A recent piece in an international political and policy journal raised the question if it was time to establish an International Cyber Court to address the most serious cyber crimes that pose a threat to the international community.  Although the article did not get into specifics, attacks against critical infrastructures or seriously adversely affect the political and/or economic sovereignty of a country comes to a mind.   No doubt, ever increasing cybercrime increasingly costs the global community trillions of dollars, and tempestuous geopolitical conflicts that have spilled into cyberspace, have propelled such thinking.   Efforts in the United Nations (UN) to come to consensus on cyber norms of behavior and even the initiative to create a UN Cybercrime Treaty further underscore the need for international collaboration as a tool to take on the most egregious cyber threats.   An obvious benefit for such an enterprise is that it would adhere to international law, and as such, would ostensibly be attractive as a potential means for justice as many countries – especially the cyber powers – generally agree that acts in cyberspace fall under it.

To be fair, the article raised three other potential options.   One alternative would expand the jurisdiction of the current International Criminal Court by creating a cyberspace branch under its umbrella.   A second option suggested the institution of a special international criminal court specifically for cyberspace and would operate under International Criminal Tribunal for Cyberspace statutes.   A third possibility was the creation of ad-hoc courts/tribunals that would adhere to UN Security Council’s Chapter VII of the UN Charter.   Collectively, the four possibilities for applying legal mechanisms are rooted in international collaboration as the necessary precursor if there is to be any hope for progression, with the International Cyber Court having the benefit of being based on international law.  

It is no secret that international cooperation is essential to target hostile actors in cyberspace whose activities often traverse the jurisdictions of several nation states.  Some of the more notable law enforcement “take downs and arrests” of criminal gangs and cybercriminals have resulted from such efforts.  Botnets, ransomware gang members, dark web markets, and individual prolific cybercrime actors have been successfully targeted by joint law enforcement partnership.  While these have been positive developments, these investigations take time, effort, and resources, and unfortunately, do not put a dent in the overall problem of cybercrime.  Even when groups are neutralized, they either regroup, rebrand, or are replaced by other groups eager to take their place.  Simply, cybercrime is too lucrative of an endeavor to extinguish completely, currently leaving robust law enforcement and legal action the only viable paths forward to combat this threat.

The establishment of a separate International Cyber Court immediately brings comparisons to the International Criminal Court (ICC).  According to its website, the International Criminal Court was established in 2002 via the Rome Statute treaty, and investigates and tries individuals charged with crimes against humanity to include but not limited to genocide and other war crimes, and other acts of aggression.  Made up of 18 judges each from a different member country and elected by the member states, the ICC ensures fair trials, renders decisions, issues arrest warrants, authorizes victim participation, among other measures.  The ICC opens an investigation in one of three ways: a member country can bring a possible situation to the  Court if it happens within its own borders; the UN Security Council can bring a situation to the Court; or the prosecutor can launch an investigation into a member state on his own initiative. 

If an International Cyber Court should be modeled after this, it is necessary to see where the ICC has succeeded and where it is not to give some indication of its potential applicability to cyberspace.  While the ICC has had success in trying war criminals, these victories have been few and far in between.  Moreover, there are several criticisms of the ICC that could extend to a International Cyber Court counterpart. There are those that believe the ICC has too little authority to follow through on its supposed mandates.  Others have suggested that the ICC has too much prosecutorial authority without a check against potential political bias.  Unsurprisingly, some in the international community have questioned the intentions of the ICC.  In 2016, the African Union supported backing out of the ICC due to perceptions that the Court targeted African countries more than any others. Some world leaders like China, India, and Russia haven’t signed due to concerns that the ICC oversteps a state’s own sovereignty.  Even the United States hasn’t signed, justifying this by asserting that tenets of the Criminal Court did not align with the U.S. Constitution.

Currently,123 states are party to the Rome Statute, though 40 countries have never signed the treaty, and several dozen have signed but haven’t ratified it. This raises one significant problem with a court set up to address serious issues that cross state borders – if a state hasn’t signed onto the ICC, then it is not required to follow its directives or decisions. The fact that there is no enforcement mechanism against any state that refuses to cooperate with the ICC immediately calls into question whether such a body can realistically serve the judicial needs of the greater international community.

An International Cyber Court would face similar obstacles, and for the same reasons that have already played out in the UN where definitions and threshold criteria are consistently the obstacles that cannot be overcome.  Furthermore, the nature of cyberspace makes it more difficult to determine perpetrators, as opposed to kinetic acts that are easily more identifiable, and thus, attributable.  This is not so easy in cyberspace where sympathetic or nationalistic hackers and even for-hire groups can execute the types of attacks that could be brought to the International Cyber Court.  How would the Court reasonably assign attribution and address state responsibility in those cases?

But there are more questions to consider that make the establishment of an International Cyber Court highly unlikely.  Will the International Cyber Court focus on strictly financially motivated cyber crime, or any crime committed via information systems and through cyberspace that have met the threshold for bringing it to the Court?  Will the International Cyber Court look at state-sponsored espionage activity that focuses on trade secrets and intellectual property theft?  What about countries like North Korea that may use cybercrime as means of offsetting economic sanctions and conduct prolific monetary theft?  

The failure to harmonize terminology has consistently obstructed the way forward for the international community when it comes to progression in cybersecurity matters.  While many states certainly support such efforts, the countries that are most tied to hostile cyber activities, namely, the United States, China, Iran, Russia are resistant to join bodies that may force them to curtail activities they deem critical to ensure their national interests.  If a court cannot be used as a means to enforce justice, hold governments accountable, and levy impactful consequences, and in turn, deter future hostile cyber activity on its biggest perpetrators, what good would it serve?  With respect to cyber attacks, governments already assign levels of guilt to offending states and take retaliatory action (whether via sanctions or a hack-back) if they deem it warranted based on severity of the suffered attack without an international court’s, approval.  An International Cyber court seems it would only add a legal “stamp of approval” for a response a state was going to make regardless.

With the Internet threatening to balkanize, perceptions of a world wide web are fast becoming an ideal of the past.  It is highly doubtful that the international community will fall neatly under the rules of any global consensus.  The reigning cyber powers do not want to be regulated in the same manner as lesser cyber capable states.  As such, what’s left is for these states to enter cyber agreements amongst their peers, even if they contrast against the wishes of those governments that traditionally have been looked to for cyber leadership. If international cooperation is the key to reducing the threats in cyberspace, the sooner these agreements are in force, the quicker there will be legal precedent for actions taken against offending states, and on which later legal decisions could be based.  And with this, states may finally have a voice the cyber powers will have to listen to.