The Gravity of Russia’s Cyberwar against Ukraine

[Lindsay Freeman is the Director of the Technology, Law and Policy Program at the Human Rights Center, UC Berkeley School of Law.

Amanda Ghahremani is a lawyer specializing in international criminal law and a Research Fellow at the Human Rights Center, UC Berkeley School of Law.

Sophie Lombardo is a second year law student at UC Berkeley School of Law and a Graduate Student Researcher at the Human Rights Center. ]

With so many atrocities committed in the context of Russia’s aggression against Ukraine–from the killing of civilians to the torture of POWs to the deportation of children–why should prosecutors care about cyber-attacks? This is the question that the Human Rights Center at the UC Berkeley School of Law sought to answer in its recent submission to the Office of the Prosecutor (OTP) of the International Criminal Court (ICC). In March 2023, the Berkeley team submitted its second article 15 communication on cyberwar in the Russia-Ukraine conflict, which presents the case for charging five Russian cyber-attacks against Ukraine’s critical infrastructure as war crimes either because they were directed at civilian objects or were indiscriminate in nature.

While the harms associated with cyber-attacks may appear negligible when compared to the physical destruction, injury, and death inflicted by traditional arms in Ukraine, cyber weapons can cause massive economic, political, and psychological damage, particularly on civilian populations. They can also inflict the same types of physical harm caused by kinetic attacks. As a consequence, cyber-attacks can satisfy the ICC’s gravity threshold. Professor Jennifer Trahan argues that the ICC’s gravity threshold will be an obstacle to charging most cyber operations under the Rome Statute. While true, the cyber-attacks in the Center’s submission meet the requisite threshold.

The proposed case comprises five incidents involving the most dangerous cyber threats facing the world today: (1) malware that disrupts systems controlling operational technology; and (2) malware that is indiscriminate by design. The cyber operations documented by the Berkeley team have caused extensive damage to critical infrastructure, such as power grids, satellite communications networks, and computer systems. They have also impacted millions of direct and indirect victims, both inside and outside of Ukraine. This post synthesizes the ICC’s jurisprudence regarding gravity and demonstrates how Russia’s cyberwar against Ukraine meets the gravity threshold.

The Gravity Threshold at the International Criminal Court

While article 17(1)(d) of the Rome Statute requires all cases to be sufficiently grave, the Prosecutor wields discretion to consider a case’s gravity during case selection and prioritization. Thus, gravity is both a prerequisite for the admissibility of a case (as determined by the judges) and a criterion for case selection (as determined by the Prosecutor). Gravity is assessed based on the case as a whole and not on individual incidents. As the ICC Elements of Crimes specifies, war crimes are particularly grave when they are “part of a large-scale commission” or committed “pursuant to a plan or policy.”

By virtue of the crimes within the ICC’s jurisdiction, all cases will necessarily be grave, and admissibility will hinge on additional serious characteristics. However, the Court has applied a permissive standard, requiring it not “to choose only the most serious cases” but rather “not to prosecute cases of marginal gravity” or “peripheral” to its mandate. Over the past twenty years, the ICC has clarified in numerous decisions that a case’s gravity will be assessed holistically, on the basis of both qualitative and quantitative factors.

The OTP’s policy paper establishes the guiding principles by which the Office exercises its discretion, considering the “scale, nature, manner of commission and impact of the crimes” in making its assessment. It identifies gravity as the “predominant case selection criteria,” embedded into considerations of both the “degree of responsibility of alleged perpetrators and charging.” In light of that fact, “the Office’s strategic objective [is] to focus its investigations and prosecutions […] on the most serious crimes within a given situation,” as the “international community as a whole” would view them.

ICC jurisprudence has consistently affirmed the role that qualitative factors play in determining whether a case meets the threshold, holding that the number of victims alone cannot form the basis of a gravity determination, and that factors such as “‘the nature, manner[,] and impact of the [alleged] attack’” are central to the inquiry. This standard has been extended to situations such as the Situation in the Republic of Kenya, in which Pre-Trial Chamber II reasoned that “it is not the number of victims that matter[s], but rather the existence of some aggravating or qualitative factors attached to the commission of crimes.”

In Prosecutor v. Abu Garda, the Appeals Chamber considered whether an intentional attack on a Darfuri peacekeeping mission satisfied the gravity threshold. Although the number of direct victims was relatively low–twelve peacekeepers were killed, and eight others’ lives were threatened–the Court observed that the offense impacted not just the immediate victims and their families, but also the “millions of Darfurian citizens” whom they had been charged to protect. In Prosecutor v. Al Mahdi, the Trial Chamber found that a mid-level perpetrator’s targeted attack on historic mosques and mausoleums in Timbuktu, Mali, satisfied the gravity threshold because it struck a blow at the heart of the community’s religious, historic, and cultural life. The Court found that “[t]he targeted buildings were not only religious buildings but also had a symbolic and emotional value for the inhabitants of Timbuktu,” reflecting their commitment to Islam. While the Court noted it generally considered crimes against persons to be more grave than crimes against buildings, here, the alleged crime’s careful execution, duration, number of victims, and emotional impact on the broader population rendered it sufficiently grave.

The findings on gravity in both Abu Garda and Al Mahdi demonstrate the ‘expressivist’ function of the ICC, which, as international law expert Matthew E. Cross explains, “places emphasis on the significance of criminal prosecution and punishment as symbolizing the legal and moral condemnation of the constituents of international criminal law.” Therefore, the ICC must not only consider cases that provide justice for individual victims, but also “impact cases” that can identify norms, clarify and strengthen existing laws, create progressive jurisprudence, and send a message to perpetrators of atrocities around the world that no one is above the law.

