A Single Comment — Permalink
© ICCforum.com, 2010–2024. All rights reserved. Policies | Guidelines
Featured Comments
- Jordan Murphy: The Extent to Which Cyberwarfare May Constitute Crimes Under the Rome Statute and Conditions for Accountability The International Court of Justice held in 1996 that international humanitarian law applies to all means of warfare, including those of the future.1 Such a concept must be applicable to the Rome Statute; if means and methods of war change, so too must the laws regulating them. The regulation of cyber... (more)
- Rory Razi: Cyber Attacks and the Crime of Aggression With rapidly advancing technology comes the disastrous reality of cyber attacks. This comment explores whether cyber attacks can be prosecuted at the International Criminal Court (ICC) as crimes of aggression. Section I discusses the Iran Stuxnet cyber attack. Section II, explores creative interpretation of the Rome Statute, Art. 8 bis, and... (more)
- SimonRuhland: Economic Cyber Crimes and the Rome Statute Summary This comment examines the possibility to prosecute perpetrators of economic cyber attacks under the Rome Statute. It considers economic cyber attack to be cyber attacks on financial institutions, businesses, or individuals with the primary goal of financial enrichment. The comment first assesses the possibility of prosecution under Article 8 and... (more)
- danielkim0610: Defining the Unique Issues Prosecuting Criminal Cyber Defense Actions Under the Rome Statute Presents: A Lost Cause? Cybersecurity has launched itself to the spotlight within both the scope of governmental organizations protecting national security and private industry keeping their own systems intact. Societal dependence on technology has brought with it the magic of efficiency, cost-effectiveness and widespread digital penetration on a scale... (more)
- Pankhuri97: Incorporation of Cyberwarfare in the Rome Statute: A Futile Endeavour Introduction How wars are conducted has evolved throughout history with nations adopting more and more efficient and sophisticated means of causing mass destruction. We are witnessing a transition from traditional weapons such as ammunition to cyber weapons. The Tallinn attack of 2007, the Georgia hack of 2008 and the Stuxnet worm detected in 2010 are already some... (more)
- Jeng2023: Tackling Territoriality: Fitting Cyber Crimes into the Crime of Aggression Introduction Territoriality has always been a key issue in national sovereignty. Wars have been fought over borders of nations, as territorial disagreements are often the precursor to war.1 This has led to conclusions where: “if you want to avoid war, learn how to settle territorial disputes non-violently.”2 However, the uniqueness of cyber activities... (more)
- JohnG: Distinguishing Cyberwarfare in the Law of Armed Conflict I. Introduction The dawn and parabolic expansion of the Internet over the last half-century revolutionized how individuals, businesses, organizations, and states interact with one another. As states and their militaries have become increasingly interconnected and dependent on these technologies, a new realm of warfare has evolved beyond the conventional battlefields of air, land,... (more)
- Smithp2022: Social Media May be Used to Commit Genocide Under the Rome Statute I. Introduction As technology progresses, cyber crime grows as a concern on a national, transnational, and international level. As the International Criminal Court pursues its goals of holding actors accountable for criminal violations of international law in 2022 and beyond, it will have to contend with a world that depends more and more on technology in all... (more)
- mschneer: Accountability for NotPetya: Why the International Criminal Court Can, and Should, Prosecute the Perpetrators of the NotPetya Cyber Attack as a War Crime I. Introduction In June 2017, a popular Ukrainian tax accounting software called M.E.Doc underwent a routine software update. Unbeknownst to the thousands of Ukrainians who use this software, that update served as the entry point for a destructive malware that would soon gain access to... (more)
Comment on the Cyberwarfare Question: “To what extent and under what conditions might cyber operations or cyberwarfare constitute crimes specified in the Rome Statute?”
The Extent to Which Cyberwarfare May Constitute Crimes Under the Rome Statute and Conditions for Accountability
The International Court of Justice held in 1996 that international humanitarian law applies to all means of warfare, including those of the future.1 Such a concept must be applicable to the Rome Statute; if means and methods of war change, so too must the laws regulating them. The regulation of cyber operations presents novel challenges for attributing criminal responsibility, particularly where advanced technology acts partially or wholly autonomously. It is possible, and necessary, to hold the perpetrators of crimes facilitated through cyber operations accountable, not least with the exponential advancement of artificial intelligence. Under certain conditions, this will be the case with a traditional interpretation of the Rome Statute; under others, the scope of criminal accountability may need to evolve alongside the means in which war crimes are committed.
