For years, some cybersecurity defenders and advocates have called for a kind of Geneva Convention for cyberwar, new international laws that would create clear consequences for anyone hacking civilian critical infrastructure, like power grids, banks, and hospitals. Now the lead prosecutor of the International Criminal Court at the Hague has made it clear that he intends to enforce those consequences—no new Geneva Convention required. Instead, he has explicitly stated for the first time that the Hague will investigate and prosecute any hacking crimes that violate existing international law, just as it does for war crimes committed in the physical world.
In a little-noticed article released last month in the quarterly publication Foreign Policy Analytics, the International Criminal Court’s lead prosecutor, Karim Khan, spelled out that new commitment: His office will investigate cybercrimes that potentially violate the Rome Statute, the treaty that defines the court’s authority to prosecute illegal acts, including war crimes, crimes against humanity, and genocide.
“Cyber warfare does not play out in the abstract. Rather, it can have a profound impact on people’s lives,” Khan writes. “Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable. Consequently, as part of its investigations, my Office will collect and review evidence of such conduct.”
When WIRED reached out to the International Criminal Court, a spokesperson for the office of the prosecutor confirmed that this is now the office’s official stance. “The Office considers that, in appropriate circumstances, conduct in cyberspace may potentially amount to war crimes, crimes against humanity, genocide, and/or the crime of aggression,” the spokesperson writes, “and that such conduct may potentially be prosecuted before the Court where the case is sufficiently grave.”
Neither Khan’s article nor his office’s statement to WIRED mention Russia or Ukraine. But the new statement of the ICC prosecutor’s intent to investigate and prosecute hacking crimes comes in the midst of growing international focus on Russia’s cyberattacks targeting Ukraine both before and after its full-blown invasion of its neighbor in early 2022. In March of last year, the Human Rights Center at UC Berkeley’s School of Law sent a formal request to the ICC prosecutor’s office urging it to consider war crime prosecutions of Russian hackers for their cyberattacks in Ukraine—even as the prosecutors continued to gather evidence of more traditional, physical war crimes that Russia has carried out in its invasion.
In the Berkeley Human Rights Center’s request, formally known as an Article 15 document, the Human Rights Center focused on cyberattacks carried out by a Russian group known as Sandworm, a unit within Russia’s GRU military intelligence agency. Since 2014, the GRU and Sandworm, in particular, have carried out a series of cyberwar attacks against civilian critical infrastructure in Ukraine beyond anything seen in the history of the internet. Their brazen hacking has ranged from targeting Ukrainian electric utilities and triggering the only two blackouts ever caused by cyberattacks to the release of the data-destroying NotPetya malware that spread from Ukraine to the rest of the world and inflicted more than $10 billion in damage, including to hospital networks in both Ukraine and the United States.
Most PopularThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian Chokkattu CultureConfessions of a Hinge Power UserBy Jason Parham GearHow Do You Solve a Problem Like Polestar?By Carlton Reid SecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'Flaherty
GearThough the Berkeley group’s submission initially focused on Sandworm’s 2015 and 2016 attacks on Ukraine’s power grid as the clearest example of cyberattacks with physical effects comparable to those of traditional warfare, it later expanded its argument to include Sandworm’s NotPetya cyberattack, as well as a third attempt by the hackers to sabotage Ukraine’s power grid and another cyberattack on the Viasat satellite modem network used by Ukraine’s military, which caused outages of the satellite modems across Europe.
The fact that Khan doesn’t explicitly mention Russia in his article doesn’t actually mean he’s shying away from investigating war crimes carried out by Sandworm or other Russians involved in the Ukraine attacks, says Lindsay Freeman, the Human Rights Center’s director of technology, law, and policy. Instead, she sees the article as a broader statement that hacking activities that violate international law will be considered as part of any investigation the prosecutors carry out. “The fact that he’s not just saying that he’s going to do this in Ukraine, that he’s going to do this in all investigations is really important,” says Freeman. “Seeing that this is the reality of cyberwar now and this is something they, as an office, have to investigate in every single case—that goes beyond what we were pushing for, and it’s a really important and powerful move.”
Ukraine’s government, meanwhile, has already opened its own investigation into Russian war crimes carried out via cyberattacks. Aside from charging any Russian hackers or their superiors in its own court system, evidence from that investigation could now also be provided to the ICC’s prosecutors to aid any case that the Hague prosecutors bring against Russia.
Six of Sandworm’s hackers are already facing an indictment in the United States for hacking crimes related to their cyberattacks targeting Ukraine, as well as the network of the 2018 Winter Olympics in Pyeongchang, Korea. But Freeman points out that charges against Russian hackers at the Hague would have a broader effect: 123 countries are parties to the Rome Statute, and so have agreed to help detain and extradite convicted war criminals. That includes some countries that don’t have extradition treaties with the United States, such as Switzerland and Ecuador. The Hague’s remit also extends not only to the hands-on-keyboards hackers themselves, Freeman notes, but to the command structure above those hackers, opening the possibility of new charges against higher-level officers within Russia’s military or even Russian president Vladimir Putin himself.
In terms of legal precedents, Khan’s statement that the Hague prosecutor’s office will now consider hacking a potential violation of international law is “novel but not surprising,” says Bobby Chesney, director of the Strauss Center for International Security and Law at the University of Texas Law School. “I don’t think anyone who’s serious about international law would dispute that there are at least some circumstances in which intentional harm to civilians can be carried out through cyber means in a way that qualifies as an attack and therefore a violation” of the Rome Statute’s principle that combatants distinguish between civilian and military targets, Chesney says.
Most PopularThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian Chokkattu CultureConfessions of a Hinge Power UserBy Jason Parham GearHow Do You Solve a Problem Like Polestar?By Carlton Reid SecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'Flaherty
GearChesney says he was more intrigued to see other parts of Khan’s article that mention disinformation as a separate area of concern and “gray zone” tactics that “operate in the area between war and peace.” As a precedent for sources of disinformation being charged under international law, Chesney points to rare incidents, like radio journalists who were convicted in an international criminal tribunal for helping incite genocide in Rwanda in 1994. Investigating or charging hacking that occurs outside the context of war as a violation of international law, as Khan’s article seems to suggest, would be newer territory.
But the Human Rights Center’s Freeman argues that given the ICC prosecutor’s limited resources and discretion to choose which cases to prosecute, any commitment to examine and potentially charge cyberwar crimes is a historic moment. “Just looking at how cyber is being used in war, and that [Khan] sees it in his remit and something worth investigating as a priority within his power of discretion, I think is incredibly important,” she says.
Khan clearly sees the stakes as equally high: He ends his article by quoting (or perhaps misquoting) Albert Einstein’s stated fear that “technology would exceed our humanity.”
“Undoubtedly, we shall be tested,” Khan writes. “But through our common efforts—and above all the belief that we can mobilize the law on these new front lines to deliver justice—we may collectively ensure that a more humane world is forged. The ICC will play its part, now and in years to come.”