Treaties, conventions, state practice do not provide clear answers. Specialized conventions for cyberwarfare have not been negotiated and state practice—where it exists in the first place—is inconsistent and unclear. Hence, we need to turn to interpreting existing treaties, which were made for conflicts from another era.

The following comment will attempt to delineate the circumstances under which economic cyber crime might fall under the Rome Statute.3 When the comment makes reference to “economic cyber attacks,” it means cyber attacks attributable to sovereign states that are conducted primarily for financial gain, either by theft, extortion, or a similar method. Also, it will focus on questions of substantive law, not on questions of procedure and admissibility.

This comment first looks at economic cyber attacks as possible war crimes under Art. 8 of the Rome Statute and as a potential violation of Art. 8 bis. As war crimes require can only be committed during an armed conflict, the comment then moves on to examine if and when cyber attacks can trigger such armed conflict. The conclusion shows the impracticality of the current system and the resulting need for reform and international treaty recognition of cyber crimes and cyberwarfare.

II. The Rome Statute and Economic Cyber Crimes

So far, cyber crime and cyberwarfare in international law has been mostly confined to discussions lecture halls and war rooms instead of multilateral negotiating tables. The Rome Statute is no exception, as it does not feature special rules for crimes committed via the internet or cyber conflicts. Of course, the Statute does not prohibit considering economic cyber attacks, either. Therefore, digital hostilities might be prosecutable under several of the Statute ’s articles.

In particular, it is conceivable that an economic cyber attack constitutes a war crime under Art. 8 of the Rome Statute. Under this provision, “serious violations of the laws and customs applicable in international armed conflict” are punishable.4 The norm’s catalogue enumerates eight general war crimes in Art. 8(2)(a), another 26 acts that constitute war crimes when conducted during the course of International Armed Conflicts in Art. 8(2)(b), and 19 war crimes of Non-International Armed Conflicts in Arts. 8(2)(c) and 8(2)(e). Following the outlined conception of an economic cyber attack as a state-sponsored actor attacking financial infrastructure in another state, this comment is limited to considering International Armed Conflicts.5 This is not to say, of course, that this kind of attack is inconceivable in a non-international armed conflict and many of the following considerations apply there, too.

Within the catalogue of Art. 8, several offenses stand out: pillaging,6 the destruction and appropriation of civilian objects,7 and the intentional attack of civilian objects.8 Beyond Art. 8, the Crime of Aggression as enshrined in Art. 8 bis will also be examined.

A. The War Crime of Pillaging

Commonly, we refer to pillaging as incidents of theft and robbery in the face of catastrophes, violence or other breakdowns of the public order. In the context of wars and armed conflicts, its prohibition is an almost universally acknowledged principle of the jus in bello. While the language of Art. 8(2)(b)(xvi) of the Statute has its roots in the Hague Conventions,9 the prohibition of pillaging is much older than that. It can be found in Art. 44 of the 1863 Lieber Code, where “all pillage and sacking” was prohibited under the penalty of death.10 While this proclamation only bound American forces, the Code is considered to reflect the greater contemporary consensus on customs of war.11 The prohibition of pillaging has been a mainstay of the criminal law of armed conflict for the one and a half centuries, regardless of changes in technology or warfare. In light of this history alone, it does not seem far-fetched to acknowledge that pillaging can occur in cyberwarfare, too.

An analysis of Art. 8(2)(b)(xvi) of the Rome Statute supports this. While the provision itself does not elaborate what “pillaging” is, the Elements of Crimes define it as the appropriation of property for private or personal use against the consent of the owner.12 This should not be misunderstood: the criterion of “private or personal” use is meant to be read in opposition to militarily necessary cases of appropriation of property.13 It does not mean that state-sponsored raids during wartime fall outside the scope of the crime of pillaging. Insofar, the ICTY clarified in the Čelebići case that:

[T]he prohibition against the unjustified appropriation of public and private enemy property is general in scope, and extends both to acts of looting committed by individual soldiers for their private gain, and to the organized seizure of property undertaken within the framework of a systematic economic exploitation of occupied territory.14

In the later Hadžihasanović judgement, the ICTY confirmed this interpretation, finding that:

[T]he regulations do not allow arbitrary and unjustified plunder for army purposes or for the individual use of army members.15

Trial Chamber III of the ICC adopted this view, stating that “the prohibition of pillaging covers both individual acts of pillage and organized pillage.”16 The exception for militarily necessary appropriations will not apply in most instances of economic cyber attacks, as it is hard to imagine a clandestine cyber attack for economic gains during peacetime to further a legitimate military objective.

