This article argues that it is possible—given the right resources and expertise—to hold individual non-state actors responsible for violations of international humanitarian law (also known as ‘the laws and customs of war’) perpetrated with cyberweapons. It describes jurisdictional elements of violations of the laws and customs of war as well as points that prosecutors and investigators must consider when planning investigations of serious violations of international humanitarian law perpetrated in cyberspace. It addresses how certain theories of individual criminal responsibility for war crimes apply to offences committed by non-state actors during cyberwarfare and identifies particular evidentiary challenges arising from the particular qualities of cyberspace and cyberweapons. Individual accountability for war crimes perpetrated during cyber operations requires new thinking about the application of legal principles and theories during cyber conflict.

1. Introduction

Cyber operations allow non-state actors, with relatively minimal effort, to produce state-level violence during armed conflict.1 Fortunately, international legal norms that guide the behaviour of states, groups and individuals during peace and conflict also apply in cyberspace.2 The precise contours of the application, however, remain undefined.3 Accordingly, this article examines one aspect of this broad topic: the substantive and practical challenges that prosecutors confront when investigating and prosecuting serious violations of international humanitarian law (‘war crimes’)4 by non-state actors during cyberwarfare.

Essentially, computer programs (or ‘software’) are a series of instructions, expressed in mathematical terms, followed by a computer to achieve certain tasks. These mathematical statements are known as ‘algorithms’ and they function at ‘unbelievable speed’.5 Malicious software, ie computer code designed to damage or disable other programs, and/or to collect intelligence, is referred to as ‘malware’.6 For example, some forms of malware, known as ‘botnets’, permit belligerent parties to launch coordinated attacks against adversaries by asserting ‘command and control’ over computer servers.7 The latest generation of malware includes cyberweapons with extraordinary sophistication and capabilities, including the ability to operate undetected ‘in the wild’ of cyberspace for extended periods of time.8 Indeed, the science of cyberweapon technology is so complex that contemporary military commanders may possess only a limited understanding of how these weapons function.9

Much about cyberwarfare challenges our understanding of armed conflict10 and the application of international humanitarian law. Unlike kinetic weapon systems, cyberweapons are not machines composed of many physical components; they are collections of data used to communicate instructions to software or hardware.11 In addition to their technical complexity, one starkly evident quality of cyberweapons is (ironically) their invisibleness. This characteristic of software code, combined with the vast anonymity and ‘interconnectivity’12 of cyberspace, presents profound challenges for the prosecution of individuals responsible for war crimes committed with cyberweapons.

For example, each of the principle Internet ‘backbone routers’ (the states, institutions and corporations that provide the most important fiber optic links for the Internet) typically maintain over 70 000 ‘routes’ for sending cyber messages from computer to computer and network to network.13 Thus, the source or sources of a cyberattack may be hidden or obscured by virtual activity in computers anywhere in the world or on the Internet.14 This anonymity impedes the identification of perpetrators of crimes using cyberweapons, including determinations whether the executors of cyberattacks are combatants, civilians or civilians directly participating in hostilities.15

This article explains that it is possible—given the right resources and expertise—to hold individual non-state actors responsible for violations of international humanitarian law perpetrated with cyberweapons. Section 2 describes jurisdictional elements of violations of the laws and customs of war. Section 3 addresses points that prosecutors and investigators must consider when planning investigations of serious violations of international humanitarian law perpetrated in cyberspace. Section 4 addresses how certain theories of individual criminal responsibility for war crimes apply to offences committed by non-state actors during cyberwarfare. Section 5 identifies additional evidentiary challenges arising from the particular qualities of cyberspace and cyberweapons. Finally, I conclude that individual accountability for war crimes perpetrated during cyber operations requires new thinking about the application of legal principles and theories during cyber conflict.

2. Jurisdictional Elements of War Crimes: The Existence of an Armed Conflict and Its Nexus to the Offence

A. The Armed Conflict

Consistent with the practice of national judicial systems, the principle of individual guilt in international criminal law requires proof of objective and subjective elements16: the actus reus—the physical act necessary for the offence—and the mens rea—the necessary mental element.17 An accused can be convicted of a crime only if her mens rea comprises the actus reus of the crime.18

However, in addition to evidence pertaining specifically to the guilt of an accused, a prosecutor must also establish the existence of certain broad, jurisdictional (or ‘contextual’) elements of the offence. For example, with respect to alleged violations of international humanitarian law, the prosecution must demonstrate that an armed conflict—whether international or non-international—existed at the time of the alleged offence.19 No central authority exists under international law to identify or classify a situation as an armed conflict. Instead, states and parties to a conflict must determine the legal framework applicable to the conduct of their military operations.20

In a generic sense, armed conflicts involve two or more organised armed groups engaged in fighting of some intensity.21 However, international humanitarian law distinguishes between ‘international’ and ‘non-international’ armed conflicts. An international armed conflict exists whenever there is a resort to armed force between states.22

The concept of a non-international armed conflict, however, is treated differently in international humanitarian law treaties. Common Article 3 of the 1949 Geneva Conventions, for example, obliges parties to non-international armed conflicts to treat humanely persons taking no active part in hostilities and those placed ‘hors de combat’. Common Article 3 applies in all situations of non-international armed conflict.23 According to the ICRC Commentary to Common Article 3, such non-international armed conflicts:

are protracted armed confrontations occurring between governmental forces and the forces of one or more armed groups, or between such groups arising on the territory of a state [party to the Geneva Conventions.] The armed confrontation must reach a minimum level of intensity and the parties involved in the conflict must show a minimum of organization.24

Similarly, the International Criminal Tribunal for the Former Yugoslavia (ICTY) holds that a non-international armed conflict exists whenever there is protracted armed violence between government authorities and organised armed groups or between such groups within a state.25 ICTY case law discusses and defines the contours of the two essential criteria indicated by the ICRC, protracted combat and organised armed groups.26

Article 1 of Additional Protocol II to the 1949 Geneva Conventions, however, addresses a narrower range of non-international armed conflict, ie only those armed conflicts between state armed forces and ‘dissident armed forces or other organised armed groups which, under responsible command, exercise such control over a part of its territory as to enable them to carry out sustained and concerted military operations’ and to apply the rules of APII.27 Effectively, Article 1 of APII requires a greater degree of conflict as well as a higher level of organisation for ‘armed groups’ than Common Article 3.28 Moreover, Article 1 of APII excludes the possibility that protracted combat solely between two or more organised armed groups constitutes a non-international armed conflict.

