For years, some cybersecurity advocates have been calling for a sort of Geneva Convention for cyberwar: new international laws that would carry clear consequences for anyone hacking critical civilian infrastructure, such as power grids, banks and hospitals. Today, the lead prosecutor at the International Criminal Court in The Hague made clear that he intends to impose these consequences – no new Geneva Convention is required. Instead, he explicitly stated for the first time that The Hague would investigate and prosecute any hacking crimes that violate existing international law, just as it does for war crimes committed in the physical world.
In a little-noticed article published last month in the quarterly publication Foreign Policy Analytics, the lead prosecutor of the International Criminal Court, Karim Khan, clarified the new commitment: his office will investigate cybercrimes that potentially violate the Rome Statute, the treaty that defines the power of the Court to prosecute illegal acts, including war crimes, crimes against humanity and genocide.
“Cyberwar does not take place in the abstract. On the contrary, it can have a profound impact on people’s lives,” writes Khan. “Attempts to impact critical infrastructure such as medical facilities or control systems for electricity generation can have immediate consequences for many, especially the most vulnerable. Therefore, as part of its investigations, my Office will collect and review evidence of such conduct.”
When WIRED contacted the International Criminal Court, a spokesperson for the prosecutor’s office confirmed that this was now the office’s official position. “The Office considers that, in appropriate circumstances, conduct in cyberspace may potentially constitute war crimes, crimes against humanity, genocide and/or a crime of aggression,” the spokesperson wrote, “and that such conduct is potentially actionable in court where the matter is sufficiently serious.”
Neither Khan’s article nor his office’s statement to WIRED mentions Russia or Ukraine. But the new declaration of the ICC prosecutor’s intent to investigate and prosecute hacking crimes comes amid growing international attention to Russian cyberattacks targeting Ukraine before and after Russia’s all-out invasion of its neighbor in early 2022. In March last year, the Human Rights Center at the University of Berkeley School of Law sent a formal request to the ICC Prosecutor’s Office urging it to consider prosecuting Russian hackers for war crimes for their cyberattacks in Ukraine, even as prosecutors continued to gather evidence of more traditional physical war crimes committed by Russia during its invasion.
In its request, formally known as an Article 15 document, the Berkeley Human Rights Center focused on cyberattacks carried out by a Russian group known as Sandworm, a unit within the Russian military intelligence agency GRU. Since 2014, the GRU, and Sandworm in particular, have waged a series of cyberwar attacks on critical civilian infrastructure in Ukraine, beyond anything seen in Internet history. Their brazen hacks included targeting Ukrainian power utilities and triggering the only two outages ever caused by cyberattacks, and the release of the data-destroying NotPetya malware, which spread from Ukraine to the rest of the world and caused more than $10 billion in damage, including to hospital networks in Ukraine and the United States.
Although the Berkeley group’s submission initially focused on the 2015 and 2016 Sandworm attacks on Ukraine’s power grid as the clearest example of cyberattacks with physical effects comparable to those of traditional warfare, it then expanded its argument over the summer to include Sandworm’s NotPetya cyberattack, as well as a third attempt by the hackers to sabotage Ukraine’s power grid and another cyberattack on the Viasat satellite modem network used by the Ukrainian military, which caused satellite modem outages across Europe.