Notably, the provision itself and the interpretation given to it by tribunals, commentators, and the Elements of Crimes remain silent as to the mode of appropriation. On the one hand, this is due to the fact to acts of pillaging have been relatively straightforward in conflicts so far, they resembled burglaries and robberies at gunpoint, just that they were conducted by soldiers during wartime. On the other hand, this reflects that the Rome Statute is open to new developments in weapon technologies. Innovation does not prevent criminal prosecution.

Lastly, unlike other provisions of Art. 8, the war crime of pillaging is not limited to instances of occupation.17 However, the ICC Pre-Trial Chamber I found that “the war crime of pillaging occurs when the enemy’s property has come under the control of the perpetrator.”18 By its wording alone, this “enemy-control” criterion must be interpreted to impose a certain threshold that falls below that of occupation. When applying this test to economic cyber attacks, this means that only widespread attacks that take over significant parts of the relevant network or system and that operate under the sustained oversight of the attacker. Hence, neither low-level individual attacks nor unguided viruses that unintentionally infect random systems would suffice. In those cases, the attacker is in no position to exercise sufficient control over the system or network against which the economic attack is launched.

This shows that it is not wholly inevitable that an economic cyber attack constitutes an act of pillaging, as long as it is of particular gravity and scale. The attack would, however, have to occur during an armed conflict, which we will turn to shortly. Before this, the relevance of other crimes under the Rome Statute will be evaluated.  

B. Cyber Attacks and the Rome Statute Beyond Pillaging

While at a first glance it seems plausible that an economic cyber attack constitutes either the war crime of extensive destruction and appropriation of property,19 the intentional attack of civilian objects20 or the Crime of Aggression,21 a closer look proves fatal to all three.

1. Extensive Destruction and Appropriation of Property

Extensive destruction and appropriation of property is subject to particularly high thresholds. They must be “extensive” and carried out “wantonly.” Particularly grave cyber attacks might meet this threshold, either by dealing significant incidental damage to computer systems (as was the case for the WannaCry virus), or through particularly large sums attained. The vast majority of attacks, however, is unlikely to meet this requirement; not all that is illegal is also “extensive.”

Also, the act must be carried out “wantonly.” That is a high standard. The Commentary on the Fourth Geneva Convention, in the context of which the crime was first formulated, finds that “an isolated incident would not be enough.”22 The International Criminal Tribunal for the Former Yugoslavia (ICTY) affirmed this view, while conceding that a single grave attack can under exceptional circumstances count as “wanton.”23 As an example, it points to the destruction of a hospital, demonstrating just how heinous and destructive a single attack would need to be to fall under Art. 8(2)(a)(iv) of the Rome Statute. A mere one-of digital heist would hardly pass this threshold.

But even acts that might pass this first hurdle will frequently fail at a second one. Assuming the targets of our cyber heist aren’t hospitals and ambulances—in other words property that is afforded special protection under the Geneva Conventions24—the norm limits itself to protecting civilian property in occupied territory.25 Since the vast majority of state-sponsored cyber attacks are aimed at targets in sovereign, independent states, Art. 8(2)(a)(iv) proves to have a very narrow practical scope.

2. Intentional Attack of Civilian Infrastructure

Furthermore, those acts also fall outside the scope of Art. 8(2)(b)(ii),26 the war crime of attacking civilian objects. This hinges on the definition of “attacks against a[n] […] object.” At first glance, a cyber attack could certainly fall under the wording of the Article. However, the Rome Statute did not create the text of this provision out of thin air. The wording derives from Art. 52 of the Additional Protocol I to the Geneva Conventions (AP I)27 and reflects International Court of Justice (ICJ) precedent and customary law.28 The meaning of “attack” in the context of Art. 8 of the Rome Statute must therefore be construed in light of this history. As for AP I, the Protocol itself defines attacks to be “acts of violence,” Art. 49(1). The 1987 Commentary to AP I further clarifies what is meant by this. While it takes a generally wide interpretation of “attacks,”29 it states that an attack is “simply […] the use of armed force to carry out a military operation.” In its Article 53(1) Report on the Situation on Registered Vessels of Comoros, Greece and Cambodia,30 the ICC has further confirmed that word “attacks” must be interpreted in accordance with its IHL origin and agreed that an element of violence must be present. The Office of the Prosecutor stated that:

[A]n attack […] must include a forcible boarding operation, by analogy with other areas of international humanitarian law in which an attack includes all acts of violence against an adversary.

