Scenario 32: Crime of aggression
State A launches a cyber operation against State B, with malware deployed against the electric grid in State B, resulting in widespread power outages, including to hospitals. As part of the cyber operation, ransomware is deployed against hospital servers, which results in the destruction of hospital data (including medical records). In a later cyber operation, State A disables the military’s command and communications in State B and malware is deployed that permanently incapacitates and disables various weapon systems in State B’s military. The scenario analyses whether the incidents give rise to individual criminal responsibility for commission of the crime of aggression under Article 8bis of the Rome Statute of the International Criminal Court.
Scenario[edit | edit source]
Keywords[edit | edit source]
Act of aggression, crime of aggression, individual criminal responsibility under international law; Rome Statute of the International Criminal Court, use of force.
Facts[edit | edit source]
[F1] Prior to the events in question, State A and State B have had tensions at the political level, but relations have been peaceful.
[F2] State A launches a cyber operation, deploying malware against the electric grid in State B, which results in widespread power outages, including to hospitals. No fatalities result. As part of the same campaign, ransomware is deployed against hospital servers, which results in the destruction of hospital data (including medical records). Although no fatalities occur in the short term, the ability of large numbers of individuals to effectively seek future medical care is imperilled.
[F3] This first cyber operation was launched by a lower-ranking officer in State A’s Cyber Command. He is part of a faction within State A’s government, known for its animosity towards State B. The officer knew of a contingency arsenal of cyber capabilities, pre-developed and maintained in a state of readiness by State A’s Cyber Command and activated them on his own initiative. Cyber Command is a unit within State A’s armed forces.
[F4] Following the success of the unauthorized operations and seeing that State B is unable to respond effectively, the hostile faction gains traction within State A’s leadership. Sensing a window of opportunity, the President of State A then issues a statement publicly congratulating the officer and noting that the officer’s actions have the official seal of approval of State A.
[F5] Finally, the President of State A officially authorizes State A’s armed forces to launch another cyber operation against State B that disables the military’s command and communications in State B. Malware is also deployed that permanently incapacitates and disables various weapon systems in State B’s military.
Examples[edit | edit source]
- Stuxnet (2010)
- Use of malware to track and target Ukrainian artillery units (2014–2016)
- Water facilities attack (2020)
- Viasat KA-SAT attack (2022)
Legal analysis[edit | edit source]
For a general overview of the structure of analysis in this section, see Note on the structure of articles.
[L1] Focusing on the initial cyber operation resulting in power outages, including electricity being cut to hospitals and the destruction of hospital data, the analysis examines whether the crime of aggression has been committed, using the definition in Article 8bis of the Rome Statute[1] of the International Criminal Court (“ICC”). Specifically, the analysis considers whether there has been a “use of armed force” by a State, which amounts to an “act of aggression,” and whether the act amounts to a “manifest” violation of the UN Charter. The scenario then considers the same criteria regarding the second cyber operation that disables military command and communications, and permanently incapacitates and disables weapon systems in State B. The analysis concludes by examining the individuals who potentially could be held internationally responsible for the crime of aggression.
Violations of international human rights law applicable to cyber operations[edit | edit source]
Individual criminal responsibility under international law |
---|
Acts committed by cyber means could lead to individual criminal responsibility under international criminal law for genocide (Article 6 of the Rome Statute),[2] crimes against humanity (Article 7 of the Rome Statute), war crimes (Article 8 of the Rome Statute) and aggression (Article 8 bis of the Rome Statute).[3] Individual criminal responsibility for each of these offences requires that the perpetrator committed the requisite actus reus with the corresponding mens rea.[4]
Pursuant to Article 25(3)(a) of the Rome Statute, different forms of incurring individual criminal responsibility may be envisaged: (1) individual commission; (2) joint commission; and (3) commission through others.[5] Criminal responsibility could also arise for instigating, assisting in, facilitating, and aiding or abetting the commission, or attempted commission by cyber means (Article 25(3)(b)-(d) of the Rome Statute). Furthermore, Article (3)(f) of the Rome Statute envisages individual criminal responsibility for attempts to commit a crime when the crime does not occur because of circumstances independent of the person’s intentions. In accordance with Article 28 of the Rome Statute and customary international law,[6] commanders and other superiors may be criminally responsible for cyber operations that qualify as international crimes and that were conducted by their subordinates.[7] |
[L2] By launching cyber operations against State B, individuals in State A might incur individual criminal and/or superior responsibility provided that the criteria under Article 8bis of the Rome Statute are fulfilled. The mens rea requirements of Article 30 of the Rome Statute (intent and knowledge) would additionally need to be satisfied.
