Elizabeth Wilmshurst CMG KC
Good. Well, hello and welcome. Welcome to those here in the hall and welcome to those online, to this meeting on “Prosecuting cyber-enabled international crimes.” Our panel up here, we have Nino Malisevic, who’s a Senior Director at Microsoft. He joined in 2014 and he leads the company’s efforts related to jid – digital diplomacy, aimed at enhancing responsible behaviour in cyberspace. Nino worked for more than ten years for the OSCE before coming to Microsoft, where he was the organisation’s first Cybersecurity Officer.
Marko Milanović is Professor of Public International Law at Reading. He’s co-General Editor of the ongoing Tallinn Manual 3.0 on the application of international law in cyberspace. And since 2024, relevant to this meeting, he’s been serving as a Special Adviser on Cyber-enabled Crimes to the Prosecutor of the International Criminal Court.
Harriet Moynihan is Head of Accountability in International Law at the Oxford Institute of Technology and Justice at the Blavatnik School of Government in Oxford, and she’s also an Associate Fellow in the International Law Programme here at Chatham House and is a co-author of this paper, “Securing Justice for Cyber-Enabled International Crimes.” As is Tsvetelina van Benthem, who I hope we have in the audience but is not on the panel with us.
Good. Just a little housekeeping. The discussion is on the record; it’s being recorded and livestreamed. You’re encouraged to tweet using #CH_Events and @ChathamHouse, and those online, please submit questions throughout the event using the Q&A box on your screen. And after this meeting, for those here, there will be drinks upstairs. We will finish at about five to seven, I should think. What we will have here is a panel discussion with prearranged questions, on the whole, but we will want to bring you in, as well, those online and those in the hall. So, do have your questions ready.
Right, well, the very first sentence of this paper of ours begins by “Harmful cyber operations are growing in pace, scale and impact,” and who better to tell us about the threat environment than Nino from Microsoft? Nino, yours.
Nemanja Malisevic
Thank you very much, Elizabeth. Always a pleasure to be here at Chatham House. Always particular pleasure to get a – get to share a panel with you, Harriet, and with Marko. So, very happy to say, also, a few words about the threat landscape, the overall threat landscape as we’re seeing it. It’s a big company, so that gives us a pretty unique vantage point in terms of the cybersecurity threat landscape. Every day we do get to process about a hundred and trillion – 100 trillion security signals from across the world, and if we look at our most recent Digital Defense Report and following up on what Elizabeth just said, what – quite clearly, what we’re seeing is attacks that are increasingly defined by speed, scale and sophistication.
And if we look ahead, I think the most acute challenge for 2026 will be the ongoing industrialisation of cybercrime, because really, these are no longer – and have been already for a while, but these are no longer isolated criminal acts. Instead, what we’re seeing is we see perpetrators operate as global enterprises hiding in permissive jurisdictions that, essentially, allow attackers to operate with near impunity, so-called safe havens, which then, of course, raises interesting questions about due diligence. We’ll probably get to some of those, as well.
In terms of the concrete threat vectors, the tech vectors that we’re seeing, our threat intelligence consistently keeps showing that identity theft is still the front door to very much of cybercrime, with the overwhelming majority of attacks still originating from compromised credentials, rather than other vulnerabilities. It also shows that about 97% of observed identity attacks are password spray or brute force attacks. Essentially, it means that the vast majority of these attacks are, essentially, guessing passwords or trying many passwords until one works. The good news for that particular aspect is that no matter how much the threat landscapes changes, and it does change and it does evolve, but multifactor authentication still helps to block over 99% of these types of unauthorised attempts, making it still the most important security measure an organisation can implement.
That said, we are also seeing AI will remain a force multiplier, both for defenders and attackers. For example, we’re seeing that AI is amplifying, we’re coming back to this, the scale, speed and sophistication of fraud and social engineering. So, while the core tactics, if you wish, often still remain unchanged, it’s still often about manipulating trust and exploiting human psychology, malicious actors are using bots to essentially supercharge these types of attacks. And we’re seeing across the entire year, our anti-fraud systems blocked approximately 1.6 million bot-driven fake account signup attempts per hour. So, an astonishing volume, if you think about it, and also, a good indication of just how attackers are abusing these types of automated and false identities at scale. We’re also seeing AI-generated IDs being used at higher rates globally, with an estimated 195% growth, again, reinforcing the importance of verification and security.
Nation – couple of words about nation state threats, and before I do that, I always like to take a little moment and take a step back and unpack what that actually means when we say things like nation state threats. If you’re dealing with the nation state threats, and there’s a bunch of you in the audience that know me, so you will have heard me make this bef – example before, but it means you’re dealing with adversaries that, essentially – with groups of people that wake up in the morning, they take their kids to school, they go to the office and then all day, they think about how to attack you. And when they’re done for the day, they leave, spend the evening, go to bed, do whatever and then, they do it again the next day and the day after and the day after. Meanwhile, your job is still your job, if you were, say, a government entity or a company or a think tank. You still need to do your job, but now you need to do your job while folks like this are attacking you. It’s, in many cases, hardly a fair fight and it’s something that’s really worth keeping in mind.
So, when it comes to nation state threats, geopolitical, and we’ll probably keep returning to this, geopolitical objectives continue to drive a surge in state-sponsored cyber activity. This increase is primarily focused on using cyber-espionage to complement traditional intelligence operations. Our threat intelligence shows that cyberactivity last year prioritised espionage against traditional intelligence targets. The most targeted sectors were IT, research and academia, government and think tanks and NGOs. China, Iran, North Korea and Russia remain the key players in this regard, acting in line with geopolitical hotspots and longstanding intelligence priorities. And somewhat unsurprisingly, if we break this down by – if we break down nation state activity by region, in the Americas, the United States was the most targeted country, in the Asia-Pacific region it was Taiwan, in Middle East and Africa it was Israel, and in Europe it was Ukraine.
So, why does all this matter for cyber-enabled international crimes? It matters because, of course, cyber operations can disrupt hospitals, water, power supply, power grids, transportation, all these things creating real-world civilian effects. It also matters because you have consequences, you can have consequences without visible damage, because mere loss of functionality can endanger life and help degrade protected services. Some of the most impacted sectors that I just mentioned include government services, healthcare, these types of things, and all of these, of course, are central to protecting civilians and humanitarian responses. So, clearly, critical infrastructure disruption can support unlawful attacks on protected objects and methods of warfare that endanger civilians.
We should also look at identity and manipulation, which can enable persecution, targeting of protected groups, exposure of witnesses and victims. And another thing that we, of course, always have to keep in mind is supply chain exploitation and trusted relationship compromises, because they can complicate, then, subsequently, attribution and remediation, all of which makes it even more complicated. And last, but certainly not least, referring back to what I said earlier, AI can amplify intimidation and coercion and muddy evidence authenticity, which, of course, is also super important.
So, probably to conclude, then, what we’ve been seeing is that cyber is now clearly a core instrument of power in conflict, and I think the difference between a lot of the real-world impact and then legal accountability is whether we can translate the technical effects into proof of harm, intent and responsibility, which then, of course, is exactly what – why the Chatham House research is so, so important. So, with that, back to you, Elizabeth.
Elizabeth Wilmshurst CMG KC
Thank you so much, Nino, and that sets the scene. Now, in our paper, in the Chatham House paper, which incidentally, you can find online, or there are a few copies there, or were…
Harriet Moynihan
Hmmm hmm.
Elizabeth Wilmshurst CMG KC
…the – we are distinguishing between cybercrimes and cyber-enabled international crimes, and cyber-enabled international crimes are just the big four, the genocide, crimes against humanity, war crimes and aggression. These are also the crimes that are dealt with in the ICC Officer Prosecutor Policy paper, which is another blue – so, that’s the background and this is the purpose of this panel, to talk principally about the international crimes.
Now, Marko, give us some examples of how these international crimes can be committed or enabled by cyber means.
Marko Milanović
Sure. So, lovely to be here and lovely, also, to continue the co-operation with Chatham House and Microsoft. So, we very much benefitted from that in the process of developing this policy, which Elizabeth mentioned, which was presented at the Assembly of States Parties in December. And as Elizabeth said, that policy, this policy, deals only with crimes under international law that directly exist under international law and that are punishable and prosecutable before the ICC. That does not include the vast majority of so-called cybercrime. So, fraud, like just hacking someone, taking their money, that’s not the concern of the ICC. The ICC’s concern is war crimes, genocide, crimes against humanity, aggression, plus crimes that are offenses against the administration of justice and Article 70 of the statute.
