Symposium | Symposium on the ICC Office of the Prosecutor’s Draft Policy on Cyber-Enabled Crimes
Cyber-Enabled Crimes under the Rome Statute: Interactions with the UN OEWG Process
by Stephany Aw
Published on 13 May 2025
The Draft Policy on Cyber-Enabled Crimes under the Rome Statute (the Draft Policy) represents recent efforts by the Office of the Prosecutor (OTP) of the International Criminal Court (ICC) to grapple with the role that cyber technology increasingly plays in the commission of international crimes within the ICC’s jurisdiction. The Draft Policy sets out how the OTP intends to investigate and prosecute cyber-enabled crimes, which the Draft Policy defines as crimes within the ICC’s jurisdiction that are committed or facilitated by cyber means.
The international criminal law focus of the Draft Policy should not, however, belie the interactions that the Draft Policy may have with other areas of international law, some of which are under consideration at multilateral fora such as the United Nations (UN) Open-Ended Working Group (OEWG) on the security of and in the use of information and communications technologies (ICTs). The Draft Policy’s discussion on the prohibition of the use of force (in the context of the crime of aggression) and international humanitarian law (in the context of war crimes) stand out in this regard.
In the absence of substantive reference to the OEWG’s work in the Draft Policy (the OTP acknowledges the OEWG only once, in the introduction), this post analyses how the Draft Policy compares with the positions taken by States at the OEWG, focusing for present purposes on the OTP’s discussion on the prohibition of the use of force in the context of cyber-enabled crimes of aggression. Consequently, this post calls for continued caution in the Draft Policy’s approach towards questions of how international law applies in cyberspace and, in a similar vein, advocates for the acknowledgement of a wider representation of views in the final iteration of the Draft Policy.
The legal effect of the OEWG process
Before undertaking a substantive comparison between the legal positions adopted in the Draft Policy and at the OEWG, some preliminary comments should be made on the legal effect of the OEWG process.
Under UNGA 75/240, the OEWG, which is due to publish its final report after the end of its eleventh substantive session in July 2025, is mandated to ‘continue to study, with a view to promoting common understandings… how international law applies to the use of [ICTs] by States’. The OEWG is the latest iteration of a long line of multilateral processes at the UN concerning States’ use of ICTs in the context of international security, the cumulation of which has been instrumental in securing international agreement that international law applies to cyberspace. In particular, the OEWG processes have inclusively allowed the opportunity for all UN Member States to express their views on how international law applies in cyberspace.
The outcomes of the OEWG process, such as its consensus reports, do not create rules of international law. However, where such outcomes articulate a view on the application of international law, this may provide evidence of the existence and content of a rule of customary international law. Individual States’ comments at the OEWG may also serve as evidence of, if not practice, at least the opinio juris necessary to establish such a rule. Conversely, where the OEWG is not able to reach a consensus, and individual States’ views appear to differ on the existence and content of a rule of customary international law, more care should be taken in making assertions regarding such a rule.
Prohibition on the threat or use of force: A comparison between the Draft Policy and positions at the OEWG
The Draft Policy provides the OTP’s view on when a cyber operation may qualify as an ‘act of aggression’, an essential element of the crime of aggression set out in Article 8bis(1) of the Rome Statute. Under Article 8bis(2) of the Rome Statute, an act of aggression is defined as ‘the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations [(the Charter)]’. In the Draft Policy, the OTP considers that a cyber operation may amount to a prohibited use of force under Article 2(4) of the Charter, and therefore an act of aggression within the meaning of Article 8bis(2), depending on the effects of that operation. It cites as an example of such a cyber operation a case where ‘the operators of one State launch cyber operations against the armed forces of another State… thereby causing death, injury or physical damage’ (para 75). The OTP further caveats that the assessment is less clear where the cyber operation does not cause such consequences, and indicates its mindfulness of the ‘potentially evolving practice and positions of States on these issues’ (para 75). How do these positions square with discussions at the OEWG?
