Blog, Humanitarian Law, International Criminal Law, Public International Law

Prosecuting Cyber Crimes as Crimes Against Humanity: Lessons from the Ukraine Conflict

Introduction 

In a recent article, Karim Khan, the lead prosecutor of the International Criminal Court affirmed his commitment towards investigating and prosecuting cybercrimes under the Rome Statute (“Statute“). The notion of prosecuting cybercrimes as violations under both international humanitarian law (“IHL“) and the Rome Statute has sparked considerable debate, with some scholars arguing for a new treaty to codify such offenses. However, the necessity for a new treaty to codify such offences seems redundant as it is evident that cyber warfare can already be prosecuted under the Rome Statute.

Russia’s campaign of cybercrimes against Ukraine has made it evident that modern conflicts transcend traditional modes of warfare. Given that the Prosecutor’s office is already conducting investigations pertaining to offences committed under its jurisdiction, it becomes essential to consider whether cybercrimes committed by Russia against Ukraine fall within the purview of the ICC’s jurisdiction. Through this blog, the author seeks to analyse the prospects for prosecuting cybercrimes as Crimes Against Humanity (“CAH“) under Article 7 of the Rome Statute. 

The Contextual Elements of CAH under the Rome Statute 

There exists conceptual uncertainty as to what crimes exactly amount to CAH. However, the chapeau under Article 7(1) of the Statute lays down the common nature of CAH as widespread or systemic attacks against a civilian population. Consequently, to establish cybercrimes as CAH, the Prosecutor’s office will first have to show that the conduct meets the contextual or chapeau elements outlined in Article 7(1). The chapeau necessitates two broad elements, namely, a widespread or systemic attack, which must be directed against the civilian population.   

Pursuant to the chapeau, for an attack to be ‘widespread’, it must be of a large-scale nature, which is typically gauged from the number of victims. While there is no set numerical threshold for the number of victims, there must be a multiplicity of victims arising out of the attack. 

There is no doubt that cybercrimes can easily be established as having a widespread nature. Given the nature of the offence, a straightforward calculation involving the number of servers affected or the degree of harm to civilian infrastructure could confirm the offence’s widespread nature. Attacks like the SolarWinds spyware, for instance, affected roughly 18,000 people, including high-ranking Pentagon officials. Such an attack is illustrative of the widespread nature of cybercrimes. A more pertinent example is the Russian NotPetya attack, which caused significant damage to critical infrastructure in Ukraine and collateral harm to other entities, such as Maersk. 

For an attack to be considered systematic, it must follow a preconceived plan or policy of an organisation. Consequently, if an attack follows a regular pattern based on a common policy, it would be systematic in its nature. Cybercrimes inherently result from a common policy, as they require preparation, planning, and meticulous cooperation, thus necessitating the existence of a common organisational policy.

Under the Statute, an attack is not restricted to military attacks but simply constitutes an operation against the civilian population. Additionally, attacks need not involve armed hostilities or even violence; it suffices that an attack involves victimisation of the civilian population. Therefore, it is evident that ‘attacks’ under the Statute are wide enough to encompass non-violent or non-physical attacks. Cyberattacks targeting civilian infrastructure undoubtedly cause psychological suffering to the civilian population, which would be sufficient to establish a CAH. 

An Analysis of Potential (Cyber) Crimes in the Ukraine Conflict 

Once the chapeau elements are established, the alleged crime should fulfil one of the enumerated offences under Article 7 of the Statute. It is pertinent to note that since CAH specifically only protects civilians, only those cybercrimes that have humanitarian consequences may amount to CAH. Consequently, cybercrimes which only harm infrastructure without affecting the human population would not amount to CAH. It would be relevant to consider whether Russia’s cybercrimes amount to crimes of persecution (Article 7(1)(h) of the Statute) or forced displacement (Article 7(1)(d) of the Statute). 

