Cyber Operations as Crimes at the International Criminal Court

by

,
| Oct 4, 2023

ICC cyber operations

Editors’ Note: The authors co-led a discussion group at the 2023 International Humanitarian Law Roundtable in Chautauqua, New York, on the topic of Cyber Attacks and the Rome Statute. This post reflects discussion points raised during the session. They thank the discussion group for their insightful contributions and look forward to future conversations on this topic.

Over the past several years, Russia has been accused of carrying out a significant number of cyber operations against Ukraine. Some of these might amount to crimes within the jurisdiction of the International Criminal Court (ICC). Other rogue States could also carry out harmful cyber operations in the near future.

As Karim Khan, the ICC Prosecutor, recently wrote, “[a]s states and other actors increasingly resort to operations in cyberspace, this new and rapidly developing means of statecraft and warfare can be misused to carry out or facilitate war crimes, crimes against humanity, genocide, and even the aggression of one state against another.” In a recent press communication, the Office of the Prosecutor (OTP) confirmed that “in appropriate circumstances, conduct in cyberspace may potentially amount to war crimes, crimes against humanity, genocide, and/or the crime of aggression.” Moreover, Prosecutor Khan has announced that the OTP will develop a policy paper on the investigation and prosecution of cyber operations.

We agree with the OTP and argue that a cyber operation of sufficient gravity, causing serious loss of life or physical damage, could potentially fall within the jurisdiction of the ICC. (For an important report on the topic, see here; for prior writings by Trahan see here and here.)  Moreover, a potential investigation and subsequent prosecution of those responsible for serious cyber operations in situations where such operations amount to crimes covered by the Court’s jurisdiction, and possibly even the issuance of an ICC policy paper (and/or statements by the Prosecutor), could potentially contribute to deterring such crimes. We are not making the case that all actors will be deterred, but a first step in deterrence, to the extent it is possible, is certainly raising awareness.

Despite the importance of concluding a policy paper and using the Rome Statute’s jurisdictional regime to its fullest potential to investigate and prosecute individuals responsible for grave cyber operations, it is important to recognize that various factors may limit the Court’s jurisdiction over cyber operations. Thus, only a small number of serious cyber operations may amount to a prosecutable offense before the ICC. Yet the good news is that no amendment to the ICC’s Rome Statute is required. Cyber is a means by which each of the crimes may be committed in whole (an operation conducted solely through cyber) or in part (a “blended” attack consisting of conventional or kinetic means as well as cyber).

In this post, we will first discuss limiting factors, with a particular emphasis on the element of gravity, before analyzing how specific cyber operations could constitute the crime of aggression. Our focus on the crime of aggression is not meant to suggest that cyber operations cannot and should not be prosecuted as war crimes, crimes against humanity, or genocide. Instead, we have chosen to emphasize aggression as the Russian invasion of Ukraine represents a flagrant instance of modern-day aggression, committed largely through kinetic means, but also somewhat through cyber operations. We recognize that the ICC does not have jurisdiction in the Ukraine situation over the crime of aggression. Nonetheless, we believe that this analysis remains useful, in particular as evidence is gathered, and related to any future accountability mechanism established for the situation of Ukraine that would have jurisdiction over the crime of aggression.

Limiting Factors

Whether the ICC is able to proceed in a case involving cyber operations will depend on many factors. Some factors limiting the Court’s ability to exercise jurisdiction over, or otherwise proceed with, a situation involving cyber operations include gravity, attribution, jurisdiction, intent, and the Rome Statute’s Article 22 prohibition on construing crimes by analogy. We will focus on gravity as one of the most important limiting factors in the exercise of ICC jurisdiction over cyber operations that constitute Rome Statute crimes. In addition, we briefly discuss the other limiting factors mentioned above.

Gravity

Article 17(1) of the Rome Statute requires all cases to be sufficiently grave to be admissible to the Court. In addition, the Prosecutor has a discretion to consider gravity at the case selection and prioritization stage. Gravity is assessed based on the whole case, and not on individual incidents. In fact, the ICC has clarified in a number of decisions that a case’s gravity is to be assessed holistically, on the basis of both qualitative and quantitative factors. ICC case law has thus specified that the number of victims alone cannot form the basis of a gravity determination, but that the gravity analysis has to do with “the existence of some aggravating or qualitative factors attached to the commission of crimes” (Pre-Trial Chamber II, Situation in the Republic of Kenya).