I. Accountability Under the Rome Statute
Attributing accountability at the International Criminal Court (ICC) poses difficulty in prosecutions of even traditional war crimes. Article 5 of the Rome Statute limits the Court’s jurisdiction to only the most serious crimes under international law, which themselves set a high bar for both physical and mental elements.2 Genocide, for example, requires the actus reus to coincide with intent to destroy a group; the scope of crimes against humanity necessitate the act to occur within the context of a widespread or systematic attack; and the ICC has jurisdiction over war crimes insofar as they are committed as part of a plan or policy.
Once the actus reus of those crimes has been established, proving individual criminal responsibility presents the next difficulty, particularly where the high evidentiary burden is exacerbated by the challenges associated with collection of evidence during armed conflicts. For cyber operations, there is another barrier: the practical specification that accountability for crimes within the jurisdiction of the ICC relates to natural persons. The ICC’s jurisdiction is limited to natural persons;3 command responsibility requires a superior’s knowledge of crimes committed by subordinates;4 and individual criminal responsibility applies to a culpable “person.”5
Complexity therefore exists where the actus reus of a crime under the Rome Statute is directly perpetrated by cyber software or autonomous technology, such as a bug, virus, or artificial intelligence facilitating an illegal attack without the direct control of a combatant. Attributing intent, knowledge, and individual criminal responsibility where a crime is perpetrated by software is therefore both an evidentiary and substantive challenge. This inherent difficulty may cause such scenarios to slip outside of the scope of the Rome Statute where cyber operations are conducted by autonomous systems.
However, it is necessary to overcome this difficulty, evident in the exponential growth of cyber and autonomous technology utilized by states during armed—or non-armed—conflicts in the 21st century. In the dawn of artificial intelligence in military and civilian technology, the applicability of accountability pursuant to the Rome Statute will be even more necessary for war crimes that are perpetrated by these systems, whether in cyberspace or on the ground.
II. The Use of Cyberwarfare in Armed Conflict
Whilst the Russia-Ukrainian conflict has transpired predominantly with traditional methods of war, it has also served as a cyber battleground. The war has featured modern technology developed to confer a military advantage with a similar degree of destruction expected from an armed attack. The 2017 ransomware attacks on Ukraine through the malware “Petya” is considered by many, including the United States, as both the most destructive cyberattack in history, and an attack from Russia.6 Financial institutions, government ministries, and public services were temporarily destabilized. Furthermore, although military objects were targeted, Petya also attacked private and civilian property through its indiscriminate design, including even hospital systems in Pennsylvania.7 Despite the U.S. estimating over $10 billion in economic damages were caused, the more significant impacts were perhaps the destabilization of Ukraine’s national infrastructure, from government services to transport to media.8 As the White House stated in not-uncertain terms: “It was part of the Kremlin’s ongoing effort to destabilize Ukraine.”9
Whilst the link between the cyber operation and the implication for Ukraine requires an adaptation of the traditional conceptualization of kinetic attacks, such an adaptation has been recognised in international jurisprudence. Scholars note that cyber operations may reach the threshold of aggression and gravity needed for culpability under the Rome Statute; for example, if a cyber operation disrupts emergency systems for first responders leading to civilian death.10 Moreover, it is widely agreed that cyberwarfare may have kinetic consequences and a degree of harm comparable to traditional weapons, which if used to commit war crimes, should not escape the scope of the Rome Statute.11 Although no war crime was alleged, the 2010 “Stuxnet” cyberattack on Iran’s nuclear infrastructure could likely satisfy this instrument-based test based on its gravity.12 Experts drafting the Tallinn Manual on the International Law Applicable to Cyber Operations recognized the duty for states to ensure that the use of cyber operations complies with the same rules of war that bind traditional weapons.13 It is difficult to argue that this ought not apply to military commanders controlling their use on the battlefield.
III. The Issue of Accountability for Crimes Perpetrated Through Cyber Operations
For cyberwarfare, a more complex issue than merely the requisite kind and degree of a criminal act captured by the Rome Statute, is the issue of accountability. Once a crime has prima facie been perpetrated through cyberwarfare, the requirements for the necessary mens rea and individual criminal responsibility must be attributed to a natural person. For standard cyber operations, this is a difficult ask: although both Ukraine and the U.S. documented evidence that Russia was responsible for the Petya cyberattack, no perpetrator was identified and no case was brought.