Common Article 3’s broader scope for non-international armed conflicts permits the broadest possible application of international humanitarian law.29 It also facilitates the widest possible application of treaty and customary rules of international humanitarian law applicable to non-international armed conflicts to cyberwarfare. Thus, for the purposes of this article, I will apply the definition of non-international armed conflicts emanating from Common Article 3 and adopted by the ICTY.

In addition, for the purposes of this section, I will assume that evidence of the pre-condition of ‘armed force between states’ (for international armed conflicts) or the ‘protracted armed violence’ precondition (for non-international armed conflicts) exists.30 The discussion will focus on the requisite proof to establish, in the context of a non-international armed (cyber) conflict, the existence of an organised armed group.

The threshold of proof required to demonstrate this jurisdictional element is relatively low as evidence of ‘some level of organisation’ of the group will suffice.31 In the context of kinetic warfare, several broad categories of material, alone or combined, generally are sufficient to demonstrate that an ‘armed group’ is organised: (i) evidence of a command structure; (ii) evidence that the group can carry out coordinated operations; (iii) evidence pertaining to the logistical capacities of the group; (iv) evidence demonstrating that the group maintains a level of discipline and the ability to implement the basic obligations of international humanitarian law; and (v) evidence illustrating the group’s ability to speak with one voice.32

Given the particular characteristics of the cyber battlespace, however, these evidentiary categories of organisation for the kinetic context are less helpful when the ‘armed group’ consists solely of cyber actors launching attacks against the infrastructure of state armed forces or other insurgent factions.33 The concept of ‘organisation’ can change radically in cyberspace. Assuming that there is a plurality of members, the identity of the group as a ‘group’ may consist only of periodic exchanges of electronic data.34 The members of the group may hide their identities from each other in the anonymity of cyberspace.35 Although the cyber group may contain only a ‘handful’ of members, their ability to cause harmful consequences to the enemy’s ability to fight may be substantial. Conversely, the group may have many members scattered around the world, loosely (and virtually) connected via the Internet.

Similarly, in many ways, the notion of ‘logistical capabilities’ becomes much less relevant in the context of cyber operations. The group’s ‘logistical’ needs, for example, may encompass only occasional access to a computer and the Internet. Its weapons may be ‘stored’ in the mind of a single member and disseminated merely with the touch of a button. Moreover, during kinetic warfare, the ability to control territory is a strong indicator of the organisational level of an armed group.36 Cyber networks arguably constitute ‘territory’ as well,37 but the control of electronic ‘territory’ implies a different kind of control than the governmental authority traditionally exercised over geographic areas by state and non-state actors. Control over ‘cyber territory’ involves electronic domination of a virtual environment that, in theory, can be achieved by a small group of persons or even a single individual.

These conceptual differences are not insurmountable for a prosecutor trying to establish the existence of an ‘organised armed group’. First, as mentioned above, it is only necessary to demonstrate ‘some level of organisation’ exercised by the group.38 That is a pragmatic approach because if this evidentiary bar was set too high, it would be too difficult to prove the existence of a non-international armed conflict. Consequently, persons affected by kinetic and/or cyberwarfare would lose the protections of international humanitarian law.

However, with respect to non-state actors conducting cyber operations (and only cyber operations), it also is important that this bar not be set too low. Given the ubiquity and relative inexpense of computer technology and infrastructure, the number of non-international armed conflicts could grow exponentially as cyber ‘hactivists’, cyber terrorists and other actors claim some form of military association (and the political status accorded to such groups). Armed conflicts where belligerent parties are loosely defined and constantly shifting and reforming within the borderless and invisible cyber domain ‘is in fact a conflict that knows no boundaries, has no beginning and can never have an end’.39 Such virtual armed groups would swallow the rule requiring some level of organisation. The result would be the extension of the right of states to use deadly force (pursuant to the rules of international humanitarian law) in situations where international human rights law normally would (and should) apply.

Thus, determinations concerning whether a non-state actor that relies solely on cyber activity to harm state armed forces or another non-state actor meets the threshold standard of an ‘organised’ armed group must be performed carefully, on a case-by-case basis. Furthermore, circumstances may arise where evidence (or the lack thereof) of the organisational level of the non-state actor should not control the determination of whether international humanitarian law applies. For example, Blank and Corn advocate a ‘totality of circumstances’ analysis for determination of the existence of an armed conflict, rather than the legalistic approach governed by the Tadić criteria.40 Under their test, when the chaos and levels of violence unleashed by one or more parties obscures the identity and organisation of non-state armed groups, common sense and the object and purpose of international humanitarian law demands that the parties comply with this legal regime.41 This is not to suggest that the criteria of ‘level of organisation’ has lost its significance. Rather, it is a pragmatic strategy to ensure that civilians and other affected persons receive the protections due them under international humanitarian law, at least until more clarity is available with respect to the nature of the conflict.

B. The Nexus Between the Armed Conflict and the Acts of Omissions of the Accused

If the existence of an armed conflict (be it international or non-international) has been established, the Prosecution also must establish a link between the alleged acts of the accused and the armed conflict.42 This nexus requirement distinguishes war crimes from domestic crimes and prevents random criminal acts from being characterised as violations of the laws or customs of war.43 During kinetic warfare, indicators of a link between the conduct of the accused and armed conflict include, inter alia, ‘whether the perpetrator was a combatant, whether the victim was a non-combatant, whether the victim was a member of the opposing party, whether the act may be said to have served the ultimate goal of a military campaign, and whether the crime is committed as part, or in the context of, the perpetrator’s official duties.’44

These same indicators also are relevant with respect to alleged crimes perpetrated via cyber operations. For example, if, during an armed conflict, a commander orders cyber operations that amount to a war crime, evidence of the link between the conflict and the commander’s behaviour will be obvious. In addition, evidence indicating that the cyber operation contributes to the overall military objective(s) of the originator—such as attacks against enemy military personnel or objectives—will be particularly relevant.45

Accordingly, depending on the circumstances (and the applicable legal theory), the available evidence must support a finding that a nexus exists between the acts or omissions of the accused and an armed conflict under international law. Absent these jurisdictional components, the Prosecutor has no case.

3. Planning an Investigation for Serious Cybercrimes by Non-State Actors

This section will discuss the important legal and logistical decisions that must be made before commencing an investigation into serious cybercrimes during armed conflict.