The International Criminal Court’s ‘Expressivist’ Function

As shown above, the exercise of the Court’s symbolic power is not unprecedented. When Sudanese militia forces killed twelve African Union peacekeepers in Darfur, it was not merely an attack on those twelve individuals, but an attack on the millions of civilians those peacekeepers were sent to protect. Thus, the Abu Garda case sought to strengthen legal protections for peacekeepers around the world. When Mali-based jihadists destroyed ten mosques and mausoleums in Timbuktu, it was not simply an attack on ten buildings, but an attack on all of the inhabitants in the region who vested the cultural property with great religious and emotional significance. Thus, the Al Mahdi case established legal protections for cultural heritage property.

Similarly, when Russian government hackers took out the Ivano-Frankivsk power grid in the winter of 2015, the Kyiv power grid in the winter of 2016, and a third power grid in 2022, they were not just attacks on three power grids, but attacks on every home, office, hospital, and essential service running on that power. As argued in the Human Rights Center’s filing: “they were attacks on the heating that keeps people warm in winter; the refrigeration that keeps food from spoiling; the traffic lights that ensure public safety; the financial services that protect people’s livelihoods and support the exchange of critical goods and services; the medical facilities people rely on for their health; the systems that insulate hazardous nuclear and chemical sites from urban centers; and the transportation, utilities, and communications that connect the Ukrainian community with each other and the outside world.” Thus, a case against Russian cyber forces would recognize strong legal protections for the civilian critical infrastructure that sustains daily life in the Digital Age.          

The Threat of ICS-Targeted Malware and Indiscriminate Attacks

Modern societies rely daily on industrial control systems (ICS), which are, as cybersecurity expert Sergio Caltagirone explains, “the ‘hidden computers’ and networks that underpin modern life.” These systems support power generation, “keeping the heating on and economies running,” reinforce levies that prevent flooding, “protecting lives and maintaining millions of acres of usable farmland,” and sustain the safe and efficient processing of food, “feeding more people and preventing illnesses.”

As described by threat analysts at Mandiant, Malware targeting ICS represents “an exceptionally rare and dangerous cyber-attack capability.” ICS-targeted malware is built to attack the systems controlling operational technology (OT) as opposed to information technology (IT). While the harm caused by IT-based cyber operations should not be taken lightly, they tend to fall below the threshold of “attack” under international humanitarian law (IHL). On the other hand, OT-based cyber operations can result in disruption, sabotage and, most significantly, physical destruction.

To date, only a few known ICS-targeted malware capabilities have been developed: Stuxnet, Triton, Havex, BlackEnergy3, Industroyer, Industroyer2, and Incontroller. Due to the technical skills, time, and financial resources needed to create this rare breed of malware, they all have been attributed to state actors. Other than Stuxnet, which was used on Iranian centrifuges to slow uranium enrichment and was attributed to the United States and Israel, the others have all been attributed to the Russian government and government-owned labs. The latter four–BlackEnergy3, Industroyer, Industroyer2, and Incontroller–all emerged in the Ukraine conflict.  In recent years, ICS-specific malware have become more complex, advanced, and easier to use. Thus, this type of malware is evolving in a dangerous direction with each new iteration increasing in its sophistication.

Cyber-attacks intended to cause physical destruction are the clearest violations of IHL if they occur in the context of an armed conflict and target civilian objects.  As Laurent Gisel and Lukasz Olejnik explain, specialized cyber operations against ICS and other OT can cause “intended or unintended physical effects (e.g. destruction or explosions), which may lead to a loss of human life (directly or indirectly).” Even though it may be difficult to assess the full scale potential human cost, these effects can be severe. As Sergio Caltagirone observes:

“With increasing connectivity and the proliferation of malware and knowledge, all of this is at risk of cyber-attacks. Without these industrial systems, millions or more may suffer from the lack of medical care, food, drinking water, or heating during winter and cooling during summer. It is a humanitarian imperative to protect these systems from disruption and to protect human life.”

A second mounting threat in our modern existence is malware that cannot distinguish between civilian objects and military objectives and cannot be controlled once it has been deployed, which is analogous to biological or chemical weapons traveling through the air or land mines buried in the ground. Indiscriminate cyber-attacks involving destructive, self-spreading malware like NotPetya or malware that causes excessively broad effects such as some wipers present a paramount risk that must be deterred. Since the internet consists of interconnected networks, a small localized attack can snowball into a worldwide catastrophe, as was the case with Sandworm’s NotPetya attack. In what became the costliest cyber-attack in history, the NotPetya code directed the malware to spread, as stated in a U.S. Department of Justice indictment, “automatically, rapidly, and indiscriminately,” reaching networks in 65 countries and rendering computer systems  around the world inoperable. 

Although the internet’s intrinsic connectedness and lack of territorial boundaries deliver huge benefits to users, those assets are also vulnerabilities. These types of malware exploit the architecture of the internet, weaponizing its interconnected networks, interoperable systems, and open information channels to wreak global havoc. The sheer reach of the internet enables crimes to be committed from remote distances, presenting new risks to the safety and security of civilians around the world.

Russian Cyber-Attacks Against Ukrainian Infrastructure are Sufficiently Grave

Over the past year, the world has witnessed a barrage of Russian cyber-attacks aimed at civilian targets, deployed at an unrelenting pace, and posing a persistent threat to civilians and critical infrastructure in Ukraine. As Russia fails to achieve its desired outcomes on the battlefield, the number and severity of cyber-attacks will continue to escalate. The ICC Prosecutor has a unique opportunity to bring a case that could set meaningful legal precedent and take an essential first step towards protecting civilians against 21st century threats during armed conflicts.