Hackers in the Hague? The Prospects of Prosecuting International Cyber Crimes Before the ICC

The Hague-based International Criminal Court (ICC) is no stranger to shifts in focus with changing times. What started with a 1989 proposal to establish a court to address international drug trafficking has since evolved into a major global criminal tribunal with growing jurisdiction that today covers genocide, crimes against humanity, war crimes, and aggression. And although the ICC focused almost exclusively on Africa in the first years after its creation in 2002, today its Office of the Prosecutor also conducts investigations in several areas in Asia, Europe, and Latin America.

The newest possible shift came in a recent announcement by ICC Prosecutor Karim A.A. Khan that the Office of the Prosecutor would start collecting and reviewing evidence of cyber misconduct that may amount to one of the offenses under the ICC’s jurisdiction. Although buried in an initially little-noticed essay in a report published by FP Analytics, the announcement has since received coverage in specialist legal and technology outlets, as well as in some mainstream news journals. In this article, we offer a brief analysis of the announcement, focusing on the likelihood that it will be borne out in the ICC’s practice.

Cyber Activities as International Crimes?

The assumption underlying the prosecutor’s announcement is that cyber activities can qualify as one or more of the core international crimes over which the ICC has jurisdiction. The founding treaty of the ICC, the Rome Statute, does not explicitly address cyber crimes. In fact, the statute—an agreement concluded in 1998—does not have much to say about cyberspace, digital activities, or new technologies writ large, with the exception of a nod or two to the use of communications technology in the court’s proceedings (see Articles 63 and 69).

Nonetheless, the prosecutor’s proposal reflects a consensus in the international community that cyber activities do not occur in a legal vacuum but are governed by international law. This view has now been set forth in several UN-mandated consensus reports and endorsed by states in a series of UN General Assembly resolutions (for more, see this overview). It therefore follows that international law, including international humanitarian law (IHL) and international criminal law (ICL), applies to all forms of human conduct, including those that rely on cyber means.

Further, many of the relevant rules are technology neutral. In wartime, for instance, IHL prohibits direct attacks against civilian objects—a prohibition that is criminalized, among other rules, by Article 8(2)(b)(ii) of the Rome Statute—without reference to the means used. In other words, what is prohibited to do with kinetic means (such as bombs or missiles) is equally prohibited to do with cyber capabilities. Consequently, intentionally launching a cyberattack against civilian infrastructure may lead to criminal liability.

The view that international crimes may be committed, instigated, or facilitated by cyber means is today widely agreed upon by international law scholars and experts. It was endorsed by the two (differently composed) international groups of experts that drafted the Tallinn Manual (see Rule 84 in the second edition published in 2017) and the Report on the Application of the Rome Statute of the ICC to cyber warfare (issued in 2021). Other platforms—like the 2022 ICC Forum—have come to the same conclusion.

Will Such Acts Be Prosecuted by the ICC?

This question is more difficult, as there are several important challenges. From the perspective of the ICC, two main ones relate to the gravity of such acts and to identifying their originators. First, as the preamble to the Rome Statute affirms, the ICC was established to investigate and prosecute only “the most serious crimes of concern to the international community as a whole.” Consequently, the court is under an obligation to declare a case inadmissible if it is not of sufficient gravity (Article 17(1)(d) of the statute).

But how does the court assess the gravity of alleged crimes? In its case law, the ICC has clarified that it takes into account both quantitative and qualitative considerations, such as “the nature, scale and manner of commission of the alleged crimes, and their impact on victims.” The “scale,” for example, refers to the number of direct and indirect victims or the extent of the damage caused, in particular the bodily or psychological harm inflicted on the victims and their families, or their geographic or temporal spread.

However, the court has consistently affirmed that the gravity of a given case should not be assessed only from a quantitative perspective. Indeed, some crimes, although not resulting in a high number of victims, can meet the gravity threshold due to their “nature.” Consider, for example, crimes involving killings, sexual violence, and torture, which are generally considered of higher gravity than crimes that involve merely property (ICC Trial Chamber, Prosecutor v. Al Mahdi, Judgement and Sentence).