The ICC has held that, for the purpose of Article 8(2)(b), no actual damage or destruction is needed; only that a perpetrator launches an attack.14 In turn, the ICTY has held that the act of direction is satisfied where a perpetrator plans, orders, aids, or abets the attack’s instigation.15 Therefore, no direct kinetic damage is needed for the actus reus of either crime related to protected persons or objects under the Rome Statute—although the destruction of data and cyber property could arguably meet this standard in realities of the 21st century—only that an attack was directed against them.
However, the barriers to criminal accountability for the kind of cyberattack constituting a crime under the Rome Statute are, firstly, the requisite mens rea and, secondly, satisfying individual criminal responsibility with the evidentiary and prescriptive challenges associated with cyberwarfare. These difficulties will be more apparent as cyberwarfare evolves: what began as viruses targeting state-owned infrastructure directed by government developers could soon become entirely created, executed, and controlled by self-learning artificial intelligence.
This scenario is made even more complex for the international legal framework with the rapid expansion of “intelligent agents”: highly autonomous systems that can self-learn, make decisions, and outperform human capabilities. In the context of criminal accountability pursuant to the ICC, such a concept presents additional difficulty where there is financial and operational collaboration between the public and private sector; for example, the critical role of Microsoft and donors like Elon Musk in funding the development of Open AI. Where private entities are responsible for military assets, such as Musk’s September 2023 Pentagon contract for military satellites or Ukraine’s plan to use Musk’s “Starlink” to attack Russian naval vessels, the application of traditional jurisprudence on military combatants and criminal responsibility becomes blurred.16
IV. The Mens Rea Issue for Cyberwarfare
As aforementioned, the mens rea standard for crimes under the Rome Statute is intent and knowledge.17 It is relevant that this mental element apply to the material elements of the charge, meaning that intent and knowledge must be attributed to all material conduct constituting the crime. For example, an alleged perpetrator must have knowledge that the execution of a cyber operation will result in the commission of a crime under the Rome Statute, and intends to engage in the necessary act or is aware that it will occur in the ordinary course of events.
In the Petya example, this is a significant difficultly when considering the likely intended target of Ukrainian infrastructure and the self-replicating, self-adjusting nature of the highly-infectious virus. For “traditional” viruses, it is likely that the use of biological warfare is inherently unlawful due to its inherently indiscriminate nature, its propensity for inhumane and disproportionate suffering, and the ICTY’s treatment of the 1925 Geneva Protocol prohibiting chemical warfare as international customary law.18 For cyberwarfare that seeks to infect property, data, and infrastructure—physical, rather than biological systems—no such rule exists, and the mental elements under Article 30 must be attributed to the consequences of the cyberattack.
This burden of proof is especially problematic where there is the issue of autonomy. The use of cyberwarfare may be direct and surgical, such as Stuxnet developers ensuring that the virus could only target certain militarily-relevant software and containing safeguards against spreading to civilian computers.19 However, particularly with the involvement of artificial intelligence, cyber operations may be executed partially or wholly through autonomous systems. In 2023, the Georgetown Center for Security and Emerging Technology published a policy brief on autonomous cyber defense systems, as a direct response to the “immense damage caused by cyberattacks and recent advances in artificial intelligence.”20 The use of autonomous defense systems necessarily envisages the use of contrary autonomous cyber weapons systems. If artificial intelligence can identify, target, and execute defense operations to protect cyber infrastructure, it is a reasonable logical extension that artificial intelligence can autonomously identify, target, and execute hostile cyber operations. If cyber operations are executed with a kinetic link to harm, it is possible that such operations could be in violation of the Rome Statute, if those responsible do not implement adequate safeguards.
V. Individual Criminal Responsibility for Cyberwarfare: Evidentiary and Legal Challenges
The second barrier to accountability lies in Article 25 of the Rome Statute: individual criminal responsibility once a crime has been established. As aforementioned, criminal culpability requires that a natural person not only meet the physical and mental elements of the crime, but also meet the requirements for individual culpability. This creates both evidentiary and conceptual difficulties in regards to crimes related to cyberwarfare.
