The technical tools for defending against cyber threats are constantly evolving and have improved significantly in recent years with the integration of artificial intelligence into the defense armory. But even with the latest technology, those approaches to cyber defense will never be sufficient to protect against the myriad vulnerabilities that exist in our ever-expanding, interconnected network of devices and sensors. That is why we must incorporate other methods of response—including diplomacy and legal accountability—to deploy an effective, comprehensive strategy against global cyber threats. An important but often overlooked instrument is the international criminal justice system, which has the power to hold individual perpetrators accountable for grave violations of international law. Although international legal institutions tend to be slow to advance with the times, especially compared to the rapid rate of technological change, recent developments at the International Criminal Court (ICC) show a promising willingness to join the fight.
The ICC and the state parties to the Rome Statute may exercise jurisdiction over four core international crimes: war crimes, crimes against humanity, genocide, and the crime of aggression. As digital technologies advance and more of our lives take place online, it is inevitable that these grave crimes will be facilitated by, or committed through, cyber-enabled means. In 2023, ICC Prosecutor Karim A.A. Khan KC announced for the first time—in Foreign Policy Analytics’ Digital Front Lines report—that cyber-enabled crimes can fall within the ICC’s jurisdiction if the requirements of the Rome Statute are met, and he noted that his office was preparing to investigate and/or prosecute such conduct. In early 2024, the ICC hosted an innovative conference in The Hague, gathering a range of experts from government, academia, civil society, and the private sector for a dialogue on the topic.
The conference, not coincidentally, was held as the world was witnessing what could be considered the first cyber war. Russian aggression against Ukraine has provided significant insights for governments and industry about the nature of cyber in armed conflict. While the use of cyber tools has not been as game-changing as many anticipated, cyber operations have played a significant role in espionage, the destruction of data, and other information operations, as well as attempts to cause physical harm by overriding industrial control systems. The timing of Prosecutor Khan’s action is notable, as it comes when there are concrete incidents that could amount to cyber war crimes but before a cyber-enabled humanitarian catastrophe like the often-referred-to “cyber 9/11” or “cyber Pearl Harbor.” While traditionally the advancement of international law is reactive (e.g., the Geneva Conventions and U.N. Charter, both of which were formed in response to World War II), the initiative to draft a cyber policy before a major humanitarian disaster caused by a cyberattack is novel and commendable.
While a single cyberattack has not yet caused a significant loss of life, escalating risks and insufficient protection measures demand action from those empowered to enforce the law and punish perpetrators. In recent years, the world has witnessed cyberattacks targeting water facilities, dams, airplanes, autonomous vehicles, and hospitals, some of which have been deadly. In addition, an increasing number of countries have developed military cyber capabilities, making the prospect that a war crime or major atrocity will be committed through cyber means an inevitability.
The ICC—in accordance with the Rome Statute—is uniquely positioned to help address current impunity gaps, especially when cyber-enabled acts occur in the context of an armed conflict. As an institution with 124 state parties, the ICC has an important role to play in developing norms and standardizing practices across jurisdictions. Relying on individual national criminal laws to fight cyber threats risks fragmentation, a lack of clarity, and inconsistent enforcement, which could ultimately undermine rather than strengthen the rule of law.
Finally, taking on this issue is a good way for the ICC to demonstrate its relevance, innovation, and agility to respond to modern threats to international peace and security. At present, many of the top cyber powers—Russia, China, Iran, North Korea, Israel, and the United States—are not party to the Rome Statute. By engaging in these issues and establishing precedent through its court system, the ICC ensures that it cannot be ignored or disregarded by powerful states.
Recent advancements in AI are quickly leading to greater human dependence on automated systems. As technology evolves and new digital infrastructure replaces existing infrastructure, the threat to services and risk of physical harm to civilians will grow. To prepare for this future, international criminal prosecutors and policymakers need to be thinking about how to apply existing laws to contemporary threats, create new laws, and enforce those laws to ensure accountability. Doing so would be a powerful tool in the global effort to protect, defend, and deter against cyber threats.
Lindsay Freeman is the Director of the Technology, Law, and Policy program at the University of California Berkeley School of Law’s Human Rights Center. Freeman is an American lawyer specializing in international criminal law and international humanitarian law with a focus on digital evidence and digital investigations. She led the drafting of the United Nations’ Berkeley Protocol on Digital Open Source Investigations and developed an OSI training course with the Institute of International Criminal Investigations. She previously worked for the Office of the Prosecutor of the International Criminal Court.