A. Case Selection

The investigation and prosecution of serious violations of international humanitarian law normally requires significant amounts of resources. Prosecutors and courts do not have the capacity to redress every crime and hold accountable every offender. Therefore, prosecutors must make difficult decisions as to which cases warrant their attention. At the ICTY, guidelines for the commencement of investigations emphasised a number of factors for consideration including:

  1. the seriousness of the crimes, the numbers of victims, the duration of the offences and the scope of destruction;

  2. the role of the person under investigation, especially his or her position in the political or military hierarchy, the extent of his or her authority and his or her alleged participation in the crimes under investigation; and

  3. whether the persons and the crimes to be investigated were exceptionally notorious, although the persons did not hold a formal hierarchical position.46

Generally, the same selection criteria used for crimes linked to kinetic warfare should apply to cybercrimes committed by non-state actors during armed conflict. Investigation of a cyberattack that takes control of a civilian airliner and flies it into the ground, or releases the water held in check by a dam onto a civilian population, will be more appropriate than an inquiry into a cyberattack that disrupts the power supply of a school. A commander who plans and orders multiple, destructive and unlawful cyberattacks will bear a greater level of responsibility than a single operator who, in response to an instruction, launches one of the cyber strikes.47

Massive kinetic crimes, such as the mass murders and expulsions of entire communities from their homes common to contemporary armed conflict, require the assistance of large numbers of persons and the coordinated use of substantial resources.48 The human scale and systemic nature of such conduct usually presents multiple investigative avenues. For example, to evaluate whether a political figure illegally used speech to commit, instigate and/or aid and abet crimes against humanity, such as extermination, rape, deportation, etc, prosecutors and investigators will review the politician’s televised speeches, radio broadcasts and interviews and published writings. In addition, investigative staff will interview the persons who saw, heard and/or read those expressions in order to adduce the effect of that speech on the targeted audience, which may be the general public, an army brigade, a platoon of insurgents, etc.

However, in comparison to war crimes using kinetic means and methods, the sheer invisibleness and anonymity of cyberspace creates a great disadvantage for investigators and prosecutors. A cybercrime that results in mass destruction may accrue from a bit of invisible malware that has lain dormant for a period of time and altered its own structure to avoid detection and attribution. Thus, in the cyber context, selection of cases for investigation and prosecution will turn on the question whether some evidence exists of the identity of the perpetrators and their superiors, accomplices, etc, as well as the seriousness and notoriety of the crime.

B. Cyberwar Crimes

Pursuant to international humanitarian law, the laws of targeting, including the rules of distinction49 and proportionality,50 must apply when parties launch attacks with cyberweapons during armed conflict. The deliberate violation of these rules is a war crime, codified, inter alia, in the Rome Statute of the International Criminal Court (ICC).51

The interconnectivity of the Internet and the dual-use nature of many components of cyber infrastructure complicate efforts to prove that damage and harm caused by a cyberattack arose from a violation of the laws of war. Many cyber networks, both hardware and software, serve military and civilian purposes.52 By definition, they qualify as military objectives53 and lose their immunity from attack.54 Thus, proof of a deliberate cyberattack on civilians and/or civilian objects would be most convincing in situations—like the civilian airliner scenario mentioned above—where the target of the malware attack is computer infrastructure clearly separate from military networks and installations.

Nevertheless, attacks that employ certain means and/or methods that cannot discriminate between civilians and civilian objects and military objectives are ‘tantamount to direct targeting of civilians’.55 Similarly, encouragement of soldiers to fire weapons for which they lack training may be indicative of the indiscriminate nature of an attack.56 Furthermore, the indiscriminate nature of an attack may be circumstantial evidence that the attack actually was directed against the civilian population.57 Thus, if a non-state actor employs an unsophisticated or imprecise cyberweapon that cannot be targeted at a specific military objective or objectives, the individuals involved will be responsible for a war crime.58

Perceived violations of the proportionality rule may become common during cyberwarfare due to indirect effects of an attack that emanates through cyberspace. But the results of an attack are irrelevant to proportionality analysis in international humanitarian law.59 The prosecutor must prove that, at the moment the attack was launched, the anticipated incidental damage to civilians and/or civilian objects was clearly excessive to the expected military advantage.60 This is a reasonableness test, ie whether a reasonably well-informed person in the circumstances of the person responsible for the attack, making reasonable use of the information available to her, could have expected clearly excessive civilian casualties to result from the attack.61

Thus, the proportionality rule ‘is not a standard of precision’.62 Rather, military commanders must use their common sense and good faith when they weigh up the humanitarian and military interests at stake.63 In the context of cyberwarfare, however, the potential (although not necessarily the likelihood) for incidental damage is enormous, even for the most discriminate attack. Some cyberweapons such as the ‘Stuxnet’ worm, are extraordinarily discriminate and precise.64 Nevertheless, even the ‘Stuxnet’ malware eventually found its way into the Internet, where it autonomously attacked thousands of computer systems around the world with far less precision than its designers intended.65

Some general considerations for a ‘reasonable’ proportionality assessment for an attack using cyberweapons may be helpful. First, the less sophisticated and precise the malware, the greater should be the expected incidental damage. Similarly, a cyberweapon with the ability to destroy (in whole or in part) the enemy’s computer infrastructure will possess a greater likelihood for incidental damage than malware that merely slows or otherwise disrupts the functioning of computer hardware. Moreover, malware that self-mutates so as to avoid detection (and deactivation) also carries a higher potential for incidental damage. Furthermore, with respect to the use of cyberweapons, part of the ‘reasonable commander’ standard for the proportionality analysis is a strong understanding of the functions and capabilities of the malware selected for the attack.66 From a criminal law perspective, the hard cases of proportionality will arise when a competent, knowledgeable commander orders a cyberattack using a relatively precise weapon, to achieve a limited military advantage.

4. Theories of Direct Individual Criminal Responsibility for Serious (Cyber) Violations of the Laws and Customs of War

If the Prosecutor can prove that cyberweapons were used to perpetrate a war crime, she still must demonstrate the individual criminal responsibility of the person(s) responsible. That requires proof of one or more modes of individual criminal responsibility recognised in international law.67 In this section, for the purpose of brevity, I will focus on four of these theories of liability: (i) Commission (including co-perpetration and participation in a common criminal purpose), (ii) Ordering, (iii) Instigation or Inducement, and (iv) Aiding and Abetting.

