This article argues that it is possible—given the right resources and expertise—to hold individual non-state actors responsible for violations of international humanitarian law (also known as ‘the laws and customs of war’) perpetrated with cyberweapons. It describes jurisdictional elements of violations of the laws and customs of war as well as points that prosecutors and investigators must consider when planning investigations of serious violations of international humanitarian law perpetrated in cyberspace. It addresses how certain theories of individual criminal responsibility for war crimes apply to offences committed by non-state actors during cyberwarfare and identifies particular evidentiary challenges arising from the particular qualities of cyberspace and cyberweapons. Individual accountability for war crimes perpetrated during cyber operations requires new thinking about the application of legal principles and theories during cyber conflict.
Cyber operations allow non-state actors, with relatively minimal effort, to produce state-level violence during armed conflict.1 Fortunately, international legal norms that guide the behaviour of states, groups and individuals during peace and conflict also apply in cyberspace.2 The precise contours of the application, however, remain undefined.3 Accordingly, this article examines one aspect of this broad topic: the substantive and practical challenges that prosecutors confront when investigating and prosecuting serious violations of international humanitarian law (‘war crimes’)4 by non-state actors during cyberwarfare.
Essentially, computer programs (or ‘software’) are a series of instructions, expressed in mathematical terms, followed by a computer to achieve certain tasks. These mathematical statements are known as ‘algorithms’ and they function at ‘unbelievable speed’.5 Malicious software, ie computer code designed to damage or disable other programs, and/or to collect intelligence, is referred to as ‘malware’.6 For example, some forms of malware, known as ‘botnets’, permit belligerent parties to launch coordinated attacks against adversaries by asserting ‘command and control’ over computer servers.7 The latest generation of malware includes cyberweapons with extraordinary sophistication and capabilities, including the ability to operate undetected ‘in the wild’ of cyberspace for extended periods of time.8 Indeed, the science of cyberweapon technology is so complex that contemporary military commanders may possess only a limited understanding of how these weapons function.9
Much about cyberwarfare challenges our understanding of armed conflict10 and the application of international humanitarian law. Unlike kinetic weapon systems, cyberweapons are not machines composed of many physical components; they are collections of data used to communicate instructions to software or hardware.11 In addition to their technical complexity, one starkly evident quality of cyberweapons is (ironically) their invisibleness. This characteristic of software code, combined with the vast anonymity and ‘interconnectivity’12 of cyberspace, presents profound challenges for the prosecution of individuals responsible for war crimes committed with cyberweapons.
For example, each of the principal Internet ‘backbone routers’ (the states, institutions and corporations that provide the most important fiber optic links for the Internet) typically maintains over 70 000 ‘routes’ for sending cyber messages from computer to computer and network to network.13 Thus, the source or sources of a cyberattack may be hidden or obscured by virtual activity in computers anywhere in the world or on the Internet.14 This anonymity impedes the identification of perpetrators of crimes using cyberweapons, including determinations whether the executors of cyberattacks are combatants, civilians or civilians directly participating in hostilities.15
This article explains that it is possible—given the right resources and expertise—to hold individual non-state actors responsible for violations of international humanitarian law perpetrated with cyberweapons. Section 2 describes jurisdictional elements of violations of the laws and customs of war. Section 3 addresses points that prosecutors and investigators must consider when planning investigations of serious violations of international humanitarian law perpetrated in cyberspace. Section 4 addresses how certain theories of individual criminal responsibility for war crimes apply to offences committed by non-state actors during cyberwarfare. Section 5 identifies additional evidentiary challenges arising from the particular qualities of cyberspace and cyberweapons. Finally, I conclude that individual accountability for war crimes perpetrated during cyber operations requires new thinking about the application of legal principles and theories during cyber conflict.
