websites were able to re-access key functions within the same day, the precedent set that a hostile entity can engage in such DDoS attacks against a neighboring country’s core technological infrastructure, especially in an internet-economy nation like South Korea, with little fear of prosecution makes for a dangerous future as their hacking capabilities continue to grow.74 This ease of cyber attacks launching devastating consequences on obtaining classified state information combined with the difficulty of actually tracking who or what might be causing such attacks makes for these cybercrimes to exist within a different realm than collecting evidence of proof for conventional warfare.75 As such, countries have relied more heavily on cyber defense mechanisms to obtain concrete evidence of state action in suspected cyber attacks.76 This has fed a difficult-to-measure feedback loop of states being more brazen in their counter-offensive capabilities for cyber defense in order to counteract the sophistication of hidden cyber attacks, leading to cyber attacks potentially sponsored or undertaken by state interests becoming more incognito and intrusive, which leads to state defense systems going through greater lengths and repeating again and again.77
Maintaining an active cyber defense and eliminating potential issues of identification through constant surveillance are both within key military goals of the United States. As such, United States Cyber Command (USCYBERCOM) serves an essential role as the front lines of cybersecurity methods on a national scale.78 USCYBERCOM was established in 2010 and serves as the cybersecurity defense and protection for the Department of Defense, with civilian networks being protected under the Department of Homeland Security.79 The growing importance of cyber security is clearly stated in both the mission statement and official documents released by the Department of Defense; the vision statement of USCYBERCOM, approved in March 2018, states that:
The decision to “pursue attackers across networks and systems to render most malicious and cyber-enabled activity inconsequential” may just be political war hawk language, but it clearly indicates that, if effective, organizations like USCYBERCOM intend to not only pursue cyber defensive capabilities solely within our jurisdictional borders but go on the offensive in disrupting systems through aggressive activities more likely to be classified as violations against other state security systems (if targeting foreign powers).81 It certainly uses language that would make operations like Stuxnet be considered a justified, preemptive strike “before it impairs our national power”, referencing American hegemony.82 Other countries have followed suit, with military departments in other armed forces for nations such as China and Russia also expanding on their current cybersecurity defenses and establishing entire divisions dedicated towards cyberspace operations like USCYBERCOM.83 Like USCYBERCOM, the People’s Liberation Army of China established their own separate branch dedicated towards cyber and electronic warfare in the past decade.84 The People’s Liberation Army Strategic Support Force (PLASSF) was created in 2015, with an aggressive emphasis on a dual-support network of talent recruitment at high-ranking Chinese universities and joint ventures with universities and private sector industries on research methods.85 Much of China’s cyberwarfare efforts were conducted not through government departments like PLASSF, but rather through private contractors and espionage specialist hackers who were given immunity from government prosecution by the Ministry of State Security.86 PLASSF represents a goal by the Chinese military to both professionalize their cybersecurity efforts and establish in-house operations that fit within internationally accepted cybersecurity norms.87 President Xi Jinping addressed the importance of PLASSF within China’s long-term military strategy at the 19th National Congress of the CCP in 2017, further demonstrating a necessary time crunch on both governments to bolster their cybersecurity efforts for the future and for international organizations like the ICC to speed up their ability to regulate and properly adjudicate on cyber crime related issues.88 How aggressive PLASSF will be in their activities remains to be seen—Chinese military action has been notoriously secretive over the years, but history tells us that a growing Chinese cyber military threat will likely be at least as potently aggressive as what other major powers like the United States might bring to the table. A facet to consider is if state consolidation of cyber security efforts into military divisions/commands such as USCYBERCOM and PLASSF could potentially lead to state parties being held liable for the controversial cyber security methods that they partake in, what could incentivize such efforts? Outside of general military restructuring, establishing dedicated branches demonstrates an aforementioned priority towards cyber security structure, even if it may lead to jurisdictional liability. In addition, the weaknesses of enforceability by international organizations like the ICC in being able to attribute cyber crimes and cyber attacks as crimes of aggression will lead to departments like the PLASSF continuing to gain strength with few checks in power, as the benefits that accrue from a head start in cyber capabilities outweigh whatever legal liability that they will find themselves in—which, due to the above problems in enforceability, will likely remain zero under the current structure.
