The Iran Stuxnet worm was discovered at the Natanz facility in June 2010, about two years before it was programmed to self-destruct.17 It is unclear exactly how long the Stuxnet malware was operating before its discovery in 2010.18 Nevertheless, it ran long enough to render multiple uranium centrifuges nonfunctional and essentially worthless—causing significant economic and material loss.19 In addition to the wasted uranium, all of the metal in the affected centrifuges were ruined, which further contributed to a metal shortage of particular types of metal in Iran during this time.20 Also, all computer systems at the facility needed to be replaced, to ensure the worm was permanently disabled and would not continue to spread.21 Replacing all the computer systems was known to be an exceedingly difficult undertaking for a country with strict trading sanctions.22 The effects of the Stuxnet worm is believed to have set the Iranian nuclear program back several years.23 The U.S., Israel, or both working together were suspected of perpetrating the Stuxnet attack; there is even “strong evidence” that these countries conceptualized the program, facilitated its coding, and deployed this attack on Iranian nuclear facilities.24 Could the ICC Prosecutor have opened an investigation into the Stuxnet case and potentially pursued prosecution? To answer this, we must first determine if cyber attacks can ever be considered crimes of aggression at the ICC.

II. Can Cyber Attacks be Crimes of Aggression?

Cyber attacks can constitute crimes of aggression under Article 8 bis of the Rome Statute. The Kampala Amendments, which first established the ICC crime of aggression at in June of 2010, define the crime as:

[T]he planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.25

Thus, there must first be an act of aggression in order for there to be a crime of aggression at the ICC.

The aforementioned “act of aggression” in Article 8 bis originates from the United Nations (U.N.) Resolution 3314 (XXIX) and is defined as:

[T]he use of armed force by a State against the sovereignty, territorial integrity, or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.26

The U.N. Security Council is responsible for determining whether there has been an act of aggression.27 Therefore, it is ultimately within the Security Council’s purview to decide that “the use of armed force by a State” can include certain severe cyber attacks. Cyber attacks have the potential to be extremely destructive and the impacts can be on par, or even worse, than those of kinetic weaponry and force.28 It is necessary for the interpretation of “armed force” to expand beyond just traditional kinetic understandings if the ICC is to even have a chance at keeping pace with technological innovations and its very real consequences for the international community.

Additionally, both Article 8 bis and U.N. Resolution 3314 refer to violations of the U.N. Charter. Relevant articles of the U.N. Charter include Article 2 paragraph 4:

All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.29

The “use of force” in Article 2 of the U.N. Charter should encompass cyber attacks.30 Further, these attacks are clearly inconsistent with the purposes of the U.N. which are to maintain international peace and security, to develop friendly relations, to solve social, cultural, humanitarian, and economic problems, and to be an intermediary in harmonizing nations actions to achieve these ends.31 Cyber crime is fundamentally inconsistent with all of these established international values.

The Security Council’s decision is meant to be “without prejudice” to the ICC’s findings and determination under the Rome Statute.32 Thus, the Prosecutor would subsequently also decide if cyber crime could qualify as an act of aggression at the ICC. Article 8 bis(2) lists seven examples of acts that “qualify as an act of aggression”, including “the invasion or attack by armed forces of a State of the territory of another State” and “the use of any weapons by a State against the territory of another State.”33 The Prosecutor could consider cyber attacks to be an “invasion or attack” by armed forces and, certainly, to be “the use of any weapon”. Furthermore, the list of examples is not exhaustive so cyber attacks could nonetheless be considered within the context of the crime of aggression, regardless of how they fit in the seven listed illustrations. In all, the language of the Rome Statute and its sources would allow cyber crime to be prosecuted at the ICC as a crime of aggression. If the Security Council creatively interprets “armed force”, cyber attacks can be included in the definition of an act of aggression—the “planning, preparation, initiation or execution” of which could be a crime of aggression at the ICC.

III. Could Stuxnet be Prosecuted as a Crime of Aggression?

The Stuxnet case would need to meet all jurisdiction and admissibility requirements in order to be investigated or prosecuted at the ICC.34 The prosecutor also considers if it is in the interest of justice to pursue the case.35 For many cyber crimes, and even for Stuxnet, there are significant challenges to satisfying most of these requirements. These obstacles will be addressed and discussed in Section IV.