2. Jurisdictional Elements of War Crimes: The Existence of an Armed Conflict and Its Nexus to the Offence
A. The Armed Conflict
Consistent with the practice of national judicial systems, the principle of individual guilt in international criminal law requires proof of objective and subjective elements16: the actus reus—the physical act necessary for the offence—and the mens rea—the necessary mental element.17 An accused can be convicted of a crime only if her mens rea comprises the actus reus of the crime.18
However, in addition to evidence pertaining specifically to the guilt of an accused, a prosecutor must also establish the existence of certain broad, jurisdictional (or ‘contextual’) elements of the offence. For example, with respect to alleged violations of international humanitarian law, the prosecution must demonstrate that an armed conflict—whether international or non-international—existed at the time of the alleged offence.19 No central authority exists under international law to identify or classify a situation as an armed conflict. Instead, states and parties to a conflict must determine the legal framework applicable to the conduct of their military operations.20
In a generic sense, armed conflicts involve two or more organised armed groups engaged in fighting of some intensity.21 However, international humanitarian law distinguishes between ‘international’ and ‘non-international’ armed conflicts. An international armed conflict exists whenever there is a resort to armed force between states.22
The concept of a non-international armed conflict, however, is treated differently in international humanitarian law treaties. Common Article 3 of the 1949 Geneva Conventions, for example, obliges parties to non-international armed conflicts to treat humanely persons taking no active part in hostilities and those placed ‘hors de combat’. Common Article 3 applies in all situations of non-international armed conflict.23 According to the ICRC Commentary to Common Article 3, such non-international armed conflicts:
are protracted armed confrontations occurring between governmental forces and the forces of one or more armed groups, or between such groups arising on the territory of a state [party to the Geneva Conventions.] The armed confrontation must reach a minimum level of intensity and the parties involved in the conflict must show a minimum of organization.24
Similarly, the International Criminal Tribunal for the Former Yugoslavia (ICTY) holds that a non-international armed conflict exists whenever there is protracted armed violence between government authorities and organised armed groups or between such groups within a state.25 ICTY case law discusses and defines the contours of the two essential criteria indicated by the ICRC, protracted combat and organised armed groups.26
Article 1 of Additional Protocol II to the 1949 Geneva Conventions, however, addresses a narrower range of non-international armed conflict, ie only those armed conflicts between state armed forces and ‘dissident armed forces or other organised armed groups which, under responsible command, exercise such control over a part of its territory as to enable them to carry out sustained and concerted military operations’ and to apply the rules of APII.27 Effectively, Article 1 of APII requires a greater degree of conflict as well as a higher level of organisation for ‘armed groups’ than Common Article 3.28 Moreover, Article 1 of APII excludes the possibility that protracted combat solely between two or more organised armed groups constitutes a non-international armed conflict.
Common Article 3’s broader scope for non-international armed conflicts permits the broadest possible application of international humanitarian law.29 It also facilitates the widest possible application of treaty and customary rules of international humanitarian law applicable to non-international armed conflicts to cyberwarfare. Thus, for the purposes of this article, I will apply the definition of non-international armed conflicts emanating from Common Article 3 and adopted by the ICTY.
In addition, for the purposes of this section, I will assume that evidence of the pre-condition of ‘armed force between states’ (for international armed conflicts) or the ‘protracted armed violence’ precondition (for non-international armed conflicts) exists.30 The discussion will focus on the requisite proof to establish, in the context of a non-international armed (cyber) conflict, the existence of an organised armed group.
The threshold of proof required to demonstrate this jurisdictional element is relatively low as evidence of ‘some level of organisation’ of the group will suffice.31 In the context of kinetic warfare, several broad categories of material, alone or combined, generally are sufficient to demonstrate that an ‘armed group’ is organised: (i) evidence of a command structure; (ii) evidence that the group can carry out coordinated operations; (iii) evidence pertaining to the logistical capacities of the group; (iv) evidence demonstrating that the group maintains a level of discipline and the ability to implement the basic obligations of international humanitarian law; and (v) evidence illustrating the group’s ability to speak with one voice.32
Given the particular characteristics of the cyber battlespace, however, these evidentiary categories of organisation for the kinetic context are less helpful when the ‘armed group’ consists solely of cyber actors launching attacks against the infrastructure of state armed forces or other insurgent factions.33 The concept of ‘organisation’ can change radically in cyberspace. Assuming that there is a plurality of members, the identity of the group as a ‘group’ may consist only of periodic exchanges of electronic data.34 The members of the group may hide their identities from each other in the anonymity of cyberspace.35 Although the cyber group may contain only a ‘handful’ of members, their ability to cause harmful consequences to the enemy’s ability to fight may be substantial. Conversely, the group may have many members scattered around the world, loosely (and virtually) connected via the Internet.