The issue with the collection of evidence and its attribution to individual perpetrators is exacerbated with cyberwarfare. Although limited evidence exists, major cyber operations like Petya and Stuxnet have not been pinned on any perpetrator, public or private. The line between the two also adds complication, such as the evidence suggesting “private” entities Kaspersky Lab and Equation Group may be secretly state-controlled by Russia and the United States, respectively. Cyberwarfare is deliberately kept in a legal grey area, so that militaries may operate clandestinely; it was not until Edward Snowden’s whistleblowing that U.S. “offensive cyber operations” capabilities were somewhat revealed.21 Despite no physical acts of aggression, policy documents demonstrate thousands of cyber operations directed at controlling or destroying foreign infrastructure, all of which the Obama Administration declined to acknowledge.22
The other challenge for accountability is a prescriptive one; that is, meeting the legal requirements for individual criminal responsibility. If the Prosecutor were to charge an intelligence director or head of state for a crime committed through cyberwarfare, that Prosecutor must satisfy the “known or should have known” test under Article 28 of the Rome Statute to establish culpability. That burden is difficult to establish where a cyberattack, with kinetic consequences on protected persons or property, can be defended by pointing to rogue software, an unforeseeable deviation of the cyber operation from the plan, or autonomous artificial intelligence. For individual criminal responsibility under Article 25, the crime must be attributed to a “person,” who must have committed, ordered, or facilitated the actus reus of the criminal element of the cyber operation—not simply the cyber operation itself—resulting in the same legal difficulties.
VI. The Extent to Which Accountability for Crimes Under the Rome Statute Exists for Cyberwarfare
Criminal responsibility for cyber operations that constitute crimes under the Rome Statute—those with a kinetic and causal link to a violation—is possible under current legal conceptualizations. Although evidentiary and practical legal barriers exist in identifying and prosecuting individual perpetrators, those barriers can be overcome. For example, a cyber operation that targets infrastructure resulting in extensive destruction and appropriation of property not justified by military necessity, in violation of Article 8(2)(a)(iv) of the Rome Statute, may be attributed to a military intelligence officer with intent and knowledge related to the material elements of that operation.
This understanding that cyber operations may constitute crimes under the Rome Statute is widely-held. The International Committee of the Red Cross unequivocally considers that “cyber tools that spread and cause damage indiscriminately is prohibited” and that the interconnectivity of cyberspace means that a “cyberattack on a specific system may have repercussions on various other systems,” which may create the material elements of a crime.23 For example, the expansionist and aggressive nature of Petya took it from lawfully-targeted Ukrainian infrastructure to a protected hospital in the United States.
International criminal law foresaw the necessity of its application to future methods of warfare, as the International Court of Justice confirmed, such as the obligation to assess the lawfulness of new technology under Article 36 of Additional Protocol I to the Geneva Conventions.24 As such, military commanders are obligated to ensure that the development and use of cyber technology does not disproportionately or indiscriminately target civilians or civilian infrastructure, applying the rules of the Rome Statute just the same as with traditional means of warfare.
However, the extent to which criminal culpability under the Rome Statute applies to cyberwarfare may require the Prosecutor to assess the cyber operation with a degree of analysis that proves a practical barrier to liability. As Gervais notes, although cyberattacks directed at the networks of protected objects would be unlawful, incidental damage to civilian infrastructure would not constitute a violation:
The Prosecutor’s investigation of an alleged crime necessitates an assessment of not only the gravity and material elements constituting the crime, but an assessment of the material elements of the cyber weapon used (including its capability for distinction, proportionality, and any mitigating components like safeguards), correct identification of the perpetrators (public or private), and a determination of the mental elements of the Rome Statute. The latter subsequently includes assessment of the likely intent of the developers and executors of the cyberweapon, and a determination of whether those perpetrators knew or ought to have known the foreseeable consequences of the cyberattack.
This would require not only a legal assessment, but a detailed technological analysis of the cyber weapon to ascertain its likely use and the foreseeability and likelihood of repercussions constituting a crime. Such a legal and investigative burden may be particularly challenging for an Office handling multiple situations, cases, and resource constraints. However, it does not deter from the fact that, to the extent that a perpetrator may be identified and evidenced to be responsible, cyberwarfare may constitute a crime under the Rome Statute.