A. Jurisdiction Requirements

The jurisdictional requirements which must be proven in order to pursue a case at the ICC are subject matter jurisdiction, temporal jurisdiction, and either territorial jurisdiction or active nationality jurisdiction.36

1. Subject Matter Jurisdiction

There must be subject matter jurisdiction for one of the four crimes in the Rome Statute.37 For the Stuxnet case, there arguably is subject matter jurisdiction because all six elements of the crime of aggression are met. First, the perpetrator “planned, prepared, initiated or executed an act of aggression.”38 This act was definitely “planned, prepared, initiated, and executed” since the Stuxnet worm was designed many months in advance, as further explained below, and obligated a precise series of actions—culminating in the execution at the Natanz facility. The invasion of the malware and its subsequent destruction constitutes an act of aggression because it was the use of armed force against the sovereignty and territorial integrity of Iran.39 The use of armed force was certainly inconsistent with the U.N. Charter.40 Additionally, this cyber attack fits into one of the Article 8 bis examples: the “use of any weapons by a State”.41 Stuxnet, designed to be as physically destructive and calamitous as weapons of the conventional understanding, would categorically be “any” weapon.

Second, the perpetrator was most likely “in a position effectively to exercise control over or to direct the political or military action of the State which committed the act of aggression.”42 Designing and creating malware of this sophistication was estimated to have taken up to ten programmers upwards of six months to code.43 This would have been an incredibly costly endeavor.44 Thus, it is strongly believed that such a precise and powerful program was most likely ideated and backed by a state government.45 As previously mentioned, there is strong evidence that Stuxnet was formulated by the United States and Israel governments.46 Further investigation by the Prosecutor, once the investigation is authorized to begin, would likely lead to specific members of leadership who had effective exercise of control over political or military action of the state.

Third, the act of aggression “was committed”.47 As established for the first element of the crime, this was an act of aggression because the Stuxnet malware could be interpreted to be a use of armed force against another state’s territorial integrity or political independence. This “was committed” when the malware infected the PLC and the SCADA at the Natanz facility, causing the destruction of multiple uranium centrifuges.

Fourth, the perpetrator would have been “aware of the factual circumstances” that make weaponizing such malware inconsistent with the U.N. Charter.48 Stuxnet was created and executed at Natanz for the sole purpose of damaging as many centrifuges at the uranium enrichment facility as possible. There is a global understanding that purposefully sending such an attack upon another country would be inconsistent with the U.N. Charter, which was established to promote peace and stability between nations.49

Fifth, the act constitutes a “manifest” violation of the U.N. Charter because of its character, gravity, and scale.50 The Kampala Conference established that no single part of character, gravity, or scale could meet the “manifest” threshold on its own.51 Therefore, there must be some combination of these factors. There is no precedent for what kind of situation would constitute a “manifest” violation or how the prosecutor would consider the character, gravity, or scale of a given cyber attack. It is possible that the Stuxnet example could meet this bar. It was not a smale invasion of unknown impact; this was an intentional attack upon the energy resources of another state, which resulted in substantial material loss of high value on a very large scale.52

Sixth, the perpetrator was “aware of the factual circumstances that established such a manifest violation.”53 Stuxnet was not accidentally created or executed. It was designed for the precise purpose of causing damage and disabling multiple uranium enrichment centrifuges.54 It is apparent that the perpetrators would have been aware that the malware, created for the very purpose of causing significant destruction, would be of a severe character, gravity, and scale—and, thus, a manifest violation. The Stuxnet example, and other cyber crimes like it, could theoretically fulfill all the elements for the crime of aggression and therefore establish subject matter jurisdiction at the ICC.