Individual ‘commission’ of a crime entails the physical perpetration of a crime or engendering a culpable omission in violation of criminal law.68 The actus reus of this mode of criminal liability is that the accused participated, physically or otherwise directly, in the material elements of a crime, through positive acts or omissions, whether individually or jointly with others.69 In addition to the actus reus, as mentioned above, attribution of criminal responsibility for any of the crimes that fall within the jurisdiction of the ad hoc tribunals and/or the ICC ‘depends on the existence of the relevant state of mind or degree of fault’.70

At the ad hoc international criminal tribunals, the requisite mens rea for commission is that the perpetrator acted with the intent to commit the crime, or with an awareness of the probability, in the sense of the substantial likelihood, that the crime would occur as a consequence of his/her conduct.71 The Rome Statute, however, excludes the application of the dolus eventualis standard, as well as the mens rea of recklessness, at the ICC.72 At the ICC, the criminal mens rea exists if the accused means to commit the crime, or, he is aware that by her actions or omissions, the crime ‘will occur in the ordinary course of events.’73

Frequently, ‘commission’ by an individual accused is the simplest mode of criminal liability to prove. Nevertheless, in the context of cyberwarfare, the problem of attribution of attacks, and the intent of the attacker can present formidable obstacles. Courts are unlikely to convict individuals for ‘commission’ of unlawful cyberattacks if prosecutors cannot provide forensic evidence demonstrating, beyond a reasonable doubt, that an individual or individuals launched a particular attack from a particular computer or network. This will be challenging as, for example, a computer located in one country may launch an attack controlled by a person situated in another part of the globe.74 Moreover, designers may develop malware that mutates automatically, making identification of the code and attribution more difficult.75

In addition to commission of a crime ‘as an individual’, accused may also incur liability as a ‘co-perpetrator’ if they commit a crime ‘jointly with another person’, or ‘through another person’.76 To establish that an accused person committed a crime ‘jointly with another’, it must be established that two or more individuals worked together in the commission of the crime.77 There must be an agreement—express or implied, previously designed or arising extemporaneously—that links the co-perpetrators and that justifies the ‘reciprocal imputation of their respective acts’.78 The accused must provide an essential contribution to the agreement that results in the commission of the relevant crime.79 The accused must be aware of her essential contribution, and must act with the intention that the crime occur, or with the awareness that by implementing the common plan, the crime ‘will occur in the ordinary course of events.’80

The theory of commission ‘through another person’ arises in situations where an accused makes use of another person who carries out the criminal conduct, ‘by virtue of the accused’s control over that person, and the latter’s conduct is therefore imputed on the former’.81 For example, the arrest warrant issued by the ICC against Libyan leader Mohammed Gaddafi based Gaddafi’s criminal liability on his ability to control the (mis)conduct of Libyan authorities and thereby commit crimes ‘through’ them.82

These forms of co-perpetration can also serve as bases for liability for unlawful acts of cyberwarfare. For example, an individual who, pursuant to an agreement, designs and produces malware that a co-perpetrator will use to commit a war crime, may be liable under the theory of ‘jointly’ committing a crime. Similarly, a person who wields great power and authority may compel one of her subordinates to use malware to violate international humanitarian law. If the crime occurs, the person in power can be responsible for committing a crime ‘through’ the underling.

In addition, at the ICC, individuals can incur criminal responsibility if they contribute to the commission, or attempted commission of a crime by a plurality of persons acting with a common criminal purpose.83 At the ad hoc tribunals, culpable participation in a common criminal purpose is referred to as a ‘joint criminal enterprise’ and requires a significant contribution to the realisation of the crime.84

Contributions to a common criminal purpose can include non-cyber as well as cyber activities. For example, if members of a non-state organised armed group decide to shut down all of the state’s hospitals, the success of the criminal plan may turn on a cyberattack on the hospital computer networks. The designer of the malware that damages the networks makes an essential contribution, as does the person who (intentionally) launches the malware towards its target. However, the persons who (intentionally) finance the malware development or provide the computer hardware needed to carry out the attack also make important contributions and thereby also incur accessory criminal liability.85

Responsibility under the mode of ‘ordering’ ensues when a person in a position of authority orders an act or omission with the awareness of the substantial likelihood that a crime will be committed in execution of that order, and, if the person receiving the order subsequently commits the crime.86 Orders need not take a particular form and the existence of orders may be established using circumstantial evidence.87 Liability ensues if the evidence demonstrates that the order substantially contributed to the perpetrator’s criminal conduct.88

In the context of cyberwarfare, it may be difficult to identify persons who hold a ‘position’ of authority over others. The measurement of authority in the virtual environs of cyberspace requires knowledge of the relative powers and abilities of often anonymous parties who may use cyber activities and infrastructure to obfuscate their identities and communications. ‘Rank’ or other traditional de jure forms of leadership may give way to more horizontal structures and dynamics that depend more on cyber skills and (enemy) vulnerabilities than the capacity to command and control.89

The modes of liability of soliciting and inducing fall into the broader category of ‘instigation’ or ‘prompting another to commit a crime’, in the sense that they refer to conduct by which a person influences another to commit a crime.90 The instigating acts or omissions must clearly contribute to the conduct of the persons who subsequently commit the crimes.91 Proof must also exist that the defendant intended to provoke or induce the commission of the crime, or was aware of the substantial likelihood that the commission of a crime would be a probable consequence of his acts.92

Proving criminal liability under the mode of instigation may be exceptionally difficult in the context of cyber operations. Instead of visible forms of expression that prompts criminal behaviour, instigation between cyber actors may take on new, electronic forms. For example, the release of a particular bit of computer code or use of certain computer language might influence other actors to commit crimes. How will a prosecutor identify such prompting behaviour from one anonymous individual to another within the invisible domain of cyberspace? Even if the prosecutor can identify the cyber inducement, she must also demonstrate that the electronic prompt (intentionally) contributed to the conduct of the person who actually perpetrated the crime. These evidentiary challenges will likely require non-electronic forms of evidence, such as witness testimony or contemporary reports by persons involved, that can explain the instigatory cyber communications and behaviour that prompted an unlawful act.

The requirements of ‘aiding and abetting’ are a contested area of international criminal law. At the ICTY, Appeals Chambers have divided over the question whether this mode of criminal responsibility requires that assistance to perpetrators be ‘specifically directed’ to the execution of specific crimes. In the case of Momčilo Perisić, one Chamber held that specific direction is an element of the actus reus of aiding and abetting.93 Subsequently, however, a differently constituted Chamber emphatically and ‘unequivocally’ rejected the Perisić approach.94 In Šainović, et al, the majority held that, under customary international law, the actus reus of aiding and abetting is ‘practical assistance, encouragement, or moral support which has a substantial effect on the perpetration of the crime’.95 The mens rea is the knowledge that the acts assist the commission of the crime.96

It is possible to imagine several modalities for aiding and abetting crimes perpetrated with cyberweapons. One person might identify a vulnerable civilian object, a second might produce malware to exploit the vulnerability while a third conducts the attack, and a fourth person creates obfuscating malware to conceal the origin of the attack.97 Each person would provide a substantial contribution to the commission of the war crime. Proof of the contributor’s criminal mens rea depends on her knowledge that crimes occur as a result of the group’s cyber activity. If it is a matter of common knowledge that a pattern of attacks on civilian cyber infrastructure exists, this would suggest that, at least after the initial attack(s), the contributor knew that her acts would assist the commission of the crime.98

5. Additional Evidentiary Challenges

A. The Meaning of ‘Relevant and Probative’ Evidence in Cyberspace

To be admissible in a criminal trial, evidence must be relevant and probative.99 ‘Relevant’ evidence is material that speaks to an issue at stake in the trial.100 ‘Probative’ refers to the presence of indicia of reliability regarding the accuracy and authenticity of the evidence.101 The illustration below illustrates the challenges of fulfilling these criteria with respect to crimes committed during cyber conflict.