VII. The Conditions for Accountability Where Cyber Operations Include Autonomous Systems
As previously mentioned, conditions for accountability may necessitate adaptation to international criminal law where cyberwarfare involves autonomous systems. Brownlie writes that “adapting the principles of international humanitarian law to the use of cyberattacks is not only possible but also appropriate given its growing popularity.”26 It is arguable that cyber operations, like the kind described above, do not necessitate an adaptation of principles. Instead, cyberattacks with targets or consequences that constitute the elements of a crime under the Rome Statute may be unlawful under existing principles.
I assert that cyberwarfare instead may require an adaptation of accountability pursuant to the Rome Statute. This is particularly where there are autonomous elements to the attack, such as autonomous systems or control by artificial intelligence. The distinction lies in where the individual alleged to be responsible for the attack lies along the metaphorical “loop.” In artificial intelligence jurisprudence, the “loop” refers to the chain of critical tasks performed by a system: “on-the-loop” systems include a natural person capable of exercising meaningful control over their critical functions, and “out-of-the-loop” systems can perform their critical functions without any human intervention.27
The challenge for accountability in artificial intelligence and autonomous cyber systems arises where the material elements of a crime (for example, the unlawful direction of a cyberattack against civilian property) are perpetrated without a natural person exercising meaningful control. In such a scenario, it is difficult to attribute both actus reus and mens rea to a natural person under the jurisdiction of the ICC, and establish the requirements for individual criminal responsibility.
For a natural person to be culpable under the Rome Statute for an “out-of-the-loop” cyberattack, the Prosecutor would have to overcome multiple barriers beyond proving the elements of the crime. The Prosecutor would firstly have to prove that, for example, an “attack” within the meaning of the Rome Statute was directed at a protected person or property. This necessitates an approach that considers the cyber network or infrastructure of a protected object as part of that object and falling under its protection; for example, the cyber systems of the hospital in Pennsylvania. Where there is a kinetic consequence, such as the technological failure of hospital equipment with health implications for civilians, this may be established, especially since no physical damage is required (only that an “attack” according to law was directed).
However, any of the corresponding crimes specified in the Rome Statute for targeting a protected person or object require the “intentional” direction of an attack, thereby including a mental aspect in the actus reus of the crime.28 This complexity is especially burdensome in conditions where the launching of the attack (pursuant to the judgement of the ICC)29 is directed by software controlled by artificial intelligence operating autonomously. The travaux préparatoires adopted the interpretation that this requisite intentionality applies to not only the direction of an attack, but also to the unlawful object of the attack; that is, a perpetrator must intentionally direct an attack and intentionally do so against a protected person or object, thereby requiring factual awareness of its protected status.30
The Prosecutor must then satisfy the mental elements under Article 30 of the Rome Statute. Intent to carry out the material elements of the crime is difficult to attribute where those elements were technically “directed” by an autonomous computer virus or an artificial intelligence. A military officer may intend to utilize such a cyber operation, but not intend the consequences that were natural and foreseeable with the cognitive capability of the artificial intelligence but not the individual. For example, AI software may be developed to attack lawful targets, but its inherent autonomy and ability to operate completely “out-of-the-loop” means it will cause indiscriminate harm to civilian systems. In such a scenario, the developers may point to their lack of intent or awareness to escape culpability, and it would be difficult to prove awareness of how an artificial intelligence will operate in the ordinary course of events.31
Where an artificial intelligence cyber system can also self-learn and adjust decision-making processes, it may be impossible to attribute knowledge to a human developer. Releasing Petya or Stuxnet on the battleground with the intention to attack military targets may be lawful; requiring awareness of how a cyber system with cognitive capabilities exceeding that of a human will operate in the ordinary course of events may be unjust. For the purposes of a prosecution, this may be the case even when a military commander was negligent or reckless in the development and utilization of such a software.
Finally, if the physical and mental elements of the charge are satisfied, the Prosecutor must then attribute individual criminal responsibility to a natural person. In the previous example, where AI software that conducts a cyberattack against a hospital, the Prosecutor must establish culpability under Article 25(3) of the Rome Statute. This necessitates that a person (commander or subordinate) directly commits the crime; indirectly commits it with or through another person; orders, aids, or abets the crime; or contributes within a group of persons acting with a common criminal purpose.
