Given that the definitional context of article 2 (4) cannot be used for a classification of state-to-state cyber attacks, the current analysis will proceed to trying on the suit of ‘aggression’. Can a cyber attack be considered as the fourthinternational crime within the jurisdiction of the International Criminal Court, raising individual criminal responsibility for a head-of-state, provided that the required nexus with the hacker –or group of hackers- is established?Until recently, the relative literature on the topic tried to equate cyber attacks with acts of aggression using as a start-point the Consensus Definition of Aggression, adopted by the UN General Assembly in Resolution 3314 (XXIX) in 1974.
However, the Assembly of State Parties of the ICC in the recent Review Conference of the Rome Statute in Kampala, Uganda, finally adopted the following definition of aggression, reproducing almost verbatim the abovementioned UNGA definition.
Resolution RC/Res.6, Article 8 bis, Crime of aggression:
For the purpose of this Statute, “crime of aggression” means the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.
For the purpose of paragraph 1, “act of aggression” means the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations. Any of the following acts, regardless of a declaration of war, shall, in accordance with United Nations General Assembly resolution 3314 (XXIX) of 14 December 1974, qualify as an act of aggression:
a) The invasion or attack by the armed forces of a State of the territory of another State, or any military occupation, however temporary, resulting from such invasion or attack, or any annexation by the use of force of the territory of another State or part thereof;
b) Bombardment by the armed forces of a State against the territory of another State or the use of any weapons by a State against the territory of another State;
c) The blockade of the ports or coasts of a State by the armed forces of another State;
d) An attack by the armed forces of a State on the land, sea or air forces, or marine and air fleets of another State;
e) The use of armed forces of one State which are within the territory of another State with the agreement of the receiving State, in contravention of the conditions provided for in the agreement or any extension of their presence in such territory beyond the termination of the agreement;
f) The action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State;
g) The sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein.
At this point, it has to be mentioned that this essay will not deal with the established –particularly stringent– criteria for the exercise of jurisdiction by the Court and the –significantly diminished and subject to UNSC determination– powers of the Prosecutor.
In the effort to subsume the cyber attacks under the newly-defined crime of aggression, one stumbles upon the phrase ‘armed force’. Are the cyber warfare to be considered ‘arms’ according to the traditional meaning? International law does not offer a concrete definition of arms. Oxford Dictionary defines arms as ‘weapons’, which in turn are defined as ‘instruments or tools designed or used for inflicting bodily harm or physical damage’. Thus, cyber warfare definitely falls within the scope of this definition.
A further argument in favour of this is stems from the Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons by the International Court of Justice, in ruling that ‘he Charter neither expressly prohibits, nor permits, the use of any specific weapon, including nuclear weapons’.
Similarly, in a further analysis of the abovementioned enumeration of the acts that amount to acts of aggression, the phrase ‘armed forces’ constitutes an obstacle to the classification of cyber attacks as acts of aggression. Even if a research is conducted within the jus in bello international instruments, the results are limited.
The Additional Protocol I of the 1949 Geneva Conventions provides in article 43 that ‘he armed forces of a Party to a conflict consist of all organized armed forces, groups and units which are under a command responsible to that Party for the conduct or its subordinates’; a tautology which –obviously– is not particularly clarifying.
However, if one turns to states’ practice on a global level, it will be evident that cyber forces are beginning to constitute a separate branch of every technologically advanced state’s army. This matter is discussed further in the Current States’ Practice section of this paper.
Thus, if taken for granted that a cyber force can constitute part of a state’s armed forces, it is very easy for cyber attacks to fall within the legal scope of acts (a), (b), (c), (d) and (e) of aggression as enumerated above. As for (g), cyber attacks are perpetrated by hackers, who can be considered as ‘mercenaries’, assuming that a state hires them to wage targeted cyber attacks. The attribution of their actions to the perpetrator-state will be discussed infra.
Consequently, cyber warfare operations can potentially fit the definition of the crime of aggression as provided in article 8 bis.