2. Temporal Jurisdiction

For an ICC investigation and possibility of prosecution to begin, there must also be temporal jurisdiction.55 The Rome Statute went into force in 2002.56 However, the exercise of jurisdiction for the crime of aggression is distinct from the rest of the Rome Statute crimes. Article 15 bis outlines the exercise of jurisdiction over the crime of aggression, and it specifies:

[The] Court may exercise jurisdiction only with respect to crimes of aggression committed one year after the ratification or acceptance of the amendments by thirty State Parties.57

This ratification by thirty State Parties only happened in June 2016.58 Moreover, Article 15 bis also establishes that there is no jurisdiction before a vote by State Parties that would take place after January 1, 2017.59 Thus, there could not be jurisdiction over the crime of aggression until at least 2017. The Stuxnet worm was first discovered in June 2010.60 Jurisdiction cannot be applied ex post facto at the ICC. Therefore, with the specific facts of the Stuxnet case, there would not be temporal jurisdiction; for the purposes of examining how Stuxnet, or a cyber attack similar to it, can be pursued at the ICC, however, we will assume temporal jurisdiction was satisfied.

3. Territorial or Active Nationality Jurisdiction

For the crime of aggression, there must also be either active nationality jurisdiction or territorial jurisdiction— and either the state accused of active nationality or the state claiming territorial jurisdiction must be a party to the Rome Statute.61 This requirement to be a party to the Statute is different from the jurisdictional requirements for any other ICC crime. For the crime of aggression, even if “committed by [a] State’s nationals or on its territory”, there will be no jurisdiction if the state has not ratified the Rome Statute.62 Neither the United States nor Israel has ratified the Rome Statute.63 This is a significant obstacle, explored in Section IV. To continue exploring how a cyber crime case could be pursued at the ICC, we will assume the involved states are parties to the Statute. There would be territorial jurisdiction because the events took place on Iranian territory when the Stuxnet worm targeted and destroyed property at the Natanz facility.64

B. Admissibility Requirements

The Prosecutor must then show that all Article 17 and Article 53 admissibility requirements are met. These requirements are complementarity and gravity.65

1. Complementarity

Complementarity is satisfied as long as there are no other investigations or previous prosecutions related to the given case conducted by states with jurisdiction over the conflict—as long as the investigations or prosecutions were not properly and legitimately conducted due to inability or unwillingness.66 For Stuxnet, the state with jurisdiction over the conflict would have been Iran. There is no concrete evidence of an investigation. Furthermore, even if there was an investigation, Iran would have been unable to proceed at a certain point because the case involves other powerful countries; there was no real avenue it could take on its own in order to further inspect the Stuxnet incident or to compel cooperation from the suspected perpetrators. Also, there was evidently no trial or actual punishment of any perpetrators. Therefore, because there are no ongoing investigations, and there was an inability to do so in the first place, the ICC would have jurisdiction. Thus, the ICC would be the court of last resort and the requirement for complementarity is fulfilled.

2. Gravity

The second legal admissibility requirement is gravity.67 There is significant overlap between gravity as a subject matter element of the crime and gravity as an admissibility requirement. In the context of admissibility, however, the Prosecutor considers relative gravity: the seriousness of this crime in comparison to other cases that could be prosecuted at the ICC.68 The Prosecutor considers all available information and can initiate an investigation, unless there is not a reasonable basis to continue.69 There is a reasonable basis if the case at hand is grave enough for the Prosecutor to prioritize it over others and spend some of the limited resources on pursuing the case.70 Proving gravity as an admissibility requirement will prove challenging for cyber attack cases in which there is solely material and economic loss, as explored in Section IV; however, the prosecutor will need to broaden the understandings of these factors if cyber crime is to be tried at the ICC. The factors to consider for the admissibility requirement are the scale, nature, manner of commission of the crimes, and impact of the situation.71

Scale can include the number of victims, extent of damage, and geographical or temporal spread which means a low intensity of crimes over a longer period of time or a high intensity of crimes in a short time frame.72 The Stuxnet worm caused large-scale damage—not only by changing the PLC coding and SCADA data, but also by destroying valuable property and resources when rendering the uranium centrifuges useless. There was economic loss and significant progress postponement. While there were no human victims, there was a large extent of damage in a relatively short time frame.

Nature is evaluated by assessing how serious each specific element of the crime is, with particular focus on crimes against human life or condition.73 The Stuxnet attack could be viewed as one of a serious nature, however it would be the first crime without direct or indirect victims to be considered of sufficient nature. Here, a state deliberately targeted and attacked the territory of another; it is believed that the Stuxnet attack was a war move that weakened Iranian power to respond to any United States embargo policy.74 The determination for whether or not the nature of the crime provides a reasonable basis to proceed with an investigation does not explicitly exclude a situation such as Stuxnet’s. The nature determination is open ended and there seems to be room for Stuxnet to be considered severe enough.