The vast majority of economic cyber attack are, however, non-violent. If they do cause damage to civilian objects and infrastructure, as was the case with the aforementioned WannaCry-virus, this is damage is usually incidental and not intentional, their objective is financial gain. This precludes a prosecution for violation of Art. 8(2)(b)(ii) of the Statute.

Changing narrow definition of “attack” of Art. 8 to include non-violent offenses might be tempting, but would raise issues under the principle of nullum crimen sine lege, as enshrined in Art. 22(2) of the Rome Statute. Not only does this principle prohibit prosecution for unwritten crimes, but it also mandates that “[t]he definition of a crime shall be strictly construed.”31 Of course, this does not mean that a judge cannot clarify ambiguous terms of a statute. It does, however, mean that such clarification must be foreseeable for the accused.32 In the parallel judgments of C.R. v. United Kingdom and S.W. v. United Kingdom, the European Court of Human Rights stated regarding the similar Art. 7 of the European Convention on Human Rights that:

Article 7 […] cannot be read as outlawing the gradual clarification of the rules of criminal liability through judicial interpretation from case to case, provided that the resultant development is consistent with the essence of the offence and could reasonably be foreseen.33

In this case, however, there has been no indication that “attack” should be treated as entailing no-violent, economic crimes. Neither the ICC itself, nor international tribunals or other bodies tasked with interpreting relevant treaty law, have signaled that this interpretation is permissible. There is not even an academic debate on the issue, which might have made a change in judicial opinion predictable.

In summary, the Rome Statute ’s prior interpretation of Art. 8(2)(b)(ii) does not allow for a prosecution of economic cyber crimes. An ad hoc change of this interpretation would violate the principle nullum crimen sine lege, as enshrined in Art. 22(2) of the Statute.

3. The Crime of Aggression

An examination of Art. 8 bis Rome Statute does not fare much better. As per Art. 8 bis(2), an act of aggression:

[Is the] use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.

This poses the question: What acts, short of an armed invasion, constitute the use of force and thus a violation of U.N. Charter Art. 2(4)?

The U.N. Charter is from 1945. Since then, conflict has changed significantly in ways which could not have been anticipated back then. Today’s battlefields are full of newly developed defense technologies and marked by shifting geopolitical power relations. An American drone attacking terrorist organization thousands of miles would have been unthinkable in the 1940s. Neither the technology nor the importance of and blurry definitions of non-state actors were expectable. Most of all, it was much easier to say when the threshold for the use of violence was crossed. This has changed significantly. There is hardly an instance where this change is more tangible than when cyber weapons are deployed.

Certainly, one could make the case that in today’s interconnected world and globalized economy, a well-placed virus attack wreaks greater havoc on societies around the world than traditional acts of aggression do.34 After all, the Rome Statute recognizes the “blockade of the ports or coasts of a State” to be acts of aggression. Doesn’t computer malware “blockade” the ports of a digital economy too? And if the U.N. Charter wants to save us from “the scourge of war,”35 shouldn’t Art. 2(4) be interpreted to prohibit as many forms of aggression as a liberal interpretation of the statute allows?36 The U.N. Charter at least does not limit what type of weapon is used in the course of a “use of force.”37 These arguments seem to be in line with a broader view favored by some academics and sates, who argue that any form of political, economic, and, of course, military force can constitute a violation of U.N. Charter Art. 2(4), as long as it reaches a certain threshold of gravity.38

But this interpretation of Art. 2(4) is rejected by most states and academics alike.39 A prominent proponent of the theory even admits that “the overwhelming majority of commentators today consider the term “force” in Art. 2(4) of the U.N. Charter as practically synonymous to “armed” or “military” force.”40 When interpreting the Rome Statute, there is even more grounds for hesitancy than in a mere jus ad bellum debate.