Relevant cyber evidence will include malware found within infected/damaged computers and servers. The construction and ‘experience’ of that malware, however, is complex and open to challenge. For example, with respect to cyberweapons, after launch, computer code travelling in cyberspace is split into multiple data ‘packages’ which typically traverse different civilian or dual-use cyber structures before reaching its intended destination/target.102 Thus, new malware viruses can arrive at a cyberspace destination in pieces and subsequently self-assemble to perform its task.103 At trial, testimony from a cyber forensic expert will be necessary to explain what the malware is, how it functions, and how it affected the targeted computer.

But in the cyber domain it is typically unclear, even to the author of a cyberattack, which route(s) her data packages will use in order to arrive at their intended target.104 Furthermore, in future cyber conflicts millions of data packages will move in all directions.105 Because of the interconnectedness of cyberspace, it will rarely be possible to prove at which moment which components of the cyber infrastructure were used for a particular military operation.106 The probative value of the forensic expert’s evidence may diminish, therefore, unless she can explain, with precision, the journey of the malware from the non-state actor’s computer to the intended target, and how, if at all, that migration affected the malware

B. Cyberwarfare and the Line Between Lawful Intent and Criminal Mens Rea

In addition, the nature of cyberweapons presents new challenges in distinguishing a criminal intent or mens rea from an accidental event. Because software usually is a detailed expression of mathematical statements, it does not fail in the same way as a mechanical system.107 Software does not ‘break’; instead it fails in a conceptual sense.108 Moreover, besides failures caused by mistakes in the computer code, software also can function unpredictably due to design errors, which lead to poor interaction between different systems.109 For example, as mentioned above, software code may evolve or mutate, resulting in cyber activities or attacks that cause damage or destruction beyond that intended by the computer programmers, operators and their commanders.110 The conceptual complexity of the technology, therefore, may obfuscate the true nature of the intent of the persons who employ the malware.

Thus, what appears, at first blush, to be a deliberate attack on civilian cyber infrastructure, may actually represent accidental and/or unforeseen indirect harm emanating from a (lawful) operation directed at military objectives. Conversely, it would be incorrect to assume that all carefully designed and sophisticated malware is intended to operate against precise and lawful targets. Some cyberweapons are designed specifically to afford ‘arbitrary, malicious functionality’.111 Thus, proof of a criminal mindset for a cyberattack will likely require more than cyber evidence. Witness testimony and documentary evidence concerning the intent of the perpetrators will be necessary to explain and corroborate the electronic data, as well as the prosecutor’s theory of individual responsibility.

6. Conclusions

The authors of the Tallinn Manual observed that ‘the application of the law of armed conflict to cyber operations can prove problematic’.112 In the criminal context, that is probably an understatement. The particularly challenging characteristics of cyberspace and cyberweapons demand new thinking, and new forensic techniques, for investigating and proving criminal responsibility. As cyber technologies—both benign and malevolent—continuously evolve, the technical and legal skills of prosecutors and investigators must also develop apace. Nevertheless, it is possible—given the right resources and expertise—to hold individual non-state actors accountable for violations of the laws and customs of war perpetrated with cyberweapons.

