All parties must ensure that they understand the applicability of international law to cyber-enabled international crimes, and should take steps to strengthen accountability for those crimes.
Although the law could further be clarified, it is clear that existing international criminal law applies to cyber-enabled international crimes. The OTP’s policy paper will ensure that cyber-enabled international crimes are given due attention by the ICC. As this Chatham House paper has shown, states can also assert jurisdiction over these crimes.
Governments, prosecuting authorities, technology companies and civil society groups, among others, need to be fully aware of the ways in which the law applies to ICTs of all kinds. They also need to be aware of potential responsibility under international criminal law, including where the perpetrator is not the principal criminal but is assisting or facilitating in some way.
Cooperation between different entities (states, international organizations, private companies and civil society) will be crucial to the effective investigation and prosecution of cyber-enabled international crimes. Harmful cyber incidents have impacted all regions, causing disruption of essential services, economic loss and psychological trauma. This shared experience could provide the basis for a more global and proactive approach to bringing perpetrators to justice.
While recognizing the difficulties in investigating and prosecuting any cyber-enabled crime, the following section presents a series of recommendations to a range of stakeholders for strengthening accountability for cyber-enabled international crimes within both national and international law frameworks.
Recommendations
For states
States should use their best efforts to prevent the commission of cyber-enabled international crimes, including by non-state actors operating from their territory. As well as having binding obligations to do so in certain circumstances, the UN voluntary norms on responsible state behaviour in cyberspace – agreed by the UN GGE in 2015 and since affirmed by the UN OEWG and many international bodies – set out the expectation that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.
States should set out how they consider international criminal law applies in the cyber context by publishing or updating national position statements. If international criminal law is to constrain, deter and provide accountability for the gravest forms of cyber harm, there needs to be clarity on how the rules apply.
States should incorporate international crimes into their domestic law and provide appropriately wide jurisdictional grounds for prosecution, including when crimes are committed by cyber means. They should also ensure that their domestic law enables them to participate fully in the joint investigation of international crimes.
States should embed cyber expertise across national prosecution authorities. For example, they could appoint a cyber liaison expert, whose role would be to ensure lessons and expertise are shared between cybercrime and international crime teams; to explore avenues for informal information-sharing; and to promote effective liaison with international organizations on issues related to cyber-enabled international crimes.
State investigators and prosecutors should strengthen their informal networks with the cyberthreat intelligence community and CIRTs to increase their access to cyber intelligence. One way of strengthening such networks is through participation in reputable cyber networks and conferences such as Europol’s annual Cybercrime Conference or the Council of Europe’s ‘Octopus’ Conference on Cybercrime.
States should cooperate fully with the ICC and with intergovernmental organizations (such as Eurojust and Europol). As and when states amend their domestic law to implement new treaties relevant to the investigation and prosecution of cybercrime, such as the Second Additional Protocol to the Budapest Convention or the UN Convention against Cybercrime, they should include the ICC in their cooperation mechanisms – for example, as one of the parties able to participate in JITs, or able to request material from states and other actors.
Law enforcement officials can strengthen the prospect of successfully obtaining evidence from technology companies for the prosecution of cyber-enabled international crimes by taking into account international human rights law and potential conflicts of law when framing their requests for evidence, and ensuring they have rule-of-law safeguards in place for handling the evidence they receive.
States should put in place the necessary internal procedures and international arrangements to strengthen cooperation in the investigation and prosecution of both cybercrimes and cyber-enabled international crimes. To do so, they may wish to consider becoming parties to existing treaties, such as the Second Additional Protocol to the Budapest Convention and the UN Convention against Cybercrime, or to conclude new bilateral treaties with partner states.
In implementing their obligations under cybercrime treaties, states parties should ensure that they comply with their obligations under international human rights law, including procedural safeguards.
For the OTP
If budget permits, the OTP should reinforce its existing in-house cyber expertise, with the aim of deepening its technical knowledge of the threat and forensics landscape (including digital forensics, attribution, encryption and blockchain-tracing), as well as enhancing its knowledge of the legal and regulatory landscape, including the navigation of cross-border frameworks for data sharing. This would fit with the court’s proposed thematic approach to cyber issues and its acknowledgment that the pervasive nature of information technology means that, increasingly, many if not all criminal investigations will likely have a cyber component. In light of this approach, the recruitment of additional, dedicated staff should form the basis of a powerful funding request to states.
If funds are not available, a suggestion in the OTP’s policy paper of expanding secondments from outside the ICC is a good alternative. These should be long-term secondments of lawyers and/or other relevant experts, particularly those who understand the regulatory schemes around gathering digital evidence. In establishing such secondments, measures to avoid possible conflicts of interest should be put into place.
In its policy paper, the OTP anticipates outsourcing at least some of the forensic analysis necessary in complex cases, and commissioning specific advice from third party providers where appropriate. For the investigation of complex cyber operations, the OTP could commission reports from a cybersecurity provider in relation to actors of interest to the court – for example, those operating in an area already under investigation. This type of collaboration would provide a structured basis for cooperation with cybersecurity firms, which can offer capabilities that the OTP cannot sustain in-house (such as malware analysis, attribution and dark web monitoring) and give prosecutors valuable leads. In its dealings with these and other external actors, the OTP should be vigilant in upholding its independence at all times.
