A. Khan on Cybercrime
Cyber warfare is not theoretical—“it can have a profound impact on people’s lives.” Hybrid or gray zone strategies, which exploit ambiguity and operate “between war and peace, legal and illegal,” are a growing challenge. The ICC’s jurisdiction, which is “clearly defined and complementary to that of states,” can play an important role in the “collective response” to cybercrime. The ICC can make several contributions to the fight against cybercrime, including deterring offenders, “mitigate[ing] the ambiguity of hybrid strategies,” and “supporting states and other bodies to proceed under their applicable laws.” Cooperation is essential for the success of combating cybercrime. The ICC is currently investing in its own operational practices to ensure that it is adequately defended against cyberoperations.
B. Jurisdictional Landscape
Cybercrime can constitute a war crime if it is committed in the context of an armed conflict, it is intentional, and it causes serious harm. For example, a cyberattack that disables critical infrastructure, such as a power grid or a hospital, could be considered a war crime if it is carried out during an armed conflict and causes significant death or injury. Cybercrime can also constitute a crime against humanity if it is part of a widespread or systematic attack against a civilian population. For example, a cyberattack that targets a specific ethnic group or religious minority and causes widespread death or suffering could be considered a crime against humanity. In addition to its jurisdiction based on the core crimes, the ICC also has jurisdiction over the crime of aggression, which was activated in 2017. Aggression is defined as the use of force by a state against the sovereignty, territorial integrity, or political independence of another state.
C. Potential Challenges
Article 22(2) of the Rome Statute prohibits the ICC from construing crimes by analogy. There are a few exceptions to the prohibition on analogy—specifically, for example, the ICC can interpret the Rome Statute in the light of international law, including customary international law and the general principles of law. The Court can also interpret the Statute in a way that is consistent with the objectives of the Statute and the principles of justice.
Cyber operations may be outsourced or involve deception, which poses attributional challenges as the ICC can only exercise jurisdiction over individuals and in situations where the underlying crime is committed on the territory of a State Party or by a national of a State Party. Moreover, the ICC’s rulings on intent suggest that it may not hold perpetrators responsible for the unforeseen or unintended consequences of cyber operations, posing additional challenges with non-cooperation of States when looking to prosecute non-State actors.
D. Potential Case Example
The Human Rights Center at UC Berkeley’s School of Law formally requested the ICC to investigate Russian hackers for their cyberattacks in Ukraine, focusing on cyberattacks carried out by a Russian group known as Sandworm. Sandworm, believed to be a part of the Russian Main Intelligence Directorate (GRU) and responsible for a series of high-profile cyberattacks, including the NotPetya ransomware attack in 2017 and the attack on the Viasat satellite modem network in 2022, carried out a series of cyberwar attacks against critical civilian infrastructure in Ukraine, including targeting Ukrainian electric utilities, triggering blackouts, releasing malware that caused billions of dollars in damages, and sabotaging Ukraine’s power grid and satellite modem network. Future cases are yet to come.