1 E Jensen, ‘Cyber Attacks: Proportionality and Precautions in Attack’ (2013) 89 International Law Studies 198, 198, 201.
2 ‘International Strategy for Cyberspace: Prosperity, Security and Openness in a Networked World’ May 2011, 9. <> accessed 1 August 2016.
3 ibid.
4 Art 8 of the Rome Statute of the International Criminal Court (ICC), contains a comprehensive list of specific war crimes and/or grave breaches of the Geneva Conventions of 12 August 1949 <> accessed 1 August 2016.
5 B Gates, ‘EdX Course CS50x3’ (Week 1, Computer Science 50, Harvard College 2015).
6 K Hamlen, ‘Stealthy Software: Next Generation Cyber-attacks and Defenses’ (Proceedings of the 11th IEEE Intelligence and Security Informatics Conference (ISI), Seattle, Washington, USA, June 2013) 109–12 <∼hamlen/hamlen13isi.pdf> accessed 20 May 2015.
7 ibid.
8 ibid.
9 A group of international humanitarian law experts recently made a cryptic reference to this lack of comprehension of cyberweapons technology by those who command its use: ‘[g]iven the complexity of cyber operations, the high probability of affecting civilian systems, and the sometimes limited understanding of their nature and effects on the part of those charged with approving cyber operations, mission planners should, where feasible, have technical experts available to them in determining whether appropriate precautionary measures have been taken.’ (Emphasis added), MN Schmitt (ed), Tallinn Manual on International Law Related to Cyber Warfare (CUP 2013) r 52(6).
10 H Lin, ‘Cyber Conflict and International Humanitarian Law’ (2012) 94 International Review of the Red Cross 866, 515, 516.
11 H Eggen Røislien, ‘Thoughts on Autonomous Weapon Systems and Meaningful Human Control of Cyber’ (Open Democracy, 7 November 2014) <> accessed 1 August 2016.
12 C Droege, ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’ (Summer 2012) 94 International Review of the Red Cross 886, 539.
13 ‘Internet Protocol Version 6 (IPV6) and Internet Communication’ (TechNet) <> accessed 1 August 2016. Modifications to the Internet are expected to simplify this infrastructure. ibid.
14 One commentator describes cyber operations as ‘a medium where anonymity is the norm and distance and proximity are largely irrelevant’. H Harrison Dinniss, ‘Participants in Conflict: Cyber Warriors, Patriotic Hackers and the Laws of War’ in Dan Saxon (ed), International Humanitarian Law and the Changing Technology of War (Martinus Nijhoff/Brill 2013) 251, 252. Thus, cyberattacks are the perfect tool for clandestine operations ‘and one of their main advantages is that the author can hide under the invisibility cloak of plausible deniability’. M Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 39–40.
15 According to Art 51(3) of Additional Protocol I to the Geneva Conventions of 12 August 1949 (API), ‘[c]ivilians shall enjoy the protection afforded by this Section, unless and for such time as they take a direct part in hostilities’. For clarification of the phrase ‘civilian directly participating in hostilities’, see N Melzer, Interpretive Guidance on the Notion of Direct Participation in Hostilities Under International Humanitarian Law (ICRC 2009).
16Prosecutor v Duško Tadić (Judgment) ICTY-94-1-A (15 July 1999) para 194.
17Prosecutor v Zejnil Delalić, et al (Judgment) IT-96-21-T (16 November 1998) paras 424 and 425.
18Prosecutor v Mladen Naletilić, aka ‘Tuta’ and Vinko Martinović, aka ‘Ṧtela’ (Judgment) IT-98-34-A (3 May 2006) para 114. A conviction absent mens rea would violate the presumption of innocence. ibid. Thus, to convict an accused of a crime, she must, at a minimum, have had knowledge of the facts that made her conduct criminal. ibid. Similarly, at the Permanent ICC, a conviction can occur ‘only if the material elements are committed with intent and knowledge’ Art 30 ICCSt. This conjunctive approach requires the accused to possess a volitional element encompassing two possible situations: (i) she knows that her actions or omissions will bring about the objective elements of the crimes, and she undertakes such actions or omissions with the express intent to bring about the objective elements of the crime; or (ii) although she does not have the intent to accomplish the objective elements of the crime, she is nonetheless aware that the consequence will occur in the ordinary course of events. Decision on Confirmation of Charges, Prosecutor v Germain Katanga & Ngudjolo (Pre-trial Chamber) ICC-01/04-01/07 (30 September 2008) para 529; Corrigendum to Decision on Confirmation of Charges, Prosecutor v Abdallah Banda & Saleh Jerbo (Pre-trial Chamber I) ICC-02/05-03/09 (7 March 2011) para 153.
19Prosecutor v Duško Tadić, a/k/a ‘Dule’ (Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction) IT-94-1 (2 October 1995) para 67. The term ‘violence’ in this context does not necessarily require the use of kinetic force. Rather, it refers to the effects or consequences, rather than the means or methods, of the use of force against an enemy. Schmitt (n 9) rr 13(4) and 30(3). Indeed, an ‘armed’ conflict may consist of cyber operations partly or exclusively. ibid, rr 22 and 23(2). Report of the Netherlands Advisory Council on International Affairs and the Advisory Committee on Public International Law, ‘Cyber Warfare’ (December 2011) No 77, AIV/No 22 CAVV, 36. International humanitarian law applies from the commencement of such armed conflicts and extends beyond the termination of hostilities until a general conclusion of peace is reached; or, in the case of internal conflicts, a peaceful settlement is achieved. ‘Until that moment, international humanitarian law continues to apply in the whole territory of the warring States or, in the case of internal conflicts, the whole territory under the control of a party, whether or not actual combat takes place there.’ ibid, para 70.
20 ICRC ‘Commentary to Common Art 3 to Geneva Convention I’ (2016) para 42 <> accessed 30 March 2016.
21 International Law Asssociation, Final Report on the Meaning of Armed Conflict in International Law (ILA 2010) 32.
22Prosecutor v Duško Tadić, a/k/a ‘Dule’ (Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction) IT-94-1-A (2 October 1995) para 70. 2016 ICRC Commentary to Common Art 3 to Geneva Convention I (n 20) para 66.
23 ICRC ‘Commentary to Art 1, APII’ paras 4447 and 4453.
24 ICRC ‘Commentary to Common Art 3 to Geneva Convention I (n 20) para 423.
25 Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction (n 19) para 70.
26 For an exhaustive discussion of the different factors that can be considered when evaluating the intensity of the conflict and the organisational level of armed groups, see Prosecutor v Ljube Boškoski and Johan Tarčulovski (Judgment) IT-04-82-T (10 July 2008) paras 176–292.
27 Protocol Additional to the Geneva Conventions of 12 August 1949 and Relating to the Protection of Victims of Non-International Armed Conflicts (Protocol II) (8 June 1977) <> accessed 30 March 2016. Thus, APII does not apply to situations of internal disturbances, such as riots or other isolated and sporadic acts of violence.
28 ICRC Commentary to Art 1 (n 23) paras 4463–70.
29 Similarly, Art 8(2)(e) of the Rome Statute of the International Court, which defines particular war crimes occurring during a non-international armed conflict, does not limit its application to those situations that include the conditions expressed in Additional Protocol II.