Similarly, in many ways, the notion of ‘logistical capabilities’ becomes much less relevant in the context of cyber operations. The group’s ‘logistical’ needs, for example, may encompass only occasional access to a computer and the Internet. Its weapons may be ‘stored’ in the mind of a single member and disseminated merely with the touch of a button. Moreover, during kinetic warfare, the ability to control territory is a strong indicator of the organisational level of an armed group.36 Cyber networks arguably constitute ‘territory’ as well,37 but the control of electronic ‘territory’ implies a different kind of control than the governmental authority traditionally exercised over geographic areas by state and non-state actors. Control over ‘cyber territory’ involves electronic domination of a virtual environment that, in theory, can be achieved by a small group of persons or even a single individual.
These conceptual differences are not insurmountable for a prosecutor trying to establish the existence of an ‘organised armed group’. First, as mentioned above, it is only necessary to demonstrate ‘some level of organisation’ exercised by the group.38 That is a pragmatic approach because if this evidentiary bar were set too high, it would be too difficult to prove the existence of a non-international armed conflict. Consequently, persons affected by kinetic and/or cyberwarfare would lose the protections of international humanitarian law.
However, with respect to non-state actors conducting cyber operations (and only cyber operations), it also is important that this bar not be set too low. Given the ubiquity and relative inexpense of computer technology and infrastructure, the number of non-international armed conflicts could grow exponentially as cyber ‘hacktivists’, cyber terrorists and other actors claim some form of military association (and the political status accorded to such groups). An armed conflict where belligerent parties are loosely defined and constantly shifting and reforming within the borderless and invisible cyber domain ‘is in fact a conflict that knows no boundaries, has no beginning and can never have an end’.39 Such virtual armed groups would swallow the rule requiring some level of organisation. The result would be the extension of the right of states to use deadly force (pursuant to the rules of international humanitarian law) in situations where international human rights law normally would (and should) apply.
Thus, determinations concerning whether a non-state actor that relies solely on cyber activity to harm state armed forces or another non-state actor meets the threshold standard of an ‘organised’ armed group must be performed carefully, on a case-by-case basis. Furthermore, circumstances may arise where evidence (or the lack thereof) of the organisational level of the non-state actor should not control the determination of whether international humanitarian law applies. For example, Blank and Corn advocate a ‘totality of circumstances’ analysis for determination of the existence of an armed conflict, rather than the legalistic approach governed by the Tadić criteria.40 Under their test, when the chaos and levels of violence unleashed by one or more parties obscure the identity and organisation of non-state armed groups, common sense and the object and purpose of international humanitarian law demand that the parties comply with this legal regime.41 This is not to suggest that the criterion of ‘level of organisation’ has lost its significance. Rather, it is a pragmatic strategy to ensure that civilians and other affected persons receive the protections due them under international humanitarian law, at least until more clarity is available with respect to the nature of the conflict.
B. The Nexus Between the Armed Conflict and the Acts or Omissions of the Accused
If the existence of an armed conflict (be it international or non-international) has been established, the Prosecution also must establish a link between the alleged acts of the accused and the armed conflict.42 This nexus requirement distinguishes war crimes from domestic crimes and prevents random criminal acts from being characterised as violations of the laws or customs of war.43 During kinetic warfare, indicators of a link between the conduct of the accused and armed conflict include, inter alia, ‘whether the perpetrator was a combatant, whether the victim was a non-combatant, whether the victim was a member of the opposing party, whether the act may be said to have served the ultimate goal of a military campaign, and whether the crime is committed as part, or in the context of, the perpetrator’s official duties.’44
These same indicators also are relevant with respect to alleged crimes perpetrated via cyber operations. For example, if, during an armed conflict, a commander orders cyber operations that amount to a war crime, evidence of the link between the conflict and the commander’s behaviour will be obvious. In addition, evidence indicating that the cyber operation contributes to the overall military objective(s) of the originator—such as attacks against enemy military personnel or objectives—will be particularly relevant.45
Accordingly, depending on the circumstances (and the applicable legal theory), the available evidence must support a finding that a nexus exists between the acts or omissions of the accused and an armed conflict under international law. Absent these jurisdictional components, the Prosecutor has no case.
3. Planning an Investigation for Serious Cybercrimes by Non-State Actors
This section will discuss the important legal and logistical decisions that must be made before commencing an investigation into serious cybercrimes during armed conflict.
