The International Criminal Court Will Now Prosecute Cyberwar Crimes

Authored by wired.com and submitted by Hrmbee

For years, some cybersecurity defenders and advocates have called for a kind of Geneva Convention for cyberwar, new international laws that would create clear consequences for anyone hacking civilian critical infrastructure, like power grids, banks, and hospitals. Now the lead prosecutor of the International Criminal Court at the Hague has made it clear that he intends to enforce those consequences—no new Geneva Convention required. Instead, he has explicitly stated for the first time that the Hague will investigate and prosecute any hacking crimes that violate existing international law, just as it does for war crimes committed in the physical world.

In a little-noticed article released last month in the quarterly publication Foreign Policy Analytics, the International Criminal Court’s lead prosecutor, Karim Khan, spelled out that new commitment: His office will investigate cybercrimes that potentially violate the Rome Statute, the treaty that defines the court’s authority to prosecute illegal acts, including war crimes, crimes against humanity, and genocide.

“Cyber warfare does not play out in the abstract. Rather, it can have a profound impact on people’s lives,” Khan writes. “Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable. Consequently, as part of its investigations, my Office will collect and review evidence of such conduct.”

When WIRED reached out to the International Criminal Court, a spokesperson for the office of the prosecutor confirmed that this is now the office’s official stance. “The Office considers that, in appropriate circumstances, conduct in cyberspace may potentially amount to war crimes, crimes against humanity, genocide, and/or the crime of aggression,” the spokesperson writes, “and that such conduct may potentially be prosecuted before the Court where the case is sufficiently grave.”

Neither Khan’s article nor his office’s statement to WIRED mentions Russia or Ukraine. But the new statement of the ICC prosecutor’s intent to investigate and prosecute hacking crimes comes in the midst of growing international focus on Russia’s cyberattacks targeting Ukraine both before and after its full-blown invasion of its neighbor in early 2022. In March of last year, the Human Rights Center at UC Berkeley’s School of Law sent a formal request to the ICC prosecutor’s office urging it to consider war crime prosecutions of Russian hackers for their cyberattacks in Ukraine—even as the prosecutors continued to gather evidence of more traditional, physical war crimes that Russia has carried out in its invasion.

In the Berkeley Human Rights Center’s request, formally known as an Article 15 document, the Human Rights Center focused on cyberattacks carried out by a Russian group known as Sandworm, a unit within Russia’s GRU military intelligence agency. Since 2014, the GRU and Sandworm, in particular, have carried out a series of cyberwar attacks against civilian critical infrastructure in Ukraine beyond anything seen in the history of the internet. Their brazen hacking has ranged from targeting Ukrainian electric utilities and triggering the only two blackouts ever caused by cyberattacks to the release of the data-destroying NotPetya malware that spread from Ukraine to the rest of the world and inflicted more than $10 billion in damage, including to hospital networks in both Ukraine and the United States.

HistoricRevisionist on September 8th, 2023 at 20:03 UTC »

The way people misunderstand the ICC is insane, especially among journalists. Both Russia and Ukraine are not signatories to the Rome Statute (even though Ukraine recognizes it in this case).

But even if they did, it's incredibly hard to prove things like war crimes and crimes against humanity. Even for Darfur it wasn't a matter of simply prosecuting a guilty party for the very obvious genocide, as the terms of the crimes are very tightly defined.

It's definitely not a tool to use against your perceived enemies during an ongoing conflict, as the press often makes it sound.

In all its history, the ICC has only convicted ten people who have served/are serving a sentence, and only five on war crimes or crimes against humanity. The ICC does not try people unless they are present at the ICC in The Hague, and it doesn't have jurisdiction in Russia, China, India or the US (because they are all not signatories or party to the treaty).

Fun fact: did you know the US has an act that allows the president to order the invasion of The Hague if US soldiers are ever potentially prosecuted at the ICC? :-)

LLamasBCN on September 8th, 2023 at 19:44 UTC »

As a cybersecurity engineer, I hope we get to see far more evidence than we saw with Huawei and their "backdoors". Governments seem to love using cybersecurity "national security" as a joker, but it's not magic. Evidence in the cybersecurity world is often easier to find than in the real world.

Hrmbee on September 8th, 2023 at 19:39 UTC »

Submission statement:

Currently, state actors or their proxies are carrying out cyber attacks against adversaries, and are largely doing so with impunity. This lack of any kind of accountability might be coming to an end with the ICC's decision to prosecute these kinds of crimes, which, though they may be waged digitally, can have some very real-world consequences for the people that they affect.