Now, in addition to the crimes themselves, and I’m going to start giving some examples in a moment, there’s also not just the commission of these crimes, there’s also their facilitation. There’s multiple modes of liability that, sort of, come into that, but you can facilitate a kinetic crime, for example artillery attacks on civilians or missile attacks against, say, civilian energy infrastructure, you can facilitate them by cyber means, and that’s also what our policy deals with.
So, examples, the one distinguishing, sort of, feature of international crimes is that often they have some kind of contextual element. There’s something that elevates them above mere ordinary criminality. It’s usually not just, like, the number of victims. You know, there is normally some kind of legal standard that needs to be met. So, for example, war crimes can only be committed in armed conflict. The policy goes a bit into this debate that has long been discussed in the literature about whether cyber means can be used to, for example, initiate an armed conflict. It’s clear that they can, at least when international armed conflicts are concerned. It’s also clear that cyber means can be used to commit war crimes in armed conflict. So, for example, it is a war crime under the statute to intentionally direct attacks against civilians, against the civilian population as such, or against civilian objects, yeah?
So, we are now witnessing – by the way, when I give examples, I am not speaking on behalf of the Office of the Prosecutor, but I will give you actual examples because I hate State A, State B. We’re now looking at Russia using missiles to target Ukrainian energy infrastructure, right? We’ve all seen the people in – of Ukraine freezing. That is an attack against civilian objects. Four high-ranking Russian officials are already charged with that war crime, yeah, so the Chief of Staff, two Generals, an Admiral, yeah.
Elizabeth Wilmshurst CMG KC
Charged in the ICC?
Marko Milanović
In the ICC. Sorry, when I say ‘charged’ I’m – I misspoke. Arrest warrants were issued for them, the charges have yet to be confirmed, yeah? It matters not whether you shut down a powerplant or a heating plant by lobbing a missile at it or by shutting it down by using cyber. You see what I mean? If the outcome is the same, yeah, you see – you cause the plant to shut down, you cause the harm that that is causing to the civilian population, the outcome is the same. If you shoot down a – by using a missile, if you shoot down a plane, that’s obviously a war crime if it’s directed against a civilian plane. If you use cyber means to hack air traffic control in an airport, you can commit the war crime of intentionally directing attacks against civilian population. You can commit the crime against humanity of murder if you cause those deaths and kill hundreds of people aboard the plane. That is fairly straightforward.
For most crimes in the statute, you can find cyber examples of how they can be committed through normal processes of interpretation that are completely straightforward. For example, it is a crime to directly and publicly incite genocide, yeah? If you stand up, go on TV, go on radio, and say, “Kill all the Serbs,” whatever, that is, in and of itself, criminal. If you do it on social media, it’s the same thing, yeah? You do not need to go through some, kind of, hugely imanit – imaginative leaps of reading these texts in a radically different way. You can normally apply these crimes fairly straightforwardly.
Sometimes, obviously, that’s difficult to do. You have the crime of torture, for example, which can be war – the war crime and the crimes against humanity, is something we associate with fairly physical harm, but it can be inflicted through mental harm. You know, you can imagine mental harm being – or at least at the minimum, outrages on personal dignity being done by, for example, circulating the sexual images or the nude images of prisoners of war or someone else in captivity and stuff like that.
So, my point is simply this. You can, without violating the principle of legality, apply the statute which states negotiated in 1998, in a technology neutral way, to cover cyber, to cover AI, to cover most kinds of new events that we see. Now, sometimes that is more difficult. Sometimes that interpretative exercise is not easy, yeah? So, for example, the crime of aggression, you would really need a normally massive, sort of, use of cyber power alone to commit the crime of aggression, to reach the scale of “a manifest violation of the charter by its character, gravity and scale,” which is what the statute requires.
Oh, but one key point that we make in the policy, though, is that it doesn’t have to be cyber alone, yeah? Cyber can be mixed with kinetic. So, I mean, if I can give you another real example, again speaking only on my own behalf, the recent raid by the United States on Caracas, on Venezuela, where they abducted Nicolás Maduro, 100 people get killed, it’s obviously unlawful, everybody knows it’s unlawful, right? There’s no problem there, abducting a President. It started with cyber, yeah? So, the whole thing is kinetic when you look at it, but it started through a cyber operation that shot down the electricity grid in Caracas for a few hours. That act on its own, yeah, is not, you know, a use of force as such, but it is part of a bigger whole. The person who committed that act could be, for example, prosecuted for aiding and abetting the offence or for some other mode of participation. So, that’s, sort of, the key message that the policy sends.
Another key point is that it also refers to crimes against the administration of justice. The Court itself was cyberattacked twice in the past couple of years. The details of these attacks have not been publicly disclosed, to the extent of who committed them and what the actual impact of them were, but you can easily imagine Judges being targeted, for example, to intimidate them by cyber means. Prosecutors being threatened by cyber means. Evidence being doctored and falsified by cyber means. It is not, you know, again, any kind of terrible leap of imagination to say that all of these crimes can be committed by means of cyber.
So, that’s, essentially, the message that the policy sends. I mean, it goes through this in a lot, of course, more legal detail, but I hope you get what I’m saying. You do not need to change the statute to effectively prosecute these crimes.
Elizabeth Wilmshurst CMG KC
Marko, if you don’t need to change the statute and it’s fairly easy to interpret the statute, why was it necessary to have a new policy? You don’t have a policy on machetes.
Marko Milanović
Thank you for being gentle with me, as you always are. So, well, because there are things that need to be worked through, right? So, it is setting the scene, it is also signalling exercise, right? It is signalling to the Court’s constituency, to the prosecutors of this constituency, that the Office is prepared and that the legal foundations are there. There are many more practical challenges that the second part of the policy deals with, that also the Chatham House paper presented tonight deals with in a lot more detail. It’s easy to say the law is there. You need to have a capacity to actually effectively prosecute this, and that is a real challenge, right? But there are also other legal questions, like questions of jurisdiction, for example, where is a crime committed and who by?
Elizabeth Wilmshurst CMG KC
We’ve got a question on that.
Marko Milanović
Oh.
Elizabeth Wilmshurst CMG KC
“How are international legal frameworks adapting” – well, let’s just say how is the ICC adapting “to prosecute cybercrimes,” well, cyber-enabled international crimes, “that cross multiple jurisdictions?” Is this not quite a novel problem that – yeah, carry on.
Marko Milanović
It is.
Elizabeth Wilmshurst CMG KC
Yeah.
Marko Milanović
It is reasonably novel. You know, we’ve always had these hypotheticals in law school, you know, where, you know, we discuss how a crime can be committed transnationally and so on, and how multiple states can have a transition. But cyber is really that, you know, multiplied by many factors. So, you know, I can be a Serbian state hacker, yeah, and I can use cyberinfrastructure in the UK to initiate a cyber operation against, say, Croatia, yeah, which then might produce consequences that I did not foresee in, say, the United States, yeah? The data that I am sending, the data packets, might be transiting through 50 states, through servers in 50 states, yeah?
So, the question is where the crime was committed and generally speaking, the policy takes the position that both the state in which the conduct happens, so where the person who types into a computer system is located, and the state where the conduct produces effects, or where the crime happened. It can happen in two states at the same time. If one of them is a state party to the Court, the Court has jurisdiction. The policy also says, however, that mere data transit is enough – not enough, yeah.
So, there are some things, obviously, in the policy which the Office of the Prosecutor is keen to say. There are also things it’s not terribly keen to say for various reasons, not necessarily because they’re not legally clear, but because they are sensitive in the sense there might be impending litigation. You don’t want to put everything out there in one single document, and on some points, we have to be careful. For example, there’s this whole big controversy about whether data is an object for the purpose of international humanitarian law, rules that govern attack. So, if you attack an object and the object is civilian, that’s a war crime. The question is whether cyber operations that simply delete data, whether they are attacks on an object. Some people argue it is, some people argue it’s not. Some states argue it is, some states argue it’s not. We see there’s a controversy; we don’t need to take a position. It is not necessary for us to take a position on that at this moment in time. At some future moment, in a case, maybe, that might be relevant.
Elizabeth Wilmshurst CMG KC
Thank you. Can we go back a little bit, if you’re not tired of talking at the moment…
Marko Milanović
Never.
Elizabeth Wilmshurst CMG KC
…to the question of facilitation…
Marko Milanović
Hmmm hmm.
Elizabeth Wilmshurst CMG KC
…which you mentioned briefly? Lots of, I mean, IT companies, other providers of various things, can be said to facilitate a crime, in that they, their platforms or whatever has been used for the purpose of – has been used by others for the purpose of committing genocide war crimes, crimes against humanity. Does that present a particular difficulty with regard to cyber-enabled crimes, more than it does when you have to consider I lend you something to commit a crime, I lend you some – a knife?
