As defined in the Rome Statute, the crime of aggression means ‘the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.’
The statute then provides a list of ‘acts of aggression’. The list includes: invasion or attack by the armed forces of a state in the territory of another state; attack on their forces; any military occupation or annexation by the use of force; blockade of ports by the armed forces of another state; allowing one’s territory to be used by another state to commit an act of aggression against a third state; and the ‘sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein’.
While these categories were agreed without regard to the use of cyber operations, they should be interpreted as including the use of any means, including cyber ones. The example given in the box above of an attack on another state’s military aircraft and ships would come within the definition of an act of aggression.
But such an act would not amount to the crime of aggression under the Rome Statute unless it met the threshold of a ‘manifest violation’ of the UN charter by reason of its ‘character, gravity and scale’. The term ‘manifest violation’ is intended to exclude acts that are not clearly unlawful. The criteria of gravity and scale may be applied by reference to the campaign as a whole, and not simply to the cyber elements of it. The OTP paper says that ‘as a practical matter it presently may be more likely that cyber operations will be used by the aggressor state as part of a wider course of conduct, also including acts entailing physical or kinetic force.’
No prosecutions for aggression have yet been instituted by the ICC. Because of the particular characteristics of the crime – the responsibility of the state for a ‘manifest violation’ of the law on the use of force, committed by leaders – and stricter criteria for the ICC to take jurisdiction, future cases in the ICC will perhaps be infrequent. But aggression is criminalized in the legislation of some individual states, and it may also be prosecuted in ad hoc tribunals.
2.5 The mental element of international crimes
Most international crimes require that the relevant acts were committed intentionally. Under the Rome Statute, the default mental element is set at ‘intent and knowledge’. While domestic legal systems can establish mental elements lower than intent, the gravity of the label ‘international crime’ militates against lowering standards to liability without fault.
The use of ICTs can both assist the proof of intent and open the possibility for unintended harms. As an example of the first, the Stuxnet malware that caused damage to Iran’s nuclear programme was designed for impact on industrial control systems. It would therefore be difficult to argue that its impact was unintended. As an example of the second, it is possible for cyber operations to affect networks in ways not desired or foreseen by their deployers. For example, the NotPetya wiper cyberattack, which was seemingly meant to target Ukrainian banks, airports and energy companies, instead spread globally and affected over 2,300 organizations in over 100 countries.
When ICTs are coupled with the use of AI, the risk of unintended harms becomes even greater. Whether AI is integrated into autonomous weapons systems (i.e. systems selecting and engaging targets without human intervention) or decision-support systems (i.e. those used to support human decision-making), the operation of the system may be relatively unexplainable, unpredictable and untraceable to its deployers. In practice, this means that individuals operating AI systems may not fully foresee the processes or consequences of the tools they use. For instance, an operator using an AI-powered programme for the identification of military networks may have limited time to act between receiving a list of identified networks and approval for engagement, and may be unable to verify how the AI system reached its conclusions. If the system then engages a civilian network, it is unlikely that the operator would be liable for the international crime of directing attacks against civilian objects, as they neither intended that outcome nor foresaw it. Further, it is also conceivable that an AI system could self-initiate and cause harm without any intent on behalf of its human operators to engage in an act of violence. This, in turn, raises the question whether such self-initiation can constitute an ‘attack’ under the war crimes regime, given that it was not performed deliberately.
While AI systems can be used as a tool to commit international crimes in much the same way as any other, difficult questions arise when the operation of the AI system is unforeseeable or unexplainable to its human operators and supervisors. Unless those individuals are aware that their weapon mischaracterizes civilians and civilian objects as lawful military objectives, there may be limited scope for individual responsibility under international criminal law.
2.6 Offences against the administration of justice
Just as states include in their national law offences to preserve their justice systems from obstruction and interference, so the Rome Statute includes ‘offences against the administration of justice’. These offences include conduct such as giving false evidence, tampering with witnesses or evidence, and hampering the administration of justice in other ways. It is easy to envisage these offences being committed by cyber means – including tampering with evidence and witness interference by the use of digital deepfakes, for example.