The manner of the commission assessment looks at the means employed to commit the crime, the intent behind it, and if it was systematic or part of an organized policy.75 The manner of commission for the Stuxnet malware is sufficiently fulfilled, as the perpetrators used extremely deceptive means to deploy the malware.76 Also, this attack was not an accident. It was not a case in which there was more damage caused than intended. The perpetrators evidently intended to inflict extreme damage to the Iranian nuclear facility because the worm was deliberately designed to cover up its tracks—optimizing its ability to cause the most amount of destruction possible without raising suspicions.77 The crime was most likely the result of a plan or organized policy since Stuxnet was so complex and necessitated the work of many programmers working to create a program with this particular purpose, and specific location, in mind.

Measuring the impact of a crime weighs the level of inflicted economic damage and how vulnerable a population is after the crime.78 The impact of the Stuxnet cyber attack was sizable. There was significant economic loss and considerable material damage.79 The harm was of such an extent that Iran’s program was back several years.80 The community could be considered increasingly vulnerable after the attack because repairing the damages was a large challenge for a country with strict trading sanctions. Additionally, the malware may have directly injured Iran’s ability to counter subsequent attacks, and left them with vulnerabilities . Again, there are many obstacles to proving these factors which are explored in Section IV. Overall, the Stuxnet cyber attack case could, suppositionally, be one of sufficient gravity which would justify further action by the ICC.

C. Interest of Justice

Lastly, the Prosecutor considers whether pursuing this case is in the interest of justice.81 According to Article 53, the Prosecutor can decide not to go forth with an investigation or prosecution if there is substantial reason to believe it is not in the interest of justice.82 The pre-trial chambers are able to review this decision.83 Here, there is a strong case that an investigation is in the interest of justice, as it would communicate a much-needed message that international cyber acts of aggression are taken seriously and can actually be prosecuted. There are no other mechanisms of justice in this case; the ICC is the only established international body that could pursue it at this time. Furthermore, there is an alarming reality that even more devastating cyber attacks can occur; nations may be targeted in ways that weaken, or eliminate, the ability to self-defend or counterattack to a subsequent attack.84 It is important the ICC be adaptable to the changing world and take on non-kinetic crimes of aggression. This is an increasingly important message with globalization and rapid technological innovation. The most severe cyber crimes should be investigated at the ICC—the forum created for the purpose of prosecuting the most serious international crimes.

In all, the Stuxnet worm case could have met all jurisdictional and admissibility requirements if the situation occurred after January 1, 2017 and one of the involved states was party to the Rome Statute. Thus, it is possible for certain cyber attack cases to satisfy all ICC requirements and warrant the beginning of an investigation, and even potentially be prosecuted. However, there are numerous obstacles which make it practically impossible to exercise jurisdiction over many, if not most, cyber crimes.

IV. Limitations

Most cyber attacks would face several challenges with any of the above requirements for jurisdiction at the ICC. Some of these obstacles are even depicted by the Stuxnet example. These hurdles for cyber crime at the ICC include the limitation to State Parties and state actors, the ability to opt-out from jurisdiction, the issues with a Security Council referral and its act of aggression decision, the high bar for proving manifest violation, and the difficulty in fulfilling the gravity admissibility condition.

A. State Parties and State Actors

First, a significant hindrance to the exercise of jurisdiction over cyber crime is the limitation to only State Parties. As previously explored in Section III(A)(3), Article 15 bis limits the exercise of jurisdiction for the crime of aggression.85 When a case is referred by a state or is investigated proprio motu, but the state is not a party to the Rome Statute, “the Court shall not exercise its jurisdiction […] when committed by that State’s nationals or on its territory”.86 The suspected perpetrators of Stuxnet, the United States and Israel, have not ratified the Rome Statute and, therefore, are not State Parties.87 Thus, the ICC would not actually have jurisdiction over the Stuxnet case. This also seems to negate the ability for states to grant jurisdiction to the ICC, as it bars jurisdiction for any state that is not a party to the Rome Statute. Regardless, if a state was involved but had not ratified the Rome Statute, that state would likely never voluntarily grant jurisdiction to the ICC. Article 15 bis essentially encourages states that are not already parties to the Rome Statute to remain that way in order to stay out ICC jurisdictional reach for the crime of aggression.