The crime of persecution involves the intentional and severe deprivation of fundamental rights of civilians based on their identity. An illustrative incidence is the BlackEnergy attack of 2015, which caused disruption to Ukrainian power grids and affected over 23,000 civilians. It could be argued that such an attack would amount to persecution since it involves the deprivation of adequate living standards on the basis of the ethnicity of the population. However, persecution must be carried out in connection with another crime under Article 7(1), which does not include cybercrimes. Consequently, it would be difficult to establish a case for the CAH of persecution in such cases.

Cybercrimes may also potentially qualify as the crime of forced displacement, which involves the unjustified displacement of individuals through coercive means. However, to find an offence of forced displacement, the perpetrators should have had the intent to use coercive means to effectuate such displacement. Two prominent Russian cybercrimes – Industroyer and Industroyer 2 were aimed at Russian power grids, causing blackouts in civilian areas. A repeated attack of a similar magnitude could arguably lead to the crime of forced displacement. 

However, due to an absence of intent to cause forced dislocation or actual evidence of displacement arising out of such conduct, it is highly improbable that a case for the CAH of forced displacement would be made out. Given these challenges, it is argued that cybercrimes may be prosecuted as ‘other inhumane acts’ under Article 7(1)(k) of the Statute. 

Cybercrimes as ‘Other Inhumane Acts’

Other inhumane acts emerged as a residual category of offence under Article 7(1) in order to penalise an ever-evolving catena of crimes borne out of the imagination of perpetrators. The requirements to meet the offence of ‘other inhumane acts’ are two-fold: they should be of a similar nature and gravity as other offences under Article 7(1) and should cause great suffering or injury (mental or physical). It is not far-fetched to imagine that prolonged periods of blackouts, systemic shutting down of civilian infrastructure, and denial of access to critical infrastructure, such as hospitals, would amount to widespread psychological suffering caused to the civilian population. 

As we have already observed, most of the cybercrimes committed today are similar in nature to the CAH of persecution and forced displacement. However, the prospect of prosecuting cybercrimes as a distinct offence as an ‘other inhumane act’ would allow the Prosecutor to avoid the pitfalls of having to prove the specific intent required to commit the aforementioned offences. The requisite mens rea for other inhumane acts is limited to the intent to cause suffering, which is very easy to establish in the case of cybercrimes. Notably, a key element of Russia’s attacks involves targeting critical infrastructure with a view to causing psychological suffering to the Ukrainian population. 

The prospect of criminalising an attack against property as an ‘other inhumane act’ is not without precedent in international criminal law. Illustratively, in the Dujail Trial, the Iraqi High Tribunal prosecuted the offence of destruction of infrastructure as an ‘other inhumane act’. Thus, the author argues that a cyberattack against critical civilian infrastructure, with the intent to cause suffering, could amount to an ‘other inhumane act’ under the Statute. 

Another illustrative threat is presented in the form of attacks against critical healthcare infrastructure. Notably, the Russian hacktivist group KillNet recently threatened to shut down emergency ventilators in British hospitals to demand the release of one of its members. Various scholars agree that such an offence would amount to a CAH since it meets the requisite threshold of offences such as murder or extermination. However, we often observe that certain cyber malware have unintended consequences, as was noted in the DarkSide attack. In such situations, treating cybercrimes as a residual category would once again help hold individuals accountable despite the lack of the specific intent to commit the enumerated CAH under Article 7(1). 

Conclusion

The Ukraine conflict has made it evident that cyberwarfare has evolved to become a central aspect of a country’s offensive policy. Since these crimes also affect the civilian population, it is argued that a recognition of such crimes as CAH is warranted and inevitable. 

Though the Prosecutor’s commitment towards investigating such crimes is commendable, it is unlikely that the crimes committed in Ukraine would warrant the ICC’s jurisdiction due to the practical issues spelt out above. Additionally, due to Ukraine’s commendable efforts in minimising the harm from such attacks, they are unlikely to meet the gravity threshold for admissibility before the Court. 

In any case, the Russia-Ukraine conflict serves as an allegory for the potential destructive capabilities of such attacks and provides valuable lessons for prosecuting cyberattacks as CAH in the future.

Armaan Rai is a student at National Law University, Jodhpur.

Image Credits: Libkos/Getty Images

Leave a comment