2.7 Participation in the commission of international crimes
Under the Rome Statute, as well as in domestic legal systems, individuals can be held criminally responsible not only when they physically pull the trigger or press the computer key, but also when their conduct constitutes another form of participation in a crime. This could be ordering, inducing, attempting, facilitating or – under some circumstances – failing to prevent a crime or punish its perpetrators. How the boundaries of these forms of participation are drawn depends on the relevant legal framework.
This section provides an overview of the main forms of criminal participation in international criminal law, with specific reference to the use of ICTs. It focuses on the prosecution of cyber-enabled international crimes by the ICC, drawing on existing caselaw from the ICC and previous international criminal tribunals, such as the ICTR and the International Criminal Tribunal for Yugoslavia (ICTY). It also addresses the ways various states incorporate and implement international criminal law through their own domestic law. Each domestic legal system contains its own regulation of forms of participation in criminal conduct, and these sometimes differ from those in international law.
The use of ICTs can, on the one hand, further obscure the link between individual contribution and harm by stretching chains of causation between individual conduct and a harmful outcome. But, on the other, it can clarify the roles that individuals play by providing a retrievable digital footprint of their conduct.
International criminal law is geared towards the regulation of collective criminality and large-scale harms, where the causal relationship between individual conduct and a particular harmful outcome is not always easy to discern. The use of ICTs can, on the one hand, further obscure the link between individual contribution and harm by stretching chains of causation between individual conduct and the manifestation of a harmful outcome. But, on the other hand, ICT use can clarify the roles individuals play by providing a retrievable digital footprint of their conduct.
In practice, the relationship between cyber and physical conduct in the commission of international crimes can take various forms. There can be physical and cyber forms of participation in the commission of cyber-enabled crimes. Crimes which are committed by physical means can be ordered, induced or facilitated through cyber means. And conduct committed on or via ICTs could provide useful evidence to prove elements relevant for particular forms of participation, such as knowledge of circumstances or consequences.
The main forms of criminal participation are:
Perpetration
An individual can commit a crime on their own, jointly with, or through, another person. For instance, an individual who, in the context of an armed conflict, intentionally deploys ransomware to lock hospital staff out of their systems and prevent the delivery of emergency care could be responsible as a direct perpetrator for the crime of intentionally directing attacks against civilians or civilian objects. Where there is more than one perpetrator, each co-perpetrator’s contribution must be essential for the crime to have been committed in the way that it was. The co-perpetrators must also share a common criminal plan. Within such a framework of shared intent, in the context of ICTs, the tasks of development and deployment of malware could be spread among multiple individuals – one actor could be scanning for vulnerabilities in target systems, another coding the malware and a third deciding on the timing of its employment.
Commission ‘through another person’ establishes a form of responsibility in cases where an indirect perpetrator commits the crime by controlling the will and acts of another (or others), irrespective of whether that latter person (or persons) is responsible (a ‘perpetrator behind the perpetrator’) or not (an ‘innocent agent’). Indirect perpetration can be of particular relevance in the context of ICTs. Criminals using ICTs often exploit unknowing persons through forms of social engineering, such that these unknowing persons themselves trigger the causal chain of harm.
The caselaw of the ICC has affirmed that indirect perpetrators can commit crimes by exercising control over an organization, evidenced by the establishment of a system of automatic compliance (through strict training, payment and punishment mechanisms, among others) and relative interchangeability of the ‘instruments’ of the indirect perpetrator.
Although many hacker collectives are loosely organized and coordinated, certain cybercriminal groups may bear the hallmark of organizations with strict compliance systems and interchangeability of affiliates. Little is known of the precise parameters within which cybercriminal groups operate. However, for example, it has been revealed that dark0de – a black-market website for cybercrime – operated on an invite-only basis, with members being subject to rigorous vetting and a system of promotions once admitted.
One challenge in applying doctrines of perpetration to the ICT context relates to the use of AI tools. Humans may have limited foresight of or control over the functioning of an AI model, or they may be part of a system of human–machine interaction in which their meaningful supervision is eroded due to time pressures or cognitive biases such as automation bias (i.e. when humans ‘over-trust’ the outcome of a machine process). As explained in section 2.5, if the harmful outcome of the AI application was unintended, this may mean that no international crime was committed. Of course, if humans intentionally use AI to torture, persecute, target civilians and civilian objects, criminal responsibility is clear.
