Attacking Through or Against Data?
Some Additional Considerations on Criminalising Cyber Operations under the Rome Statute
It is a well-established fact that cyber operations have permeated the reality of armed conflict and have become a powerful weapon in the hands of a belligerent (as demonstrated lately), reaching the ICRC’s list of the twelve most pressing issues for 2022. Primarily directed against military targets, the use of cyber warfare can also negatively affect civilians or be otherwise in violation of international humanitarian law, raising the question of their qualification as war crimes under the Rome Statute (RS). In answering this question, the approaches taken so far (including on this blog) have been to differentiate between physical consequences (further divided into the immediate and secondary effects) and non-physical effects, where such operation merely affects the computer data itself (see here), and to then select the appropriate clause of RS.
Below it will be argued that relying on traditional understandings of crime composition and its constituting elements might simplify qualifying cyber breaches under RS and make the whole concept of cyber warfare more organic to the RS system than it appears at a face value (not least due to its commonplace depiction as detached from the rest of the legal realm). Two main lines of argumentation are that, firstly, in some cases it will be more pragmatic and technically correct to qualify the deletion, appropriation, or other manipulation of computer data as part of a ‘conduct’ element of a crime, rather than a consequence thereof; and that, secondly, in criminal law terms, there is not much use in categorising immediate and delayed consequences. Instead, a unified approach to consequences shall be advocated.
The ‘Attack-Based’ Crimes
The first war crime potentially applicable to unlawful employment of cyber means is ‘intentionally directing attacks against civilian objects’, provided under Article 8(2)(b)(ii) of RS. Efforts have been made to interpret ‘objects’ as including computer data, in order for a cyber operation to be prosecuted under this clause (see here, pp. 39, 47-48; here p. 1166; and here). While this approach might also be useful, in most cases it is unlikely that the manipulation of data or disruption to the normal functioning of a system is what attack is primarily directed against. Instead, such activity is aimed at causing damage to other civilian objects through such disruption. Therefore, deletion, conversion, or another handling of data is more akin to the conduct element of crime and constitutes an ‘attack’ itself. Under this approach, there is no need to regard the computer data or its embedding system as an object against which the attack is conducted – rather, the attack is conducted through the use of such data or system (for a comparison see McKenzie, p. 1170).
One of the benefits of considering cyber activity as ‘just another way of committing a crime’ is that when the ultimate objective of the attack is damage to civilians, such operation can also be prosecuted under Article 8(2)(b)(i) RS, which criminalises ‘intentionally directing attacks against the civilian population’. Thus, decisive importance is given to the intended effect of harming civilians (directed against civilians) and as far as the Statutory formulation is concerned, a cyber operation is just another way of ‘directing an attack’. That cyber operations can generally constitute attacks was expressly confirmed, among others, in the Tallinn Manual (p. 415; see also here, p. 38).
There are other benefits too. Notably, the above crimes – attacking civilian population or civilian objects – are inchoate in nature, which means that they are completed as soon as the perpetrator directed an attack. It is thus not necessary for the damage or injury to civilians to materialise. The crimes still presuppose an intention (or knowledge) on the part of the perpetrator to target an object or an individual other than the manipulated system itself, and a reasonable expectation of such damage being realised. However, the view adopted here is that the cases where a cyber operation is calculated solely on altering the configuration of a certain system, without some ultimate, real-life consequences are rare, and even more rarely would such conduct attain the high threshold of ‘the most serious crimes of international concern (see also McKenzie, p. 1191). Nevertheless, in the exceptional cases where the data itself is of utmost importance, the above approach of regarding computer data or its storing system as the standalone targeted object (McKenzie, pp. 1171-2) will be more relevant.
