Cyber Warfare and the Limits of International Criminal Law: Can Digital Attacks Amount to War Crimes?

[Mahmoud Abdelwahab is a Deputy Public Prosecutor in Egypt, Director of the Financial Crimes Division within the North Cairo Public Prosecution, and a certified trainer on the Council of Europe’s HELP platform]

The current Iran-U.S.-Israel hostilities have again demonstrated that modern armed conflict unfolds on two tracks at once: the kinetic and the digital. In recent days, Reuters reported that cyber operations accompanied joint U.S.-Israeli strikes on Iran, with Iranian websites and applications disrupted and experts warning of retaliatory cyber activity against U.S. and Israeli networks. That detail matters beyond the immediate headlines. It underscores a broader legal problem that has been building for years: cyber operations are no longer peripheral to armed conflict, yet accountability for them still lags behind doctrine.

International lawyers often speak as if the principal challenge is whether the law applies at all. In my view, that is no longer the hard question. Existing international humanitarian law and international criminal law already provide a framework capable of addressing at least the most serious cyber operations during armed conflict, as reflected in the International Committee of the Red Cross’ analysis of cyber operations in armed conflict and the expert commentary contained in the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The harder question is narrower and more practical: when does a digital attack cross the line from an unlawful military operation into a war crime for which an identifiable individual may be held criminally responsible?

My argument is straightforward. There is no principled reason to place cyber operations outside the reach of war-crimes law when their foreseeable effects mirror those of conventional attacks. If a missile strike on a hospital may amount to a war crime, a cyber operation that disables the same hospital’s electricity, life-support systems, or emergency communications during armed conflict should raise the same legal concern. The problem is not a lack of legal categories. It is the combined weight of classification disputes, evidentiary difficulty, and the chronic weakness of attribution in the cyber domain.

The Law is Less Empty than it Sometimes Appears

The starting point should be stated plainly: cyber operations conducted in armed conflict do not take place in a legal vacuum. The ICRC has repeatedly emphasized that international humanitarian law protects civilians, civilian infrastructure, and civilian data against cyber harm, and that the ordinary rules of distinction, proportionality, and precautions continue to apply. The same premise runs through the Tallinn Manual 2.0, which, despite its non-binding status, remains the most influential restatement of how existing international law maps onto cyber operations.

That proposition should not be controversial. The law of armed conflict has never been technology-specific in the way popular discussion sometimes suggests. It regulates effects, targets, intent, and military necessity. A shell, a bomb, malware, or a command that manipulates industrial control systems are different means; they do not belong to different universes of law.

The Rome Statute is equally capable of accommodating this logic. Article 8 already criminalizes, among other conduct, intentionally directing attacks against civilians and civilian objects in international armed conflict. If one strips away the novelty of code and focuses on consequences, the doctrinal path is not especially exotic. A cyber operation that disables a dam, corrupts a hospital’s operating systems, or shuts down a power grid serving a civilian population may, in the right circumstances, fit squarely within pre-existing war-crimes prohibitions.

Effects Matter More than Form

The cleanest way to analyze cyber warfare under international criminal law is to focus on effects rather than form. That approach is also the most faithful to humanitarian logic. Civilians are not less harmed because the mechanism of violence is digital.

Recent events in the region illustrate the point indirectly. In June 2025, an Iranian missile strike damaged Soroka Medical Center in Beersheba, injuring dozens and disrupting operations at one of southern Israel’s principal hospitals. That incident was kinetic, not cyber. But it helps clarify the legal intuition that should guide cyber analysis. If the law is rightly concerned with the protection of hospitals from missile fire, it should be equally concerned with a wartime cyber operation that renders a hospital unable to ventilate patients, preserve blood supplies, process emergency imaging, or communicate with ambulances.

The key legal question is not whether a server was targeted instead of a building. It is whether the operation was directed against a protected object, whether civilian harm was intended or foreseeably excessive, and whether the attacker can plausibly claim a concrete and direct military advantage sufficient to justify the operation. Where the foreseeable consequence of malware is the disabling of a hospital’s core functions, the distinction between kinetic and digital attack starts to look morally and legally thin.

This is not merely a hypothetical concern. The ICRC has specifically highlighted hospitals and critical civilian infrastructure as objects protected against cyber attacks under the IHL Limits the Conduct of Cyber Operations principle of distinction. That point matters because the most dangerous cyber scenarios are often not spectacular in the cinematic sense. They are operational. A system failure in a hospital, water plant, or electricity network can produce cascading humanitarian harm without a visible explosion. International criminal law should not make visibility the threshold for seriousness.