Ordering
When an individual orders the commission of a crime, they are using their position of authority to convince or coerce another to commit that crime. What is implied in this form of participation, therefore, is a form of superior–subordinate relationship. Orders can be transmitted through both physical and digital means. Thus, an order can be made via ICTs – for example, by a text message.
Soliciting and inducing
Soliciting and inducing cover similar conduct characterized by the urging or otherwise inciting of another person to commit a crime, but without a relationship of authority. According to ICC caselaw, inducement is a stronger form of instigation compared to solicitation. While solicitation is, at base, about asking or urging the physical perpetrator to commit the criminal act, inducement requires exertion of influence over the physical perpetrator, ‘either by strong reasoning, persuasion or conduct implying the prompting of the commission of the offence’. The acts of inducement and solicitation must have had a direct effect on the commission or attempted commission of the crime.
Inducement and solicitation can occur through psychological pressure or manipulation, among other methods, and can find wide application to the harmful information operations proliferating on social media. For example, the Independent International Fact-finding Mission on Myanmar found in 2018 that Facebook had been ‘a useful instrument for those seeking to spread hate’ against the Rohingya, including Myanmar’s authorities. While online incitement by the Myanmar authorities could also plausibly be characterized as direct and public incitement to genocide, the forms of participation of inducement and solicitation are broader, as they can relate to any international crime. For example, they could cover orchestrated social media campaigns that incite their audiences to commit the crimes against humanity of rape and torture, or the war crimes of destruction and appropriation of property.
Assistance
There is criminal responsibility in cases where individuals assist the commission of an international crime. This complicity rule has a wide scope, covering any act that contributes to the commission or attempted commission of a crime – be it a physical or psychological type of support, in the form of an action or omission. Moral support and encouragement – including, in certain circumstances, mere presence at the scene of the crime – can constitute acts of assistance under this mode of liability. Such assistance can occur before, during or after the commission of the principal crime. The assisting party need not know all the details of the crime in which they assist, or, in certain domestic systems, even the precise crime.
Given the virtually unlimited range of acts captured by ‘assistance’, the courts have developed limiting factors. First, the act of assistance must have an effect on the commission of the offence – whether that effect has to represent a ‘substantial’ contribution to the crime, or create or increase the risk that the crime will be committed, or otherwise facilitate or further the commission of the crime. Another limiting factor is that the contribution of the accomplice must be made ‘for the purpose of facilitating’ the commission of a crime. This rather high requirement is not always to be found in domestic systems. In the UK, for example, it is sufficient for the assisting party to intend to assist the commission of the crime. It is not necessary to prove that the accomplice wanted the crime to be committed – indeed, they can be indifferent to its commission.
The complicity rule has a wide scope, covering any act that contributes to the commission or attempted commission of a crime – be it a physical or psychological type of support, in the form of an action or omission.
In the context of ICTs, it has been argued that information operations disseminated online and aimed at the concealment of the truth about international crimes and/or obstruction of accountability can, subject to satisfying the relevant subjective and objective elements, qualify as criminal acts of assistance under the Rome Statute. The ICC has accepted that ex post facto assistance can trigger assistance liability in circumstances where, following an offer of assistance or agreement with the accomplice, the principal perpetrator committed the crime knowing they would receive assistance in the aftermath.
Another question of great practical significance is whether the CEOs of digital service providers – and, in particular, social media platforms – can be criminally responsible for assisting the commission of international cyber-enabled crimes. The provision of a ‘space’ in which hateful rhetoric can spread and subsequently manifest in the physical world through violent action, together with the use of algorithms that prioritize and amplify such speech, could potentially be regarded as an act of assistance. Depending on the circumstances, it may produce the relevant effect on the commission of crimes. In many cases, however, this assistance will not be provided with the necessary intent, especially for the ‘purpose of facilitating’ test under the Rome Statute. There will therefore be no criminal responsibility.