Crime of aggression[edit | edit source]
Crime of aggression |
---|
Pursuant to Article 8bis of the Rome Statute, the crime of aggression is committed if the following elements are present: (a) there is an act of aggression by a State; (b) the act constitutes a “manifest” violation of the Charter of the United Nations; (c) the perpetrator planned, prepared, initiated or executed the act; (d) the perpetrator is a person “in a position effectively to exercise control over or to direct the political or military action of a State;” and (e) the perpetrator acted with the required mens rea.
The first requirement is that an “act of aggression” has occurred. Act of aggression is defined in Article 8bis, paragraph 2, as the use of armed force by a State[8] “against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.”[9] Article 8bis, paragraph 2, further provides a list of acts that qualify as acts of aggression based on United Nations General Assembly resolution 3314 (XXIX) of 14 December 1974.[10] While cyber operations are not specifically mentioned in the list, cyber operations could involve a “use of force against the territorial integrity or political independence of” a State,[11] as cyber operations could constitute use of armed force (see use of force). Cyber operations could also play a role in several of the listed acts of aggression, or could potentially constitute the fully completed act.[12] In any event, the list is not exhaustive,[13] so it is possible that other comparable acts could be encompassed. The second requirement, under Article 8bis, paragraph 1, is that the act of aggression “by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.”[14] This threshold clause “appropriately limit[s] the Court’s jurisdiction to the most serious acts of aggression under customary international law, thus excluding cases of insufficient gravity and falling within a grey area.”[15] The components of character, gravity and scale must be sufficient to justify a “manifest” determination.[16] The Elements of Crimes further state that “[t]he term ‘manifest’ is an objective qualification,”[17] meaning it is not dependent on the subjective belief of the actors involved.[18] The words “‘gravity’ and ‘scale’ were intended to exclude border skirmishes and the like.”[19] As to “character,” it is here that “genuinely legally controversial cases” are excluded;[20] thus, there must be “an incontrovertible breach of Article 2(4).”[21] A third requirement under Article 8bis, paragraph 1, is that the individual accused must have been involved in the “planning, preparation, initiation or execution” of the act of aggression,[22] which describes the perpetrator’s contribution to the State’s act of aggression. The individual conduct is additionally subject to the modes of responsibility listed in Article 25, and superior responsibility as stipulated in Article 28.[23] A fourth requirement found in Article 8bis, paragraph 1, is that the perpetrator is a person “in a position effectively to exercise control over or to direct the political or military action of a State”[24]—referred to as the “leadership clause.” From the face of the language, what matters is the leader’s effective control, and the leader could be either a political or military leader. The “leadership clause” is intended to cover a fairly narrow group of senior leadership, most certainly excluding ordinary soldiers.[25] Finally, the crime of aggression requires no specific intent (in contrast to the crime of genocide), and therefore the general mens rea elements of intent and knowledge are required pursuant to Article 30 of the Rome Statute.[26] |
[L3] Turning first to the “act of aggression,” Rome Statute Article 8bis, paragraph 2, states that this must involve the “use of armed force.” It is unclear whether the first cyber operation involved the “use of armed force,” while the second one likely did. (For discussion, see use of force concept page: “A cyber attack that causes or is reasonably likely to cause physical damage to property, loss of life or injury to persons would fall under the prohibition contained in Article 2(4) of the UN Charter.”).[27] The facts state that the first operation resulted in power outages, including at hospitals, but that no fatalities resulted at least in the short term. While the long-term harm should also be analysed, the facts, as presented, suggest no “physical damage to property, loss of life or injury to persons” resulting from the power outages. As to the destruction of medical records, there is controversy, at least for IHL purposes, whether this should be considered to be damage to property.[28] The second operation more clearly involves the “use of force” because the permanent incapacitation and disabling of weapon systems constitutes destruction of property.[29]
[L4] The “act of aggression” must also be committed “by a State.” Both cyber operations meet this requirement. State A’s Cyber Command is a unit within State A’s armed forces. The first, initially unauthorized operation, is later endorsed by the President of State A when he publicly congratulated the lower-ranking officer who launched it and stated that the actions have the seal of approval of State A. This amounts to an acknowledgement and adoption of the conduct as State A’s own.[30] The conduct might also be attributable to State A even if the President did not acknowledge and adopt the conduct.[31]
[L5] If the attack on the electric grid and destruction of hospital data constitute use of force (see para. L3), and because the second attack more clearly does, one next considers whether they fall under any of the listed acts contained in the definition of “act of aggression” in Article 8bis, paragraph 2.[32]
[L6] Both operations might fit into (b) “[b]ombardment by the armed forces of a State against the territory of another State or the use of any weapons by a State against the territory of another State.”[33] The cyber operations involve “the use of any weapon,”[34] and the operations target the electric grid and hospital data, as well as military command and communications and weapon systems in the territory of State B. Thus, there is “the use of any weapon” by a State against the territory of another State. As mentioned, however, some sources suggest that a clearer case of “use of force” (a necessary precondition of a UN Charter violation, and hence, an “act of aggression”), is where there has been loss of life or limb, or destruction of physical property. Under this view, the second cyber operation would qualify as an act of aggression, but the first might not.[35]
[L7] The second operation additionally fits within (d) as it is “[a]n attack by the armed forces” of State A’s Cyber Command (a unit in State A’s armed forces) against the “land, sea or air forces . . . of another State”—the military command and communications, and weapon systems in State B’s military.