A. Case Selection
The investigation and prosecution of serious violations of international humanitarian law normally requires significant amounts of resources. Prosecutors and courts do not have the capacity to redress every crime and hold accountable every offender. Therefore, prosecutors must make difficult decisions as to which cases warrant their attention. At the ICTY, guidelines for the commencement of investigations emphasised a number of factors for consideration including:
the seriousness of the crimes, the numbers of victims, the duration of the offences and the scope of destruction;
the role of the person under investigation, especially his or her position in the political or military hierarchy, the extent of his or her authority and his or her alleged participation in the crimes under investigation; and
whether the persons and the crimes to be investigated were exceptionally notorious, although the persons did not hold a formal hierarchical position.46
Generally, the same selection criteria used for crimes linked to kinetic warfare should apply to cybercrimes committed by non-state actors during armed conflict. Investigation of a cyberattack that takes control of a civilian airliner and flies it into the ground, or releases the water held in check by a dam onto a civilian population, will be more appropriate than an inquiry into a cyberattack that disrupts the power supply of a school. A commander who plans and orders multiple, destructive and unlawful cyberattacks will bear a greater level of responsibility than a single operator who, in response to an instruction, launches one of the cyber strikes.47
Massive kinetic crimes, such as the mass murders and expulsions of entire communities from their homes common to contemporary armed conflict, require the assistance of large numbers of persons and the coordinated use of substantial resources.48 The human scale and systemic nature of such conduct usually presents multiple investigative avenues. For example, to evaluate whether a political figure illegally used speech to commit, instigate and/or aid and abet crimes against humanity, such as extermination, rape, deportation, etc, prosecutors and investigators will review the politician’s televised speeches, radio broadcasts and interviews and published writings. In addition, investigative staff will interview the persons who saw, heard and/or read those expressions in order to adduce the effect of that speech on the targeted audience, which may be the general public, an army brigade, a platoon of insurgents, etc.
However, in comparison to war crimes using kinetic means and methods, the sheer invisibleness and anonymity of cyberspace creates a great disadvantage for investigators and prosecutors. A cybercrime that results in mass destruction may accrue from a bit of invisible malware that has lain dormant for a period of time and altered its own structure to avoid detection and attribution. Thus, in the cyber context, selection of cases for investigation and prosecution will turn on the question whether some evidence exists of the identity of the perpetrators and their superiors, accomplices, etc, as well as the seriousness and notoriety of the crime.
B. Cyberwar Crimes
Pursuant to international humanitarian law, the laws of targeting, including the rules of distinction49 and proportionality,50 must apply when parties launch attacks with cyberweapons during armed conflict. The deliberate violation of these rules is a war crime, codified, inter alia, in the Rome Statute of the International Criminal Court (ICC).51
The interconnectivity of the Internet and the dual-use nature of many components of cyber infrastructure complicate efforts to prove that damage and harm caused by a cyberattack arose from a violation of the laws of war. Many cyber networks, both hardware and software, serve military and civilian purposes.52 By definition, they qualify as military objectives53 and lose their immunity from attack.54 Thus, proof of a deliberate cyberattack on civilians and/or civilian objects would be most convincing in situations—like the civilian airliner scenario mentioned above—where the target of the malware attack is computer infrastructure clearly separate from military networks and installations.