Additionally, jurisdiction is limited to only state actors; non-state actors cannot be implicated for the crime of aggression at the ICC.88 While further investigation into the Stuxnet case is believed to most likely implicate one or both of the United States and Israel, much of cyber crime is perpetrated by non-state actors.89 Even if a state could be attributed to the conduct, the crime of aggression is a “leadership crime”. This means that jurisdiction is even further limited to when the crime is conducted “by a person in a position effectively to exercise control over or to direct the political or military action of a State.”90 This makes the exercise of jurisdiction for the crime at the ICC very narrow in scope—limited to the leadership of state actors which are also parties to the Rome Statute.91 Not only would this be an extremely small fraction of cyber crime perpetrators, but proving leadership involvement would also be problematic. The ICC has limited resources.92 Tracing cyber attacks back to their sources is a costly undertaking in itself, and even more so when the programs are of such sophistication as Stuxnet was, for example.93 It would require the services of many cyber experts, but even experts could not guarantee that their work would uncover evidence of state attribution.94 Additionally, if the ICC begins to investigate cyber crime, state actors may be more careful about concealing their involvement and preventing traceability. States could, instead, contract third parties to do the work and ensure this commission would not lead back to a state leader.95 The limitation to leaders of states that are parties to the Rome Statute essentially incentivizes perpetrating states to be even more deceptive and prevent uncovering attribution to the state. This, along with the limited ICC resources and high cost of even attempting to uncover the perpetrators for most cyber crimes, is an overwhelming barrier to exercising jurisdiction at the ICC.

B. Opt-Out Provision

Article 15 bis(4), further weakens the already narrow scope of ICC jurisdiction over the crime of aggression.96 This provision in the Rome Statute effectively allows State Parties to opt-out of jurisdiction over the crime of aggression when the case is referred by another state or investigated proprio motu.97 States may simply “lodg[e] a declaration with the Registrar”.98 As it is, nations already do not have to ratify the Kampala Amendments, or the whole Rome Statute to begin with.99 Article 15 bis takes this even further by allowing any State that is a party to the Statute to declare its rejection of ICC jurisdiction over the crime of aggression.100 If the perpetrator of cyber crime was a party to the Rome Statute, it could simply lodge a declaration with the ICC Registrar.101 There are no repercussions or disincentives to do otherwise.102 While the goal of this provision may have been to encourage more states to ratify the Rome Statute and the Kampala Amendments, it strips the ICC from any actual power in regards to the crime of aggression. Thus, even if prosecuting cyber crime at the ICC is a possibility, Article 15 bis and this specific section 4 provision make the practical exercise of jurisdiction over the crime of aggression impossible.

C. Security Council Referral

The Security Council can refer cases to the ICC, per Article 15 ter of the Rome Statute.103 This could theoretically countervail the issue of the opt-out provision. However, it is highly unlikely the Security Council would even refer cyber crime cases to the ICC given that the five permanent members are the United States, China, Russia, the United Kingdom, and France.104 If any of these countries were involved or suspected of being involved in a case, such as the United States in the Stuxnet case, for example, that state would veto the Security Council referral. Even if one of the five permanent members were not directly involved in a specific case at hand, any of the permanent member states may be reluctant to refer a cyber attack case if involved in other cyber situations or possibly may be involved in the future. Many of these countries are already suspected, and some confirmed, to have been a part of certain cyber attacks.105 These nations would not want to expand ICC jurisdiction to cyber crimes, and potentially implicate its own country later on. Thus, the Security Council referral, while in abstract could help the ICC exercise jurisdiction over cyber crime, is highly unlikely to ever be exercised in cyber crime cases given the permanent membership of the Security Council.