[L8] As to the manifest threshold requirement in Article 8bis, paragraph 1, if one analyses the first cyber operation alone—if it constitutes “use of force” that qualifies as an “act of aggression” (that is, a UN Charter violation)[36]—it is unclear whether it would meet the requirement of a “manifest” violation of the UN Charter. It may depend on how long the electric grid is incapacitated and what kind of harm results. Destroying hospital data is quite serious, but it would be a case of first impression whether this initial attack reaches the threshold of a “manifest” UN Charter violation by its “character, gravity and scale.” As noted above, some might not accept that the first cyber operation was a “use of force” or violated the UN Charter.[37] Given that the “manifest” threshold is intended to require that the UN Charter violation be very clear or incontrovertible,[38] the first cyber operation might well not rise to that level given the ambiguities involved, although the analysis might depend on the severity of the downstream consequences.
[L9] The second cyber operation that disables the military’s command and communications in State B and permanently incapacitates and disables various weapon systems in State B’s military is much more akin to a conventional military operation. Assuming command and communications are disabled for a significant period of time and a fairly large number of weapon systems are permanently disabled, this could meet the requirement of a “manifest” UN Charter violation by its “character, gravity, and scale.” It would be a clear UN Charter violation in terms of its “character,” and significantly serious in terms of its “gravity and scale.”[39]
[L10] A question additionally exists whether the cyber operations should be viewed separately, or cumulatively—with both considered part of one act of aggression. The law is uncertain on this. It is not fully clear whether an “act of aggression” may be achieved through an accumulation of events.[40] “This doctrine [of accumulation of events] has not yet been applied to the crime of aggression in any context, cyber or kinetic.”[41] If the events are viewed cumulatively, because the second operation likely meets the “manifest” threshold, the two operations, if considered together, would do so as well. (It is also possible that one or more cyber operations could be evaluated cumulatively along with one or more kinetic operations, although that is not part of the instant fact pattern.)
[L11] Turning to the individuals involved, given that the President of State A ordered the second operation, he was involved in its “execution”; thus, one of the operative action words in Article 8bis, paragraph 1, has been satisfied. Additionally, his actions would qualify as “ordering” under Article 25 and could constitute superior responsibility under Article 28. The President of State A is also a person “in a position effectively to exercise control, over or to direct the political or military action of a state,” so the leadership clause is met.
[L12] The low-ranking officer who activated the first operation was involved in its “execution,” satisfying one of the operative words in Article 8bis, paragraph 1. He was also involved in committing the act, satisfying Article 25. However, his low rank suggests he may not be a person “in a position effectively to exercise control over or to direct the political or military action of a state.” Further analysis would be warranted, because, despite his low rank, his position appears to have allowed him to impact the military actions of State A.[42]
[L13] While the President of State A later endorsed the first operation, because the endorsement occurred after the fact, a question exists whether it falls within “planning, preparation, initiation or execution.” Further factual information might be needed to evaluate whether the first operation was still ongoing at the time of the endorsement (in which case the crime is continuing), and/or whether the President of State A might bear superior responsibility for the acts of the lower-ranking officer, in which case the President could have superior responsibility for their execution.