Nevertheless, attacks that employ certain means and/or methods that cannot discriminate between civilians and civilian objects and military objectives are ‘tantamount to direct targeting of civilians’.55 Similarly, encouragement of soldiers to fire weapons for which they lack training may be indicative of the indiscriminate nature of an attack.56 Furthermore, the indiscriminate nature of an attack may be circumstantial evidence that the attack actually was directed against the civilian population.57 Thus, if a non-state actor employs an unsophisticated or imprecise cyberweapon that cannot be targeted at a specific military objective or objectives, the individuals involved will be responsible for a war crime.58
Perceived violations of the proportionality rule may become common during cyberwarfare due to indirect effects of an attack that emanates through cyberspace. But the results of an attack are irrelevant to proportionality analysis in international humanitarian law.59 The prosecutor must prove that, at the moment the attack was launched, the anticipated incidental damage to civilians and/or civilian objects was clearly excessive to the expected military advantage.60 This is a reasonableness test, ie whether a reasonably well-informed person in the circumstances of the person responsible for the attack, making reasonable use of the information available to her, could have expected clearly excessive civilian casualties to result from the attack.61
Thus, the proportionality rule ‘is not a standard of precision’.62 Rather, military commanders must use their common sense and good faith when they weigh up the humanitarian and military interests at stake.63 In the context of cyberwarfare, however, the potential (although not necessarily the likelihood) for incidental damage is enormous, even for the most discriminate attack. Some cyberweapons, such as the ‘Stuxnet’ worm, are extraordinarily discriminate and precise.64 Nevertheless, even the ‘Stuxnet’ malware eventually found its way into the Internet, where it autonomously attacked thousands of computer systems around the world with far less precision than its designers intended.65
Some general considerations for a ‘reasonable’ proportionality assessment for an attack using cyberweapons may be helpful. First, the less sophisticated and precise the malware, the greater should be the expected incidental damage. Similarly, a cyberweapon with the ability to destroy (in whole or in part) the enemy’s computer infrastructure will possess a greater likelihood for incidental damage than malware that merely slows or otherwise disrupts the functioning of computer hardware. Moreover, malware that self-mutates so as to avoid detection (and deactivation) also carries a higher potential for incidental damage. Furthermore, with respect to the use of cyberweapons, part of the ‘reasonable commander’ standard for the proportionality analysis is a strong understanding of the functions and capabilities of the malware selected for the attack.66 From a criminal law perspective, the hard cases of proportionality will arise when a competent, knowledgeable commander orders a cyberattack using a relatively precise weapon, to achieve a limited military advantage.
4. Theories of Direct Individual Criminal Responsibility for Serious (Cyber) Violations of the Laws and Customs of War
If the Prosecutor can prove that cyberweapons were used to perpetrate a war crime, she still must demonstrate the individual criminal responsibility of the person(s) responsible. That requires proof of one or more modes of individual criminal responsibility recognised in international law.67 In this section, for the purpose of brevity, I will focus on four of these theories of liability: (i) Commission (including co-perpetration and participation in a common criminal purpose), (ii) Ordering, (iii) Instigation or Inducement, and (iv) Aiding and Abetting.
Individual ‘commission’ of a crime entails the physical perpetration of a crime or engendering a culpable omission in violation of criminal law.68 The actus reus of this mode of criminal liability is that the accused participated, physically or otherwise directly, in the material elements of a crime, through positive acts or omissions, whether individually or jointly with others.69 In addition to the actus reus, as mentioned above, attribution of criminal responsibility for any of the crimes that fall within the jurisdiction of the ad hoc tribunals and/or the ICC ‘depends on the existence of the relevant state of mind or degree of fault’.70
At the ad hoc international criminal tribunals, the requisite mens rea for commission is that the perpetrator acted with the intent to commit the crime, or with an awareness of the probability, in the sense of the substantial likelihood, that the crime would occur as a consequence of his/her conduct.71 The Rome Statute, however, excludes the application of the dolus eventualis standard, as well as the mens rea of recklessness, at the ICC.72 At the ICC, the criminal mens rea exists if the accused means to commit the crime, or if she is aware that by her actions or omissions, the crime ‘will occur in the ordinary course of events.’73
Frequently, ‘commission’ by an individual accused is the simplest mode of criminal liability to prove. Nevertheless, in the context of cyberwarfare, the problem of attribution of attacks, and the intent of the attacker can present formidable obstacles. Courts are unlikely to convict individuals for ‘commission’ of unlawful cyberattacks if prosecutors cannot provide forensic evidence demonstrating, beyond a reasonable doubt, that an individual or individuals launched a particular attack from a particular computer or network. This will be challenging as, for example, a computer located in one country may launch an attack controlled by a person situated in another part of the globe.74 Moreover, designers may develop malware that mutates automatically, making identification of the code and attribution more difficult.75
In addition to commission of a crime ‘as an individual’, accused may also incur liability as a ‘co-perpetrator’ if they commit a crime ‘jointly with another person’, or ‘through another person’.76 To establish that an accused person committed a crime ‘jointly with another’, it must be established that two or more individuals worked together in the commission of the crime.77 There must be an agreement—express or implied, previously designed or arising extemporaneously—that links the co-perpetrators and that justifies the ‘reciprocal imputation of their respective acts’.78 The accused must provide an essential contribution to the agreement that results in the commission of the relevant crime.79 The accused must be aware of her essential contribution, and must act with the intention that the crime occur, or with the awareness that by implementing the common plan, the crime ‘will occur in the ordinary course of events.’80
The theory of commission ‘through another person’ arises in situations where an accused makes use of another person who carries out the criminal conduct, ‘by virtue of the accused’s control over that person, and the latter’s conduct is therefore imputed on the former’.81 For example, the arrest warrant issued by the ICC against Libyan leader Mohammed Gaddafi based Gaddafi’s criminal liability on his ability to control the (mis)conduct of Libyan authorities and thereby commit crimes ‘through’ them.82
These forms of co-perpetration can also serve as bases for liability for unlawful acts of cyberwarfare. For example, an individual who, pursuant to an agreement, designs and produces malware that a co-perpetrator will use to commit a war crime, may be liable under the theory of ‘jointly’ committing a crime. Similarly, a person who wields great power and authority may compel one of her subordinates to use malware to violate international humanitarian law. If the crime occurs, the person in power can be responsible for committing a crime ‘through’ the underling.