30 No clear standard exists to determine the ‘protacted’ nature of armed violence, also referred to as the ‘intensity of the conflict’. M Schmitt, ‘Classification of Cyber Conflict’ (2012) 17 Journal of Conflict & Security Law 2, 245–60, 258. A broad range of criteria may be applicable depending on the facts of a particular case. LjubeBoškoski and Johan Tarčulovski (n 26) paras 177–93 and 208–49. The Inter-American Commission for Human Rights has held that armed clashes between dissident groups and state armed forces for as little as 30 hours can trigger the application of international humanitarian law. Juan Carlos Abella v Argentina 11.137 (18 November 1997) paras 154–56.
31Ljube Boškoski and Johan Tarčulovski (n 26) paras 197–98.
32 ibid, paras 199–203.
33 Absent kinetic activities, cyber operations alone can result in a non-international armed conflict. Schmitt (n 9) r 23(2). The experts who drafted the Tallinn Manual concluded, however, that, due to the precondition of protracted violence to establish a non-international armed conflict, ‘cyber operations alone can trigger a non-international armed conflict in only rare cases’. ibid, r 23(7). That observation, however, appears to be inconsistent with the possibility for damage and harm inherent in cyberwarfare. David Turns describes ‘the potential effects of hostile [cyber] operations’ as ‘the stuff of nightmares’ ‘Cyber War and the Concept of “Attack” in International Humanitarian Law’ in D Saxon (ed), International Humanitarian Law and the Changing Technology of War (Martinus Nijhoff 2013) 213.
34 Of course, unlike most operations during kinetic warfare, a single invisible individual can launch multiple (invisible) attacks from different cyber locations, making it difficult to establish, in the first place, the existence of a group.
35 The fact that the members of the group do not meet physically does not preclude sufficient level of organisation. Schmitt (n 9) r 23(13).
36 Art 1 of APII, ‘Relating to the Protection of Victims of Non-International Armed Conflicts’, explains that the Protocol encompasses organised armed groups, which, inter alia, exercise control over territory of a state party.
37 The commentary of the Tallinn Manual observes that ‘[c]ontrol over cyber activities alone is insufficient to constitute control of territory for Additional Protocol II purposes (although control over cyber activities may be indicative of the degree of territorial control a group enjoys).’ (Emphasis added) r 23(17).
38 For example, ‘a distinct online group with a leadership structure that coordinates its activities’ might qualify as an organised armed group. Schmitt (n 9) r 23(13).
39 N Lubell, Extraterritorial Use of Force Against Non-State Actors (OUP 2011) 130.
40 L Blank and G Corn, ‘Losing the Forest for the Trees: Syria, Law, and the Pragmatics of Conflict Recognition’ (2013) 46 Vanderbilt Journal of Transnational Law 3, 693–746.
41 ibid 696–97, 701–02, 730–31 and 740–42.
42Prosecutor v Vlastimir Dorđević (Judgment) IT-05-87/1-T (23 February 2011) para 1527. See also Schmitt (n 9) r 20(5) (opining that international humanitarian law does not apply unless a nexus exists between the cyber activity and an armed conflict).
43Vlastimir Dorđević, ibid, para 1527. Importantly, given the particular geographic qualities of cyberwarfare, the alleged offences need not occur at a time and in a place where fighting is actually taking place. ibid.
44 ibid.
45 Contrast such acts with conduct of a purely criminal or private nature that occur during armed conflict. Schmitt (n 9) r 35(6).
46 United Nations Interregional Crime and Justice Research Institute (UNICRI), ICTY Manual on Developed Practices (2009) 14–15.
47 On command responsibility in cyberspace see E van Sliedregt, ‘Command Responsibility and Cyberwar’ (in this volume) Journal of Conflict and Security Law.
48 UNHRC ‘Report of the Independent International Commission of Inquiry on the Syrian Arab Republic’ (23 November 2011) UN Doc A/HRC/S-17/2/Add.1, paras 101–07 <> accessed 30 March 2016. Prosecutor v Vujadin Popović, et al (Judgment) IT-05-88-T (10 June 2010) paras 1050–72.
49 ‘The civilian population as such, as well as individual civilians, shall not be the object of attack’ and ‘[c]ivilian objects shall not be the subject of attacks or reprisals.’ Arts 51(2) and 52(1), Additional Protocol 1 to 1949 Geneva Conventions. Moreover, ‘[i]ndiscriminate attacks are prohibited.’ ibid, Art 51(4).
50 ‘[T]hose who plan or decide upon an attack shall … refrain from deciding to launch any attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated; … .’ Art 57(2)(a)(iii) API.
51 Art 8(2)(b)(i)–(iv) (17 July 1998) <> accessed 1 August 2016.
52 Geiβ and Lahmann argue that ‘[e]ach and every bit of memory capacity or computer power, wherever it resides, has military potential at all times.’ R Geiβ and H Lahmann, ‘Cyber Warfare: Applying the Principle of Distinction in an Interconnected Space’ (2012) 45 Israel Law Review 381, 389.
53 Art 52(2) API.
54 ‘Civilian objects are protected against attack, unless and for such time as they are military objectives.’ r 10, ICRC Customary International Humanitarian Law Study <> accessed 30 March 2016.
55Strugar (Judgment) IT-01-42-A (17 July 2008) fn 689 (citing Prosecutor v Stanislav Galić (Judgment) IT-98-29-T (5 December 2003) fn 101).
56Strugar, ibid, para 274.
57Galić (n 55) para 132.
58 Due to its lack of sophistication, however, this more rudimentary malware is more susceptible to detection than more advanced cyberweapons. Email from Sarah McKune, Senior Researcher, The Citizen Lab, to author (3 February 2015).
59 Y Dinstein, The Conduct of Hostilities under the Law of International Armed Conflict (2nd edn, CUP 2010) 132.
60 The adjective ‘excessive’ is important because, as Professor Dinstein observes, incidental civilian damage during armed conflict is inevitable due to the impossibility of keeping all civilians and civilian objects ‘away from the circle of fire in wartime’. Y Dinstein, ‘The Principle of Distinction and Cyber War in International Armed Conflicts’ (2012) 17 Journal of Conflict & Security Law 261, 269. However, the term does not lend itself to empirical calculations as it is impossible to prove that a particular factory is worth X number of civilians. A Rogers, Law on the Battlefield (2nd edn, Manchester UP 2004) 20.
61Galić (n 55) para 58.
62The Targeted Killing Case (Judgment) Supreme Court of Israel President A Barak (11 December 2005) para 58.
63 ICRC Commentary to Art 57, API (n 50) para 2208.
64 WJ Broad, ‘Israel Test on Worm Called Crucial in Iran Nuclear Delay’ The New York Times (15 January 2011) <>.
65 G Keizer, ‘Why Did Stuxnet Worm Spread?’ (Computer World, Framingham, Massachusetts, USA, 1 October 2010) <> accessed 30 March 2016.
66 This requirement is also relevant to the question whether a cyberattack was indiscriminate.
67 For a general overview of the modes (or theories) of liability, see A Cassese, International Criminal Law (2nd edn, OUP 2008) 186–252.
68Prosecutor v Fatmir Limaj, et al.(Judgment) IT-03-66-T (30 November 2005) para 509.
69 ibid.
70Bemba (Decision Pursuant to Art 61(7)(a) and (b) of the Rome Statute on the Charges of the Prosecutor Against Jean-Pierre Bemba Gombo) ICC-01/05-01/08 (15 June 2009) para 427; Zejnil Delalić (n 17) para 425.
71Limaj (n 68).