[L14] As to either individual, proof would additionally need to be obtained as to the perpetrator’s mental state (mens rea), such that the requirements of intent and knowledge in Article 30 of the Rome Statute are met. For example, with respect to the lower-ranking officer, this might entail proving that he intentionally activated the cyber capabilities while being fully aware of the potential consequences on State B’s critical infrastructure and healthcare systems. With respect to the President, evidence should show that he intentionally issued the order and understood that the order, if carried out, would significantly compromise State B’s military capabilities and effectively render their defenses inoperative.
[L15] This scenario does not evaluate the issue of ICC jurisdiction over the crime of aggression, but that would also need to exist for a case to proceed there, and, at present, the ICC’s jurisdiction over the crime is quite limited.[43] The scenario also does not evaluate the ICC’s gravity threshold, which additionally would need to be met.[44] The analysis also does not consider responsibility under domestic criminal codes,[45] nor the issue of immunities at the domestic level.[46]
Checklist[edit | edit source]
- Did the cyber operation involve the use of armed force—for example, did it seriously injure or kill a number of persons or cause significant damage to, or destruction of property—or cause other harm comparable to a kinetic attack in its scale and effects?
- Was the cyber operation conducted by a State?
- Does the cyber operation fall within the list of acts of aggression contained in the definition in Article 8bis, paragraph 2, of the Rome Statute (or, potentially, is it comparable in gravity and scale to a listed act)?
- Did the cyber operation (either on its own, or, potentially considered cumulatively with other operations) rise to the level of a “manifest” violation of the UN Charter measured by its “character, gravity and scale”?
- Is there an identifiable person who played a role in planning, preparation, initiation or execution of the cyber operation(s)?
- Was that person also in a position effectively to exercise control over or to direct the political or military action of the State?
- Can the ICC’s mens rea requirements of intent and knowledge be satisfied vis-à-vis that person?
Appendixes[edit | edit source]
See also[edit | edit source]
- Scenario 03: Cyber operation against the power grid
- Scenario 19: Hate speech
- Scenario 20: Cyber operations against medical facilities
Notes and references[edit | edit source]
- ↑ The Rome Statute of the International Criminal Court (17 July 1998) 2187 UNTS 90 (as amended) [hereinafter, “Rome Statute”] art 8bis.
- ↑ The Rome Statute of the International Criminal Court (adopted 17 July 1998, entered into force 1 July 2002) 2187 UNTS 3. See also the Amendments on the crime of aggression to the Rome Statute of the International Criminal Court, Kampala, 11 June 2010, Resolution RC/Res.6 of the Review Conference of the Rome Statute.
- ↑ See Kai Ambos, ‘International Criminal Responsibility in Cyberspace’ in Nicholas Tsagourias and Russell Buchan (eds), Research Handbook on Cyberspace and International Law (Elgar 2015) 118, 120, noting that the focus of the debate lies on the application of IHL to cyber space. In this regard, see Tallinn Manual 2.0, rule 84 (on “Individual criminal responsibility for war crimes”).
- ↑ See generally M. Cherif Bassiouni, Introduction to International Criminal Law (2nd rev ed, Martinus Nijhoff 2014), Chapter IV.
- ↑ Art 25(3)(a) Rome Statute.
- ↑ ICRC CIHL Study, Rules 152 and 153.
- ↑ See Tallinn Manual 2.0, rule 85; Elies van Sliedregt, ‘Command Responsibility and Cyberattacks’, (2016) 21(3) Journal of Conflict & Security Law 505.
- ↑ The acts of non-state actors may sometimes be attributable to a State. See Tallinn Manual 2.0 Rule 17 (“Cyber operations conducted by a non-State actor are attributable to a State when: (a) engaged in pursuant to its instructions or under its direction or control; or (b) the State acknowledge and adopts the operations as its own.”).
- ↑ Rome Statute art 8bis, para 2.
- ↑ Ibid. Specifically, the list includes: "(a) The invasion or attack by the armed forces of a State of the territory of another State, or any military occupation, however temporary, resulting from such invasion or attack, or any annexation by the use of force of the territory of another State or part thereof; (b) Bombardment by the armed forces of a State against the territory of another State or the use of any weapons by a State against the territory of another State; (c) The blockade of the ports or coasts of a State by the armed forces of another State; (d) An attack by the armed forces of a State on the land, sea or air forces, or marine and air fleets of another State; (e) The use of armed forces of one State which are within the territory of another State with the agreement of the receiving State, in contravention of the conditions provided for in the agreement or any extension of their presence in such territory beyond the termination of the agreement; (f) The action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State; (g) The sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein." Ibid.