Marko Milanović
I think it poses a difficulty. I don’t think the difficulty’s particular to cyber, if you see what I mean. I – the same kinds of issues arise if you are – for instance, the UK and you send money to a moderate organised arm group, knowing that from time-to-time, they will not be so moderate, right? The same problem of complicity in the acts of another arises – the – what is interesting in this setting is the corporate sector, is the importance of the corporate sector, and in cyber, that is enormously important in a way it might not be in other contexts. By the way, at the same event, at the States Parties, in December, the Office presented another policy, which I was not involved with, which was on environmental crimes, on – or on crimes of the statute which have produced environmental harms. You had the same kind of issue with the importance of the corporate sector.
And the legal answer is that people like Nino, hi, can be held criminally responsible, depending on what they do and with what level of fault they act. So, if they act with the requisite degree of intent or knowledge that is required under the statute, and they can be held responsible before the ICC, they can also be held responsible domestically. As you know, there’s been – I’m not going to get into the details because I cannot, but you know, there’s been this enormous public attention being given to the Israeli Defense Forces, or the Israeli state generally, using the cloud computing and other facilities of various tech companies to do things, for example, that could be qualified as a crime against humanity, persecution of the Palestinian population, yeah? Microsoft was a company which actually cut off ties with Israels once it realised that its Azure cloud was being used to store surveillance data of Palestinians.
In – there is a – one really interesting domestic persecution which you want to keep an eye out which is about cement, it’s not about cyber, but it is really instructive. So, in France they just concluded a trial of the Executives of Lafarge, the big cement company which operated in Syria, knowing that the money was being taken by ISIS to do all sorts of bad things, yeah? So, what the outcome of that trial I – will be, I have no idea. All I’m saying, and the policy says quite clearly, is that private sector individuals, but all other kinds of people, can be held liable for complicity or other forms of participation, like, for example, contributing to a crime intentionally with a common – when the crime’s committed by a group acting with a common purpose.
Elizabeth Wilmshurst CMG KC
Provided they have the necessary intent…
Marko Milanović
If the intent…
Elizabeth Wilmshurst CMG KC
…as you…
Marko Milanović
…is met, exactly.
Elizabeth Wilmshurst CMG KC
…say. Yeah, great, good. Let’s now talk about the challenges of prosecution and investigation, Harriet, if you would, and any of the solutions that have been thought of to deal with them.
Harriet Moynihan
Sure. Yes, thanks, and I would endorse the International Criminal Court’s new policy because it shows international law moving with the times and international law being technology neutral. So, I think it’s a really great thing. However, prosecution of international crimes is hard enough as it is. It’s very resource intensive, it’s very slow, but when you layer on the cyber aspect as well, then it becomes even more challenging. If we think about activity in cyberspace, it’s usually covert, so it’s hard to identify who the perpetrator is. Often the perpetrators will hide their tracks, and as we’ve heard, the evidence is often spread across multiple jurisdictions.
The type of practical challenges that will arise, of course, will depend on the way in which cyber is implicated. So, we’ve had a couple of examples from Marko. If we think about, for example, a foreign fighter who’s filming an atrocity, a mutilated body, or a dead body, on its phone and then taking pictures and sending it online, perhaps on – putting it on YouTube or Facebook, a, sort of, trophy, which happens, sadly, too often, in that sort of situation, we’re looking at probably open-source evidence. We might be looking at posts on Facebook or pictures, videos, on YouTube, and in some ways that might be good because the evidence is there, but the YouTube platform provider might, for example, decide to delete it because it violates its terms of service, precisely because it’s violent content. So, there’s issues about the fragility of open-source digital evidence. There’s also issues around the type of verification and reliability, because deep fakes are an increasing problem. So, has the evidence been manipulated?
Then there’s the sort of situation that Marko mentioned of a major cyber operation against critical infrastructure and there have been Article 15 submissions to the ICC under – in – alleging that there are war crimes as a result of cyberattacks brought by Russia on civilian infrastructure and power grids in Ukraine. In that sort of situation, we have very sophisticated cyber operations that are likely to require a more specialised form of investigation, perhaps digital and forensic expertise, and that can be quite difficult to obtain if you’re a criminal court and will probably require you working with private sector or specialist experts.
If we try and imagine how we get the evidence for these kind of cases, then the traditional way of doing so is mutual legal assistance treaties between states, which are notoriously slow and cumbersome, especially if you’re trying to do it across multiple jurisdictions. Sorry, and also, we’re almost certainly in this sort of case going to need to liaise with the private sector because they own the infrastructure involved. So, we’ve got a, sort of, situation where the investigation and prosecution is more complex because of cyber and we need to look for, sort of, guidance or guardrails in this case, and one of the ways that we can do that is looking at the investigation and prosecution of cybercrime, because there are some interesting synergies in terms of, often, the actors involved, the investigatory techniques and the pathways to evidence.
I should, of course, note that there are differences between prosecuting an international crime and cybercrime. As we’ve heard, there are many more elements to the prosecution of an international crime, for example, the contextual elements. So, they’re not on all fours in terms of their, sort of, legal content, but practically and procedurally, there’s some – there are some interesting synergies. And one of the things I wanted to flag as a, sort of, help is the Budapest Convention on Cybercrime (2001), which has 81 states parties, including the US, and is already used quite practically to try to get a more efficient way of gaining electronic evidence.
And in fact, there was a global cybercrime trends report published by the Council of Europe only last week, which showed that “97% of states have carried out reforms,” mainly in the last ten years, on – with specific legislation on cybercrime. “69% have put criminal laws in place” in relation to cybercrime, and “54% procedural powers in place.” The reason that that’s relevant for cyber-enabled international crimes is because the Budapest Convention covers any offence involving electronic evidence. So, it’s not specific to cybercrime and in fact, many states use it for other types of crime. Similarly, the UN Cybercrime Convention, which as many you will know, was signed in October by over 70 states, it’s not yet in force but is likely to be relatively soon, that covers any serious crime. So, again, the scope of it is broad enough to – and captures cyber-enabled international crimes.
In terms of actually getting evidence between states, still can be quite slow, but there are two new procedural treaties, I suppose, or regulations, that are going to make it quicker. There’s the Second Additional Protocol to the Budapest Convention on enhanced co-operation and disclosure of electronic evidence. That enables states to go directly to service providers for certain data, like subscriber data. There’s also the EU’s new e-evidence framework, which is coming into effect this year.
And if we think about the ICC, which itself doesn’t have powers to have arrest warrants or subpoenas and is quite dependent on states parties often to get evidence, most of the – well, all – currently all EU member states are states parties to the Rome Statute. Sadly, at least one is leaving in the summer, but most of them are states parties and that means that there is potential for ICC to, sort of, use these frameworks itself via states parties. For example, asking an EU member state to use an E-Production Order, which will come online, as I say, this year, to get the evidence that it needs. I think also, we should imagine this, sort of, network of, I suppose, e-evidence frameworks and treaties have helped to, sort of, build capacity between states in dealing with electronic evidence, and there’s been a whole lot of training going on in the background, as well.
But the final point I’d mention is that there are some concerns around these cybercrime treaties and particularly the UN Cybercrime Convention and through the negotiations, civil society organisations raised human rights concerns, because some states have used cybercrime laws to target Journalists and human rights defenders, for example. Now, the Cybercrime Convention, the UN Cybercrime Convention, does contain some human rights provision explicitly, Article 6 and Article 24, sort of, saying that “The treaty must be implemented in accordance with international human rights law.” But I think it’s very important, as states decide to sign up to these treaties, that they think about human rights in their implementation, in particular that the partners that they’re dealing with have a good record on those kind of things.
Elizabeth Wilmshurst CMG KC
Thank you very much for that. So, you can prosecute these international crimes in the ICC, or you can prosecute them in national courts. Is there much prospect of prosecutions in national courts, do you think?
Harriet Moynihan
Well, our – so, our – I should say our paper, Chatham House paper, probably goes a bit beyond the ICC policy because it does look at national courts as well as the ICC. And it’s certainly true that there have been some cases already where national courts have tried cyber-enabled international crimes. Marko mentioned the war crime of outrages on personal dignity and there have been some cases in Germany, Finland, the Netherlands, Sweden, where those countries have successfully prosecuted foreign fighters that, as I mentioned earlier, have filmed, sort of, atrocities, mutilated bodies or dead bodies, with their phones and put it online, and they have been successfully convicted for that.