In addition, at the ICC, individuals can incur criminal responsibility if they contribute to the commission, or attempted commission of a crime by a plurality of persons acting with a common criminal purpose.83 At the ad hoc tribunals, culpable participation in a common criminal purpose is referred to as a ‘joint criminal enterprise’ and requires a significant contribution to the realisation of the crime.84
Contributions to a common criminal purpose can include non-cyber as well as cyber activities. For example, if members of a non-state organised armed group decide to shut down all of the state’s hospitals, the success of the criminal plan may turn on a cyberattack on the hospital computer networks. The designer of the malware that damages the networks makes an essential contribution, as does the person who (intentionally) launches the malware towards its target. However, the persons who (intentionally) finance the malware development or provide the computer hardware needed to carry out the attack also make important contributions and thereby also incur accessory criminal liability.85
Responsibility under the mode of ‘ordering’ ensues when a person in a position of authority orders an act or omission with the awareness of the substantial likelihood that a crime will be committed in execution of that order, and, if the person receiving the order subsequently commits the crime.86 Orders need not take a particular form and the existence of orders may be established using circumstantial evidence.87 Liability ensues if the evidence demonstrates that the order substantially contributed to the perpetrator’s criminal conduct.88
In the context of cyberwarfare, it may be difficult to identify persons who hold a ‘position’ of authority over others. The measurement of authority in the virtual environs of cyberspace requires knowledge of the relative powers and abilities of often anonymous parties who may use cyber activities and infrastructure to obfuscate their identities and communications. ‘Rank’ or other traditional de jure forms of leadership may give way to more horizontal structures and dynamics that depend more on cyber skills and (enemy) vulnerabilities than the capacity to command and control.89
The modes of liability of soliciting and inducing fall into the broader category of ‘instigation’ or ‘prompting another to commit a crime’, in the sense that they refer to conduct by which a person influences another to commit a crime.90 The instigating acts or omissions must clearly contribute to the conduct of the persons who subsequently commit the crimes.91 Proof must also exist that the defendant intended to provoke or induce the commission of the crime, or was aware of the substantial likelihood that the commission of a crime would be a probable consequence of his acts.92
Proving criminal liability under the mode of instigation may be exceptionally difficult in the context of cyber operations. Instead of visible forms of expression that prompt criminal behaviour, instigation between cyber actors may take on new, electronic forms. For example, the release of a particular bit of computer code or use of certain computer language might influence other actors to commit crimes. How will a prosecutor identify such prompting behaviour from one anonymous individual to another within the invisible domain of cyberspace? Even if the prosecutor can identify the cyber inducement, she must also demonstrate that the electronic prompt (intentionally) contributed to the conduct of the person who actually perpetrated the crime. These evidentiary challenges will likely require non-electronic forms of evidence, such as witness testimony or contemporary reports by persons involved, that can explain the instigatory cyber communications and behaviour that prompted an unlawful act.