It is not difficult nevertheless to imagine circumstances in which digital service providers may be deemed as acting with the necessary intent. For example, if an authoritarian leader pursues the development of ‘home-grown’ providers to facilitate the criminal policies of their regime, the CEOs of such providers may indeed be responsible for criminal assistance.
Contribution to criminality of a group of persons acting with a common purpose
This form of participation in criminal conduct targets contributions to collective attempts at criminality, where the collective – the group – acts with a common purpose. According to ICC caselaw, the contribution must meet a test of significance – ‘it cannot be just any contribution’. But, at the same time, there is ‘no additional requirement for a certain level of contribution or threshold to be attained’. The individual making the contribution need not be part of the group: they can be external to its organization. In terms of subjective elements, on one level, the participant must make an intentional contribution, and, on another, they must either contribute ‘with the aim of furthering the criminal activity or criminal purpose of the group’, or do so ‘in the knowledge of the intention of the group’.
This form of accessorial liability can be of particular relevance to cyber contributions – including geographically and causally distant ones – that are meant to or known to advance the group’s criminal activity. For instance, imagine an individual who is aware of a group’s intent to target the water filtration facilities of a state with malware, gain access to their networks and increase the levels of dangerous chemicals in drinking water. That individual aims to further the criminal activity of the group, and, in the days prior to the targeting of the water filtration facilities, overwhelms their networks with a distributed denial of service (DDoS) attack, making them unavailable to the facilities’ employees.
This kind of ‘common purpose’ participation in a crime is dealt with in various ways in national systems. In South Africa, common purpose liability exists in the form of both prior express or implied agreement between parties to commit an offence or of active association with the commission of an offence. Under active association, it is sufficient to prove that the individual foresaw the possibility that others may commit a crime to further the group’s purpose, and reconciled themselves with that eventuality. In the UK, individuals can be held liable for conspiracy when two or more persons agree to commit a crime, regardless of whether the crime is actually committed.
Common purpose liability, though apt to cover conduct assisting ICT-enabled crimes, can also become unbounded, if not constrained with appropriate standards for a guilty mind. In the UK, for example, after some caselaw suggesting that criminal responsibility for joint criminal enterprise can be established on the basis of foresight of the possible commission of an offence, the law was changed to cover only intentional support by words and deeds to the commission of the crime. Both the ICC and national courts should be wary of expansive common purpose liability doctrines that come in tension with individual culpability.
Superior responsibility
The Rome Statute incorporates the doctrine of superior responsibility, which criminalizes certain omissions of ‘superiors’ with respect to criminal acts or omissions of their subordinates. Superiors are not only individuals in the military chain of command, but also civilian superiors exercising effective control. For example, in the ICTR case regarding RTLM, Nahimana was found guilty of direct and public incitement to commit genocide by virtue of his position as a ‘superior’ at the radio station. He was actively engaged in the management of the organization and failed to take necessary and reasonable measures to prevent the killing of Tutsi civilians instigated by the radio station’s personnel.
Heads of social media companies and other digital service providers could similarly be held responsible as civilian superiors for wrongful omissions in relation to the criminal conduct of their subordinates.
Superior responsibility is contingent on the presence of four elements:
- Existence of a subordinate crime. If there is no crime by a subordinate, there is no superior responsibility. So, for example, if subordinates are unable to anticipate the effects of the ICT tools they deploy, they will not have the necessary intent to commit a crime: the subordinates will not have committed a crime, and neither will their superiors have criminal responsibility.
- Superior–subordinate relationship. A superior–subordinate relationship exists when a superior exercises effective control over their subordinates, with the ability to prevent and punish subordinate acts. Establishing such control may be more difficult with respect to individuals without formal ties to the commander or superior, such as members of loosely organized hacker collectives or cyber volunteers. Furthermore, under the Rome Statute, where the superior–subordinate relationship is not of a military or paramilitary nature, the subordinate’s crimes must have ‘concerned activities that were within the effective responsibility and control of the superior’. In other words, the subordinate’s crimes must have occurred in the context of their relationship with the superior, rather than being a private matter of their own.
