The ICC Will Now Investigate Cyber War Crimes

In this report we capture context on the shift in ICC intentions regarding investigating and prosecuting cyber war crimes.

Recent reporting reveals that the International Criminal Court (ICC) will now investigate and prosecute cyber war crimes in the same way it does kinetic and physical war crimes. In an article, the ICC’s lead prosecutor, Karim Khan, acknowledged that no provision of the Rome Statute is dedicated to criminal cyber acts but wrote that the types of aggression being carried out in cyberspace could “potentially fulfill” the conditions already laid out in current international crime criteria, thereby warranting ICC scrutiny and potential prosecution. Khan even goes so far as to include for ICC consideration the softer areas of cyber operations, such as disinformation, that seek to “exploit ambiguity” and operate in the gray area between conflict and peace, legal and illegal, where proxies and nonstate elements are utilized. Per Khan, the ICC’s jurisdiction can serve as an important part of a whole-of-society response to these hybrid attacks.

Though Russia is not mentioned once in the article, it is quite clear that the types of activities the ICC’s lead prosecutor is describing are what has been observed during the Ukraine conflict. Since the 2014 annexation of Crimea, Russia-linked cyber activity has frequently targeted Ukrainian critical infrastructure, notably its power grids. At the time, such attacks were unprecedented, particularly in causing two temporary blackouts that impacted parts of Kyiv. Perhaps more concerning was the deployment of NotPetya malware, which initially infected Ukraine but ended up escaping into the wild and spreading globally. Instead of stealing data, NotPetya destroyed it, elevating a disruptive attack into a destructive one. With respect to the softer side of cyber operations, Russia has been tied to global disinformation and influence campaigns, seeking to sow discord, especially around countries’ national election cycles.

Though these types of activities are worrisome to say the least, it raises the question of whether they reach the level of some of the more notable and kinetic war crimes that can be measured financially, materially, and in persons killed. For example, Russia-linked actors are not the only ones targeting critical infrastructure in the Ukraine conflict. Pro-Ukraine cyber actors have targeted a Russian railway site and a subsidiary of a Russian energy company. While any potential threat could have significant repercussions for a civilian populace, none have quite hit that mark with respect to cyber attacks. This is both good and bad – good in the sense that there has not been a purposeful or accidental attack that has caused such effects, and bad in that bodies like the ICC or United Nations haven’t taken this time to draw red lines on what would constitute an attack on critical infrastructure that would qualify for a response from a state or international body.

This is where determining effect criteria needs to play a substantial role in whether or not the ICC prosecutes. Just targeting critical infrastructure is clearly not enough to warrant investigation, so what would be? As with any law, there need to be clear parameters for activities coming close to and then crossing the line between legal and illegal. Once that determination is made, the ICC needs to socialize it to the global community. The ICC cannot suddenly announce that some attack has crossed an unidentified threshold. Of course, creating red lines informs cyber actors of what would be “allowed,” ostensibly providing them a guide to things that could be done as long as they didn’t cross that limit. Nevertheless, whatever the criteria, intent alone should not be enough to bring the ICC in to investigate. The cyber war crime must be both significant and quantifiable, and one warranting an international tribunal.

Further complicating matters is the determination of the actor behind the attack. Official military or intelligence state actors are one thing, as their direct ties to a government are obvious, save for the very rare occasion when they have operated in a rogue manner, independent of government sanction or direction. But what about proxies and nonstate actors (which may include commercial organizations) who engage in hostile cyber attacks in support of a government? There will also need to be criteria determining levels of government influence or association, which in and of itself may be difficult to establish. These conditions also have to be clearly defined and socialized to the greater international community.

Except for the Ukraine war and perhaps the 2008 Russian invasion of Georgia, the cyber attacks that have garnered the most news have occurred during times of geopolitical tension, short of armed conflict. This needs to be considered if the ICC is going to investigate cyber war crimes, as some of the greatest cyber hot spots are China-India, China-Taiwan, India-Pakistan, and Iran-Israel, where geopolitical issues drive reciprocal cyber exchanges between state assets and nonstate proxies/sympathizers. It is very possible that these back-and-forth exchanges become escalatory, with the range of targeting and consequential effects becoming more intense and resulting in the type of destruction that is expected during a war. For example, Iran conducted cyber attacks to raise chlorine levels at Israeli water systems, and China compromised Indian power grids. It is very easy to see how such incidents could be escalated to introduce more destructive payloads to cause substantial detrimental effects to civilians.

Another area that the ICC needs to consider is when a state acts in its “national security” interests in the execution of a cyber attack that results in severely damaging effects, regardless of initial intent. Would that meet the magical threshold for investigation? For example, the Stuxnet incident was designed to impede the expansion of Iran’s nuclear development program. What if the malware did not act accordingly and ended up causing significant material, financial, and possibly human loss? The intent of the attack might not have been to cause this effect, but it did so anyway. Would the ICC see that as a cyber “war crime,” and would it pursue investigation and prosecution of the government(s) behind the attack if it turned out to be traditionally friendly nations?

How cyber attacks are to be quantified to meet the qualifications for ICC prosecution must be very clear and not subject to a sliding scale of judgment. This becomes very important because if the ICC is going to be a credible voice in the area of cyber war crimes, it will have to investigate all incidents for potential wrongdoing. And this will include all states that engage in offensive cyber operations for national security reasons, hunt-forward defense, or retaliatory response. That means no one gets a free pass, regardless of reputation or government type. If the ICC pursues investigations selectively, then the international community will continue to question international organizations’ motives in trying to codify state cyber activities, and how they’re doing it. And this may further polarize the world, making any semblance of cyber order a truly elusive endeavor.

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.