In all cases, Article 25 of the Rome Statute requires that a natural person be meaningfully and materially involved in the actual commission of the crime. Insofar as ordering, soliciting, or inducing under Article 25(3)(b) is applicable where a military commander “orders” the execution of an unlawful attack by a cyber operation, this may be impractical where the attack is executed by artificial intelligence, with its own cognition, capable of making decisions without direct orders to commit the criminal act.
VIII. The Possibility of Adaptation for Accountability Under the Rome Statute
As Erik Jenson writes, “Too narrow a view on accountability unnecessarily limits the application of legal norms to autonomy on the battlefield.”32 Whilst this is undoubtedly the case in the development of legal norms and application of principles, accountability in the context of crimes specified in the Rome Statute may require an unnatural stretching of its scope.
One possible solution is a broad consideration of what physical and mental elements are required to order the commission of a crime under Article 25(3)(b) of the Rome Statute where the attack is targeted and executed by artificial intelligence. This may also require the mutual understanding amongst states that if an artificial intelligence software or autonomous cyber system is developed and utilized in an armed conflict, military commanders or government leaders may be held to a high standard of awareness and foreseeability. This may unfairly attribute an understanding of artificial intelligence to leaders, who lack full knowledge of what the ordinary course of events is in an artificial intelligence’s chain of decision-making and actions. However, it would also seek to ensure that the use of cyber software with cognitive capabilities can comply with international criminal law in all circumstances, and hold military commanders and state leaders accountable for the approval of such systems.
Another normative solution is the expansion of “personhood” within the context of the Rome Statute. As aforementioned, individual criminal responsibility necessitates the natural person as both perpetrator and executor. Even in the case where the accused is responsible for committing a crime with or through another person, or acts in a group of persons who jointly commit the crime, the crime must be physically executed by at least one person. Even where the Rome Statute specifically states that only the perpetrator’s criminal liability is at question, the executor must be a “person.”33
If a military commander or state leader is responsible (in a practical sense) for the development, approval, and deployment of artificial intelligence software that results in the elements of a crime, the most natural form of culpability is indirect criminal responsibility. Specifically, a perpetrator is indirectly responsible for committing a crime through the executor that pulled the trigger (or, in the case of cyberwarfare, launched the code). The Rome Statute intentionally specified that the executor’s own criminal responsibility is irrelevant for indirect criminal responsibility. Whether a person or a machine, only the perpetrator’s culpability is considered, meaning that the ICC does not need to have jurisdiction over the executor.34
The ICC has held that indirect perpetration, or “perpetration-by-means,” occurs where the “perpetrator-by-means uses the executor as a mere tool or an instrument for the commission of the crime.”35 This complements the express provision that the executor’s intent, knowledge, and responsibility is not required. Therefore, it is only necessary to assess the perpetrator’s awareness to establish the requisite mens rea of intent and knowledge. It is arguable that in the realities of warfare and technology in the 21st century, artificial intelligence may be considered a “person” within the scope of Article 25(3)(a) of the Rome Statute.
A cyber system may be self-learning, self-operating, completely out-of-the-loop, and possess cognitive capabilities exceeding that of a natural person’s. An artificial intelligence may execute the decision-making processes of a crime autonomously, just as a person would. Although the software cannot be culpable under the Rome Statute, it does not need to be. Only the commander who possessed awareness of its use and consequences would be culpable under this conceptualization of personhood in this example. By attributing a form of legal personhood to artificial intelligence for the sole purpose of indirect criminal liability in the context of the Rome Statute, the door may be opened for accountability for developers and commanders.
IX. Conclusion
International humanitarian law applies to all means of warfare, including those of the future. When the International Court of Justice envisaged those new methods, it is likely they considered cyber operations with kinetic consequences for protected persons or property.36 It is less likely that they considered the scope and extent of artificial intelligence capabilities in armed conflict, and the degree to which armed conflict will be waged in cyberspace. The extent to which cyberwarfare may constitute crimes under the Rome Statute depends on the application of rules to cyberattacks as traditional warfare, albeit with a different conceptualization of what constitutes unlawful targets in relation to networks and cyber infrastructure.
A greater difficulty is the question of accountability, particularly as artificial intelligence is used to make systems more autonomous and more intelligence, thereby distancing any one person from the chain of decisions and actions leading to the commission of a crime. Although possible under current interpretations of the Rome Statute, notwithstanding evidentiary and practical challenges for the Prosecutor, it may be necessary to expand the scope of accountability in the future as artificial intelligence and cyberwarfare become more engrained in the means and methods in which wars are waged.