The Crime of Aggression has been highly controversial in the drafting history of the Rome Statute. The offense was not included in the original version of the Statute but was only added after the 2010 Kampala Review Conference. Unable to reconcile their widely differing views as to how the Crime of Aggression should be defined, in 1998 the Drafting Parties deferred the resolution of the problem to a later Review Conference.41 Eight years after the Rome Statute went into force, this Review Conference finally met in Kampala and came to an agreement on the appropriate wording of the Crime of Aggression. Consequently, today’s Art. 8 bis was inserted into the Statute by the States Parties.42

However, some doubts remain to what extent this compromise actually reflects a global consensus. So far, the ICC has heard no case involving the Crime of Aggression, which alludes to the crime’s high threshold and the Court’s hesitancy to apply it. Perhaps an early German statement, found in a 1997 Discussion Paper, best reflects the state of the actual in the international community:

In accordance with historic precedents the definition in question should focus on and try to cover only the obvious and indisputable cases of this crime (such as the aggressions committed by Hitler and the one committed against Kuwait in August 1990).43

Germany’s reason for this narrow approach to aggression seems to be in line with the Court’s views today. Says the Discussion Paper further:

It is of utmost importance that the definition does not lend itself to possible frivolous accusations of a political nature against the leadership of a Member State.44

Looking at this background of Art. 8 bis, it is not hard to understand why its drafters chose strong language and high standards and why commentators have interpreted it restrictively. It is limited to persons “in a position effectively to exercise control,” only applies to acts of aggression that, by virtue of their “character, gravity and scale,” are “manifest” violations of the U.N. Charter.45 For the sake of this present analysis, the criterion of “manifest violations” might be the most crucial. It is a somewhat elusive clause; the Elements of Crimes merely state that it is an objective rather than a subjective criterion.46 Commentators, too, have wrestled with the criterion. A prominent, albeit not uncontroversial, interpretation is that requiring an act to be a manifest” violation of the U.N. Charter, “grey areas” should not be criminalized.47 While there are limits as to how liberally one might be able to interpret “grey area,”48 the term should a at the very least be understood to prevent an all too progressive interpretation of crimes. Otherwise, the term would bear little relation to its definition as meaning “clear or obvious to the eye or mind”49 and the aforementioned Art. 22(2) concerns would apply here, too.

There might very well be some cyber attacks that meet the threshold of U.N. Charter Art. 2(4) and that might even pass the muster of Art. 8 bis of the Rome Statute. It is no coincidence that cyber weapons have been described as the “perfect weapon.”50 However, I have no doubt that mere economic cyber attacks—at least how we have experienced them so far—have not been acts of aggression that by their “character, gravity and scale, constitute[…] a manifest violation of the Charter of the United Nations.” And absent widespread physical destruction or the use of kinetic force, it is unlikely that they will rise to this level in the future. It seems like state practice agrees with this conclusion. So far, the most frequent response to economic cyber attacks has been public condemnation and occasional criminal indictments under municipal criminal law.51

III. Economic Cyber Crimes and Armed Conflicts

The previous discussion showed that a prosecutor wishing to go after the backers of an economic cyber attack would have the best case under Art. 8(1)(b)(xvi) of the Rome Statute. However, we could also see in the context of Art. 8 bis that there are substantial difficulties in applying rules of warfare made decades (or even centuries) ago to cyber attacks, particularly if those attacks are primarily committed for financial gain.

Similar issues as those discussed for the Crime of Aggression mar any consideration of war crimes too. But where we could point to the criterion of “manifest” violations and a more restrictive approach to interpreting U.N. Charter Art. 2(4), war crimes require the existence of an armed conflict, a term that is much wider interpreted than the “use of force” of U.N. Charter Art. 2(4), let alone “armed attack” of U.N. Charter Art. 51.

War crimes, both as they are generally conceived in IHL and as they are defined in Art. 8(2)(b) of the Rome Statute, require the existence of an International Armed Conflict (IAC).52 Whether or not certain hostilities amount to an IAC is a factual determination, independent of a formal declaration of war.53 In the oft-cited Tadić case, the ICTY found that “an armed conflict exists whenever there is a resort to armed force between States.”54 In the Lubanga55 and Katanga56 judgments, the ICC adopted this view. Using armed force is not equivalent to deploying the armed forces. In the words of Pre-Trial Chamber II:

[A]n international armed conflict exists in case of armed hostilities between States through their respective armed forces or other actors acting on behalf of the State. 57

Hence, it makes no difference whether a state uses military hackers or civilian personnel in its cyber attacks.58 What matters is that they are acting for the state. This definition of armed conflict poses two questions: First, can the use of a virus be considered to be a “resort to armed force?” If this is possible, what is the threshold for an “armed” cyber attack?

