ICC Office of the Prosecutor Releases Draft Policy on Cyber-Enabled Crimes

Editor’s note: This article is cross-posted at EJIL Talk!

On March 6, the Office of the Prosecutor of the International Criminal Court (ICC) published a draft Policy on cyber-enabled crimes, which is now open for public consultation. States and non-state actors are increasingly using advanced cyber tools, including artificial intelligence (AI), to commit or facilitate crimes against international law. This happens both in peacetime situations and especially in wartime. The incidence of such potentially criminal use of new technologies will only be on the rise, and it requires a response. The draft Policy is part of that response, explaining both how the Office will interpret the provisions of the Rome Statute of the ICC in a cyber context and what practical measures it will adopt when conducting its investigations and prosecutions.

All legal systems must adapt to challenges posed by new technologies, including cyber and AI. There are various processes through which this kind of adaptation can be done. One such process—legislative action—is exceptionally difficult in the international legal system, especially in a political climate that is not exactly conducive to multilateralism. Rather than making new law, therefore, the international legal system generally needs to apply “old” rules, designed long before cyber technologies became so ubiquitous or before they even existed, to issues arising from the use of such technologies. There is simply no alternative.

As a branch of international law, international criminal law is no different. In the absence of legislative action, there is no choice but to apply existing rules to the commission or facilitation of international crimes by cyber means. This can be done by using widely accepted approaches to interpretation, without impermissibly stretching the meaning of existing rules and violating the principle of legality.

The first systematic interpretative effort in this regard was a 2021 report by an expert group convened by Lichtenstein and supported by several states (The Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare). Additionally, there is the ongoing work on Tallinn Manual 3.0 on the application of international law in cyberspace, which I co-direct. Last year, the international group of experts working on the Manual finalized a new chapter on international criminal law and cyber (the chapter will not be publicly available until the Manual as a whole is completed).

After a conference held last year that brought together cybersecurity and technology experts, corporations, civil society, academics, state representatives, and members of the judiciary, the ICC Prosecutor initiated a process of formulating a policy for his Office, which would guide its future work on crimes under the Rome Statute committed or facilitated by cyber means. I was appointed special adviser to the Prosecutor and, together with colleagues from the Office of the Prosecutor, worked on drafting the new Policy.

During this consultation process, the Office would very much welcome comments from all partners, especially from states parties, civil society, interested private-sector corporations, and other organizations with particular expertise in this area. After the public consultation process concludes on May 30, we will revise the draft Policy in light of the comments received. The final Policy will then be approved by the Prosecutor later this year.

What are some of the key takeaways from the draft Policy? First, it is important to understand its scope. The Policy deals with crimes within the jurisdiction of the ICC, which are criminalized directly under international law. It does not address ordinary “cybercrime,” which are dealt with by domestic law (for example, the commission of theft or fraud by cyber means). For these ordinary crimes, states may assume treaty-based duties of investigation and mutual cooperation, for instance, under the Budapest Convention or the new UN Convention Against Cybercrime, but they do not as such fall within the jurisdiction of the ICC. That is, the Policy is concerned with the commission or facilitation by cyber means of aggression, genocide, crimes against humanity, and war crimes. It is also concerned with the cyber aspects of crimes against the administration of justice set out in Article 70 of the Rome Statute.

Second, in line with the prior work of the Council of Advisers and the Tallinn Manual 3.0 experts, the Office considers that, in principle, the crimes in the jurisdiction of the ICC can all be committed by cyber means. The Policy analyzes the elements of ICC crimes and how they can apply in the cyber context, often by providing hypothetical examples. Clearly, some crimes can more straightforwardly be committed by cyber means than others. It does not take a great leap of imagination to say that, for instance, the inchoate offense of direct and public incitement to genocide can easily be committed using social media platforms. Similarly, the crime against humanity of murder can be committed by means of a cyber operation targeting air traffic control systems, thereby causing planes to crash—this is an ordinary interpretative exercise that in no way stretches the bounds of the Rome Statute.

There are, of course, prudential limits that the Office must abide by when engaging in this kind of interpretative exercise, before an actual case is litigated. There is a balance to be struck between providing new interpretations of the provisions of the Rome Statute in the cyber context and saying too much, when doing so not only would be unnecessary but also could create practical problems in future cases before the ICC or provoke backlash. Thus, for example, the Policy does not adopt a position on certain issues that are currently debated among states, such as the question whether cyber operations that do not cause death, injury, or physical damage can be regarded as “attacks” as that term is understood in the law of armed conflict, or the question whether data can be regarded as an “object” to which targeting rules, such as the principle of distinction, would apply.