Moreover, the broader “impact” of a crime (such as victims’ suffering or the broader social, economic, or cultural damage inflicted on the population) or the fact that the crimes were committed systematically or resulted from a plan or organized policy (“manner of commission”) are relevant when assessing the crime’s gravity. For more in-depth scholarly treatments of these questions from the cyber perspective, see, for example, this 2019 article by Marco Roscini or this one published in 2021 by Jennifer Trahan.

In our view, while various cyber incidents in the past have certainly wreaked havoc around the world, most of them would not have met the gravity threshold under the Rome Statute. This is even more apparent in armed conflict situations, in which the scale of human suffering brought about by kinetic warfare (such as bombs and missiles) is incomparably greater than what cyber capabilities may have caused thus far.

However, this does not mean that cyber operations can never be considered sufficiently grave to be prosecuted before the ICC. Indeed, the potential human cost of cyber operations, in particular those directed against essential services and critical infrastructure, can be devastating. Think, for example, of a cyberattack against electricity-generating facilities that power the already-degraded health care, water, and sanitation services of a war-torn country.

Such operations can have a broad impact on the population, and they may cause serious harm to civilians. In such situations, especially when cyberattacks do not occur in isolation, they may indeed fulfill the gravity threshold under the Rome Statute. This position finds support in the writings of several scholars and experts (see, for example, here, here and here). To the extent that the Office of the Prosecutor will act on the basis of the prosecutor’s announcement, it will also most likely focus on incidents of this kind (a point to which we return below).

Second, it is notoriously difficult to attribute activities in cyberspace. Even if a certain cyber operation can be considered sufficiently grave, establishing who exactly was behind it presents another significant hurdle to successful prosecution. Indeed, anonymity is one of the main characteristics of cyberspace. As Roscini explains in his contribution to the ICC Forum referenced earlier, while it may be possible—with the cooperation of the internet service provider—to trace the IP address of a computer system from which a malicious cyber operation had supposedly originated, the IP address can also be “spoofed” or the computer system may have only been a “bot” that was used as a stepping stone by hackers located elsewhere.

Given the inherent anonymity and complexity of cyberspace, attributing conduct often requires, in the words of Chris Inglis, the former U.S. national cyber director, “piecing together sometimes ephemeral digital clues, analyzing patterns of behavior, and finding similarities in tactics, techniques, and procedures.” And we must remember that while technical means can succeed at identifying the machine from which a given cyber operation was launched, criminal liability can attach only to the human behind the machine. Determining the identity of that person and meeting the required standard of proof—“beyond reasonable doubt” (Article 66(3) of the Statute)—is anything but easy.

Overcoming the attribution difficulties is particularly problematic for an international tribunal like the ICC, which has only limited investigative powers to obtain the relevant information. Even so, we agree with experts—such as Lindsay Freeman of UC Berkeley’s Human Rights Center—who have described the prosecutor’s announcement as a “historic moment.”

What Will the (Near) Future Bring?

In light of the challenges discussed in this piece, it would be difficult for the ICC to pursue such prosecutions right now. But it is not impossible: As Prosecutor Khan said later, doing so requires “focus, determination and expertise.” Especially when it comes to expertise, the prosecutor’s plans to “build and strengthen partnerships” with states and tech companies become particularly relevant. Such partnerships may help develop the ICC’s capacity for successful investigation and prosecution of cyber activities.

In the short term, however, we do not expect to see investigations of purely cyber conduct. We believe it is more likely that the ICC will start by looking into incidents in which cyber operations may have been used to support kinetic strikes against protected persons and objects. A number of such allegedly coordinated cyber and kinetic operations in the Russia-Ukraine international armed conflict were documented by Microsoft in a report published last year. Such incidents would also pose fewer difficulties with respect to the gravity and attribution challenges discussed in this article.

In the meantime, it will be interesting to look out for the policy paper that the Office of the Prosecutor intends to draft in the near future, as flagged by the prosecutor in his essay. This paper will likely shed more light on the prosecutor’s future plans in this area. But even then, policy papers are just that; observers have noted that the Office of the Prosecutor had previously announced it would widen its remit to environmental destruction and human trafficking cases, but this did not materialize in practice. Hence, whether the present announcement will truly result in the ICC entering the murky cyber waters remains to be seen.