But I think it’s fair to say that these kind of crimes are very hard for a single state to investigate, especially if we’re talking about major cyber operations, the, sort of, more sophisticated examples that I mentioned. And I think that it’s very time-consuming, it requires a lot of expertise, sometimes digital expertise and forensics, knowledge of how to get evidence across borders. And even if you manage to get the evidence, for example one of the private sector providers sends you the data, you may not even be able to store it. I’ve heard situations where companies have sent terabytes worth of data to National Prosecutions Services that simply don’t have the, sort of, e-discovery facilities to manage that volume of data. So, I think that there’s an issue around that.
Many states don’t have yet, sort of, cybercrime dedicated offices and – or units, and even if they do, we’re seeing war crime units, in some countries, which again, is only well-resourced states, and cybercrime units completely separate within a prosecution authority. So, in order to ideally prosecute these kind of crimes as a nation state, then you need to have some kind of crossover, you need to have, sort of, some joining up between your cybercrime unit and your war crime unit. This is still relatively new, and I think it’s something that, sort of, training needs to look at. We need to also try and think about synergies between training on cybercrime and training on cyber-enabled international crime because of all these overlaps.
Given the real challenges of a single state trying to prosecute this kind of thing, then I think joint investigations have a real value here, and that’s a trend that we’re seeing, sort of, develop quite positively. There’s a number of these treaties that I’ve mentioned which make explicit provision for joint investigations. So, I’ve already mentioned the Second Additional Protocol to the Budapest Convention and the UN Cybercrime Convention, but I should’ve also mentioned the Ljubljana-Hague Convention on International Co-operation in the Investigation and Prosecution of International Crimes. So, that’s specifically international crimes, which really seeks to promote international co-operation and evidence-sharing on international crimes.
And I think these, sort of, joint investigations can be productive. One example from the non-cyber context of that is the joint investigation into the MH17 tragedy, which was the Malaysia Airlines flight shot down by a Russian-backed Eastern separist – separatists. And there we saw Malaysia, Australia, Belgium and the Netherlands come together to investigate a really complex situation which really required very technical analysis and difficult attribution questions. And it did result in four people being charged, chain of command being identified and three people being convicted and sentenced to life imprisonment. So, it, sort of, shows what can happen when states get together.
Joint investigations are also very evident now in the international criminal sphere. For example, there’s a Joint Investigation Team in relation to Ukraine which was set up very quickly after the full-scale invasion by Russia, and that involves seven prosecution authorities. Eurojust has been playing a brilliant role in spearheading this, there are joint investigation networks with best practice, but it’s not only been useful for those countries. It’s also been useful for the ICC itself, which, of course, is investigating the situation in Ukraine, including cyberattacks on critical infrastructure.
So, I think the thing I would finish with on that is that in order to participate in these joint investigations, states actually have to have legislation in place to enable them to do so, and some states already have that, but many don’t. So, I think that’s one of the recommendations in our paper, is that states need to – as they think about co-operation, make sure they’ve got the legislation in place to enable them to do that.
Elizabeth Wilmshurst CMG KC
Thank you very much for that. Nino, I’m going to…
Nemanja Malisevic
Hmmm.
Elizabeth Wilmshurst CMG KC
…come back to you. Could you tell us how IT companies, such as Microsoft, can help with some of these problems, problems of attribution and help in investigations and threat detection?
Nemanja Malisevic
Hmmm hmm, sure. Before I do, I do want to pick up on one point that you just said, ‘cause you mentioned the UN Cybercrime…
Harriet Moynihan
Hmmm hmm.
Nemanja Malisevic
…Convention and that civil society was concerned, industry too, was very concerned.
Harriet Moynihan
Yeah.
Nemanja Malisevic
I spent a good chunk of the last three years in that negotiation. I recognise Joyce over there, too. So, I think industry and – it was one of those rare occasions where you had industry and civil society speaking more or less with one voice.
Harriet Moynihan
Yes.
Nemanja Malisevic
We had this job where we could, basically, read each other’s statements ‘cause we shared the same concerns, which, basically…
Harriet Moynihan
Yes.
Nemanja Malisevic
…never happens, so – anyways.
Harriet Moynihan
Hmmm.
Nemanja Malisevic
But to get to your – to you…
Elizabeth Wilmshurst CMG KC
Actually, can I just…
Nemanja Malisevic
Yeah.
Elizabeth Wilmshurst CMG KC
…follow up on that? In UN fora, when I was around, it was so difficult ever to get civil society into a negotiating room. Somehow you managed to cope with that in the UN Cybercrime Convention. Was that – I mean, you had a voice – you obviously had a voice?
Nemanja Malisevic
I mean, you touch on a really – it’s my favourite topic. So, you…
Elizabeth Wilmshurst CMG KC
Oh, okay.
Nemanja Malisevic
Modalities for each of those negotiations are discussed separately. So, you have situations where at the UN, in the cyber-norms related discussions, the modalities allow for the member states to veto specific – when these set – when these eve – when these processes are set up, like, for example, the open-ended working groups in the past, member states get to – industry and civil society apply to participate and then member states can individually veto the participation of specific entities. Which is how you had situations where I think Microsoft is the only entity that ever got double vetoed by Russia and by China, I mean, they really didn’t want us in that room.
The modalities for the Cybercrime Convention, where much more permissible states had fought very hard, Western, liberal, democratic states had, by and large, had fought hard for modalities that allowed civil society and industry to have a more prominent role in those negotiations. So, we had the chance to actually be part of the substantive sessions and to make interventions. Yes, they was – they were timed to three minutes and whatnot. You have to still play within the rules, which is, of course, obviously fine, but we were able to meaningfully contribute to those negotiations.
And to pick up on the last point, it never was about taking – none of this is ever about taking decision-making power away from states when we advocate for this. States should take the decisions. It’s – the idea is that hopefully, they will take the best possible decision if they get to also listen to industry and civil society. So, it’s about giving stakeholders a voice, not a vote.
Elizabeth Wilmshurst CMG KC
Thank you. Now back to the original question.
Nemanja Malisevic
Ah, yeah, on that piece that you men – how can IT companies not just admire the problem, but how is it – what can we actually contribute constructively here? I think there’s a number of roles that we can and we should play, and I – let me highlight a few specific ones briefly. So, I think we can help understand the threat landscape early and put it in context, and I think a key role for a large provider, then, is to spot emerging campaigns and help connect the technical signals, figure out who is doing it, perhaps also analyse why they’re doing it and what that might mean for government, civil society and essential services. It – think of it as a type of Horizon Scanning of, for example, influence operations. In our house this is done by the Threat Analysis Center, M-Tech.
Second, I think another role is to turn signals into attribution and knowledge, investi – because Investigators ultimately need more than just indicators. I think they need as clear a picture as they can get, ideally, of which actor is behind an operation. They need to know how they work and they also, ideally, will know – need to know how a campaign fits into a broader pattern. So, this type of mapping, if you wish, of state and criminal groups in – on our side, is done by a Threat Intelligence Center called MSTIC.
And third, I think you need to help tra – figure out and how can you help victims contain incidents and preserve the facts while they are still fresh? So, when an intrusion happens, obviously, time is of the essence, so it’s essential to stop harm, understand what happened and also capture the technical record before it gets overwritten or lost. So, essentially, you’re thinking about incident response and fact development. In our house this is done by the Detection and – by a Detection and Response Team, DaRT.
Fourth, I think industry can help play a role in disrupting criminal infrastructure. I think a provider can raise the cost of malicious activity by taking down domains, servers, services that make cybercrime scalable. Goes back to what I said earlier, this whole idea of industrialisation of cybercrime. And then, also, by sharing what it finds by the appo – appropriate legal channels. On our side, this type of disruption work is led by the Digital Crimes Unit.
Another thing we can and should do is to try and figure out how we can support lawful co-operation in ways that actually courts can rely on, because obviously, we’ve heard a bunch of times now, courts and Prosecutors need evidence that is obtained lawfully and can be explained clearly. So, what data exists, what can be disclosed and how can authenticity and chain of custody be supported and also, then, be in line with the cross-border routes that you’ve mentioned, MLATs, Budapest Convention, Second Protocol, EU e-evidence, these types of things. On our side, this is done by a dedicated law enforcement and National Security Team.
And then last, but certainly not least, I think another thing that industry can hopefully help is to share what we’re learning, publish trends, cases, practical lessons. Idea – the idea being to raise the baseline resilience throughout. On our side, we try to do this with the annual Digital Defense Report that we publish. Because ultimately, of course, industry can’t prosecute, but I think we can help make cases possible by hopefully focusing on turning – how can we turn threat intelligence into defensible attribution and so that we can help by preserving the right evidence early, supporting lawful investigations that then, hopefully, help the Courts reach the truth?