It is widely accepted that the Geneva Conventions apply to the use of cyber warfare during a pre-existing IAC or Non-International Armed Conflict.59 In those cases, cyber weapons are treated like any other weapon. It is much less clear if this equal treatment also extends to a conflict started by the use of a cyber weapon, let alone one exclusively fought using cyber weapons. So far, this issue has been reserved to theoretical discussions, as cyber-only attacks—economic or otherwise—have not led to an escalation of violence or resulted in a “traditional” armed conflict.60

An early, consequence-based approach by Michael N. Schmitt considered cyber-only attacks to be “armed” if the cyber attack produced results similar to those of a conventional attack, i.e., injury, death, physical damage or destruction..61 Gradually, this approach has changed. Instrumental for this gradual change was Knut Dörmann, who expanded the consequence-test to include attacks that don’t destroy but merely disable or neutralize the target.62 By now, this approach has been adopted by the International Committee of the Red Cross63 and by a majority of commentators, as Schmitt himself observes.64

However, this is no blanket justification to consider all instances of state-sponsored cyber attacks incidents of an armed conflict. Whenever a cyber attack does not lead to injury, death, physical damage or destruction, it must be of a certain gravity. This gravity-threshold would be met in instances of disruptions of vital infrastructure, like electrical grids or water supply. Vital infrastructure stands in contrast to mere critical infrastructure, which would include the banking system, financial institutions, and the majority of other businesses and institutions.65 It seems like the implicit argument behind this theory is that non-destructive attacks can bear a foreseeable and grave risk of causing incalculable human suffering, fatalities, or physical destruction. In those instances, the attack must be treated as if it had directly led to those results. The approach of outlawing an act based on its associated dangers is not foreign to the Geneva Conventions. Art. 35 of Additional Protocol I, for example, prohibits:

[T]o employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury or unnecessary suffering.

These weapons are banned based on their abstract nature, not their concrete consequences. Similarly, wherever cyber attacks, by their character alone, are highly likely to lead to injury, death, physical damage or destruction, they may be treated like attacks that directly cause those consequences.

Economic cyber attacks to date have fallen short of this threshold. Digitally stealing money from a civilian bank account causes financial loss and certainly some hardship, but not the immediate widespread suffering that preventing access to the water grid does. A standalone economic cyber attack would have to be of a much greater scale to be considered an “armed conflict.” Consequently, attacks so far have not constituted war crimes and future economic cyber attacks are unlikely to do so, too. There is no violation of Art. 8(1)(b)(xvi) of the Rome Statute.

This is not to say that cyber attacks don’t cause major disruptions for public life and constitute threats to peace. They change the battlefield and simultaneously stretch the textual interpretation of the current laws of war. This has led one commentator to wonder if one day the term armed attack will be obsolete.66 While this may be desirable lex ferenda, today, the “armed” criterion is still part of the jus in bello and puts a limit to the kind of hostilities that can constitute an IAC. It seems that most cases of economic cyber attacks fall just short of this limit.

IV. Conclusion

As seen, it is not completely impossible to prosecute international cyber crimes under the Rome Statute. However, requiring that the attack rise to the intensity of an armed conflict is a major obstacle. But even if the threshold were met, the attack would need to pass the muster of the gravity requirement of Art. 17(1)(d) of the Rome Statute.

The comment shows that the Rome Statute is an inappropriate framework to address the realities of cyberwarfare. It is not a convenient replacement for municipal criminal justice and for international treaty negotiation. But this is not a disappointing finding. First, it strengthens the standing of the Court and the Rome Statute. Why should cyber crimes be included through treaty interpretation when other serious offenses like terrorism, drug trafficking and crimes against United Nations personnel failed to make it into the Statute?67 In a time where the Court faces allegations of illegitimacy, expanding the scope of the Rome Statute through clever interpretation would only further undermine its work. Second, as the Rome Statute is an instrument of international criminal justice, limiting the use of ambitious textual interpretation is a win for the fundamental principles of justice, not a loss. Third, cyber crime and cyberwarfare are here to stay. They will challenge the international community for years to come. Ultimately, states will have to find their way to the negotiating table to draft the rules for cyber conflicts. Only a multilateral treaty has a realistic chance to achieve widespread acceptance and to mitigate the dangers of cyber attacks. Hence, this comment is less a manual for the prosecution of economic cyber attacks and more a call to action to fill the gaps in the international law on cyber conflicts.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   What is WannaCry Ransomware?, Kaspersky, available online (last visited Feb. 26, 2022). ↩

2. 2.

   Press Release, U.S. Dept. of Just., Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe (Feb. 17, 2021) [hereinafter North Korean Hackers Indicted], available online; Ewen MacAskill, Alex Hern & Justin McCurry, Facebook Action Hints at Western Retaliation over WannaCry Attack, The Guardian, Dec. 19, 2017, available online; White House says WannaCry attack was carried out by North Korea, CBS, Dec. 19, 2017, available online. ↩

3. 3.

   Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], available online. ↩

4. 4.

   Id. Art. 8(2)(b). ↩

5. 5.

   As defined by Article 2 Common to the Geneva Conventions, Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, 75 U.N.T.S. 31 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online; Geneva Convention for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea, 75 U.N.T.S. 85 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online; Geneva Convention Relative to the Treatment of Prisoners of War, 75 U.N.T.S. 135 (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online; Geneva Convention Relative to the Protection of Civilian Persons in Time of War, 75 U.N.T.S. 287, (adopted Aug. 12, 1949, entered into force Oct. 12, 1950), available online.

   (“[T]he present Convention shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them.”). ↩

6. 6.

   Rome Statute, supra note 3, Art. 8(1)(b)(xvi). ↩

7. 7.

   Id. Art. 8(2)(a)(iv). ↩

8. 8.

   Id. Art. 8(1)(b)(ii). ↩

9. 9.

   William A. Schabas, The International Criminal Court: A Commentary on the Rome Statute, 241 (2nd ed. Sep. 2016), paywall, doi. ↩

10. 10.

    General Orders No. 100: Instructions for the Government of Armies of the United States in the Field, Adjutant General’s Office (Apr. 24, 1863), available online. ↩

11. 11.

    Dietrich Schindler & Jiri Toman, The Laws of War and Armed Conflict 3 (4th ed. 2004), paywall, doi. ↩

12. 12.

    International Criminal Court, Elements of Crimes, ICC-ASP /1/3, Adopted and Entry into Force 9 September 2002, updated at Kampala, 31 May-11 June 2010, 26 (Jun. 11, 2011) [hereinafter Elements of Crimes], available online, archived; Andreas Zimmermann & Robin Geiß, Article 8 in The Rome Statute of the International Criminal Court: A Commentary, 553-4 (Otto Triffterer & Kai Ambos eds., 3rd ed. 2016). ↩

13. 13.

    Elements of Crimes, supra note 12, at n.47; Schabas, supra note 9, at 242; Mark Klamberg, Article 8(2)(b)(xvi), in Commentary on the Law of the International Criminal Court (Mark Klamberg & Jonas Nilsson eds., last updated Jun. 30, 2016), available online. ↩

14. 14.

    The Prosecutor v. Zejnil Delalić, Zdravko Mucić, Hazim Delić and Esad Landžo, IT-96-21-T, Judgement (ICTY TC, Nov. 16, 1998) [hereinafter Čelebići], available online. ↩

15. 15.

    The Prosecutor v. Enver Hadžihasanović and Amir Kubura, IT-01-47-T, Judgement, ¶ 52 (ICTY TC, Mar. 15, 2006) [hereinafter Hadžihasanović], available online. ↩

16. 16.

    The Prosecutor v. Jean-Pierre Bemba Gombo, ICC-01/05-01/08-3343, Judgment pursuant to Article 74 of the Statute, ¶ 117 (TC III, Mar. 21, 2016) [hereinafter Bemba], available online. ↩

17. 17.

    Zimmermann & Geiß, supra note 12, at 562. ↩

18. 18.

    The Prosecutor v. Germain Katanga and Mathieu Ngudjolo Chui, ICC-01/04-01/07, Decision on the confirmation of charges, ¶ 330 (PTC I, Sep. 30, 2008), available online. ↩

19. 19.

    Rome Statute, supra note 3, Art. 8(1)(a)(iv). ↩

20. 20.

    Id. Art. 8(2)(b)(ii). ↩

21. 21.

    Id. Art. 8 bis. ↩

22. 22.

    Oscar M. Uhler et al., eds., ICRC, Commentary on the Geneva Convention Relative to the Treatment of Prisoners of War 601 (Jean S. Pictet, ed., 1958) [hereinafter Geneva Convention IV Commentary], available online. ↩

23. 23.

    The Prosecutor v. Tihomir Blaškić, IT-95-14-T, Judgement, ¶ 157 (ICTY TC, Mar. 3, 2000), available online. ↩

24. 24.

    Geneva Convention IV Commentary, supra note 22, at 601. ↩

25. 25.

    Schabas, supra note 9, at 219; The Prosecutor v. Dario Kordić and Mario Čerkez, IT-95-14/2-T, Judgement, ¶ 335-340 (ICTY TC, Feb. 26, 2001), available online. ↩

26. 26.