D. Act of Aggression Determination

The Security Council is also responsible for deciding whether a situation rose to the level of an act of aggression.106 This gives the Security Council great gatekeeping power over what cases are pursued at the ICC. There is great potential for this deciding body to limit the ICC’s ability to proceed in a cyber attack case; giving the Security Council this decision-making power can arguably prevent many legitimate cases from being prosecuted, especially, again, considering what countries make up the five permanent members. Several of these permanent members have been suspected to be involved in cyber crime.107 Some of these member states are even confirmed to have been involved in cyber crime.108 Similarly to the Security Council referral, many, if not all, of the permanent members would have significant motive to decide there was no act of aggression in a cyber crime case—whether its country was a perpetrator in the specific case or not. Article 15 bis does outline that, when the Security Council fails to make a determination within 6 months, the prosecutor may proceed with an investigation if the Pre-Trial Division authorized it.109 Yet, this is only when there is no determination on the issue; the prosecutor cannot begin to pursue a case when the Security Council makes the decision that there has not been an act of aggression—and the Security Council arguably has strong motive to make that negative decision. The Security Council could determine cyber crime never reaches the level of an act of aggression and, therefore, prevent the ICC from exercising jurisdiction.

E. Manifest Violation and Gravity

The requirement that there be a “manifest” violation of the U.N. Charter is another barrier for many cyber attack cases. The inclusion of “manifest” language in the article was to ensure only the most flagrant violations would be considered.110 This makes sense when considering the context that the ICC was created to prosecute violators of the most serious crimes in the world. However, this is an extremely high bar that is not conducive to the emerging field of cyber crime—which is in serious need of an international body to step in and begin holding perpetrators accountable. A manifest violation is one of sufficient character, gravity or scale; even in the case of Stuxnet, while it is possible that it was an instance of a manifest violation, this is a stretch. There was no harm inflicted upon people, and no direct or indirect victims. The loss was solely material and financial. While these types of crimes should be prosecuted to deter future commissions and potentially devastating capabilities of cyber attacks, the manifest language can conceivably preclude cases if not considered of proper character or gravity.111 Many cyber attack cases, including Stuxnet, may not be able to meet this high standard.

The gravity admissibility requirement may also be an obstacle. Many cyber attacks inflict damage to incredibly specific targets and may not be as grave, in regard to number of victims or human harm, as other Rome Statute crimes. It is difficult to imagine a case such as Stuxnet being prosecuted at the ICC when other parts of the world experience horrific human rights violations and devastation to whole communities. Yes, there are cyber crime cases that could severely harm large populations such as targeted attacks upon a city’s water or power grids.112 Yet, many cyber attacks are of a less devastating nature, at least in regard to human life or condition. There has not yet been a case in which gravity is successfully tied to financial loss or destroyed resources. Until the Prosecutor pursues a cyber crime case and sets a precedent for what a sufficiently grave cyber attack looks like, it is difficult to realistically believe the vast majority of cases like Stuxnet, which do not result in any human casualties or direct bodily harm, would be of sufficient gravity for the ICC. Additionally, at the time of the Stuxnet case, Iran stated its uranium enrichment facilities were for peaceful purposes and to create nuclear power.113 But any uncovered evidence that these centrifuges would have been used for building nuclear weapons could have hindered meeting the gravity threshold.114 While the prosecutor is an apolitical actor in theory, they would likely consider the very significant backlash of investigating states such as the United States or Israel, especially if it was for damage of material that could have been used to build nuclear weapons. This could even result in decreased legitimacy and respect for the ICC as an institution. It is conceivable that this would color the entire case. It would be difficult to satisfy the gravity requirement on its own, and the political implications could make this even more arduous.

Ultimately, Article 8 bis of the Rome Statute can encompass cyber attacks and allow for cyber attack cases to be prosecuted at the ICC. However, there are significant barriers to practical application. In abstract, the Prosecutor could have opened an investigation into a case like Stuxnet, but even this case uncovers many of the challenges to actually exercising jurisdiction over the crime of aggression at the ICC: the limitation to State Parties and state actors, the opt-out provision, the Security Council referral, the act of aggression determination, proving a manifest violation, and meeting the gravity requirement. While certain cyber crime cases may be pursued at the ICC, this is evidently not the most efficient or effective forum for the investigation or prosecution of cyber crime.

Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).

1. 1.

   Chance Cammack, The Stuxnet Worm and Potential Prosecution by the International Criminal Court Under the Newly Defined Crime of Aggression, 20 Tul. J. Int’l & Comp. L. 303, 315 (2011), paywall. ↩

2. 2.