- ↑ Tallinn Manual 2.0 Rule 68 (“A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful.”).
- ↑ See list of acts qualifying as aggression from Rome Statute art 8bis, para 2. “[M]any of the acts in the list can be interpreted to apply to cyber operations . . . .” Permanent Mission of Liechtenstein to the United Nations, “The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare” (Aug 2021) [hereinafter, “Council of Advisers’ Report”] 10, para 3; see also ibid, 10–11, paras 3–5 (envisioning acts in subparagraphs (b), (c), (d), (f), and (g) committed through cyber operations).
- ↑ Ibid, 10, para 3 (“the list is not exhaustive”). The list is open-ended (eg, illustrative) but “closed” by the need to meet the requirements in Article 8bis, paragraph 1—including that the act of aggression rise to the level of a “manifest” violation of the UN Charter. See Rome Statute art 8bis, para 1.
- ↑ Rome Statute art 8bis, para 1. Implicit in the definition is that an act of aggression has occurred. While “attempt” is encompassed within Rome Statute Article 25(3)(f), it should be thought of as covering attempts to plan, prepare, initiate or execute the crime. But if there is no manifest UN Charter violation, there is no crime.
- ↑ “Report of the Special Working Group on the Crime of Aggression,” ICC-ASP/6/20/Add.1 (June 2008) Annex II, para 68. The negotiations in the Special Working Group on the Crime of Aggression (“SWGCA”) fed into the finalization of the crime of aggression, so constitute negotiating history.
- ↑ International Criminal Court, Assembly of States Parties, Review Conference, ICC Doc. RC/Res.6. The Crime of Aggression (11 June 2010) Annex III, Understanding 7 [hereinafter, “Kampala Amendments”].
- ↑ “ICC Elements of Crimes, Article 8bis, Crime of Aggression,” 43, Introductory Note 3 <ElementsOfCrimesEng.pdf (icc-cpi.int)>.
- ↑ See Robert Heinsch, “The Crime of Aggression after Kampala: Success or Burden for the Future” (2010) 2 Gӧttingen J Intl L 713, 727 (“This [Introductory Note] tries to illustrate that the interpretation of the term is independent from subjective opinions and not dependent on the opinion of the actors involved.”).
- ↑ Claus Kreß, “Time for Decision: Some Thoughts on the Immediate Future of the Crime of Aggression: A Reply to Andreas Paulus” (2009) 20 EJIL 1129, 1138.
- ↑ Ibid.
- ↑ Carrie McDougall, The Crime of Aggression under the Rome Statute of the International Criminal Court (2nd edn, CUP 2021) 158. Understanding 6 agreed on at the 2010 Review Conference provides: "It is understood that aggression is the most serious and dangerous form of the illegal use of force; and that a determination whether an act of aggression has been committed requires consideration of all the circumstances of each particular case, including the gravity of the acts concerned and their consequences, in accordance with the Charter of the United Nations." International Criminal Court, Assembly of States Parties, Review Conference, ICC Doc. RC/Res.6. The Crime of Aggression (11 June 2010) Annex III, Understanding 6. Understanding 7 further states that “the three components of character, gravity and scale must be sufficient to justify a ‘manifest’ determination. No one component can be significant enough to satisfy the manifest standard by itself.” Ibid, Understanding 7. This leaves it open to interpretation whether all three terms must collectively satisfy the threshold, or whether two may suffice. Robert Heinsch, “The Crime of Aggression after Kampala: Success or Burden for the Future” (2010) 2 Gӧttingen J Intl L 728, 729.
- ↑ Rome Statute art 8bis, para 1.
- ↑ Ibid, arts 25, 28. One can think of it that Rome Statute Articles 25 (individual criminal responsibility) and 28 (superior responsibility) broaden the field of who may be accused (eg, to those who aid in the planning, for example) but the requirement of involvement in “planning, preparation, initiation or execution” (contained in the definition of the crime) must be met for any accused.
- ↑ Ibid, art 8bis, para 1; art 25, para 3bis.