    Rome Statute, supra note 3, Art. 8(1)(b)(ii)

    (criminalizing “[i]ntentionally directing attacks against civilian objects, that is, objects which are not military objectives.”). ↩

27. 27.

    Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, 1175 U.N.T.S. 3 (adopted Jun. 8, 1977, entered into force Dec. 7, 1978), available online. ↩

28. 28.

    Schabas, supra note 9, at 227; Noëlle Quénivet, Article 8(2)(b)(ii), in Commentary on the Law of the International Criminal Court (Mark Klamberg & Jonas Nilsson eds., (last updated May 13, 2019), available online; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), 1996 I.C.J. Rep. 226, ¶ 78 (Jul. 8, 1996), available online; Jean-Marie Henckaerts & Louise Doswald-Beck, Customary International Humanitarian Law, Volume I: Rules Rule 7 (2005), available online. ↩

29. 29.

    Yves Sandoz, Christophe Swinarski & Bruno Zimmermann eds., ICRC, Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (1987), available online. ↩

30. 30.

    Office of the Prosecutor, International Criminal Court, Situation on Registered Vessels of Comoros, Greece and Cambodia: Article 53(1) Report, ¶ 93 (Nov. 6, 2016), available online. ↩

31. 31.

    Rome Statute, supra note 3, Art. 22(2). ↩

32. 32.

    Bruce Broomhall, Article 22, in Rome Statute of the International Criminal Court: Article-by-Article Commentary 38 (Otto Triffterer & Kai Ambos eds., 3rd ed. 2016). ↩

33. 33.

    S.W. v. The United Kingdom, 20166/92, Judgment ( ECHR, Nov. 22, 1995), available online; C.R. v. The United Kingdom, 20190/92, Judgment ( ECHR, Nov. 22, 1995), available online. ↩

34. 34.

    Heather Harrison Dinniss, Cyberwarfare and the Laws of War 62 et seq. (2014), paywall, doi

    (using a similar line of argument that cyber-only attacks can violate U.N. Charter Art. 2(4), stating that “the weapon criteria is losing its relevancy in today’s world.” However, she limits her argument to an attack that “manifest itself in the physical sphere”).

    Similar Nils Melzer, UNIDIR, Cyberwarfare and International Law 8 (2011), available online.

    (Whether financial losses fall under her conception of Art. 2(4) of the Charter is unclear). ↩

35. 35.

    United Nations Charter, Preamble. ↩

36. 36.

    Melzer, supra note 34, at 8. ↩

37. 37.

    Andreas Zimmermann & Elisa Freiburg, Article 8 bis, in Rome Statute of the International Criminal Court: A Commentary, 157-58 (Otto Triffterer & Kai Ambos eds., 3rd ed. 2016). ↩

38. 38.

    James A. Delanis “Force” under Article 2(4) of the United Nations Charter: The Question of Economic and Political Coercion, 12 Vand. J. Transnat’l L. 101 (1979), paywall. ↩

39. 39.

    See Daniel B. Silver, Computer Network Attack as a Use of Force Under Article 2(4) of the United Nations Charter, in Computer Network Attack and International Law 73 (Michael N. Schmitt & Brian T. O’Donnell eds., 2002), available online

    (rejecting this argument in the context of economic cyber attacks).

    Albrecht Radelzhofer & Oliver Doerr, Article 2(4), in The Charter of the United Nations: A Commentary, Volume I 17-20 (Bruno Simma et al. eds., Nov. 2012), paywall, doi

    (rejecting the inclusion of economic and political force).

    See also Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States), Judgment, 1986 I.C.J. Rep. 14, ¶ 195 (Jun. 27, 1986), available online. ↩

40. 40.

    Melzer, supra note 34, at 7. ↩

41. 41.

    United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Bureau Proposal, A/CONF.183/C.1/L.59, at 1 (Jul. 10, 1998) [hereinafter Bureau Proposal], available online. ↩

42. 42.

    Zimmermann & Freiburg, supra note 37, at 30 et seq. ↩

43. 43.

    United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Proposal by Germany, A/AC.249/1997/WG.I/DP.20, at 2 (Dec. 11, 1997), available online. ↩

44. 44.

    Id. ↩

45. 45.

    Rome Statute, supra note 3, Art. 8 bis(1). ↩

46. 46.

    Elements of Crimes, supra note 12, at 43. ↩

47. 47.