   Id. ↩

3. 3.

   Jeremy Richmond, Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to the Law of Armed Conflict?, 35 Fordham Int’l L.J. 842, 856 (2012), available online. ↩

4. 4.

   Id. ↩

5. 5.

   Marco Roscini, Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes, 30 Crim. L. Forum 247, 250 (2019), available online, doi. ↩

6. 6.

   Id. ↩

7. 7.

   Cammack, supra note 1, at 316. ↩

8. 8.

   Id. ↩

9. 9.

   Id. ↩

10. 10.

    Maskun, Achmad, Naswar, Hasbi Assidiq, Armelia Syafira, Marthen Napang & Marcel Hendrapati, Qualifying Cyber Crime as a Crime of Aggression in International Law, 13 J. East Asia & Int’l L. 397, 410-411 (2020), available online, doi. ↩

11. 11.

    Id. ↩

12. 12.

    Id. ↩

13. 13.

    Cammack, supra note 1, at 317. ↩

14. 14.

    Id. ↩

15. 15.

    Richmond, supra note 3, at 856. ↩

16. 16.

    Id. ↩

17. 17.

    Cammack, supra note 1, at 315. ↩

18. 18.

    Id. ↩

19. 19.

    Id. at 317. ↩

20. 20.

    Richmond, supra note 3, at 859. ↩

21. 21.

    Id. ↩

22. 22.

    Id. ↩

23. 23.

    Id. ↩

24. 24.

    Id. at 845. ↩

25. 25.

    Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9, as amended [hereinafter Rome Statute], Art. 8 bis(1), available online. ↩

26. 26.

    Definition of Aggression, G.A. Res. 3314 (XXIX), A/Res/3314 (Dec. 14, 1974), available online. ↩

27. 27.

    Id. § 6. ↩

28. 28.

    Cammack, supra note 1, at 319. ↩

29. 29.

    United Nations Charter, Art. 2(4) [hereinafter U.N. Charter], available online. ↩

30. 30.

    Cammack, supra note 1, at 322-323. ↩

31. 31.

    Id. ↩

32. 32.

    Jennifer Trahan, The Rome Statute ’s Amendment on the Crime of Aggression: Negotiations at the Kampala Review Conference, 11 Int’l Crim. L. Rev. 49, 83 (Jan. 1, 2011), paywall, doi, earlier version online. ↩

33. 33.

    Rome Statute, supra note 25, Art. 8 bis(2). ↩

34. 34.

    Id. Arts. 5, 11, 12, 17. ↩

35. 35.

    Id. Art 53. ↩

36. 36.

    Id. Arts. 5, 11, 12. ↩

37. 37.

    Id. Art. 5. ↩

38. 38.

    International Criminal Court, Elements of Crimes, ICC-ASP /1/3, Adopted and Entry into Force 9 September 2002, updated at Kampala, 31 May-11 June 2010, Art. 8 bis (Jun. 11, 2011) [hereinafter Elements of Crimes], available online, archived. ↩

39. 39.

    Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 842 (2012), available online. ↩

40. 40.

    Id. ↩

41. 41.

    Rome Statute, supra note 25, Art. 8 bis(2). ↩

42. 42.

    Elements of Crimes, supra note 37. ↩

43. 43.

    Cammack, supra note 1, at 318. ↩

44. 44.

    Id. ↩

45. 45.

    Id. ↩

46. 46.

    Richmond, supra note 3, at 845. ↩

47. 47.

    Elements of Crimes, supra note 37. ↩

48. 48.

    Id. ↩

49. 49.

    U.N. Charter, supra note 29, Art. 1. ↩

50. 50.

    Elements of Crimes, supra note 37. ↩

51. 51.

    Assembly of States Parties, The Crime of Aggression, RC/Res. 6, at Annex III (Jun. 11, 2010), available online. ↩

52. 52.

    Roscini, supra note 5, at 265. ↩

53. 53.

    Elements of Crimes, supra note 37. ↩

54. 54.

    Richmond, supra note 3, at 893. ↩

55. 55.

    Rome Statute, supra note 25, Art. 11. ↩

56. 56.

    Trahan, supra note 32, at 55. ↩

57. 57.