In the latest consensus report of the OEWG, States reaffirmed Article 2(4) of the Charter, adding that ‘conduct using ICTs that does not amount to a violation of the prohibition on the threat or use of force may, depending on the circumstances, be contrary to other principles of international law…’ The Draft Policy’s view that cyber operations can amount to a use of force prohibited under Article 2(4) of the Charter therefore seems to find some alignment with States’ positions at the OEWG. However, unlike the Draft Policy, the OEWG’s consensus reports have not yet provided details on the threshold that a cyber operation must meet to be considered a prohibited threat or use of force. The views raised by States at the OEWG also demonstrate some differences concerning this threshold. For example, States finding alignment with the Common African Position on the Application of International Law to the Use of ICTs in Cyberspace appear to take a similar approach to that of the OTP, acknowledging that cyber operations expected to cause physical damage, injury or death comparable to that of a kinetic operation would amount to a prohibited use of force. Some go further and reserve the possibility that cyber operations not causing physical damage may also amount to a prohibited use of force. Yet others have reserved their positions entirely, opining that there needs to be further discussion amongst States, or else remaining silent on the question of the requisite threshold.
The Draft Policy appears to have taken a somewhat middle-ground approach amongst these differing views, i.e. the approach that cyber operations are a prohibited use of force where they cause death, injury or physical damage while reserving the possibility of proceeding on the basis that a prohibited use of force has occurred even without a cyber operation causing these effects.
Comments on the Draft Policy’s approach towards prohibition of the use of force in cyberspace
As seen above, the Draft Policy is in some respect consistent with the position of States at the OEWG, namely the position that conduct using ICTs can amount to a prohibited use of force. In others, namely the question of the threshold for finding when a cyber operation amounts to a prohibited use of force, it is less so. The Draft Policy has nevertheless probably taken as defensible an approach as it can without completely staying silent on this issue since its articulation of the abovementioned threshold finds consonance with the views expressed by at least some States. Even so, two points are worth noting.
First, it is open to question whether there is now a practical need for the OTP to set a conclusive threshold for when it considers that a cyber operation constitutes a prohibited use of force. The OTP has itself acknowledged that currently, it is more likely that crimes of aggression will be committed via a range of acts, including kinetic or physical operations, so that the OTP is unlikely to consider cyber operations in isolation from other elements of a campaign of aggression. This being the case, there should be a careful weighing of the practical necessity of fixing the abovementioned threshold against the continued development of States’ positions on the matter.
Second, reflection on the discussions and outcomes at the OEWG, which will soon issue its final consensus report, should feature more significantly in the final iteration of the Draft Policy. The OEWG reports have thus far demonstrated some difficulty in obtaining consensus on detailed articulations of how certain rules of international law apply in cyberspace, and serve as a reminder of the need for the OTP to tread with caution in the formulation of its Draft Policy.
More substantive references to the discussions and outcomes of the OEWG (in addition to other sources) would also help provide a more balanced account of States’ views on the issues covered by the Draft Policy. At the moment, the Draft Policy’s main points of reference appear to be works of scholarship (the forthcoming Tallinn Manual 3.0 and the 2021 Council of Advisers’ Report on the Application of the Rome Statute of the International Criminal Court to Cyberwarfare), rather than the concrete views and practice of States. The OEWG process by no means stands as the only, or perfect forum for clarifying how international law applies in cyberspace. However, it currently offers the most representative platform for States to make their views on this issue known. It is these States’ views, as in all areas of developing international law, that should be central to the OTP’s application of international law in its investigation and prosecution of cyber-enabled crimes.
Stephany Aw is a DPhil candidate at the University of Oxford, and was previously Deputy Senior State Counsel at the Attorney-General’s Chambers of Singapore. This post was written in the author’s personal capacity and does not represent the views of the Singapore Government. Email: stephany.aw@law.ox.ac.uk