- ↑ See Carrie McDougall, The Crime of Aggression under the Rome Statute of the International Criminal Court (2nd edn, CUP 2021) 257 (“The definition applies to de facto ‘leaders’ who are in a position to have a decisive say over, govern, instruct, or command the deeds of the political or military establishments of a State aimed at achieving particular objectives.” Also arguing “that this definition excludes business and religious leaders (unless they otherwise meet the leadership definition),” resulting in a “narrowing of the class of potential perpetrators.”). For further discussion of the “leadership clause,” see Astrid Reisinger Coracini and Pål Wrange in Claus Kreβ and Stefan Barriga (eds), The Crime of Aggression: A Commentary (CUP 2017) 309–12; Roger Clark, in Kreβ and Barriga, 583 et seq.
- ↑ See Rome Statute art 30.
- ↑ See also Tallinn Manual 2.0 Rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to a non-cyber operation rising to the level of a use of force.”).
- ↑ Controversy has existed over whether data should be considered an “object” that is protected under IHL, although the debate seems to be resolving that it is protected. See Jeffrey T Biller and Michael N Schmitt, “Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare” (2019) 95 Intl Law Studies 179; Kubo Mačák, “Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law” (2015) 48 Israel Law Rev 55. If paper hospital records were destroyed, there would be destruction of “physical property”; it makes little sense to have the same information treated differently just because it is digitized. Alternatively, even if data were not protected under IHL, that does not preclude its being considered part of an act of aggression since IHL analysis and crime of aggression analysis are not coextensive; for example, combatants may be targeted under IHL but are victims of the crime of aggression.
- ↑ The Tallinn Manual does not close the door to other harm, other than physical damage to property, loss of life or injury to persons, being considered “use of force.” See Tallinn Manual 2.0 Rule 69, para 8. For factors to evaluate in determining when the level of harm of a cyber operation rises to the level of a “use of force,” see ibid, 333–36.
- ↑ See Int’l L Comm’n, Draft Articles on the Responsibility of States for Internationally Wrongful Acts, with Commentaries (adopted), UN Doc. A/56/10 (2001), art 11 (“Conduct . . . shall . . . be considered an act of [a] State under international law if and to the extent that the State acknowledges and adopts the conduct in question as its own.”).
- ↑ See ibid, art 7 (“The conduct of an organ of a State or of a person or entity empowered to exercise elements of the governmental authority shall be considered an act of the State under international law if the organ, person or entity acts in that capacity, even if it exceeds its authority or contravenes instructions.”).
- ↑ See list of acts qualifying as aggression from Rome Statute art 8bis, para 2. The list is open-ended, so it is not imperative for the attack(s) to fall directly into the enumerated acts, see Permanent Mission of Liechtenstein to the United Nations, “The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare” (Aug 2021) [hereinafter, “Council of Advisers’ Report”] 10, para 3, but a clearer case would be one where they do.
- ↑ Rome Statute art 8bis, para 2 (b) (emphasis added).
- ↑ For the question of whether cyber capabilities may qualify as weapons, see also Legal review of cyber weapons, means and methods of warfare (“Although the precise definition of a ‘cyber weapon’ is unsettled as yet, at the very least, all cyber tools capable of conducting ‘attacks’ as understood in IHL, that is, acts of violence against the adversary whether in offence or in defence, should be considered to qualify as cyber weapons . . . .”) (footnotes omitted). According to the International Court of Justice, “use of force” may be accomplished “regardless of the weapons employed.” Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 226, para 39.
- ↑ L3. Arguably these requirements—suggested in the Tallinn Manual 2.0—are too narrow. Of course, the Tallinn Manual 2.0 does not make fatalities or physical destruction an absolute precondition when evaluating “use of force.” See Tallinn Manual 2.0 Rule 69, para 8. Simultaneously, expanding what constitutes “use of force” in the cyber domain is a “ground [that] must be trodden upon very carefully since it can result in dilution of the threshold for use of force more broadly”—eg, it could potentially expand what triggers a state’s right to use self-defence. See Council of Advisers’ Report 15, para 19.
- ↑ See L3.
- ↑ See L3.
- ↑ See Carrie McDougall, The Crime of Aggression under the Rome Statute of the International Criminal Court (2nd edn, CUP 2021) 158. Understanding 6 agreed on at the 2010 Review Conference provides: It is understood that aggression is the most serious and dangerous form of the illegal use of force; and that a determination whether an act of aggression has been committed requires consideration of all the circumstances of each particular case, including the gravity of the acts concerned and their consequences, in accordance with the Charter of the United Nations.; see also Understanding 6.