The requirements of ‘aiding and abetting’ are a contested area of international criminal law. At the ICTY, Appeals Chambers have divided over the question whether this mode of criminal responsibility requires that assistance to perpetrators be ‘specifically directed’ to the execution of specific crimes. In the case of Momčilo Perisić, one Chamber held that specific direction is an element of the actus reus of aiding and abetting.93 Subsequently, however, a differently constituted Chamber emphatically and ‘unequivocally’ rejected the Perisić approach.94 In Šainović, et al, the majority held that, under customary international law, the actus reus of aiding and abetting is ‘practical assistance, encouragement, or moral support which has a substantial effect on the perpetration of the crime’.95 The mens rea is the knowledge that the acts assist the commission of the crime.96
It is possible to imagine several modalities for aiding and abetting crimes perpetrated with cyberweapons. One person might identify a vulnerable civilian object, a second might produce malware to exploit the vulnerability while a third conducts the attack, and a fourth person creates obfuscating malware to conceal the origin of the attack.97 Each person would provide a substantial contribution to the commission of the war crime. Proof of the contributor’s criminal mens rea depends on her knowledge that crimes occur as a result of the group’s cyber activity. If it is a matter of common knowledge that a pattern of attacks on civilian cyber infrastructure exists, this would suggest that, at least after the initial attack(s), the contributor knew that her acts would assist the commission of the crime.98
5. Additional Evidentiary Challenges
A. The Meaning of ‘Relevant and Probative’ Evidence in Cyberspace
To be admissible in a criminal trial, evidence must be relevant and probative.99 ‘Relevant’ evidence is material that speaks to an issue at stake in the trial.100 ‘Probative’ refers to the presence of indicia of reliability regarding the accuracy and authenticity of the evidence.101 The example below illustrates the challenges of fulfilling these criteria with respect to crimes committed during cyber conflict.
Relevant cyber evidence will include malware found within infected/damaged computers and servers. The construction and ‘experience’ of that malware, however, is complex and open to challenge. For example, with respect to cyberweapons, after launch, computer code travelling in cyberspace is split into multiple data ‘packages’ which typically traverse different civilian or dual-use cyber structures before reaching their intended destination/target.102 Thus, new malware viruses can arrive at a cyberspace destination in pieces and subsequently self-assemble to perform their task.103 At trial, testimony from a cyber forensic expert will be necessary to explain what the malware is, how it functions, and how it affected the targeted computer.
But in the cyber domain it is typically unclear, even to the author of a cyberattack, which route(s) her data packages will use in order to arrive at their intended target.104 Furthermore, in future cyber conflicts millions of data packages will move in all directions.105 Because of the interconnectedness of cyberspace, it will rarely be possible to prove at which moment which components of the cyber infrastructure were used for a particular military operation.106 The probative value of the forensic expert’s evidence may diminish, therefore, unless she can explain, with precision, the journey of the malware from the non-state actor’s computer to the intended target, and how, if at all, that migration affected the malware.
B. Cyberwarfare and the Line Between Lawful Intent and Criminal Mens Rea
In addition, the nature of cyberweapons presents new challenges in distinguishing a criminal intent or mens rea from an accidental event. Because software usually is a detailed expression of mathematical statements, it does not fail in the same way as a mechanical system.107 Software does not ‘break’; instead it fails in a conceptual sense.108 Moreover, besides failures caused by mistakes in the computer code, software also can function unpredictably due to design errors, which lead to poor interaction between different systems.109 For example, as mentioned above, software code may evolve or mutate, resulting in cyber activities or attacks that cause damage or destruction beyond that intended by the computer programmers, operators and their commanders.110 The conceptual complexity of the technology, therefore, may obfuscate the true nature of the intent of the persons who employ the malware.
Thus, what appears, at first blush, to be a deliberate attack on civilian cyber infrastructure, may actually represent accidental and/or unforeseen indirect harm emanating from a (lawful) operation directed at military objectives. Conversely, it would be incorrect to assume that all carefully designed and sophisticated malware is intended to operate against precise and lawful targets. Some cyberweapons are designed specifically to afford ‘arbitrary, malicious functionality’.111 Thus, proof of a criminal mindset for a cyberattack will likely require more than cyber evidence. Witness testimony and documentary evidence concerning the intent of the perpetrators will be necessary to explain and corroborate the electronic data, as well as the prosecutor’s theory of individual responsibility.
The authors of the Tallinn Manual observed that ‘the application of the law of armed conflict to cyber operations can prove problematic’.112 In the criminal context, that is probably an understatement. The particularly challenging characteristics of cyberspace and cyberweapons demand new thinking, and new forensic techniques, for investigating and proving criminal responsibility. As cyber technologies—both benign and malevolent—continuously evolve, the technical and legal skills of prosecutors and investigators must also develop apace. Nevertheless, it is possible—given the right resources and expertise—to hold individual non-state actors accountable for violations of the laws and customs of war perpetrated with cyberweapons.