Elizabeth Wilmshurst CMG KC
Thank you very much. That’s talking about the Courts, but of course, the ICC is not popular in every country, and a lot of the tech companies come from the US. And I’m going to come to that question in a minute, but I just want to finish off my question. Sorry, there is a question in the audience, if we’ve got a microphone, at some point. But in the meantime, Marko, co-operation that the ICC is getting from tech companies of the kind that was described here, yes or no?
Marko Milanović
Well, it’s not the yes or no question. I mean, yes, right, so you can’t really effectively do this without co-operation. Some of it can be purely voluntary, right? Sometimes companies can co-operate with the Court or with the Office simply because they’re not constrained by any legal framework that prohibits them from them – maybe might not be bound to co-operate, but they are not prohibited from co-operating, either. Often, though, you will need enabling domestic legal frameworks and that, sort of, ties a bit into what Harriet was saying about the Budapest Convention, about the UN Hanoi Cybercrime Convention. States are revising their laws on facilitating mutual co-operation in sharing various kinds of evidence and allowing private entities, such as companies, to share evidence with third states. You know, they should also think about the ICC and how they can facilitate the work of the Court, right?
So – however, I mean, you will have situations where a state can prohibit its companies from co-operating with a court and that’s just the reality of things, if it happens. It has not happened yet in the American context.
Elizabeth Wilmshurst CMG KC
Do you want to add anything?
Nemanja Malisevic
No, I think that’s good.
Elizabeth Wilmshurst CMG KC
No, okay, thank you very much. There is a question. The microphones might not be with us yet, so just if you give your affiliation and speak loudly and clearly, I will then repeat your question. Thank you.
Peter Sommer
Okay, my name’s Peter Sommer. I act as an expert witness largely in the domestic courts, so I have worked in the international courts. One of the problems you’re going to have on evidence – oh, thank you, don’t have to shout. Well, is this working?
Marko Milanović
Yes.
Peter Sommer
Yes, good. I was very glad to hear that you were focusing on the issues of evidence. I was a little alarmed listening to the first two speakers and thinking well, how are you going to get the evidence? But we had some good answers, I thought, from the third speaker. But one of the problems you’re going to have is on disclosure of methodology. If you’re going to talk about reliability of evidence, you’re going to have to say why it is reliable, and very often, that is going to involve interception and hacking. In the UK we call hacking equipment interference. It’s actually in the legislation, but hardly ever produced in Court because for all sorts of obvious reasons, they don’t want to show how they’re doing it. So, perhaps we could have some comments from the panel about how we overcome that problem or address it.
Elizabeth Wilmshurst CMG KC
Thank you, that’s an interesting one. Marko, is that one for you?
Marko Milanović
I mean, I can…
Elizabeth Wilmshurst CMG KC
Or Harriet?
Marko Milanović
…give it a stab. It is really difficult to answer that question and be abstract.
Peter Sommer
Yeah.
Marko Milanović
Right? I mean, I can tell you that that type of difficulty arises in all sorts of cases that have nothing to do with cyber. Interception evidence has been used already in the International Criminal Tribunal for the former Yugoslavia, for…
Elizabeth Wilmshurst CMG KC
Yeah.
Marko Milanović
…example, and people got convicted, yeah? So, all of these are doing – I’m not trying to understate the challenges. They are serious challenges. The main one is also to build capacity from within for the Office to have people with substantial expertise on these issues. It already actually has a cyber unit. It has some Lawyers who specialise on some of these issues, as well, and at some point, when the opportunity arises to prosecute one of these cases, the Office will be tested, and we shall see, you know, whether it meets the challenge. My personal desire would be to start with something smallish. You don’t want to prosecute a cyber Putin first, if I can put it that way.
Nemanja Malisevic
Hmmm hmm.
Marko Milanović
You know, like, the first ICTY case, for example, was this Tadić case which was against a nobody, like, a Camp Prison Guard, but it did all of these legal things you needed to do. You know, my ideal first cyber case would be, you know, in – offences against the administration of justice, you know, something nicely packaged, something manageable, something that’s not two years of expert evidence. I hope that answers your question.
Elizabeth Wilmshurst CMG KC
Harriet, do you want to add anything?
Harriet Moynihan
Just, I suppose, to add the political dimension, and you’ve pointed out some of the legal issues, but I think where states are gathering evidence across networks, and they’re not necessarily getting consent, they might be going into other people’s – other states’ network without consent, then they may be reluctant to, sort of, submit that evidence. So, I think that in the cyber world, this is not uncommon, it’s happening across networks, and I think there are political reasons in terms of the evidence that I just mentioned, but also just in terms of bringing – participating in international prosecutions that we haven’t really flagged up to date. So, I think that’s worthing noting, as well, as a potential disincentive.
Elizabeth Wilmshurst CMG KC
Thank you for that question. I am going to take other questions, but while you’re thinking, I just want to ask you – Marko, I wanted to come back on artificial intelligence, because no sentence…
Nemanja Malisevic
Yeah.
Elizabeth Wilmshurst CMG KC
…is valid nowadays without…
Marko Milanović
Go on.
Elizabeth Wilmshurst CMG KC
…AI. You say that in relation to crimes committed by cyber means, there’s nothing hugely new about the interpretation of the statute, but what about AI? Does it increase the challenges to the law by having AI-enabled…
Marko Milanović
Grok, can you please…
Elizabeth Wilmshurst CMG KC
…cyber…?
Marko Milanović
…answer that? I wouldn’t have that on my phone, no, but the – so, I can tell you this. The policy – on the question of AI, the policy’s very cautious. So, it – there’s a page and a half. The reason why it’s cautious should be obvious, so I’m not going to say anything more about it. There could be live cases that concern this. You do not, therefore, compromise stuff like that in a policy. There might or might not be, yeah? So, I can give you my own opinion. My own opinion is that quite a few people in this room who are great experts and who will publish articles will often argue that AI poses radically new challenges to international criminal law. It sells an article.
Nemanja Malisevic
Hmmm hmm.
Marko Milanović
I don’t think it’s true in 99% of circumstances, you know. In the type of crime that the ICT – that the ICC prosecutes, I don’t think AI is a huge game changer on the nature of criminal liability, on who you will prosecute, on – even on the questions of evidence, right? So, for example, if you look at the context of hostilities, it was – it is difficult theoretically to prosecute a Commander who uses AI, for example, a decision support system, which results in an attack on a civilian object. The Commander can always say, “Well, the AI told me it was a military objective and I trusted it, and I committed a mistake and therefore, subjectively, I did not possess the intent and knowledge required to be responsible for the crime.” That’s true, but the ICC is never going to prosecute one guy for one thing. It will prosecute someone who killed thousands of people in thousands of incidences, and then you will have a pattern that will show guy, you’re lying. It’s not the AI, you did it, yeah?
So, the four Russian Generals/Admirals, whatever, they could each say, “Well, in that case, the power plant was a dual-use object, therefore a military objective,” or, you know, in one individual case they could that – say that. When they’ve targeted dozens of power plant and heating plants that have no military use whatsoever, dozens of times over years, like you don’t have to be Sherlock Holmes to say your intent was to attack a civilian object, do you see what I mean? And whether they used AI in the process of doing that, to my mind, seems perfectly irrelevant.
So, the answer is the same as always, it’s a technology neutral statute, it can accommodate the use of these technologies. You use AI to surveil a population which you persecute, it’s fine, we have a solution for that. It does not take, again, an enormous amount of…
Elizabeth Wilmshurst CMG KC
Though it may be more…
Marko Milanović
…creativity.
Elizabeth Wilmshurst CMG KC
…difficult to have attribution or to find the appointed…
Marko Milanović
Sure.
Elizabeth Wilmshurst CMG KC
Do you have anything to add on that, Nino?
Nemanja Malisevic
No, I think that is…
Elizabeth Wilmshurst CMG KC
No, no, okay.
Nemanja Malisevic
I wouldn’t want to argue with Marko.
Elizabeth Wilmshurst CMG KC
Okay, let’s have some questions. Right there and two here, and then I’ll look in another part of the room.
Professor Nnenna Ifeanyi-Ajufo
Good evening, everyone.
Elizabeth Wilmshurst CMG KC
Thank you.
Professor Nnenna Ifeanyi-Ajufo
Nnenna Ifeanyi-Ajufo, Leeds Beckett University, Professor of Law and Technology. I’m just going back to Elizabeth’s question on, is there a place for national jurisdiction? And we’re seeing countries like Nigeria promulgated a cybercrime act as far back as 2015 and is prosecuting genocide and crimes against humanity, as amusing as it sounds, prosecution of not more than five years for that act. So, [inaudible – 59:53] in 2020 cyber-genocide, it’s there.