Where the Real Difficulty Begins

If the substantive law is not empty, why have cyber war-crimes prosecutions remained so elusive? The first answer is attribution.

In ordinary criminal cases, prosecutors build a narrative from witnesses, physical evidence, documents, and motive. Cyber cases are different. Traffic is routed through multiple jurisdictions; actors use proxies, compromised infrastructure, rented botnets, and layers of deniability; and state practice often relies on public attribution standards that are politically persuasive but evidentially incomplete. What may satisfy a diplomatic press conference will not necessarily satisfy proof beyond a reasonable doubt.

This distinction is central. International criminal law is not designed simply to condemn a state’s behavior in the abstract. It is designed to identify natural persons: the commander who ordered the operation, the operator who executed it, the official who knowingly approved it, or the superior who failed to prevent or punish it within the applicable mode of liability. That requires far more than a generalized conclusion that a cyber operation was “Iranian,” “Israeli,” or “state-linked.” It requires a chain of proof tying a concrete act to a concrete person.

The current conflict again shows the problem. Reuters reported a wave of cyber disruption targeting Iranian digital services in the aftermath of U.S.-Israeli strikes, but attribution remained qualified and contested, with experts pointing to state-sponsored and hacktivist actors while formal responsibility remained opaque. That is typical of the field. Much of cyber conflict is publicly visible yet forensically incomplete.

The second difficulty is characterization. Not every hostile cyber operation in wartime is an “attack” in the international humanitarian law sense. Some operations steal data; some degrade communications temporarily; some manipulate information; some produce inconvenience without destruction. The line between espionage, sabotage, psychological operations, and attack is sometimes blurred. That uncertainty matters because war-crimes analysis depends on identifying the relevant conduct with precision.

Still, uncertainty at the margins should not obscure the core case. Where a cyber operation foreseeably causes death, injury, or serious disruption to protected civilian objects, the argument for legal relevance becomes significantly stronger. Once the operation resembles traditional battlefield harm in its consequences, doctrinal hesitation begins to look less like caution and more like inertia.

The Accountability Gap is Becoming Harder to Defend

What is emerging, then, is not a legal vacuum but an accountability gap. The law recognizes civilian protection. Expert guidance explains how it applies in cyberspace. States routinely affirm that international law governs cyber operations. Yet practical enforcement remains rare, and the rarity itself may be shaping behavior.

That gap has strategic consequences. If cyber operators believe that disruptive attacks on civilian infrastructure are less likely to trigger meaningful individual accountability than kinetic strikes producing similar harm, the law unintentionally creates an incentive structure. It tells sophisticated actors that digital coercion may offer many of the same operational advantages with fewer personal legal risks.

International criminal law should resist that asymmetry. The purpose of war-crimes law is not to preserve familiar categories of violence; it is to preserve humanitarian limits in changing forms of conflict. In that sense, the question is not whether cyber warfare is novel enough to require concern. The question is whether legal institutions are willing to treat digital methods seriously when the human consequences are no less grave.

The more persuasive position is to acknowledge both realities at once. First, existing law is already sufficient to reach at least some cyber operations as war crimes. Second, investigators and prosecutors need more specialized technical capacity, better cooperation mechanisms, and more disciplined evidentiary strategies if those cases are ever to move from commentary to courtroom. None of that requires a new treaty as a precondition for action. It requires a sharper willingness to use the law that already exists.

Conclusion

Cyber warfare is often presented as a frontier problem, and in one sense it is. The tools are evolving quickly, attribution remains difficult, and states continue to exploit ambiguity. But from the perspective of international criminal law, the deeper principle is old and should remain familiar: methods change, humanitarian limits do not.

A digital attack should not fall outside war-crimes scrutiny simply because the immediate mechanism is code rather than explosives. When cyber operations are directed against civilians or civilian objects, or when they foreseeably cause the same kind of grave harm that would plainly be unlawful if delivered kinetically, international criminal law already has the conceptual tools to respond. The real risk is not that the law cannot see cyber harm. It is that institutions will keep treating that harm as analytically interesting but operationally out of reach.

That would be a mistake. The current Middle East conflict is a reminder that modern war is hybrid by default. Accountability must become the same.