Cybercrimes under consideration by the ICC
Yola Verbruggen, IBA Multimedia JournalistFriday 13 October 2023
International Criminal Court (ICC) Prosecutor, Karim Khan, has announced that the ICC is considering the scope for investigating cybercrimes that violate the Rome Statute. ‘Digital front lines can give rise to damage and suffering comparable to what the founders of the ICC sought to prevent’, Khan says in a article published in Foreign Policy magazine. ‘Cyber warfare does not play out in the abstract. Rather, it can have a profound impact on people’s lives.’
While the Rome Statute does not specifically mention cybercrime, Khan emphasises that such crimes might meet the elements of core international crimes as they already have been defined. A policy paper on cybercrimes, the first focus of his Office at this stage, should provide insight into such debates.
Researchers at UC Berkeley’s Human Rights Center had earlier urged the ICC to investigate various Russian cyber attacks in Ukraine as possible war crimes. Lindsay Freeman is the Director of Technology, Law & Policy at UC Berkeley’s Human Rights Center, which filed the Article 15 communication, as it is formally known, to the Office of the Prosecutor. This Article of the Rome Statute allows anyone to send information on alleged crimes.
Freeman says it’s significant that the Prosecutor made the statement before a ‘catastrophe’ involving cybercrime has happened. ‘So often these international institutions, they’re conservative, they’re resource strapped. They don't actually deal with problems until it's past the point where you can deal with them. It signals a forward-thinking approach of anticipating what's to come and trying to make the law move forward before you have that apocalyptic incident that is too late to come back from’, she says.
It signals a forward-thinking approach of anticipating what's to come and trying to make the law move forward before you have that apocalyptic incident
Lindsay Freeman
Director of Technology, Law & Policy at UC Berkeley’s Human Rights Center
Toby Cadman is an international law specialist at Guernica 37 Chambers in London and Secretary of the IBA War Crimes Committee. ‘Cybercrime is something that we all need to grapple with’, he says. ‘There is an obligation on national jurisdictions to legislate and prosecute for cybercrime but, ultimately, the ICC as the court of last resort for matters of international humanitarian and criminal law is the right place [to take on such cases]. I think it's important that it is moving in that direction.’
The submission that Freeman and her team made to the ICC lists five attacks on civilian infrastructure in Ukraine each of which they say shows a larger-scale tactic, a broader pattern of how Russia’s intelligence services operate. Three are attacks on Ukraine’s power grid in December 2015, December 2016, and April 2022. The others are the NotPetya malware attack in 2017 that caused over $10bn in damage and hit over 60 countries; and the attack on the Viasat satellite modem network used by Ukraine’s military on the day of the invasion, and which affected several European countries.
‘We look at the power grid attacks under the charge of attacks on civilian objects. Whereas NotPetya and the satellite network attack, we look at as indiscriminate attacks’, says Freeman.
Leila Sadat is a member of the IBA War Crimes Committee Advisory Board and was Special Adviser on Crimes Against Humanity to the ICC Prosecutor from 2013 to 2023. She says that while cyber operations, like other means of committing crimes, can be used to perpetrate atrocity crimes, there are ‘unique challenges’ to overcome when it comes to prosecuting individuals for cyber attacks. These difficulties lie especially around the identification of specific perpetrators up the line of command, the technological sophistication needed to identify the perpetrators, and the challenge of recruiting or training Court personnel with the technical expertise to work on such cases.
Some aspects of a crime – such as intent - might actually be easier to prove for cybercrimes than for atrocity crimes committed by other means, Freeman and her team have found. ‘If in an armed conflict a missile hits a nuclear power plant, there's always going to be that defence of "that's not what we were aiming for”. But with the unique nature of using cyber means and methods in warfare, there are incidents where we can show hackers were in the system doing over six months of reconnaissance’, she says.
Lisandro Frene is Cybersecurity Officer of the IBA Technology Law Committee and a partner at Richards Cardinal Tutzer Zabala Zaefferer in Buenos Aires, Argentina. He says that while the law should continue to be interpreted in light of new technological developments to avoid being a ‘dead letter’, it’s not straightforward. ‘In the present circumstances of the Ukraine war, getting consensus to introduce cyberattacks in the ICC['s remit] may be hard to reach in practice and tangled with heavy political pressures,’ says Frene.
Freeman hopes that, after the work on the policy paper has been finalised, actual cases are going to be tried. Only then will the law be interpreted so that it can be used to hold the perpetrators of cybercrimes accountable in the Court. ‘We're seeing a lot of cyber activity right now like in the Armenia and Azerbaijan conflict, in the China-Taiwan context, and between Israel and Iran. I think this really is going to be the future of armed conflict’, says Freeman.
Image credit: Rafael Henrique - stock.adobe.com