Domestic and international accountability bodies form part of an ecosystem aimed at fighting impunity for international crimes.
Imagine that a military commander in state A uses a computer network in state B to launch ransomware against the healthcare system of state C, leading to a stalling in the provision of health services and the death of hundreds of civilians in need of emergency care. In which state may the commander be prosecuted for war crimes or crimes against humanity? Which states would have to be parties to the Rome Statute before the ICC could prosecute? This chapter discusses the aspects of jurisdiction that answer those questions.
It is worth emphasizing that little here is particular to cyber-enabled international crimes. States are apparently not adopting or developing cyber-specific rules and standards in the area of international criminal law, but are instead applying existing ones to the use of ICTs. This general discussion is nevertheless necessary before considering the practical aspects of investigation and prosecution in Chapter 4.
3.1 Investigation and prosecution by states
In the first instance, it is for states to investigate and prosecute international crimes. To be able to do so, states need to have their own domestic law in place that criminalizes the conduct concerned and gives them jurisdiction over the crimes.
National legislation
Some international treaties require states to incorporate relevant international crimes into their domestic law. This is the case for the crime of genocide and certain war crimes. Most recently, the Ljubljana–The Hague Convention (adopted in 2023, but not yet in force) places an obligation on states parties to incorporate genocide, crimes against humanity, war crimes and, if notified, the crime of aggression, into their national legal systems. Further, if states parties to the Rome Statute wish to retain the ability to prosecute their own nationals, rather than leaving prosecution to the ICC, they must ensure that their own law includes all Rome Statute crimes in some form or another.
Jurisdiction
First and foremost, states can legislate for conduct committed in their territory and prosecute crimes committed within their borders, regardless of the nationality of the perpetrator or victim. This ‘territorial’ jurisdiction may extend to crimes that are initiated abroad but are completed in that state’s territory.
But in the case of cyber-enabled international crimes, there may often be a question of where the unlawful conduct has been carried out. The concept of territory finds itself increasingly challenged by ICTs. There are technical difficulties associated with tracing where the conduct took place: hackers use a variety of tools to conceal their IP addresses, and thereby obscure the footprint of their actual location. And if jurisdiction is taken on the basis of completion of the crime in a state’s territory, cyber operations are likely to result in a wide range of cyber – and physical – effects, creating a multiplicity of states with territorial jurisdiction.
As is well established in law, in some instances and for some crimes, states also assert ‘nationality’ jurisdiction, allowing their authorities to prosecute the state’s citizens for crimes committed abroad. Beyond the nationality of the perpetrator, the nationality of the victim can also be a ground for the exercise of jurisdiction – thus, under the ‘passive personality’ principle, the state of a victim’s nationality can exercise jurisdiction. And, under the ‘protective principle’, some states exercise jurisdiction over the conduct of persons abroad which constitutes a threat to their vital interests, such as in cases of foreign threats to their national security. Because of the inter-connected nature of ICT infrastructure and the impact of vulnerabilities in digital systems of one state for the security of others, the category of ‘vital interest’ of the state could potentially be extended to cover certain forms of interference or threats of harm caused by cyber-enabled international crimes.
‘Universal’ jurisdiction allows the prosecution of crimes regardless of where they were committed and regardless of the nationality of the perpetrator or the victim. It is generally regarded as compatible with international law for states to assert universal jurisdiction over international crimes. While some states allow for universal jurisdiction even where the criminal conduct, its perpetrators and victims have no connection to that state whatsoever, others take a narrower approach, allowing prosecution only where there is some connection – for example, when the perpetrator is found in their territory. At the time of writing, some 106 states worldwide provided for a form of universal jurisdiction over at least one international crime.
There are many practical challenges associated with the exercise of universal jurisdiction. It requires the allocation of resources for crimes with little or no connection to the investigating or prosecuting state, it can be far removed from the witnesses and evidence, and it is prone to political backlash. Given these challenges, some states are seeking to establish meaningful parameters to their national regulation of the principle. For instance, Argentina, whose constitution and jurisprudence allow for ‘pure’ universal jurisdiction without any connection to the state, has recently issued guidelines to prosecutors for universal jurisdiction investigations that do require a link to the state, such as residency of the victim or perpetrator. In Sweden, meanwhile, prosecutors need governmental approval before filing an indictment concerning international crimes committed in another state.
As regards the most serious violations (‘grave breaches’), the four Geneva Conventions of 1949 require states to prosecute perpetrators, wherever they are to be found and wherever the crime was committed, with extradition being an available option. This requires all states to take universal jurisdiction over those crimes.
Relying on universal jurisdiction, victim groups and the organizations representing them have lodged criminal complaints in various European states – predominantly Belgium, France, Germany, the Netherlands and Sweden – for allegations of international criminality in the contexts of Gaza, Rwanda and Syria, among others. Argentina has become a particularly sought-after forum for universal jurisdiction complaints, ranging from allegations of crimes against humanity committed during Gen. Francisco Franco’s regime in Spain (1939–75), genocide by the Myanmar leadership in relation to the Rohingya, and torture through electrocution by Russian-affiliated individuals in Ukrainian territories occupied by Russia.
Finally, some states have sought to assert wider – and more controversial – grounds for jurisdiction, going beyond the universally accepted grounds described above. For instance, states have sought to assert jurisdiction over certain crimes relying on the ‘effects’ doctrine, on the basis that conduct outside a state’s territory has a substantial effect within that state’s borders. For example, without clearly specifying the jurisdictional ground for doing so, the US has brought prosecutions against certain individuals suspected of committing malicious cyber operations, even in situations where the operations concerned did not take place in the US or involve a US citizen as either perpetrator or victim. In the case of US v Stigal and Others, the defendants were accused of hacking into ‘computers associated with the Ukrainian government and entities associated with the governments of countries that provided support to the Ukrainian government in resisting Russia’s invasion of Ukraine’. The indictment also notes that the conspiracy included the probing of websites hosted by computers and servers that were maintained by a US government agency in Maryland, so there is some connection to the US in this case. However, the jurisdictional basis is not explicitly stated or justified.