72The Prosecutor v Thomas Lubanga Dyilo (Trial Judgment) ICC-01/04-01/06 (14 March 2012) para 1011.
73 ibid, para 1018.
74 Lin (n 10) 522.
75 For example, ‘reactively adaptive’ malware ‘intelligently learns’ how to mutate to avoid detection by defensive software. V Mohan and K Hamlen, ‘Frankenstein: Stitching Malware from Benign Binaries’ (Proceedings of the 6th USENIX Workshop on Offensive Technologies (WOOT), Bellevue, Washington, August 2012) 77–84. Similarly, in ‘genetic programming’, algorithms mutate malware code to avoid detection and, through ‘natural selection’, mutated code that successfully avoids exposure survives and continues to function. Email from Kevin Hamlen, Associate Professor, Computer Science Department, University of Texas at Dallas to author (18 June 2014).
76 Rome Statute, Art 25(3)(a).
77 Judgment on the Appeal of Mr Thomas Lubanga Dyilo Against His Conviction (Appeal) ICC-01/04-01/06 A 5 (1 December 2014) para 445.
78 ibid.
79Thomas Lubanga Dyilo (n 72) para 1018. Put differently, persons who incur liability via this mode are deemed to have ‘control over the crime’. The Prosecutor v Germain Katanga (Judgment Pursuant to Art 74 of the Statute) ICC-01/04-01/07 (7 March 2014) paras 1393–1406.
80Thomas Lubanga Dyilo (n 72) para 1018.
81 Judgment on the Appeal of Mr Thomas Lubanga Dyilo Against His Conviction (n 77) para 465.
82 Effectively, Gaddafi had control over the ‘apparatus of power’ in Libya. ‘Gaddafi rules Libya. Since the 1969 coup détat, Libya adopted a legal system that confers on Gaddafi absolute power and authority. … Gaddafi’s instructions are binding and have the force of law … .’ Prosecutor’s Application Pursuant to Art 58 as to Muammar Mohammed Abu Minyar Gaddafi, et al ICC-01/11 (16 May 2011) para 4 <> accessed 1 August 2016. Katanga (n 18) paras 1403–12.
83 Rome Statute, Art 25(3)(d).
84Popović, et al (Judgment) IT-85-88-T (10 June 2010) para 1027, citing Momčilo Krajišnik (Judgment) IT-00-39-A (17 March 2009) para 215; Radoslav Brđanin (Judgment) IT-99-37-A (3 April 2007) para 430; Miroslav Kvočka, et al.(IT-98-30/1-A) (28 February 2007) para 97. The theory of ‘joint criminal enterprise’ contains three sub-categories. The first category refers to cases where all co-accused, acting pursuant to a common design, possess the same criminal intent. The accused must voluntarily participate in an aspect of the common purpose and the accused must intend the criminal result. The second category of cases—sometimes referred to as the ‘concentration camp cases’—include circumstances where the accused participate in the enforcement of a system of repression, with knowledge of the nature of the system and the intent to further the common criminal design. The third category of cases includes situations involving a common purpose to pursue one course of criminal conduct where one of the accused ‘commits an act which, while outside the common design, was nevertheless a natural and foreseeable consequence of the effecting of that common purpose’. Prosecutor v Duško Tadić (Judgment) IT-94-a-A (15 July 1999) paras 187–204.
85 Criminal responsibility under Art 25(3)(d) of the Rome Statute is a form of accessory liability. Lubanga Appeal Judgment (n 77) para 472.
86Prosecutor v Ferdinand Nahimana, et al (Judgement) ICTR-99-52-T (3 December 2003) para 481; Boškoski & Tarčulovski (Judgment in Appeals Chamber) IT-04-02-A (19 May 2010) para 160.
87Boškoski & Tarčulovski, ibid, para 160.
88 ibid.
89 For example, while new kinetic weapons often are designed years before conflicts, cyberweapons must be designed after a decision has been made to use it, as the rapid development of technology continuously creates new cyber vulnerabilities and methods to defend against them. Interview with Col H Folmer, Commander of Cyber Command, Netherlands Ministry of Defence (The Hague, 20 January 2015).
90The Prosecutor v Laurent Gbagbo (Decision on the Confirmation of Charges Against Laurent Gbagbo) ICC-02/11-01/11 (12 June 2014) para 243.
91Prosecutor v Radoslav Brđanin (Judgment) IT-99-36-T (1 September 2004) para 269.
92 ibid.
93Prosecutor v Momčilo Perisić (Judgment) IT-04-81-A (28 February 2013) paras 25–36.
94Prosecutor v Nikola Šainović et al (Judgment) IT-05-87-A (23 January 2014) paras 1617–50. Likewise, at the Special Court for Sierra Leone, the Appeals Chamber also rejected any ‘specific direction’ requirement as part of the actus reus of aiding and abetting. Marko Milanović, ‘SCSL Appeals Chamber Affirms Charles Taylor Conviction’ (EJIL: Talk! 26 September 2013) <> accessed 30 March 2016.
95Šainović (n 94) paras 1626 and 1649. Subsequently, the ICTY Appeals Chamber affirmed the Ṧainović holding in Prosecutor v Vujadin Popović, et al (Judgment) IT-05-88-A (30 January 2015) para 1758 and Prosecutor v Jovica Stanišič & Franko Simatović (Judgment) IT-03-69/A (9 December 2015) paras 104–06.
96 ibid, para 1649.
97 M Schmitt, ‘Classification of Cyber Conflict’ (2013) 89 International Law Studies 233, 246 (describing these different roles as evidence of ability of a virtual organisation to act in a coordinated manner).
98Prosecutor v Zlatko Aleksovski (Judgment) IT-95-14/1-A (24 March 2000) paras 169–72. The ICTY Appeals Chamber held that the evidence demonstrated that the accused (the commander/warden of a prison) was aware that detainees under his responsibility were being mistreated by soldiers on a recurring basis over a period of time. Nevertheless, the accused continued to send the detainees to work for those soldiers. Therefore, the accused bore individual criminal responsibility for aiding and abetting the mistreatment of the victims.
99 r 89(C), Rules of Procedure and Evidence, ICTY <> accessed 30 March 2016. On the use of digital evidence before the International Court of Justice, see M Roscini, ‘Digital Evidence as a Means of Proof Before the International Court of Justice’ (in this volume) Journal of Conflict and Security Law.
100Prosecutor v Milan Martić (Decision Adopting Guidelines on the Standards Governing the Admission of Evidence) IT-95-11-T (19 January 2006) Annex A, paras 1 and 10.
101Prosecutor v Slobodan Milosević (Decision on Admissibility of Prosecution Investigator’s Evidence) IT-02-54-AR73.2 (30 September 2002) paras 18–24l; Prosecutor v Dario Kordić & Mario Cerkez (Decision on Appeal Regarding Statement of a Deceased Witness) IT-95-14/2-A (21 July 2000) paras 22–27.
102 Geiβ and Lahmann (n 52) 126–27.
103The National Plan for Research and Development in Support of Critical Infrastructure Protection (The Executive Office of the President, Office of Science and Technology Policy, The Department of Homeland Security, Science and Technology Directorate 2004) 54 <> accessed 30 March 2016.
104 Geiβ and Lahmann (n 52) 386.
105 ibid.
106 ibid 386–87.
107 J Lyons, ‘ARIANE 5, Flight 501 Failure, Report by the Inquiry Board’ (19 July 1996) <∼arnold/disasters/ariane5rep.html> accessed 30 March 2016.
108 ibid (observing that ‘software is an expression of a highly detailed design and does not fail in the same sense as a mechanical system’).
109 ibid. ‘Spy Plane Causes Air Traffic Chaos’ (BBC News, 6 May 2014) <>.
110 Mohan and Hamlen (n 75). Email from Kevin Hamlen to author (n 75).
111 V Mohan and K Hamlen, ‘Frankenstein: A Tale of Horror and Logic Programming’ 25(4) (ALP Newsletter Digest, December 2012) 3 <∼hamlen/mohan12alp.pdf> accessed 30 March 2016.
112 Schmitt (n 9) r 20(9).