Finally, enforceability becomes an issue, one that is closely intertwined with the problem of identification. When private entities, such as “hack back” initiatives or PLA association with private research forces or state-sponsored and/or state-prosecution-immune hackers, become the instigators of cyber attacks, determining the liability of the host countries or state parties behind the decision making becomes both controversial and outright impossible.89 The most preeminent figures in both active cyber defense and potential sovereign sources of cyber criminality, the United States, Russia and China, also happen to be three of the five permanent members of the U.N. Security Council, making the Kampala Compromise’s delegation of power between both the prosecutor and the Council come at odds.90 In addition, proving that suspected attacks might have links to a country leads to evidentiary concerns far more difficult than what has been faced by the ICC in the bloodiest and most uncooperative war zones, as much cyber criminality can just as easily be conducted with virtually no trace of where the attack originated, with technological capabilities to reduce traceability continuing to improve by the year.91 In addition, the efforts that countries can undertake to try to identify who may be behind cyber attacks may themselves be considered too aggressive under the Kampala aggression definitions, leading to another contradictory loop where the only solutions to criminal actions might be state parties committing internationally recognized criminal actions themselves.92 In the end, laws are only as powerful as they are enforceable and actually influence human/state behavior—nations that see that few repercussions will occur from their objectively illicit cybersecurity actions will have little to no incentive to stop.93 The Security Council’s political involvement functionally guarantees that, under the current legal framework, cyber-aggression, at least by state entities, will go unpunished, but this should not deter policymakers from looking into what language can be used to try to deter.94 In the end, the goal of international organizations like the ICC is not only to punish crime through a retributive criminal defense mindset, but to promote peace by incentivizing nations to limit their offensive cyber defense systems.95
So, in this unclear, uncharted territory where the line between cyber crime and cybersecurity becomes thinner and thinner, where can the ICC go from here? Attempts to further provide clarification through compromises like the Kampala Amendments are a good start—while not enough in their entirety, providing clearer standards by which cyber criminal actions can fit within the crime of aggression will be the first step in outlining to state parties what cyber defense measures will and will not be condoned. Jurisdictional issues will continue to haunt the ICC in both cyber warfare and traditional conflict; as such, the contentious issue of how to prosecute private parties that may be acting with state decision-makers in organizing large-scale cyber attacks may pose too large a hurdle for the ICC to combat without addressing their other key jurisdictional problems involving signatory opt-outs and enticing non-member states to join. As such, establishing stronger boundaries between surveillance actions that have been internationally condoned as part of a cyber defense system and demarcating DoS and malware attacks that involve direct action against another state’s military capabilities as example crimes of aggression will apply the pressure necessary to institute changes in internal state decision-making. In addition, holding military commands dedicated to active cyber defense such as USCYBERCOM and PLASSF for signatory nations liable as the parties responsible for those aforementioned cyber attack crimes will allow for the ICC to hold nations accountable as cybersecurity measures become more centralized and sophisticated within state governments. Only time will tell whether the ICC will be capable of enacting such narrowed policies to target cyber attack problems. However, there is no doubt that the current definitions for the crime of aggression and how cyber criminality might fit into the Rome Statute are wholly insufficient to deal with this rising problem—a problem that will inevitably become worse as technology develops and both states and hackers develop their offensive capabilities in cyber space.
Endnotes
Paul Rosenzweig, International Law and Private Actor Active Cyber Defensive Measures, 47 Stan. J. Int’l L. (May 28, 2013), available online, doi. ↩
Id. at 2. ↩
Active Defense, Fortinet, available online (last visited Feb. 26, 2022). ↩
Monica E. Oss, For Crisis Recovery, the Best Defense Is A Good Offense, Open Minds (Jul. 1, 2020), paywall. ↩
James R. Holmes, The Two Words That Explain China’s Assertive Naval Strategy, Foreign Pol. (Jun. 3, 2015), available online. ↩
Michael Belil, A Re-Examination of the Schlieffen Plan, The Strategy Bridge (Feb. 1, 2018), available online. ↩
Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 31(1)(c), available online. ↩
Id. ↩
Ed Caesar, The Incredible Rise of North Korea’s Hacking Army, The New Yorker (Apr. 19, 2021), available online. ↩
Rosenzweig, supra note 1, at 2. ↩
Id. ↩
Id. at 7. ↩
Id. ↩
Id. ↩
Shannon Vavra, Congress to Take Another Stab at ‘Hack Back’ Legislation, CyberScoop (Jun. 13, 2019), available online. ↩
Id. ↩
All Actions to Active Cyber Defense Certainty Act, H.R. 3270, 116th Cong. (2019), available online. ↩
Vavra, supra note 15. ↩
Rome Statute, supra note 7. ↩
Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield, 9 Duke L. & Tech. Rev. (2010), available online. ↩
Id. at 8. ↩
Id. at 24. ↩
Id. ↩
Id. ↩
Id. ↩
Rome Statute, supra note 7, Art. 8. ↩
Id. Art. 8 bis (noting that examples stated, such as the blockading of ports and the violation of other sovereign rights, were inserted by resolution RC/Res.6, infra, as the Kampala amendment/compromise).