Elizabeth Wilmshurst CMG KC
Oh, my goodness.
Professor Nnenna Ifeanyi-Ajufo
And, you know, there are all of those, not more than 20 years. So, you have all of this in existence, and now, while complementarity is clear on that Rome Statute, what is not clear is the threshold for cyber-enabled international cybercrime. So, my question is, how do we then forge – what is the best approach, remembering that most of these countries are promulgating these laws on the business of disinformation and misinformation, not necessarily because of how cyber enables certain crimes that meet the threshold of genocide and crimes against humanity, even though they are mentioned clearly? So, I’m just thinking what the best, you know, approach would be in defining complementarity, which is not the same as traditionally defined for genocide and crimes against humanity.
Elizabeth Wilmshurst CMG KC
Thank you, and there’s another question just there.
Member
[Pause] Hello. What is stopping ICC to prosecute private spywares like Pegasus, NSO Group, Candiru and Intellexa, things like that, to – because they are committing crimes and they are a corporate structure, but just operating in a – independently, yeah?
Elizabeth Wilmshurst CMG KC
Thank you. I should’ve reminded everyone to give your affiliation when you ask a question but thank you. Yeah.
Kubo Mačák
Thank you. Kuba Mačák, University of Exeter is my affiliation. Thank you for a great panel, to all of you. My question is about, you know, the perhaps remaining unsettled questions, because Marko, you convinced me that a lot of the law is settled. I am with you there, but there are also a lot of questions that I think the policy wisely says, you know, they’re unsettled, doesn’t, kind of, pitch a stake and say, you know, “This is our view on that.” But probably for a successful prosecution of cyber-enabled international crimes, the more substantive clarity we have, the better, and so, the way that the law evolves and is clarified in this area, to a large part, is through the publication of national positions by states. So, we monitor with the Cyber Law Toolkit, a number of them with the new Handbook on National Positions, and so…
Elizabeth Wilmshurst CMG KC
Ad – yes, sorry…
Kubo Mačák
And so…
Elizabeth Wilmshurst CMG KC
…advertisements, yes.
Kubo Mačák
Sorry for the advertisements, but it’s relevant to establish the premise of the question.
Marko Milanović
We forgive you.
Elizabeth Wilmshurst CMG KC
Kubo…
Kubo Mačák
My…
Elizabeth Wilmshurst CMG KC
Kubo, you’re forgiven, but…
Kubo Mačák
Yes.
Elizabeth Wilmshurst CMG KC
…what’s the question, sorry?
Kubo Mačák
So, the question is, we now only have two of these national positions that cover international criminal law, Austria and Belgium. Belgium is the newest one. So, the question is if my premise that we need more clarity is correct and if this is the vector of development of the law in this area, does the panel believe that there will be more expressions of views through these national positions on international criminal law? And is it something that you think is desirable, or should we start looking for other vectors of development, like through the new permanent Mechanism, the successor to the OEWG that Nema mentioned? You know, what are your thoughts on this? How can we get closer to substantive clarity? Thank you.
Elizabeth Wilmshurst CMG KC
Thank you very much. I think I’m going to go to you, Marko…
Marko Milanović
Well…
Elizabeth Wilmshurst CMG KC
…on all three of those.
Marko Milanović
On the first question, the complementarity, so I – you packed a lot into that question, and I mean, one issue is that – so, one question of law is whether, if a state prosecutes people under a crime that exists in its law, which does not necessarily correspond to crimes against statute – in the statute, does that satisfy the statute? You know, if you prosecute someone for murder and in the ICC, you could prosecute them for a war crime, is that good enough? I don’t want to get into that, right? So, the answer to that question is the same across the board. There is the jurisprudence of the Court that exists on this already. To extent there are some strange cyber offences in the – in domestic law, I mean, I very much doubt that the Office of the Prosecutor would interfere, unless there was an attempt to shield people from accountability, the unwilling component.
On the second question of why not prosecute companies? I cannot answer that question. I mean, all I can say is that you need the facts and the fact it – you think there are the facts might not necessarily mean those facts exist, especially when it comes to the intent of people. You need to have jurisdiction, you need to have all of those things combined, and the only thing I can really say is that in principle, as stated in the policy, the Office would prosecute corporate offenders.
Elizabeth Wilmshurst CMG KC
Corporate…
Marko Milanović
I…
Elizabeth Wilmshurst CMG KC
…offenders, not the corporates themselves…
Marko Milanović
Not the corporation…
Elizabeth Wilmshurst CMG KC
…of course.
Marko Milanović
…itself.
Elizabeth Wilmshurst CMG KC
Yeah.
Marko Milanović
The legal entity of the corporation is subject to domestic law, not to – and then to Kubo’s question, is it desirable to have? I think – so national policies will necessarily – oh, they will see this and then somebody in a Foreign Ministry will say, “Oh, why not we – well, maybe we can say a couple of paragraphs here and there.” The big clarification happens in some substantive areas, like IHL. That’s where, you know, you have the clarification, and ultimately, many of these issues have to be settled in Court. So, it is when we get the caselaw that you will have the really super-duper clarification.
Nemanja Malisevic
Can I…?
Marko Milanović
I think Harriet wants to…
Nemanja Malisevic
Oh.
Elizabeth Wilmshurst CMG KC
Thank you. Do you want to add anything, Harriet?
Harriet Moynihan
Could I just add something on the national positions? Because I think there’s a – they are desirable from a legal standpoint, even though it’s unclear exactly what their legal status is. But they could be argued to be opinion and like the views of states or, like…
Nemanja Malisevic
Yeah.
Harriet Moynihan
…what the law is. But even if that is unclear, then I think there’s a real value in, sort of, the upskilling process that happens when a state puts together a national position, because Legal Advisors in government are having to devote resources to really think these things through because they’re having to, you know, put their views on record.
I think about – when you mentioned about other ways in which these could be discussed, like the UN Global Mechanism, which starts substantive work in July, it’s a – quite a sensitive subject, international criminal law, so I’m not sure that would be top of my list for them to be discussing it. But I think there’s a lot of scope for it to be discussed in Track 1.5 and Track II fora, and in fact, I think there’s really, kind of, good synergies, as I’ve said, with cybercrime. So, things like Europol’s Octopus Conference, we’ve been talking about it at CyCon, I think it’s very important that this is surface so that we can see how applicable this law is to real-world examples, especially in the Russia-Ukraine context right now.
Elizabeth Wilmshurst CMG KC
Thank you. Nino.
Nemanja Malisevic
And just as a quick follow up, also, to what you, Kubo, had said and then, also, following up on your comment, and everybody who knows me knew that I was not going to be quiet. On the – oh, on the Open-Ended Working Group that just concluded and then now looking at the Global Mechanism that is going to continue and with an – with a modalities session now in March and then, the substantive session in July. Again, hearing your caveats, I’m not disagreeing with them, but in some form or other, if these topics could still be addressed and looked at, I think that would be important to push for. Largely because again, I think when it comes to the international law provisions and the last – it – in the last Open-Ended Working Group, real – they really weren’t all that great.
I very much agree with Kubo, you have an article there where you concluded that it’s – it was a ‘missed opportunity’. I agree that it was a missed opportunity. So, I think anything that we can collectively try and get countries to revisit this and talk about it in some form of constructive manner, I think that would be helpful.
Harriet Moynihan
Yeah.
Elizabeth Wilmshurst CMG KC
Thank you. There’s some questions over this side.
Emily Taylor
Hi, Emily Taylor, I’m an Associate Fellow at Chatham House and also a founder of the Global Signal Exchange. So, we’re working in the cybercrime – the regular cybercrime space, if you like, and I was really interested in the panel’s remarks and particularly yours, Harriet, about, sort of, learning from each other in that. And one of the things that we’ve really experienced is that even the huge members that we have, such as Microsoft and other Big Tech, there’s still huge siloing in what they know, and so ways of joining up those siloes, even in the private sector, can really be effective in disrupting, as well as, you know, getting it – evidence.
But, you know, Harriet, you talked about cross-border dataflows, how difficult that’s been. That’s something we’ve talked about a lot. My question to the panel is, you know, what do you do about the countries that are never going to get – they’re never going to be part of the Budapest Convention, they’re never going to get an adequacy decision? And how – and yet, they are really important as part of the dataflows in prosecuting crime. How do you include them in an international context? I mean, I know imaginative application of the law is a bit like creative accounting, not everyone’s in favour of it, but I’m really, you know, intrigued by the way that the National Crime Agency here has been partnering with countries that are centres for cybercrime that may not ever, you know, be part of those conventions. So, that’s my…
Elizabeth Wilmshurst CMG KC
Thank you very much…
Emily Taylor
…question, thanks.