Endnotes — (click the footnote reference number, or ↩ symbol, to return to location in text).
Legality of the Threat or the Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J., ¶ 86 (Jul. 8, 1996), available online, archived. ↩
Rome Statute of the International Criminal Court, Adopted by the United Nations Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court, Jul. 17, 1998, U.N. Doc. A/CONF.183/9 [hereinafter Rome Statute], Art. 5, available online. ↩
Id. at Art. 25(1). ↩
Id. at Art. 28. ↩
Id. at Art. 25(3). ↩
Sarah Huckabee Sanders, White House Press Secretary, Statement on NotPetya (Feb. 15, 2018), available online. ↩
Western PA Hospital Victim of Russian Cyber Attack, DOJ Says, WPXI News, Oct. 19, 2020, available online. ↩
Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyber Attack in History, Wired (Aug. 22, 2018), excerpt available online. ↩
Sanders, supra note 6. ↩
Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int’l L. 525, 526 (2012), available online. ↩
Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat’l L. 885, 888 (1999), available online. ↩
Ian Brownlie, International Law and the Use of Force by States 362 (Mar. 26, 1963), paywall. ↩
Michael N. Schmitt ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 467 (2017), paywall, doi. ↩
The Prosecutor v. Bosco Ntaganda, ICC-01/04-02/06, Judgment, ¶ 1136 (ICC TC VI, Jul. 8, 2019), available online. ↩
Prosecutor v. Thomir Blaškić, IT-95-14, Judgment, ¶ 31 (ICTY TC, Mar. 3, 2000), available online. ↩
Tara Copp, Elon Musk Blocking Starlink to Stop Ukraine Attack Troubling for DoD, AP, Sep. 12, 2023, available online. ↩
Rome Statute, supra note 2, at Art. 30. ↩
Prosecutor v. Dusko Tadíc, IT-94-I-AR72, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶¶ 96–127 (ICTY AC, Oct. 2, 1995), available online. ↩
William J. Broad, John Markoff & David E. Sanger, Stuxnet Worm Used Against Iran was Tested in Israel, N.Y. Times, Jan. 15, 2011, paywall. ↩
Andrew Lohn, Anna Knack, Ant Burke & Krystal Jackson, Georgetown Center for Security and Emerging Technology, Autonomous Cyber Defence: A Roadmap from Labs to Ops 2 (Jun. 2023), available online. ↩
Barton Gellman & Greg Miller, “Black Budget” Summary Details U.S. Spy Networks Successes and Failures, Wash. Post, Aug. 29, 2013, paywall. ↩
Barton Gellman & Ellen Nakashima, U.S. Spy Agencies Mounted 231 Offensive Cyber Operations in 2011 Documents Show, Wash. Post, Aug. 30, 2013, paywall. ↩
International Humanitarian Law and Cyber Operations During Armed Conflicts—ICRC Short Papers, ICRC (Mar. 7, 2023), available online. ↩
Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, Art. 36, 1125 U.N.T.S. 3 (Jun. 8, 1977) [hereinafter Additional Protocol I], available online, archived. ↩
Gervais, supra note 10, at 525. ↩
Brownlie, supra note 12, at 362. ↩
Swati Malik, Autonomous Weapon Systems: The Possibility and Probability of Accountability, 35 Wis. Int’l L.J. 609, 612 (May 24, 2018), available online. ↩
Rome Statute, supra note 2, at Arts. 8(2)(b)(i)-(iii), 8(2)(b)(ix). ↩
Prosecutor v. Ntaganda, supra note 14, ¶ 1136. ↩
Prosecutor v. Blaškić, supra note 15, ¶ 185. ↩
Rome Statute, supra note 2, at Art. 30(2)(b). ↩
Erik Talbot Jensen, Autonomy and Precautions in the Law of Armed Conflict, 96 Int’l L. Stud. 577, 594 (2020), available online. ↩
Rome Statute, supra note 2, at Art. 25(3)(a). ↩
Id. at Art. 25(1). ↩
The Prosecutor v. Germain Katanga and Mathieu Ngudjolo Chui, ICC-01/04-01/07-717, Confirmation of Charges, ¶ 495 (ICC PTC I, Sep. 30, 2008), available online. ↩
Legality of the Threat or the Use of Nuclear Weapons, supra note 1. ↩