Third, the Policy is particularly keen in explaining that offenses against the administration of justice, pursuant to Article 70 of the Rome Statute, can easily be committed by cyber means. For example, a witness can be intimidated or retaliated against by means such as circulating death threats against them on social media or by disseminating an AI-generated deepfake video harmful to their reputation. Evidence may be tampered or interfered with by, for instance, altering or deleting digital records. Similarly, an official of the ICC may be subjected to blackmail, intimidation, or retaliation through the use of social media, the digital fabrication of evidence of their supposed wrongdoing, or the dissemination or threatened dissemination of reputationally harmful deepfakes. These are not mere hypotheticals—the ICC itself was already the target of a massive cyberattack in 2023. The Office is therefore explicit in signaling that it will rigorously investigate and prosecute attempts to undermine the Court’s mission, by cyber means or otherwise, where they amount to offenses against the administration of justice.

Fourth, the Policy emphasizes that cyber means can be used not only to commit crimes under the Rome Statute but also to facilitate their commission. For example, cyber means, including the use of AI, can be used to facilitate the commission of war crimes or crimes against humanity by more traditional, kinetic means. This is why the Policy uses the term “cyber-enabled crimes,” and why it discusses various accessory modes of liability that are available in the Rome Statute, such as contributing to the crimes of a group acting with a common purpose.

Fifth, the Policy discusses how the jurisdictional framework of the Rome Statute would apply to cyber-enabled crimes. The core principles of that framework are easy to state. The ICC has jurisdiction over a crime if it is committed on the territory of a state party, or by a national of a state party, or pursuant to a UN Security Council referral. But there are many complexities here, which arise from the text of the statute and from the jurisprudence of the Court interpreting it. In the cyber context, for example, it can frequently be the case that the criminal conduct is committed simultaneously in the territory of more than one state.

Similarly, there are some uncertainties about how the jurisdictional framework of the Rome Statute applies to forms of participation in a crime other than commission. Consider, for instance, a scenario in which a war crime (such as intentionally directing attacks against civilians or civilian objects) is committed by kinetic means on the territory of a state party but is facilitated by cyber means by an accessory operating outside the territory of a state party. The Policy provides the views of the Office on some of these questions. Again, however, it is not a complete statement of the Office’s views. Jurisdictional issues can be especially sensitive, legally and politically, and it could be counterproductive for the Office to announce its views on some of them until a relevant case is being litigated.

Sixth, the Policy deals with many practical aspects of investigating and prosecuting cyber-enabled crimes. It explains, for example, that the Office will apply the same criteria that guide its approach to case selection to both cyber and kinetic crimes. It emphasizes the need to develop and build partnerships, with states, corporations, and civil society, to meet the technological and practical challenges of successfully investigating and prosecuting cyber offenders.

The Office is very much aware of these practical challenges, which are not underestimated. Proving the attribution of specific conduct in cyberspace to a specific individual, and doing so to the legally required standard of proof (for example, beyond a reasonable doubt for a conviction), is no easy task. There will be cases where proof will prove impossible to obtain. But such difficulties, technical or otherwise, should also not be overestimated. It is possible to effectively prosecute cybercriminals, great or small, as domestic experiences demonstrate.

Therefore, the draft Policy emphasizes the need for capacity-building and training within the Office. The Office is particularly keen to enhance its cooperation with national authorities in order to facilitate the flow of evidence and expertise. As states are now increasingly building cooperation capacities in investigating and prosecuting ordinary cybercrimes, many of these capacities can also feed into the work of the ICC. The Policy also explains that it is absolutely essential for the Court to cooperate with the private sector, which plays an outsized role in the cyber context. Such cooperation can be both formal and informal, and has already been undertaken.

In all of these ways, the Policy seeks to show that the Office’s mandate will not be outpaced by technology, and that the Rome Statute remains relevant to the criminal conduct of persons within the ICC’s jurisdiction, irrespective of the technological means they might employ. Again, there are practical difficulties in prosecuting cyber offenders, in the ordinary domestic context or in the international criminal one. These challenges should not be either underestimated or overestimated. The Office of the Prosecutor is committed to establishing an institutional environment that facilitates the effective investigation and prosecution of cyber-enabled crimes under the Rome Statute—and the need for this is increasingly pressing. The Policy is but a first step in this regard, and I am very grateful to all those who will contribute to the public consultation process in the months to come.