Elizabeth Wilmshurst CMG KC
…for that, and that goes very nicely with a question online, and it’s to you, really, Harriet, as was that one. “How do you see the prospects for building the kind of international co-operation we need in this area in a world of growing fragmentation, where cybercrime seems to be an increasingly important means of waging war? What are the politics around this?” Could you take…
Harriet Moynihan
Hmmm.
Elizabeth Wilmshurst CMG KC
…those two?
Harriet Moynihan
Yes, thanks, Emily, and thanks to the question online. I mean, we heard the theme ‘partnership’ a lot tonight and I think it is the crux of these things, and I just would like to highlight a couple of areas where I think there’s some very positive developments which could hopefully, kind of, spur on more of the same.
I’m going to bring up cybercrime again, because I say there are these synergies. In the cybercrime context, we’re seeing this, sort of, multi-agency approach where we’ve got states, i – international government organisations like Europol and Interpol, tech companies, all working together to try and address major issues like ransomware. And the, kind of, well-rehearsed example that I trot out often on this is Operation Cronos, which actually led to the takedown of the LockBit infrastructure, LockBit being the biggest ransomware actor, who was doing massive damage around the world. And that wasn’t just a, sort of, operational measure which took down the infrastructure.
It also led to arrests and the imposition of sanctions on the individuals concerned. So, you’ve got multiple actors working together and you’ve got multiple strands of levers being pulled, as well. Operation Endgame was against botnets and again, we saw arrests all around the world. And I think that, sort of, force in numbers, Emily, gives the, sort of – those ones that are holding back, a, sort of, a feeling that they would be prepared to be part of it because they’ve got less to lose. If you’re acting individually, then you could fear, for example, political retribution from those powerful states that are often harbouring cybercriminals. But if you’re acting together, then, you’re, kind of – you’ve got the force in numbers.
I also wanted to highlight structured partnerships, because ad hoc partnership is fine, but sometimes there isn’t enough confidence on the part of, for example, tech companies to be part of that. So, CISA in the US has set up this, for some time now, Joint Cyber Defense Collaborative with lots of tech companies, who again, because they’re working together, probably feel like they can join it, as opposed to being singled out. And the EU’s ENISA has also got similar partnerships. Europol recently entered into a partnership with Microsoft, and that’s so valuable because then you’ve got this, sort of, sharing of threat intelligence.
So, I think one thing we should, sort of, commend the ICC for is that it – over the last few years, it’s really strengthened its partnerships by entering into agreements with Europol, Eurojust and Interpol, bearing in mind that these massive organisations have huge databases and very valuable evidence. So, I think that is the way forward.
Elizabeth Wilmshurst CMG KC
Thank you. Yes, let’s have some questions here.
Nicholas Tsagourias
Well, thanks very much for the presentation. Sorry, Nicholas Tsagourias, University of Sheffield. Now, given the difficulties in collecting, analysing, attributing, verifying evidence, do you – cyber evidence, do you think that will pose any challenges to the criminal law standard of beyond reasonable doubt, or perhaps have a different standard? So, it’s either to Harriet or Marko.
Elizabeth Wilmshurst CMG KC
Thank you.
Nicholas Tsagourias
Thank you.
Elizabeth Wilmshurst CMG KC
And one in the front, here. Thank you.
Robert
Yeah, Robert, business owner. In the Second World War there was a very good chance of bringing people to justice that had committed crimes and they were served. That took decades. AI come along, quantum computing, encryption, everything you could possibly think of, multiple times, the complexity of all that, you’re probably currently prosecuting probably less than one ten thousandths of the cybercrime that actually takes place in the world. Aren’t people going to turn round and say all this cost to businesses, infrastructure, data storage, providing data, getting prosecuted ‘cause I held the wrong data and gave it to somebody else that I shouldn’t have given it to, and I’m getting prosecuted and not the person that actually did the crimes? Isn’t it going to come to the day when it drops to less than a million people getting prosecuted who are actually doing any crime? Is there any point?
Elizabeth Wilmshurst CMG KC
Thank you for that. Yes, and we’ve got one in the front, here. Sorry, almost in the front. Yes, thank you.
Mahnoor Omer
Hello, Mahnoor Omer. I’m a Lawyer with the Islamabad – Associated Islamabad Bar Council. And knowing with that, I, kind of, first picked up on the, what happens when ‘I lend you’ the ‘knife’? comment, and it made me a bit curious about how you do establish intent when prosecuting corporate offenders. It’s also okay if you can’t answer that, but I’m just curious as to what challenges come when these prosecutions are taking place against corporate offenders, and most importantly, what solutions could be used to overcome this? Thank you.
Elizabeth Wilmshurst CMG KC
Thank you very much. Right, “beyond reasonable doubt,” do we drop the standard? I know that the ICC doesn’t technically have that standard, but it’s more or less…
Marko Milanović
Well, it does for…
Elizabeth Wilmshurst CMG KC
It fits more…
Marko Milanović
…conviction, right?
Elizabeth Wilmshurst CMG KC
…or less, doesn’t it?
Marko Milanović
So – yeah, so, well, at the ICC you have three thresholds of evidence. There’s one threshold of evidence of arrest warrants, which is reasonable grounds to believe. Then you have another one which is for confirmation of charges, which is substantial grounds for belie – to believe, and then at conviction, it’s really beyond reasonable doubt. I mean, I don’t think – well, the short answer, Nick, to your question, is that you cannot simply, jurisprudentially, drop the standard for conviction without amending the statute, but that standard has always had some flex to it, yeah?
So, if you look at the actual convictions, you know, that have happened of high ranking people, think, for example – I mean, the best example I give is – I’d like to give in this type of question is the conviction of the President of the Bosnia Serbs, Radovan Karadžić, who was convicted of genocide in Srebrenica. So, you know, July 1995, 8,000 Bosnian Muslim men and boys are killed by Bosnian Serb military in a few days, yeah? Karadžić never went there, yeah? He was not commanding the armed forces, this Mladić guy did that. Karadžić was convicted and convicted beyond a reasonable doubt on the basis that he had genocidal intent, purely on the basis of inference. The inference was from the fact that one of his minions went there, that he came back and there was a phone call. That was it. Do you see what I mean?
So, Judges can be very flexible if they need to be…
Nemanja Malisevic
Hmmm.
Marko Milanović
…yeah, to convict someone beyond reasonable doubt. Then the question is, is it going to survive appeal? Oh, you know, how good of a Lawyer do you have? All of those things come into play. So, there is that, and so, the same answer, sort of, applies to inferring intent. For accomplices it’s in 90% of cases is going to be inference.
Nemanja Malisevic
Hmmm.
Marko Milanović
Remember though, you know, cybercriminals, super smart people, whatever, smart people do stupid things, too. Do you see what I mean? Most prosecutions that end well end because you have all kinds of evidence, including statements of the defendant, that if they were at all rational, they would never have said. Do you see what I mean?
Nemanja Malisevic
Hmmm hmm.
Marko Milanović
But they do, yeah, so, it can be done. And on your last question, I mean, I really don’t know how to answer it. Well, let me give you a domestic example. Less than 1% of rapists end up in prison, so are we going to give up? Do you see what I mean?
Robert
Well, people say that the justice system and the legal policing already have, don’t they?
Marko Milanović
Well, the question is what to do to improve it…
Harriet Moynihan
Hmmm hmm.
Marko Milanović
…yeah? And you can say in – you know, at some point, the legal system is so meaningless, so divorced from reality, that it does nothing, and that happens in some countries.
Nemanja Malisevic
Yeah.
Marko Milanović
But I don’t think we’re there yet.
Nemanja Malisevic
Absolutely, and I might – yes.
Marko Milanović
We could…
Nemanja Malisevic
Okay, and then you go first.
Elizabeth Wilmshurst CMG KC
Okay, good, Nino’s going to have a…
Nemanja Malisevic
Just on that last piece.
Elizabeth Wilmshurst CMG KC
Yeah, yeah.
Nemanja Malisevic
We can’t give up, like, I mean, straight up, we cannot on – not on this, not on regular cybercrime, either. So – and if – on the contrary, just because it gets worse, it means we need to do more.
Elizabeth Wilmshurst CMG KC
Hmmm. Harriet?