In the Abu Garda case, the ICC Appeals Chamber confirmed this approach by emphasizing that the gravity threshold could be satisfied in a situation where the number of victims is relatively low, but where the alleged offense impacted not just the direct victims but also millions of other Darfuri citizens. In the Al Mahdi case, the Trial Chamber held that a mid-level perpetrator’s attack on historic sites in Timbuktu, Mali, satisfied the gravity threshold because “the targeted buildings were not only religious buildings but also had a symbolic and emotional value for the inhabitants of Timbuktu.” Thus, in this particular situation, the Court found that although crimes against buildings are generally not as grave as crimes against individuals, the crimes in question were launched in order to cause great emotional impact on the broader population, which in turn rendered these crimes sufficiently grave.

As some scholars and experts have argued, the ICC thus uses an expressivist approach to gravity, which according to Matthew E. Cross “places emphasis on the significance of criminal prosecution and punishment as symbolizing the legal and moral condemnation of the constituents of international criminal law.”

The Office of the Prosecutor has also considered gravity and has clarified, in its policy paper on case selection and prioritization, that the Prosecutor considers gravity as the “predominant case selection criteria” related both to the degree of responsibility of the alleged perpetrator and to charging. Thus, the OTP’s strategic objective is to focus its investigations and prosecutions “on the most serious crimes within a given situation.” Moreover, the OTP exercises discretion and considers the “scale, nature, manner of commission and impact of the crimes” in determining whether to bring a case forward.

Under the Court’s approach to the gravity threshold, as outlined above, and under the OTP’s strategic objectives, it may be argued that some cyber operations should be considered sufficiently grave, particularly if they cause loss of life or serious destruction to physical property. It is an open question whether cyber operations that do not cause loss of life or serious physical destruction could also satisfy the ICC’s gravity threshold. The Human Rights Center at the UC Berkeley School of Law has argued, in an Article 15 communication to the OTP, that a Russian cyber operation against a Ukrainian power grid in the middle of winter should be considered sufficiently grave, because this type of cyber-attack should be viewed as an attack on every home, office, hospital, and other building, which would impact the lives of thousands of Ukrainians who depend on this essential service.

However, it remains unresolved whether such a cyber operation would be considered sufficiently grave if it does not cause fatalities and/or physical destruction on a serious scale. It is also relevant to emphasize that the gravity analysis would disqualify many other types of less serious cyber operations (and a lot of what is more properly considered cyber-crime) from falling within the Court’s jurisdiction on admissibility grounds, as well as on grounds of prosecutorial discretion (not to mention that the elements of a Rome Statute crime may also not be satisfied).

Other Limiting Factors

In addition to gravity, other limiting factors circumscribe the Court’s ability to exercise jurisdiction over cyber operations. Cyber operations are notoriously difficult to attribute, as States may outsource their cyber activities to groups or individuals who may not be easily linked back to the State. Some operations may involve deception, such that it looks like another actor is undertaking them, rather than the actual perpetrator. Finally, it may be challenging to attribute specific cyber operations to specific individuals; as the Court may only exercise jurisdiction over individuals and not over States or other groups, this difficulty in attributing criminal behavior to a specific person may add a significant layer of complexity to the Court’s ability to bring a prosecution. It may also require a significant investment in developing the requisite technical expertise to make such an attribution to the Court’s high evidentiary standards.

Jurisdiction may pose an additional limiting factor to the Court’s potential investigations and prosecutions of those responsible for cyber operations. For the Court to have jurisdiction over a cyber operation that constitutes genocide, a crime against humanity, or a war crime, one would think that the operation would have to take place on the territory of a State party or be committed by a national of a State party. If, for example, an ICC State party were to outsource cyber operations to groups or individuals located on the territory of a non-State party, assuming such cyber attackers are also nationals of the non-State party, that arrangement could preclude the Court from exercising jurisdiction in the situation, depending on where the impact (effects) of the cyber-operation occur. Cyber operations are somewhat like the crime of aggression in that there may be conduct in one State that materializes in the territory of a second State. Thus, if the second State is a Rome Statute State party, then jurisdiction could exist, as the Court may exercise jurisdiction in situations where at least one element of the underlying crime is committed on the territory of a State party (see ICC, Pretrial Chamber Ruling on Prosecutor Request). The ICC’s jurisdictional regime over the crime of aggression is even more restricted, as discussed below, which in turn creates even more limiting conditions for the exercise of jurisdiction over a cyber operation amounting to, or part of, the crime of aggression.