Even if a court has jurisdiction over a particular case, there may be procedural bars to the exercise of jurisdiction. For example, immunities can be a bar to the exercise of jurisdiction by national courts. Under international law, state officials are entitled to immunity from the jurisdiction of foreign states, including foreign courts, although the extent to which this is applicable in the prosecution of international crimes is not universally agreed. What this means is that persons launching operations using ICTs who are part of the formal apparatus of a state – such as personnel of Russia’s Main Intelligence Directorate (GRU) – may seek to claim immunity because of their official functions. However, members of hacker groups and isolated individuals who are not formally organs of a state (even if acting in line with that state’s interests) will not have a claim to immunity from the jurisdiction of other states.
3.2 Investigation and prosecution by the ICC
Beyond the domestic courts of states lies the possibility of prosecution by the ICC. Under the Rome Statute, the ICC’s jurisdiction is ‘complementary’ to national criminal jurisdictions. States exercising jurisdiction have primacy over any corresponding ICC proceedings, provided they are genuinely able and willing to investigate and prosecute.
The ICC has jurisdiction over the crimes in the Rome Statute when the relevant conduct takes place on the territory (or ships or aircraft) of a state which is a party to the Rome Statute or which has otherwise accepted the ICC’s jurisdiction (an accepting state), or when the crime is committed by a national of a state party or accepting state. The ICC does not have universal jurisdiction. Its bases of jurisdiction – territoriality and nationality – mirror those commonly taken by states for ordinary crimes. In addition, the ICC may also exercise jurisdiction if the UN Security Council refers a situation to the court by means of a resolution under Chapter VII of the UN Charter – regardless of whether any relevant state has accepted the court’s jurisdiction or not.
In assessing whether the relevant conduct takes place on the territory of a state party for the purpose of invoking article 12(2)(a) of the Rome Statute, the ICC has accepted that the consequences of conduct can also bring a case under its jurisdiction, if those consequences form part of the crime itself. In its decision authorizing an investigation into potential crimes committed against Rohingya Muslims in Bangladesh and Myanmar, the ICC explained, ‘the consequence of an act of killing is that the victim dies. Both facts concerning the act and the consequence (i.e. the killing and the death)’ are part of the crime. In other words, in a case where the death occurred in a state party but the act of killing did not, the ICC would have jurisdiction.
Applied to the context of cyber-enabled crimes, this approach could easily become expansive. Technology knows few borders: it is spread around the world through computers, cables, satellites and other devices. Are all of the states through which a cyber operation is routed to be considered ‘territorial states’ for the purpose of ICC jurisdiction?
Given this ‘many jurisdictions’ problem in the use of ICTs, multiple states could potentially be considered as territories ‘on’ which an element of conduct, or the consequences of the conduct where that is a necessary part of the crime, can be said to take place – even for one, isolated cyber operation. An indication of how the ICC might approach such issues can be found in prior caselaw. In one case not directly concerning cyber-enabled crimes, the court held that ‘if at least one element of a crime … or part of such a crime’ is committed on the territory of a state party, that is enough.
While this approach would clearly cover instances where a cyber operation is launched from the territory of state A and causes death or destruction on the territory of state B, making both A and B states on whose territory the crime took place, it would not necessarily cover states hosting cables or servers through which data transits. This view is confirmed by the OTP policy paper: the office ‘would not regard the mere transit of data through a State Party’s territory as a sufficient basis to assert the Court’s territorial jurisdiction’.
The Rome Statute was a carefully negotiated compromise, and states parties are likely to be sensitive to what could be perceived as an overexpansive approach to jurisdiction on the part of the ICC. For this reason, the ICC would be prudent to take a conservative approach to jurisdiction in cases involving cyber operations.
In addition to questions of jurisdiction, issues of immunity also arise in the operation of the ICC. While immunities are not a bar to the ICC’s jurisdiction, states parties to the Rome Statute may still be bound to observe the immunities of wanted individuals. The Rome Statute contains a clause protecting states parties from court requests that would require them to act inconsistently with their international obligations. That said, ICC caselaw suggests that since immunities do not apply before the ICC itself, states parties can and must bring perpetrators to the ICC – even if the perpetrator is a sitting head of state. But this approach is not without controversy.
Finally, gravity is an issue not only for admissibility but also for case selection and prioritization. A case will only be heard by the ICC if it is admissible as being ‘of sufficient gravity to justify further action by the Court.’ The OTP may apply a stricter test for assessing gravity when it chooses or prioritizes cases than is legally required for the admissibility test. In this context, its ‘assessment of gravity includes both quantitative and qualitative considerations’. The factors that guide the OTP’s assessment include the scale, nature, manner of commission and impact of the crimes. A further factor in the current policy for selection of cases is that only ‘those most responsible’ for the crime will be prosecuted, although this ‘does not necessarily equate with de jure hierarchical status within a structure’.
Applying the gravity criterion outlined above to cyber-enabled international crimes, it is likely that cases selected by the OTP will be those involving significant harm – such as death, injury, destruction or disruption. At the same time, even cyber-enabled crimes with few direct victims may have a significant impact through increasing the vulnerabilities of other individuals and communities. Cyber operations against critical infrastructure are one such example, as they could affect the delivery of essential services. In the medium term at least, the OTP is most likely to investigate conduct in cyberspace only to the extent that it accompanies or facilitates crimes committed by physical means.