- ↑ Ambiguity whether all three terms must be satisfied. See International Criminal Court, Assembly of States Parties, Review Conference, ICC Doc. RC/Res.6. The Crime of Aggression (11 June 2010) Annex III Understanding 6. Understanding 7 further states that “the three components of character, gravity and scale must be sufficient to justify a ‘manifest’ determination. No one component can be significant enough to satisfy the manifest standard by itself.” Ibid, Understanding 7. This leaves it open to interpretation whether all three terms must collectively satisfy the threshold, or whether two may suffice. See Robert Heinsch, “The Crime of Aggression after Kampala: Success or Burden for the Future” (2010) 2 Gӧttingen J Intl L 728, 729.
- ↑ Council of Advisers’ Report 15, para 18 (“This proposition suggests that a series of attacks, none of which would individually amount to an armed attack, could nonetheless collectively constitute an armed attack. The ICJ has not explicitly endorsed this argument, but some have argued that it has implicitly done so: it has on multiple occasions ruled that a series of individual attacks did not, on the facts, amount to an armed attack, while not rejecting this legal theory wholesale.”), citing Oil Platforms (Iran v US) (Judgment) [2003] ICJ Rep 161, para 64; Armed Activities on the Territory of the Congo (Dem Rep Congo v Uganda) (Judgment) [2005] ICJ Rep 168, para 147; Steven R Ratner, “Self-Defense Against Terrorists: The Meaning of Armed Attack” in Larissa van den Herik & Nico Schrijver (eds), Counter-Terrorism Strategies in a Fragmented Legal Order: Meeting the Challenges (CUP 2013). The accumulation of events theory should be accepted. A slow-moving genocide would still be genocide if the element of the crime are met. There is no reason the same should not be true vis-à-vis the crime of aggression. See also Tallinn Manual 2.0 Rule 71, para 11 (as to a series of cyber incidents, “there are grounds for treating the incidents as a composite armed attack” if “the same originator (or originators acting in concert) has carried out smaller-scale incidents that are related and that taken together meet the requisite scale and effects”).
- ↑ Council of Advisers’ Report 15, para 18.
- ↑ Some domestic criminal codes that contain the crime of aggression do not have the leadership clause. See Annegret Hartig, Making Aggression a Crime under Domestic Law (Springer 2023) 300 et seq; Astrid Reisinger Coracini, “(Extended) Synopsis: The Crime of Aggression under Domestic Criminal Law” in Claus Kreβ and Stefan Barriga (eds), The Crime of Aggression: A Commentary (CUP 2017) 309–12.
- ↑ For example, the nationals of non-States Parties and crimes committed on their territories are completely excluded from ICC jurisdiction over the crime of aggression. See Rome Statute art 15bis, para 5. For a proposal by the Global Institute for the Prevention of Aggression (“GIPA”) to amend the Rome Statute to harmonize the ICC’s jurisdiction over all four Rome Statute crimes, see <GIPA-model-amendment-proposal.pdf (crimeofaggression.info)>; see also GIPA’s reasons for the proposed amendment <GIPA-Proposal-Short.pdf (crimeofaggression.info)>; Jennifer Trahan, “Amending the Kampala Amendments: Proposal to Harmonize the ICC’s Jurisdiction Over the Crime of Aggression with Its Jurisdiction Over Its Other Core Crimes” (Opinio Juris, 2 Nov 2023) <Amending the Kampala Amendments: A Proposal to Harmonize the ICC’s Jurisdiction - Opinio Juris>.
- ↑ The ICC has not yet opined on the topic of gravity and cyber operations. A strong case can be made that a cyber operation that causes harm akin to a kinetic attack—for example, one that seriously injures or kills a number of persons or that causes significant damage to, or destruction, of property—could, depending on the facts, satisfy the ICC’s gravity threshold; however, other cyber attacks might do so as well, such as attacks on critical infrastructure, even absent loss of life or physical destruction. See Jennifer Trahan, “Contributing to Cyber Peace by Maximizing the Potential for Deterrence: Criminalization of Cyber-Attacks under the International Criminal Court's Rome Statute” in Scott Shackleford, Frederick Douzet, and Christopher Ankersen (eds), Cyber Peace: Charting a Path Toward a Sustainable, Stable, and Secure CyberSpace (CUP 2022) 138; Jennifer Trahan, “The Criminalization of Cyber-Attacks under the Rome Statute” (2021) 19 J of Intl Criminal Justice 1133, 1138–46. While the “manifest” threshold might satisfy the gravity requirement, there is as of yet no ruling whether these thresholds are coextensive.