    Rome Statute, supra note 25, Art. 15 bis(2). ↩

58. 58.

    Press Release, ICC, State of Palestine becomes Thirtieth State to Ratify the Kampala Amendments on the Crime of Aggression (Jun. 29, 2016), available online, archived. ↩

59. 59.

    Rome Statute, supra note 25, Art. 15 bis(2). ↩

60. 60.

    Maskun et al., supra note 10, at 410. ↩

61. 61.

    Rome Statute, supra note 25, Art. 15 bis(5). ↩

62. 62.

    Id. ↩

63. 63.

    Cammack, supra note 1, at 324. ↩

64. 64.

    Roscini, supra note 5, at 262. ↩

65. 65.

    Rome Statute, supra note 25, Arts. 17, 53. ↩

66. 66.

    Id. Art. 17. ↩

67. 67.

    Id. Art. 53. ↩

68. 68.

    Roscini, supra note 5, at 255. ↩

69. 69.

    Rome Statute, supra note 25, Art. 53. ↩

70. 70.

    Roscini, supra note 5, at 255. ↩

71. 71.

    Office of the Prosecutor, ICC, Policy Paper on Preliminary Examinations 3 (Nov. 2013) [hereinafter Policy Paper], available online. ↩

72. 72.

    Id. at 15. ↩

73. 73.

    Id. ↩

74. 74.

    Maskun et al., supra note 10, at 411. ↩

75. 75.

    Policy Paper, supra note 70, at 15-16. ↩

76. 76.

    Cammack, supra note 1, at 317. ↩

77. 77.

    Id. ↩

78. 78.

    Policy Paper, supra note 70, at 16. ↩

79. 79.

    Maskun et al., supra note 10, at 411. ↩

80. 80.

    Cammack, supra note 1, at 304. ↩

81. 81.

    Rome Statute, supra note 25, Art. 53(1). ↩

82. 82.

    Id. ↩

83. 83.

    Id. Art. 53(3). ↩

84. 84.

    Maskun et al., supra note 10, at 416. ↩

85. 85.

    Rome Statute, supra note 25, Art 15 bis. ↩

86. 86.

    Id. Art. 15 bis(5). ↩

87. 87.

    Richmond, supra note 3, at 845. ↩

88. 88.

    Hathaway et al., supra note 39, at 824. ↩

89. 89.

    Johan Sigholm, Non-State Actors in Cyberspace Operation s, 7 J. Mil. Stud. 1 (Nov. 22, 2016), available online, doi. ↩

90. 90.

    Rome Statute, supra note 25. ↩

91. 91.

    Id. ↩

92. 92.

    Sang-Hyun Song, Second President of the ICC, Keynote Speech for the 20th Anniversary of the Rome Statute, Past Achievements and Future Challenges of the ICC (Jul. 17, 2018), available online. ↩

93. 93.

    Maskun et al., supra note 10, at 416. ↩

94. 94.

    Id. ↩

95. 95.

    Cammack, supra note 1, at 322. ↩

96. 96.

    Trahan, supra note 32, at 83-84. ↩

97. 97.

    Rome Statute, supra note 25, Art. 15 bis(4). ↩

98. 98.

    Id. ↩

99. 99.

    Id. Art. 12. ↩

100. 100.

     Id. Art. 15 bis(4). ↩

101. 101.

     Id. ↩

102. 102.

     Id. ↩

103. 103.

     Id. Art. 15 bis(1). ↩

104. 104.

     Current Members, S.C., available online (last visited Feb. 25, 2022). ↩

105. 105.

     Sintia Radu, China, Russia Biggest Cyber Offenders, U.S. News & World Rep., Feb. 1, 2019, available online. ↩

106. 106.

     Rome Statute, supra note 25, Art. 15 bis(6). ↩

107. 107.

     Radu, supra note 104. ↩

108. 108.

     Id. ↩

109. 109.

     Rome Statute, Art. 15 bis(8). ↩

110. 110.

     Trahan, supra note 32, at 58. ↩

111. 111.

     Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield, 3 Duke L. & Tech. Rev. ¶ 10 (2010), available online. ↩

112. 112.

     Id. ↩

113. 113.

     Richmond, supra note 3, at 858. ↩

114. 114.

     Id. ↩