Harriet Moynihan
Yeah, and I think it’s interesting because in the US, there have been these prosecutions of cybercriminals or, sort of, act – cyber actors who are carrying out harmful cyber operations in Russia, in Iran and North Korea and China, for some years now. And most of the time, those criminals are still in those jurisdictions and they haven’t been extradited. So, there was, sort of, this question about well, what’s the point, then? But they were known as, kind of – they are known as speaking indictments, that they, sort of, show that the evidence is there. That evidence might be used in other ways, for example, sanctioning.
They, sort of, establish that there is a normative framework there, that there is, sort of – that justice can be done. It’s just a question of getting those people in. And I think that in some cases now we are starting to see extraditions, because there are things like the Counter Ransomware Initiative which has got many states involved.
Nemanja Malisevic
Hmmm.
Harriet Moynihan
And we’re starting to see some of these criminals being extradited to the US and actually standing trial there now. And I think what we’ve heard today is that states are unusually active on this. They’ve actually starting to make treaties about it. It’s quite unusual for states to, kind of, make treaties quite quickly. They’ve been training, they’ve been making their law up to date so that there is cybercrime on their books, and for states to move like that it’s because there is a real – a recognition of the problem of cybercrime and cyber-enabled international crimes.
And I think the final thing is that you could bother – you – why would you bother? Well, you could bother ‘cause you can disrupt what they’re doing, as well. So, we’ve heard about the LockBit thing actually being taken down, and we don’t necessarily feel that, but that was creating a lot of problems around the world, and even if you can’t get them to actually prosecute them, you can restrict their movement. Because you’ve got this network of allies who are all on – you know, okay, Interpol’s got a red notice out on this person. So, suddenly, those cybercriminals can’t leave Russia, or they can’t leave the country from which they’re operating, and it feels like small steps, but I think overall, there’s quite a positive direction and we’re seeing more prosecutions now.
Elizabeth Wilmshurst CMG KC
Thank you, and then that interesting question about, how do you establish intent of corporative officials? I suppose how do you establish intent of any person in any institution?
Marko Milanović
Yeah.
Elizabeth Wilmshurst CMG KC
Anything to add? No?
Harriet Moynihan
No.
Elizabeth Wilmshurst CMG KC
It’s difficult, but as – was it Lord Denning who said, “The state of a man’s mind is as much a question of fact as the state of his stomach?” And you might equally have…
Marko Milanović
Sounds like him.
Elizabeth Wilmshurst CMG KC
…yeah, difficulty in finding that. But I mean, of course, there would be problems, often, yeah. Good, we’ve got time for just one lot of other questions, and there’s one here and there’s also one right at the back. So, over there and here, thank you.
Robert Young
Thank you. I’m Rob Young from the Canadian Foreign Ministry, Global Affairs Canada. First of all, a word of thanks for the panellists and the panel for getting us all together, very worthwhile. I came from Ottawa and I’m glad I came.
Elizabeth Wilmshurst CMG KC
Oh, welcome.
Robert Young
Secondly, congratulations to the authors of the report. Very timely, very helpful, very comprehensive, will be very helpful and partly, I think, helpful to answer a little bit your somewhat rhetoric question, Elizabeth, about why the policy? I think the policy, first of all, is not only for the Court, but I think it’s for states and here I’m talking about the, you know, the acid test of the Rome Statute is complementarity and what states will do. So, I think beyond the answer, which is, I think, really good that Marko gave, the new policy will challenge us in capitals at state levels to do more with the Rome Statute, to use it in a vigorous and, sort of, creative way to address cyber-enabled international crimes. So, that’s very positive.
One of the things I like best about the report is the – is chapter four and the focus on practical implementation in those issues, to the very same point, which is that states need to be challenged and guided, and I think chapter four will be very useful for this. But there is a question that I have, and the question is – the question, which just…
Elizabeth Wilmshurst CMG KC
Good.
Robert Young
…occurred to me today is it’s clear that the private sector will have a very important role, and this is highlighted, Harriet has been speaking about it. I read that section a few times, but I may have missed it, have we considered a scenario where a private sector actor might be assisting with investigations but might also be, arguably, complicit, in other words, responsible, whether civilly, whether domestically, or possibly even a – for individual criminal responsibility, whether in a domestic court or at the ICC? Or is that next year’s panel? Thanks.
Elizabeth Wilmshurst CMG KC
Robert, thank you very much and thanks to Canada, who is one of the countries who helped to fund the project ending in the Chatham House report. There was a – someone who wanted the floor way back there.
Aisha Patel
Thank you. I’m Aisha. I’m a final year politics and international relations student at Queen Mary, and my question was about providers. So, obviously, co-operation is needed from them to support the prosecution of cybercrime, but some of them, like Apple, with the UK, for example, are claiming that it’s going to impede their duty of privacy to their users. So, how are they supposed to balance, you know, their duty of privacy to their users with, obviously, helping support the prosecution of crimes? Thank you.
Elizabeth Wilmshurst CMG KC
Thank you very much, and there’s one right up here. I’m – thank you very much to those with the microphones. You get a bit of extra exercise. Thank you.
Sarah Wahidi
Hello, I – my name is Sarah Wahidi. I’m from the University of Oxford. I wrote this down because I’m a technical person and I don’t want to embarrass myself. But if the prevailing view is that computer data is not an object under IHL, how does the ICC analyse cyber operations that delete, corrupt or encrypt civilian data with severe real-li – world effects, for example, hospital systems or civil registries, given that many Rome Statute war crimes provision hinge on objects and damage? Thank you.
Elizabeth Wilmshurst CMG KC
Thank you for that very good question. Right, oh dear, I have to look at you for the first one, again, Marko. Conflict of interest, if you use, if you co-operate with the private sector, what happens if they’re, themselves, complicit in the crime or other things? You did – we did consider this. You did consider it.
Marko Milanović
Yes, I really can’t answer the question.
Elizabeth Wilmshurst CMG KC
Oh, well, it’s dealt with in the Chatham House report at the end. We all say “Be very careful, oh, ICC, be…
Harriet Moynihan
Hmmm hmm.
Elizabeth Wilmshurst CMG KC
…very careful. Please co-operate with the private sector, but remember there is this problem.”
Robert Young
Right.
Elizabeth Wilmshurst CMG KC
So…
Robert Young
So, is the same true for national courts, then?
Elizabeth Wilmshurst CMG KC
Yeah, yeah, I…
Marko Milanović
I mean, it’s certainly…
Elizabeth Wilmshurst CMG KC
…would…
Marko Milanović
…possible in principle, what you’re saying.
Elizabeth Wilmshurst CMG KC
Yeah.
Robert Young
Say again.
Marko Milanović
The scenario you’re describing is certainly possible in principle.
Robert Young
Right, sure.
Elizabeth Wilmshurst CMG KC
And Nino, the…
Nemanja Malisevic
Hmmm hmm.
Elizabeth Wilmshurst CMG KC
…second one is for you, I think.
Nemanja Malisevic
Yeah.
Elizabeth Wilmshurst CMG KC
How do you resolve the privacy question?
Nemanja Malisevic
In that – finding that balance is a challenge that all providers need to find a way to deal with, but ultimately, you need to adhere to the laws of the countries that you’re operating in, and again, I think not just us, others also have mechanisms to co-operate with countries with – when they make these types of requests to us. And again, and there’s a whole – there’s mechanisms in place to deal with that, and I think by and large, we do have a good track record of dealing with these types of requests, as long as they are lawful and as long as they’re done in a way that we can then lawfully and narrowly disclose the type of information that is actually going to help in those particular cases.
Elizabeth Wilmshurst CMG KC
Thank you, and the third question on data. I think you said that the OTP paper leaves it open, and yeah?
Marko Milanović
Well-ish. So, on the exact example you gave, which is that there’s a data deletion operation which then causes death, we are clear that that would be treated as an attack on civilians, so – because there’s a direct causal connection, right? It’s the kind of a cyber operation where, for instance, you know, Ukrainian hackers delete the data in the Finance Ministry of Russia, yeah, so they disrupt tax collection. I mean, they’ve done stuff like this, yeah? So, that’s the type of scenario which does not directly cause death or anything like that, which has been most controversial from an IHL perspective. That’s the kind of thing we don’t take a position on. If it causes death or injury, whatever, we’re fine. I mean, we have what to – we know what to do.
Elizabeth Wilmshurst CMG KC
Good. Well, there are drinks upstairs.
Marko Milanović
Oh.
Elizabeth Wilmshurst CMG KC
So, unless anyone wants to keep us from drinks, and I see that is not the case, I’m going to thank our speakers very much and see you upstairs [applause].
