The Prosecutor’s New Policy on ‘Cyber Operations’ before the International Criminal Court (and its Implications for Ukraine): Some Preliminary Reflections

In late August, the International Criminal Court’s (ICC) chief prosecutor, Karim A. A. Khan, published a little-noticed op-ed with Foreign Policy Analytics discussing the potential for the ICC to prosecute ‘cyberattacks’ as international crimes pursuant to the Rome Statute (RS). A cyberattack, according to the Tallinn Manual 2.0, is a ‘cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects’ (415). Although the RS does not criminalise such conduct directly, Khan has now accepted the position that cyberattacks can constitute violations because they ‘potentially fulfil the elements of many core international crimes as already defined’ (emphasis added). As denoted by this emphasis, the prosecutor considers the established legal framework of the RS to be broad and flexible enough to address cyber activities without requiring new rules to be created or existing norms to be extended to do so (although this possibility is not precluded). Following the publication of this op-ed, a spokesperson for the Office of the Prosecutor (OTP) confirmed to WIRED that this will represent its ‘official stance’ going forward:

‘The Office considers that, in appropriate circumstances, conduct in cyberspace may potentially amount to war crimes, crimes against humanity, genocide, and/or the crime of aggression […] and that such conduct may potentially be prosecuted before the Court where the case is sufficiently grave.’

While this announcement may have come as a surprise to some, it is not entirely unanticipated. In his 2023-2025 Strategic Plan, the prosecutor indicated that his office would introduce new policies ‘during the implementation of this strategic plan [that would] address areas including cybercrime […]’ [para. 57]. He has subsequently indicated that he will convene a panel of experts at a ‘cybercrimes-focused event’ in the Autumn, with its proceedings ‘feed[ing] into the Office’s development of a policy paper’ in the future.

Although the particulars of the policy have yet to be articulated, it undoubtedly represents a major shift in the OTP’s attitude towards the application of international criminal responsibility to cybercrimes – something it has not investigated as part of any ICC prosecutorial strategy in the past. As Khan explains, however, this position was adopted in order to recognise ‘an emerging consensus among States that cyberspace is not a special domain free from regulation but [one in which] international law has a clear role to play’. Indeed, in recent years, security analysts have become increasingly concerned with the growing role that cyber-operations have played in shaping the outcome of armed conflicts. As the UN noted in 2020, ‘more than a hundred cyber incidents with the potential to undermine international peace and security were identified [which could] cause substantial damage and casualties’. Recognition of the threat posed to peace and security by abuses of cyberspace has in turn encouraged both states and non-state actors alike to endorse its characterisation as a new strategic ‘military’ domain. Since 2016, for example, the NATO alliance has ‘recognise[d] cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land, and at sea’ [para. 70]. By positioning ‘cyberspace’ alongside these other well-established domains of warfare, it can be assumed that NATO ‘no longer [considers there to be] a fundamental difference between them’. Likewise, according to the ICRC, ‘there is no question that [International Humanitarian Law (IHL)] applies to, and therefore limits, cyber operations during armed conflict […]’ (4).

This progressive ideational transformation of the understanding of cyberspace within the context of armed conflict serves as an obvious prelude to the prosecutor’s application of the Rome Statute to its activities. As stated in Rule 84 of the Tallinn Manual 2.0, ‘[c]yber operations may amount to war crimes and thus give rise to individual criminal responsibility under international law [….] [This] is without prejudice to the possibility that cyber-operations may amount to a crime against humanity, genocide, or crime of aggression under international law [as well]’ (391-396). In this context, Khan argues that it is necessary for international criminal justice to ‘adapt’ to the increasingly outsized role that cyberspace operations have played (as ‘means of statecraft and warfare’) in contemporary armed conflicts, as well as to respond to its growing capacity to ‘facilitate’ the commission of crimes within the Court’s jurisdiction.

What are the potential implications arising from this new policy?

Cyber Operations and the War in Ukraine

Of immediate note is the timing of the publication of the OTP’s novel policy. This is likely indicative of the prosecutor’s intention to widen the scope of his probe into the situation in Ukraine in order to examine the activities of Russian hackers as inter alia prospective war crimes. The OTP’s interest in investigating Russian cyber activities is unsurprising. The war in Ukraine has been described as ‘the first major conflict involving large-scale cyber operations’; and Russia’s use of ‘hybrid warfare techniques in Ukraine – particularly cyber operations – [to be] unprecedented in scale and scope’. Since 2014, Russian cyberhackers have launched a barrage of attacks against Ukraine’s critical networks. This includes repeated assaults on Ukraine’s electrical distribution grids, some of which have occurred in close proximity to (and likely in aid of furthering) political turmoil taking place during the 2015-2016 annexation of Crimea and adjacent conflicts in Donetsk and Luhansk; as well as more recent attacks transpiring during the subsequent escalation of the war in 2022. These involve the use of various wipers and malware to destroy critical data, interrupt communications systems (such as satellites, internet modems, and routers), and impede access to the internet for ‘tens of thousands of civilians’ that rely on it to receive urgent information about the war, and so on. Whether the goals of these operations were to ‘surveil, disrupt, corrupt, or destroy’, they have battered Ukraine’s critical ‘government, civilian, and information infrastructure’.

