The International Criminal Court’s (ICC) chief prosecutor, Karim A. A. Khan, published an op-ed in Digital Front Lines, highlighting the ever-increasing use of cyberspace in modern warfare and denoted the potential for the ICC to prosecute cyber operations as international crimes defined in the Rome Statute. After touching upon the evolving nature of tools used for serious international crimes, encompassing cyber capabilities, social media, and artificial intelligence, the piece stresses that these new means can be exploited to commit war crimes, crimes against humanity, genocide, and aggression between states. The ICC Prosecutor acknowledges the fact that the Rome Statute lacks specific provisions for crimes but goes on to say that the acts conducted in cyberspaces or via cyber means may be interpreted so as to fulfill the elements of many core international crimes as already defined in the Rome Statute. The piece concludes with the need for the ICC's jurisdiction alongside state jurisdictions in addressing the evolving cyber challenges.
Following the publication of this op-ed, a spokesperson for the Office of the Prosecutor (OTP) confirmed to WIRED that this will represent the prospective official stance of the ICC:
“The Office considers that, in appropriate circumstances, conduct in cyberspace may potentially amount to war crimes, crimes against humanity, genocide, and/or the crime of aggression […] and that such conduct may potentially be prosecuted before the Court where the case is sufficiently grave.”
The core international crimes stipulated in the Rome Statute include genocide, crimes against humanity, war crimes, and the crime of aggression, most of which describe acts such as killing, murdering, injuring, torturing, or persecuting as the material element of crime. Vis-à-vis the unique character of these elements of crimes, the ICC chief prosecutor’s op-ed and the following confirmation raise critical questions as to whether the way in which a cyber operation is carried out can amount to war crimes or crimes against humanity, and if yes, how. In other words, it is worthwhile to elucidate how attaining a backdoor access to a network or installing malicious malware might result in the commission of those international crimes.
Actually, the application of the existing international law mechanisms to cyberspace is not new. In its position paper, the ICRC declares that international humanitarian law applies to, and therefore limits, cyber operations during armed conflict – just as it regulates the use of any other weapon, means and methods of warfare in an armed conflict, whether new or old. In the same vein, Rule 84 of the Tallinn Manual 2.0 envisages that cyber operations may amount to war crimes and thus give rise to individual criminal responsibility under international law and that this Rule is without prejudice to the possibility that cyber operations may amount to a crime against humanity, genocide, or crime of aggression under international law.
In my doctoral dissertation, I have delved deep into the international law around cyber operations and addressed the legal issues, including the above-posed questions, arising from the adoption and employment of cyber operations under international law. In the dissertation, I have divided cyber operations into seven categories according to, amongst others, their severity in terms of their scale and impact: preventive, preemptive, detective, corrective, counteractive, disruptive, and destructive. Destructive cyber operations are actions which carry the potential to produce effects comparable to those normally generated by kinetic means. In other words, cyber operations which cause or are likely to cause destructive effects on property and persons count toward destructive ones. An inherent extension of this description is I purport that destructive cyber operations are the ones which are most likely to result in the commission of international crimes defined in the Rome Statute.
A destructive cyber operation amounting to war crimes might look as follows: A member of the armed forces responsible for cyber operations accesses an industrial control system of a dam in the enemy state during an armed conflict. Having exploited the obtained access, the cyber attacker opens the dam's floodgates and releases a significant amount of water, thereby generating a flood of inhabited civilian areas and causing substantial damage to life and property. Neither the dam nor the population adjacent to the dam constitute valid military objectives. The individuals behind this cyber operation have likely committed a war crime and may be held individually responsible for the offence.
What seems problematic in establishing the commission of international crimes is the fulfillment of the prerequisite that the crimes be committed in a systematic or widespread manner. The systematic character refers to the commission of illegal acts in accordance with a predetermined plan or policy, as well as the organized nature of the acts of violence and the improbability of their random occurrence. That the acts concerned were perpetrated in line with a plan may also be derived from them displaying a recurring or continuous nature. On the other hand, the widespread criterion corresponds to the massiveness, frequency and large scale of violations carried out collectively with considerable seriousness and directed against multiple victims, as well as the breadth of the geographical scope of the violations.
The difficulty in establishing that destructive cyber operations fulfill the systematic and widespread criteria for international crimes lies in the nature of these cyber actions. Destructive cyber operations are often carried out discreetly and may not necessarily follow a predetermined plan in the same way that traditional military operations might. These operations might be individually initiated without direct orders from a higher authority, making it challenging to establish a systematic pattern. Likewise, destructive cyber operations, by their very nature, can be highly targeted and precise, affecting a limited number of victims or a specific location. They may not exhibit the massiveness or large-scale impact required to meet the widespread criterion.
Prosecuting cyber operations before the ICC as war crimes or crimes against humanity appears to hold potential as we navigate the intricate intersection of cyber operations and international law in an ever-changing global landscape. However, the discreet, targeted, and potentially individual nature of cyber operations makes it difficult for them to fulfill the systematic and widespread criteria required for international crimes. On the other hand, destructive cyber operations conducted in conjunction with conventional military actions, a.k.a. hybrid warfare, have the most potential to meet these criteria since hybrid warfare strategies are typically executed according to a predetermined plan or policy, displaying recurring or continuous patterns of coordinated actions, and might impact a broad geographical scope as well as a multiplicity of victims.