One more overlooked feature of the ‘attack-based’ crimes that provide greater protection to individuals from an offensive cyber activity is that attacks are directed against civilians or civilian objects in a general sense, and not necessarily against their life or limb. Hence, such offences even have the potential of addressing a threat to the general well-being of the civilian population (e.g., when cyber activity targets the health-care sector, electricity or water systems), or financial harms suffered by private companies (the example of Maersk incident invoked here). In the same vein, deletion of medical files, instead of trying desperately to include them in the category of ‘objects’, can be considered as a cyber-attack directed against civilians under Article 8(2)(b)(i) RS.
The Crimes of Destruction and Appropriation
Another set of crimes often referred to as potentially applicable to cyber warfare are offences against property, such as the extensive destruction and appropriation [Article 8(2)(a)(iv)] and the destruction or seizure of enemy’s property [Article 8(2)(b)(xiii)]. The defining feature of such offences is (in contrast to the ‘attack-based’ crimes) that the intended consequence of destruction or appropriation should indispensably materialise for a crime to be completed. The scope of application of these crimes is limited, on the one hand, as only the outcomes of destruction or appropriation of a certain property can constitute the war crime. Yet, on the other hand, the means for achieving these outcomes are essentially unlimited, as the relevant clauses do not specify how exactly the negative consequence should be brought about. Consequently, destruction or appropriation/seizure by employing cyber means can easily amount to the offences in question.
As we compare the two types of offences (attack-based and consequence-oriented), it is important to clarify that the situations of their application are not as interchangeable as sometimes portrayed. Instead, it seems to be a well-established position that the crime of attacking civilians or civilian objects should be committed in the context of active hostilities, whereas only the property that has fallen into the enemy’s hands can be destroyed or appropriated (e.g., in the context of occupation). The issue has attracted wider attention as the International Criminal Court attempted to define the term ‘attack’ on its Ntaganda judgment. While most authors agree on the separation of ‘conduct of hostilities’ and ‘occupation’ crime categories, some allege that such divergence is not grounded in the RS and instead originates from the underlying IHL norms. At any rate, when it comes to cyber operations and their qualification as war crimes, attention should be given not only to appropriate object and other constituting elements but also to the context in which they are committed – inside or outside active combat. Given the ever-changing landscape of protracted conflicts with territories under passing control, the identification of the proper context of a cyber attack will likely be an extremely complicated exercise, all the more so considering the supra-territorial nature of the cyber activity itself.
The approach of differentiating between the first-hand, immediate effects and the secondary, protracted consequences raises questions as well. It appears that what here is described as immediate effects should rather be considered as part of extended criminal action. It seems unlikely that a cyber operation is aimed simply at changing the chemical composition of water (Florida example) or the frequencies in a motor in a nuclear facility (Stuxnet incident). Any kinetic changes in the environment that commission of criminal act is accompanied with (e.g., a bullet leaving firearm and entering someone’s body) can be terminologically called an immediate effect and be relevant for certain legal analysis, but are fairly irrelevant for a criminal law determination of crime consequence (compare). Instead, a consequence is normally the ultimate objective that the perpetrator is trying to achieve (poisoning population, destroying centrifuges, etc.), which becomes a constituting element of a crime whenever (a) a perpetrator intended or had an advance knowledge thereof and directed an attack to achieve it; (b) there is a causality link between attack and the consequence (in case of inchoate crimes, potential causality); (c) the consequence is of sufficient gravity to be prosecuted under RS. Any outcome of a cyber operation that satisfies these requirements can be, thus, relevant, regardless of these outcomes having a first- or second-level character.
The purpose of this article is to present additional, somewhat contrasting but mostly supplementary perspectives on approaching the criminalisation of cyber operations under the RS. Such approaches should be varied, considering the ‘anonymous’ and incalculable nature of cyber activities and their consequences, which challenge traditional understandings of legal concepts. The bottom line of the piece is that the crime formulations offered in RS have the potential to capture a wide range of unlawful cyber conduct and there is no need for introducing new offences (as argued here). In this process, shifting the focus from interpreting computer data as targeted object to considering the data handling as a part and parcel of criminal act seems to have several advantages demonstrated above.