Cyberattacks as War Crimes

While the prosecutor does not refer to the Russia/Ukraine conflict in his op-ed, these incidents have clearly influenced his decision to adopt this policy. In fact, over the past year, both legal scholars and state officials have lobbied the OTP to assume a more forward position with regards to the legal characterisation of Russian cyberattacks under international criminal law (ICL). For example, in March 2022, a group of human rights lawyers from UC Berkeley’s School of Law sent a formal request to the OTP urging it to investigate several serious and indiscriminate cyber-attacks allegedly launched by Russian ‘Sandworm’ hackers operating from within ‘Russia’s GRU military intelligence agency’. Unsurprisingly, the most vocal of these petitions have come from within Ukraine itself. In January, Victor Zhora, the country’s deputy head of the State Service of Special Communications and Information Protection, pointed to ‘coordination between kinetic strikes and cyberattacks […] [with] the majority of kinetic attacks [being] organized against civilians’. Subsequently, he concluded that actions taken in cyberspace that are coordinated alongside kinetic operations, or are ‘focused on [or support attacks against] civilian infrastructure’, consequently helping in the commission of physical war crimes, must themselves be characterised as such.

In his assessment of potential cyber war crimes, the prosecutor places similar emphasis on the presence of physical or kinetic consequences occurring as a result of the relevant activities. As Khan notes, ‘Cyber warfare does not play out in the abstract. Rather, it can have a profound impact on people’s lives. Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable.’ What is unclear about this statement is whether the OTP will apply the criterion of actual consequential harm as a condition sine qua non to its assessment of cyberattacks as potential war crimes. If it does, how will it quantify the relevant harm?

This distinction is relevant because the kind of cyber activities that may take place during an armed conflict can take different forms – some of which would not result in direct physical harm to the safety or physical health of vulnerable and protected persons or objects. Consequently, not all cybercrime may amount to an ‘attack’ in accordance with the definition provided in Article 49 of the 1977 Additional Protocol I (API) (that is, an ‘act[] of violence against the adversary, whether in offence or in defence’), and in those cases, IHL would not be applicable. For such purposes, API distinguishes between violent (or ‘violence causing-’) and non-violent military operations, with the latter falling outside the scope of its definition. Indeed, as previously noted, even the Tallinn Manual stipulates a ‘reasonable expectation’ of injury, death, or destruction to be a key condition of a genuine ‘cyberattack’. A requirement of actual harm may thus, in theory, exclude situations where government agency websites are defaced or flooded with distributed denial of service (DDoS) attacks as ‘part of a general campaign of harassment and demoralization against the public’ when no physical damage is done to infrastructure. On the one hand, this distinction potentially preserves the understanding that, as a matter of gravity, war crimes should apply only to serious violations of IHL. On the other, however, this would strip away much of the nuance necessary to situate cybercrimes within the framework of ICL.

Such concerns are potentially addressed in the final report of the Council of Advisers on the  Application of the Rome Statute of the International Criminal Court to Cyberwarfare, which the prosecutor refers to in his op-ed. The report makes several crucial recommendations. First, it suggests (in accordance with Article 52(2) API) that an attack can be understood to have taken place when an objective is merely ‘neutralised’ rather than destroyed outright. Thus, in the context of cyberspace, the Council submits that ‘disrupting or halting the functions of a State’s critical infrastructure or jamming military capabilities, even if the critical infrastructure or military hardware is not physically destroyed, may qualify as an attack under IHL (although not necessarily a war crime)’ (emphasis added) (38). The appended caveat is notable because it appears to suggest that the ultimate evaluation of this matter will fall to the prosecutor in the exercise of his discretion. Secondly, the report advises that ‘civilian data’ should be considered a ‘legitimate protected object’. Targeting such information can thus amount to an attack (39). In support of this view, the report gives the crucial example of targeting patient personal healthcare data held by a civilian or military hospital, the deletion of which would severely undermine the care that can be provided to the sick and wounded.

Cyber Space and Incitement to Genocide

In his op-ed, the prosecutor makes the passing observation that the ICC is ‘mindful of the misuse of the internet to amplify hate speech and disinformation, which may facilitate or even directly lead to the occurrence of atrocities’. Although Khan does not expand upon this, this passage appears to be a reference to the crime of ‘incitement to genocide’, which is outlined under Article 25(3)(e) RS. Here, the Statute states that a person who ‘directly and publicly incites others to commit genocide’ ‘shall be criminally responsible and liable for punishment’. This is not an inchoate crime. In contrast to Article 25(3)(b), which stipulates that incitement to war crimes and crimes against humanity require the crime itself to have been attempted or actually taken place, the mere act of incitement to genocide sufficiently completes the crime (independent of the factual occurrence of the crime itself). This detail is of special relevance to the prosecutor’s potential decision to characterise the conflict in Ukraine as a genocide – a matter that has plainly divided legal scholars who have been unable to agree whether there is sufficient evidence to establish the requisite dolus specialis (special intent) necessary to apply the crime of genocide to the facts.

Although the limitations of the present format prevent a more complete reflection on the application of Article 25, it should be noted that numerous public statements made by Russian actors using ‘eliminationist rhetoric’ have been thoroughly catalogued by various parties. As much of this language clearly amounts to incitement (and proof of an actual genocide is not required to establish this crime), its distribution through cyberspace could under the appropriate circumstances be prosecuted under Article 25(3)(e) RS. Indeed, as Dapo Akande and others have previously discussed, there are many ways that such inciting rhetoric can be spread swiftly throughout cyberspace using, for example, different social media platforms. Within this ambiguously ungoverned legal space, fraught with conflicting norms of human rights and freedom of expression, how the prosecutor exercises his discretion to apply (or not) the crime of incitement to genocide will be of genuine interest to those seeking to better understand international law’s reach in cyberspace.