While the OTP already has cooperation arrangements in place with Eurojust and Europol, there is scope for enhanced cooperation between the OTP and the EU. A formalized agreement or liaison mechanism could help to strengthen further the OTP’s access to the EU’s technology expertise, evidence and networks. The OTP should also explore joining the EU’s SIRIUS network to facilitate access to cross-border electronic evidence, as well as knowledge-sharing and best practice.
The OTP should identify opportunities for outreach and cooperation on the prosecution of cyber-enabled international crimes beyond the EU. As well as helping to sensitize these regions to the OTP policy position, broader cooperation would minimize the risk of instrumentalization by any one regional group.
The OTP policy paper makes clear that the OTP will explore ways to enhance direct cooperation with all stakeholders, including private entities. This will include the creation of a standing mechanism to ensure that the OTP can benefit from dialogue with experts in this area, ‘including but not necessarily limited to civil society and industry experts’. As part of this mechanism, it would be valuable for the OTP to include specialists in digital forensics, digital infrastructure and cyberthreat intelligence, as well as representatives from Europol and Interpol.
The OTP should also explore the possibility of joining public–private partnerships already formed by certain states and regional organizations – for example, the partnerships forged by Europol, Interpol and ENISA with trusted technology and cybersecurity companies.
The OTP should consider establishing a forum for technology exchanges and capacity building as a platform for information exchange between the OTP and private actors. Such a forum could help to demystify the investigation and prosecution process, and build greater trust and understanding between the OTP and private actors. It would not only be useful for the major US technology companies, but also for smaller technology companies that are not as well-resourced or familiar with issues in this area, as they respond to requests for evidence.
For private companies
Companies should carry out human rights due diligence, the need for which is heightened when companies are operating in conflict-affected contexts. All companies – including social media platforms, cloud providers, satellite companies, providers of surveillance technology and cryptocurrency exchanges – should uphold the corporate responsibility to respect human rights, including by not causing or contributing to adverse impacts on any human rights through their activities.
Companies’ due diligence processes should include procedures to identify and mitigate the risks of participation in harmful cyber activity that violates international law, including international criminal law. ICT companies should have policies in place for staff to report concerns about potential complicity in international crimes. Training policies should include the circumstances in which company directors and other members of staff may be liable under international criminal law, in addition to domestic cybercrime law. Companies should also participate in external training provided by reputable bodies in this area (for example, the OTP or Eurojust).
Where there is a serious risk of international crimes being committed, technology companies should preserve any material taken down on their own initiative to ensure it is available for investigators at a future date. Technology companies have a responsibility to cooperate with investigators and prosecutors on the preservation and production of evidence relevant to cyber-enabled international crimes. But in certain circumstances, technology companies may decide to take down material in line with their own terms of service or in response to legal concerns. In such cases, retention should be the default.
Technology companies should ensure they have law enforcement portals in place to facilitate timely responses to requests for evidence of international crimes.
Companies should also work together to standardize the systems they use to process such requests to make those processes more efficient.
For civil society organizations
Civil society organizations, including NGOs, universities and think-tanks, should facilitate multi-stakeholder dialogue on the practical issues involved in preserving and sharing evidence of cyber-enabled international crimes. As the Chatham House roundtables found, this will not only help to build relationships between different stakeholders, but also to develop shared understandings of the constraints and possibilities in this area.
When collecting evidence relevant to the prosecution of international crimes, civil society organizations should aim to follow protocols designed by the ICC and others that provide standards on the collection and use of digital evidence in court, to increase the likelihood that such evidence is admissible in court.
Civil society organizations or academics should establish a database with details of all domestic or international investigations and prosecutions of cyber-enabled international crimes, both past and ongoing. Such a database would ensure that relevant information is easily available in one place, providing a repository of know-how for all relevant actors.
For all parties
States and civil society should support the OTP in its efforts to brief and train external partners in this area, including those in the private sector. As the OTP policy paper notes, there is a need for outreach by the OTP to familiarize all actors with cyber-enabled criminality under the Rome Statute and facilitate future cooperation.
States and the OTP should ensure that adequate training is available to investigators, prosecutors and judges in digital forensics, attribution, encryption, blockchain-tracing and deepfake detection, as well as legal and regulatory expertise in cross-border frameworks, data localization laws and admissibility standards for evidence. This would benefit the prosecution of all crimes with a digital element.
Training in the prosecution of cybercrime provided by organizations such as Eurojust, the Genocide Prosecution Network, the European Judicial Training Network and the Cybercrime Programme Office of the Council of Europe should be adapted to include the prosecution of cyber-enabled international crimes, and the OTP should be invited to take part. Table-top exercises that work through case studies are particularly valuable in relation to complex cyber cases.
States, international organizations and NGOs should work together to establish regional networks, along the lines of the recently established PacificJust, that can facilitate the operation of JITs in other parts of the world. To date, efforts to coordinate joint investigations into international crimes have been dominated by European institutions. To enable a wider range of states from different regions to participate in joint investigations, there will need to be investment in capacity and institutions beyond Europe.
States should invest in advanced eDiscovery systems (akin to those already in use by civil litigators) to enable their prosecuting authorities to properly store, authenticate and analyse digital evidence. Many national prosecution services currently lack the facilities necessary to handle significant amounts of digital data. Investment in such systems can be useful for the investigation of a range of other crimes, as well as for cyber-enabled international crimes. Meanwhile, the ICC and states that already have digital evidence management systems should keep those systems under review to ensure they remain resilient, robust and relevant.