    Marie Aronnson-Storrier, Article 8 bis(1) in Commentary on the Law of the International Criminal Court (Mark Klamberg & Jonas Nilsson eds., last updated Apr. 10, 2017), available online; Mary Ellen O’Connell & Mirakmal Niyazmatov, What is Aggression? Comparing the Jus ad Bellum and the ICC Statute, 10 J. Int’l Crim. Just. 189 (Mar. 2012), paywall, doi; Patrycja Grzebyk, Criminal Responsibility for the Crime of Aggression 201-02 (Oct. 2013), available online, doi; Claus Kreß, Strafrecht und Angriffskrieg im Licht des “Falles Irak”, 115 Zeitschrift für die gesamte Strafrechtswissenschaft, 294, 302-07 (2003) (Ger.), paywall, doi. ↩

48. 48.

    Andreas Paulus, Second Thoughts on the Crime of Aggression, 20 EJIL 1117, 1122-23 (2009), available online, doi; Zimmermann & Freiburg, supra note 37, at 66. ↩

49. 49.

    Manifest, Lexico, available online (last visited Feb. 26, 2022). ↩

50. 50.

    David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (May 14, 2019), paywall. ↩

51. 51.

    Press Release, FCDO, Foreign Office Minister Condemns North Korean Actor for WannaCry Attacks (Dec. 19, 2017), available online; North Korean Hackers Indicted, supra note 2; Gary D. Brown, Why Iran Didn’t Admit Stuxnet Was an Attack, 63 JFQ 70 (Oct. 1, 2011), available online

    (offering possible explanations for this restraint). ↩

52. 52.

    As mentioned in Section II, war crimes can also be committed during a Non-International Armed conflict, which is outside the scope of this comment. ↩

53. 53.

    Lindsey Cameron, Bruno Demeyere, Jean-Marie Henckaerts, Eve La Haye, Iris Müller, Cordula Droege, Robin Geiss, Laurent Gisel, Article 3—Conflicts Not of an International Character in Commentary on the First Geneva Convention 211 (Philip Spoerri et al. eds., 2016), paywall, doi. ↩

54. 54.

    The Prosecutor v. Dusko Tadić, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 70 (ICTY AC, Oct. 2, 1995) [hereinafter Tadić], available online, archived. ↩

55. 55.

    The Prosecutor v. Thomas Lubanga Dyilo, ICC-01/04-01/06, Judgment Pursuant to Article 74 of the Statute, ¶ 533, 541 (TC I, Mar. 14, 2012), available online; see also The Prosecutor v. Thomas Lubanga Dyilo, ICC-01/04-01/06, Decision on the confirmation of charges, ¶ 209 (PTC I, Jan. 29, 2007), available online. ↩

56. 56.

    The Prosecutor v. Germain Katanga, ICC-01/04-01/07, Judgment Pursuant to Article 74 of the Statute, ¶ 1173 (TC II, Mar. 7, 2014), available online. ↩

57. 57.

    Bemba, supra note 16, ¶ 223 (emphasis added); see also id. ¶ 1177. ↩

58. 58.

    There might be issues regarding attribution of the attack, however. ↩

59. 59.

    Melzer, supra note 34, at 22; Louise Doswald-Beck, Some Thoughts on Computer Network Attack and the Law of Armed Conflict, in Computer Network Attack and International Law 164-5 (Michael N. Schmitt & Brian T. O’Donnell eds., 2002), available online. ↩

60. 60.

    Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Armed Attack, 100 Cal. L. Rev. 817, 850 (2012), available online. ↩

61. 61.

    Michael N. Schmitt, Wired Warfare: Computer Network Attack and Jus in Bello, 84 Int’l Rev. Red Cross 365, 374-5 (2002), available online. ↩

62. 62.

    Knut Dörmann, Applicability of the Additional Protocols to Computer Network Attacks, ICRC 4 (2004), available online; see also Cordula Droege, Get off my Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians, 94 Int’l Rev. Red Cross 533 (2012), available online. ↩

63. 63.

    International Committee of the Red Cross, 31st International Conference of the Red Cross and Red Crescent: International Humanitarian Law and the Challenges of Contemporary Armed Conflicts 36-38 (2011), available online. ↩

64. 64.

    Michael N. Schmitt, Rewired Warfare: Rethinking the Law of Cyber Attack, 96 Int’l Rev. Red Cross 189, 198 (2014), available online, doi. ↩

65. 65.

    Droege, supra note 62, at 548. ↩

66. 66.

    Doswald-Beck, supra note 59, at 165. ↩

67. 67.

    Bureau Proposal, supra note 41, at 1. ↩