In cases involving cyber operations, the intent requirement may also limit what can be prosecuted. Cyber operations may have unintentional or unpredicted consequences in light of the complexity of the technology used and its potential for spillover effects. The ICC’s rulings on intent appear to exclude responsibility for unforeseen consequences and limit responsibility even for foreseen consequences if these are not intended (see, e.g., Mohamed Elewa Badar & Sara Porro, “Art. 30(2)(b), Intent in Relation to Result,” Case Matrix Network). Thus, any kind of broad proliferation of a cyber-operation beyond the intended target, under this approach, would be beyond the Court’s reach.

Finally, Article 22(2) of the Rome Statute provides that “the definition of a crime shall be strictly construed and shall not be construed by analogy.” Applying the Rome Statute to cyber operations cannot involve a liberal interpretation of the Statute, as that could run afoul of Article 22(2). The crime must fit directly into the elements of the crimes.

Despite the above-discussed limiting factors, some cyber operations may constitute crimes within the Rome Statute (or an aspect of a Rome Statute crime) and may be investigated and prosecuted. (For a broader discussion, involving all four Rome Statute crimes, see, e.g. here.)  The next section focuses on the crime of aggression, and discusses whether cyber operations may amount to uses of force constituting aggression.

Cyber Operations and the Crime of Aggression

Article 8bis, paragraph 1 of the Rome Statute specifies,

“crime of aggression” means the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.

Paragraph 2 indicates that an act of aggression “means the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations,” and goes on to provide a list of covered acts.

Aggression is thus a leadership crime, imposing individual criminal responsibility only on “a person in a position effectively to exercise control over or to direct the political or military action of a State.” Moreover, due to the requirement of a “manifest” violation of the UN Charter, measured by its “character, gravity and scale,” the crime of aggression is inherently a serious violation of international law; basically a breach of Article 2(4) of the United Nations Charter. As a result, only serious and unambiguously illegal uses of force are encompassed within the definition of the crime.

While aggression was already included in the Rome Statute in 1998, it was only at the 2010 Kampala Review Conference that States adopted the definition of the crime. However, they also agreed to limit the Court’s ability to exercise jurisdiction over the crime. Pursuant to the compromise reached at Kampala, the Court’s jurisdiction over the crime of aggression is significantly more limited than the ICC’s jurisdiction over its other three crimes. Activation of the Court’s jurisdiction was also delayed, only being activated on December 14, 2017, by a decision of the States parties, effective July 17, 2018.

Cyber Operations as “Armed Force”?

As mentioned above, Article 8bis of the Rome Statute defines an act of aggression as “the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State or in any other manner inconsistent with the Charter of the United Nations.”  The same article then lists seven different acts that amount to acts of aggression. It is possible to argue that a cyber operation can constitute “armed force” within the meaning of Article 8bis, as the word “armed” does not refer to any specific weapon.

Indeed, the International Court of Justice has already clarified, in its Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, that the use of force may be accomplished “regardless of the weapon employed.” Moreover, it may be argued that the list of enumerated acts in Article 8bis is non-exhaustive, and that many of the enumerated acts themselves can be interpreted to apply to, or include, cyber operations. Some of the enumerated acts that may be carried out (wholly or partly) by means of a cyber operation include bombardments, blockade of ports, an attack by the armed forces on the forces of another State, and allowing one’s territory to be used by another State to commit aggression (Rome Statute, Art. 8bis(2)(b)-(e)).

Cyber Operations as “Manifest Violation[s]” of the UN Charter

For an act to constitute the crime of aggression, it must also rise to the threshold of a “manifest violation” of the UN Charter, measured by its “character, gravity and scale.” According to the Elements of Crimes and Understandings attached to the text of the Kampala amendments, the term “manifest” is an objective qualification, which “requires consideration of all of the circumstances of each particular case, including the gravity of the acts concerned and their consequences.” This has been interpreted to mean that “a breach of the prohibition of the use of force will only amount to aggression where it is a grave violation with serious consequences.” The “manifest violation” requirement involves analysis of the magnitude of the unlawful use of force (its “gravity” and “scale”) as well as analysis of its “character,” which will exclude borderline or grey area cases in terms of their legality.