- Fault. For military commanders, the crime is committed if the superior ‘knew or, owing to the circumstances at the time, should have known’, and for civilian superiors, if they ‘knew, or consciously disregarded information’. In complex organizational systems, such as the malware-as-a-service criminal ecosystem, persons formally or factually controlling and overseeing the process might have a fragmented understanding and knowledge of the conduct of all relevant actors, which could include ‘malware developers and operators, affiliates, analysts, botmasters, initial access merchants, money processing and laundering specialists, escrow services, forum and illicit marketplace administrators, infrastructure administrators, [and] even negotiation and customer support personnel’. In such structures, even the constructive knowledge standard of ‘should have known’ could be difficult to meet.
- Failure to take measures to prevent or punish the perpetrators of the principal crime. This requires the adoption of necessary and reasonable measures: the superior is not asked to perform the impossible. What is ‘necessary’ and ‘reasonable’ is fact dependent. It depends, among others, on the extent of the superior’s actual and proven material ability to act to prevent or punish those crimes.
Many domestic systems – including those of Bosnia and Herzegovina, Chile, the Democratic Republic of the Congo and France – incorporate variants of superior responsibility. However, not all states (fully) incorporate superior responsibility for international crimes in their national law.
Attempt
Attempt is the taking of action that ‘commences [a crime’s] execution by means of a substantial step’, to use the wording of the Rome Statute. For attempted crimes in, or otherwise involving, cyberspace, it may be unclear when execution commences and what constitutes ‘a substantial step’. For example, would the writing of a certain piece of code be sufficient, or would the code need to be tested or verified, triggered or even directed at a target? Given advances in cybersecurity and cyber defence, many potentially harmful cyber operations will be averted. The offence of attempt can therefore gain a particular significance. This, in turn, highlights the need for its further clarification.
States play a crucial role in the implementation of international criminal law and sometimes regulate forms of criminal participation in ways that differ from the Rome Statute.
The typical suspect before the ICC is likely to be the person who orders, plans or otherwise takes part in criminality at a mid- or high level – not the low-level hacker physically pressing a key. Domestic systems do not face such constraints. States play a crucial role in the implementation of international criminal law and sometimes regulate forms of criminal participation in ways that differ from the Rome Statute. As explained above, the forms of criminality established at the domestic level can track the Rome Statute formulations or be broader or narrower. An example of a mode of participation that goes beyond what is established in the Rome Statute is the Bulgarian Criminal Code’s crime of justification, denial or underestimation of an international crime: ‘whoever, in whatever manner, justifies, denies or seriously underestimates a crime against peace and humanity and by doing so creates a risk of expression of violence or hatred […] shall be punishable by imprisonment from one to five years.’ While this provision can be interpreted as a self-standing offence, it can also be conceptualized as a form of assistance in international criminality.
As discussed in Chapter 3, how states incorporate international law domestically, and the standards for substantive crimes and forms of participation they establish in their domestic law, are critical to the way in which accountability for international crimes can be implemented.
2.8 Avoidance of criminality
One does not simply stumble into international criminality. At the same time, the variety of modes of participation in international crimes under both the Rome Statute and domestic law places certain individuals within organizational structures at particular risk of criminal involvement. This is particularly true for military superiors and the leadership of large corporations, including ICT companies.
To avoid criminal complicity in the wrongs of others, and to prevent wrongs whose commission could have been avoided, specific measures need to be taken and protocols put in place. Irrespective of whether crimes are committed by cyber or other means, well-regulated militaries will already have in place measures both to avoid the commission of war crimes by their personnel and to ensure that those in charge do not facilitate criminality, or fail to prevent or repress it. The legal training of forces and establishment of a robust reporting and oversight system are of utmost importance.
In relation to ICT companies and other corporations, equally robust measures of governance and due diligence will need to be put in place. When the customer is in a conflict-affected area, the matter is of obvious importance. The choice of customers is hugely relevant. Measures such as escalation triggers and mechanisms for review and internal inquiry may need to be adopted. The OTP paper confirms that the office ‘will investigate alleged crimes within the jurisdiction of the Court equally, irrespective whether they are committed within the context of commercial activity.’