The Crime of Aggression, RC/Res.6 at 17, in Assembly of State Parties, Review Conference of the Rome Statute of the International Criminal Court, Kampala, 31 May-11 June 2010 Official Records II (Jun. 11, 2010), available online, archived. ↩
Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 23 Yale J. Int’l L. 191 (2018), available online. ↩
Id. at 10. ↩
Id. at 11. ↩
Id. ↩
What Is Malware?, Cisco Systems, available online (last visited Feb. 26, 2022). ↩
Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 23 Yale J. Int’l L. 191 (2018), available online. ↩
Chance Cammack, The Stuxnet Worm and Potential Prosecution by the International Criminal Court under the Newly Defined Crime of Aggression, 20 Tul. J. Int’l & Comp. L. 303 (2011), paywall. ↩
Id. ↩
Id. ↩
Id. ↩
Id. ↩
Kevin L. Miller, The Kampala Compromise and Cyberattacks: Can There Be an International Crime of Cyber-Aggression?, 23 S. Cal. Interdisc. L.J. 217 (Feb. 19, 2014), available online. ↩
Id. at 221. ↩
Id. at 220. ↩
Id. at 233. ↩
Rome Statute, supra note 7, Art. 8. ↩
Ophardt, supra note 20, at 8. ↩
Id. ↩
Miller, supra note 39, at 222. ↩
Id. at 257. ↩
Id. ↩
Id. ↩
Id. ↩
Id. ↩
United States Department of Defense, Department of Defense Strategy for Operating in Cyberspace (Jul. 2011), available online. ↩
Rosenzweig, supra note 1, at 3. ↩
Id. ↩
Id. at 4. ↩
Id. ↩
Id. at 5. ↩
Id. ↩
Patryk Labuda, The ICC’s ‘Evidence Problem’: The Future of International Criminal Investigations After the Gbagbo Acquittal, Völkerrechtsblog (Jan. 18, 2019), available online. ↩
Id. ↩
Id. ↩
Id. ↩
Human Rights Watch, The Selection of Situations and Cases for Trial Before the International Criminal Court (Oct. 26, 2006), available online. ↩
Id. at 2. ↩
Id. ↩
Marlise Simons, Genocide Verdicts in Srebrenica Killings, N.Y. Times, Jun. 10, 2010, available online. ↩
Id. ↩
Ophardt, supra note 20, at 8. ↩
Paris G20 Files Stolen in Cyber Attack, Homeland Security News Wire, Mar. 18, 2011, available online. ↩
Id. ↩
Choe Sang-Hun & John Markoff, Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea, N.Y. Times, Jul. 8, 2009, available online. ↩
Id. ↩
Id. ↩
Id. ↩
Id. ↩
Id. ↩
Ophardt, supra note 20, at 12. ↩
Our History, U.S. Cyber Command, available online (last visited Feb. 26, 2022). ↩
Id. ↩
Id. ↩
Id. ↩
Id. ↩
Suyash Desai, PLA SSF: Why China Will Be Ahead of Everyone in Future Cyber, Space or Information Warfare, The Print (Dec. 31, 2019), available online. ↩
Id. ↩
Id. ↩
Saikiran Kannan & Abhishek Bhalla, Inside China’s Cyber War Room: How PLA Is Plotting Global Attacks, India Today, Aug. 6, 2020, available online. ↩
Id. ↩
Derek Grossman & Michael S. Chase, Xi’s Consolidation of Power at the 19th Party Congress: Implications for PLA Aerospace Forces, RAND Blog (Dec. 11, 2017), available online. ↩
Ophardt, supra note 20, at 19. ↩
Miller, supra note 39, at 221. ↩
Id. at 259. ↩
Id. at 257. ↩
Id. ↩
Id. ↩
Id. ↩