- ↑ For domestic legislation following the 2010 Review Conference, see Annegret Hartig, Making Aggression a Crime under Domestic Law (Springer 2023) ch 6. For legislation that preceded the 2010 Review Conference, see Astrid Reisinger Coracini, “(Extended) Synopsis: The Crime of Aggression under Domestic Criminal Law” in Claus Kreβ and Stefan Barriga (eds), The Crime of Aggression: A Commentary (CUP 2017).
- ↑ On functional immunities and the crime of aggression before domestic courts, see Annegret Hartig, Making Aggression a Crime under Domestic Law (Springer 2023), 422–57. On personal immunities, see Astrid Reisinger Coracini and Jennifer Trahan, “The Case for Creating a Special Tribunal to Prosecute the Crime of Aggression Committed Against Ukraine (Part VI): On the Non-Applicability of Personal Immunities” (Just Security, 8 Nov 2022) <The Case for Creating a Special Tribunal to Prosecute the Crime of Aggression Committed Against Ukraine (Part VI): On the Non-Applicability of Personal Immunities (justsecurity.org)>.
Bibliography and further reading[edit | edit source]
- Ambos, K “International Criminal Responsibility in Cyberspace” in Tsagourias, N, and Buchan, R (eds), Research Handbook on Cyberspace and International Law (Edward Elgar 2015).
- Ambos, K, “Individual Criminal Responsibility for Cyber Aggression” (2016) 21(3) Journal of Conflict & Security Law 495.
- Biller, J T, and Schmitt, M N, “Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods Of Warfare” (2019) 95 International Law Studies 179.
- Efrony, D, and Shany, Y “A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyber Operations and Subsequent State Practice (2018) 112(4) American Journal of International Law 583.
- Hathaway, OA, Crootof, R, Levitz, P, Nix, H, Nowlan, A, Perdue, W, and Speigel, J, “The Law of Cyber Attack” (2012) 100(4) California Law Review 817.
- Jensen, E T, “The Tallinn Manual 2.0: Highlights and Insights” (2017) 48 Georgetown Journal of International Law 735.
- Kress C, and Barriga, S (eds), The Crime of Aggression: A Commentary (CUP 2017).
- Mačák, K “Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law” (2015) 48(1) Israel Law Review 55.
- Mačák, K “On the Shelf, but Close at Hand: The Contribution of Non-state Initiatives to International Cyber Law” (2019)113 AJIL Unbound 81.
- McDougall, C, The Crime of Aggression under the Rome Statute of the International Criminal Court (2nd edn, CUP 2021).
- Permanent Mission of Liechtenstein to the United Nations, “The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare,” (Aug 2021).
- Roscini, M, “Gravity in the Statute of the International Criminal Court and Cyber Conduct that Constitutes, Instigates or Facilitates International Crimes” (2019) 30(3) Criminal Law Forum 247.
- Schmitt, M N (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, CUP 2017).
- Trahan, J, “The Rome Statute’s Amendment on the Crime of Aggression: Negotiations at the Kampala Review Conference” (2011) 11(1) International Criminal Law Review 49.
- Trahan, J, “From Kampala to New York: The Final Negotiations to Activate the Jurisdiction of the International Criminal Court over the Crime of Aggression” (2018) 18(2) International Criminal Law Review 197.
- Trahan, J, “Contributing to Cyber Peace by Maximizing the Potential for Deterrence: Criminalization of Cyber-Attacks under the International Criminal Court's Rome Statute” in Shackleford, S, Douzet, F, and Ankersen, C (eds), Cyber Peace: Charting a Path Toward a Sustainable, Stable, and Secure CyberSpace (CUP 2022).
- Trahan, J, “The Criminalization of Cyber-Attacks under the Rome Statute” (2021) 19 Journal of International Criminal Justice 1133.
- Tsagourias, N, “Cyber Attacks, Self-Defense and the Problem of Attribution” (2012) 17(2) Journal of Conflict & Security Law 229.
Contributions[edit | edit source]
- Scenario by: Jennifer Trahan
- Analysis by: Jennifer Trahan
- Reviewed by: Christiane Ahlborn, Sina Alavi, Liina Lumiste
Previous: Scenario 31: Sharing degrading content |