One possible approach to evaluating “gravity” and “scale” (in terms of the manifest violation requirement), or “gravity” (as part of a separate gravity analysis, see above) in the context of cyber warfare, is to use the Tallinn Manual’s eight-factor test to assess whether a particular cyber operation rises to the level of an “armed attack” in the context of the use of force. It is possible to argue that only cyber operations resulting in loss of, or serious injury to, life, or large-scale physical destruction could reach the thresholds. Yet some experts suggest that loss of functionality or incapacitation without physical destruction could in some circumstances potentially satisfy such requirements. Most experts believe that cyber operations causing purely economic impact, election interference, and attacks on financial infrastructure would not reach the level of a “manifest” violation of the UN Charter. Finally, it is unclear whether a series of cyber operations, none of which could individually amount to an armed attack, could collectively constitute an armed attack. One might additionally conduct the evaluation of the “manifest” and “gravity” thresholds in the context of a blended attack, by considering both kinetic and cyber-operations.

Cyber Operations Attributed to Non-State Actors?

As mentioned above, individual criminal responsibility for the crime of aggression attaches to “a person in a position effectively to exercise control over or to direct the political or military action of a State.” In the context of cyber operations, States may outsource operations to individuals or groups/non-State actors. It might be possible to argue that responsibility for acts of aggression committed through cyber operations should attach to non-State actors. However, it it would only attach if the non-State actors are in a position effectively to exercise control over or to direct the political or military actions of a State (which may rarely be the case). It also may be difficult to satisfy the elements of the crime, when it comes to non-State actors, because Article 8bis defines aggression as “the use of armed force by a State.” This suggests that such non-State actors may incur responsibility only if their acts can be attributed to the State. For example, a non-State actor could be prosecuted for their cyber acts if a State’s leader engaged the non-State actor to conduct cyber operations on the State’s behalf.

Jurisdiction

Finally, jurisdiction over the crime of aggression is fairly limited. Article 15bis provides two significant carve-outs to the ICC’s jurisdiction over the crime of aggression. Article 15bis (5) eliminates jurisdiction for crimes committed by the nationals of, or on the territory of, non-States parties. Meanwhile, Article 15bis (4) also contains an “opt out” even for States parties. The Assembly of State Parties’ decision activating the Court’s jurisdiction over the crime of aggression in 2017 further limited jurisdiction (or attempted to) by requiring the aggressor State to be a Rome Statute State Party that has ratified the crime of aggression amendments.

These same limitations would apply to a cyber operation when viewed under the lens of the crime of aggression, absent an amendment to the crime of aggression’s jurisdictional regime, as some have called for (see proposal by the Global Institute for the Prevention of Aggression, for which Trahan serves as Convenor.) As a preliminary matter, it may be possible to conclude that jurisdiction would not exist where one State executes a cyber operation routed through servers in several different countries. This is because it is likely that only the aggressor State, where the cyber act originated, and the victim State or victim States, affected by the aggressive act, are relevant for jurisdictional considerations. However, a different analysis might apply where the servers in a third State are taken over by the aggressor State where the cyber operation originated.

Conclusion

A cyber operation can amount to, or constitute part of, an act of aggression, if it (or the blended attack) constitutes an attack which amounts to a “manifest” violation of the UN Charter. The ICC, however, would only have jurisdiction over such cyber-attacks if its complex aggression jurisdictional requirements are met (or they are changed in the future). “As technology continues to advance on and off the battlefield and war-making organizations continue to evolve, it has become clear that cyber technologies will play a role in international criminal acts, including the commission of aggression” (Council of Advisors Report, para. 37).

As the OTP has confirmed its intent to investigate and prosecute cyber operations that constitute Rome Statute crimes, it is both appropriate and crucially important to continue to analyze when and how cyber acts rise to the level of those crimes including aggression, and when and how those who engage in cyber aggression may face accountability before the ICC, or before another accountability mechanism.

It is even more important to do so in the context of the Ukraine investigation, as Russia has already launched a significant number of cyber operations against Ukraine and seems intent on continuing to do so, making clear that its invasion was both a kinetic and cyber operation. Investigating cyber operations that amount to crimes under the Rome Statute and prosecuting individuals responsible for launching such operations, as well as statements such as those by the Prosecutor and the Court’s recent policy paper, remain important work. Jurisdictional limits on the prosecution of the crime of aggression notwithstanding, such work may well contribute to the deterrence of such crimes, whether in Russia or elsewhere.

***

Milena Sterio is The Charles R. Emrick Jr. – Calfee Halter & Griswold Professor of Law at the Cleveland-Marshall College of Law, and Co-Coordinator for Global Justice Partnerships at the Public International Law and Policy Group.

Jennifer Trahan is Clinical Professor of Global Affairs at N.Y.U. and Director of its Concentration in International Law and Human Rights.

 

Photo credit: Unsplash