Symposium | Symposium on the ICC Office of the Prosecutor’s Draft Policy on Cyber-Enabled Crimes
Introduction to the Symposium on the ICC Office of the Prosecutor’s ‘Draft Policy on Cyber-Enabled Crimes under the Rome Statute’
By Priya Urs
Published on 13 May 2025
In a statement issued on 7 March 2025, the Office of the Prosecutor of the International Criminal Court (ICC, the Court) published its ‘Draft Policy on Cyber-Enabled Crimes under the Rome Statute’ and invited comments from ‘all partners, especially from States Parties, civil society, interested private sector corporations, and other organisations with particular expertise in this area’. The draft policy ‘sets out how the Office will use its mandate and powers to investigate and prosecute cyber-enabled crimes within the Court’s jurisdiction (para 1), defining cyber-enabled crimes as ‘the perpetration by cyber means of the international crimes set out in the Rome Statute, and the facilitation by cyber means of such crimes, however committed’ (para 2). Additionally, the policy will apply to ‘cyber conduct which does not amount to the perpetration or facilitation of crimes within the jurisdiction of the Court, but which provides legally required context, or correlates with, or is otherwise probative of these crimes’ (para 2). The draft policy canvasses a range of issues: the existence and exercise of the jurisdiction of the ICC; the elements of the crimes, including offences against the administration of justice; the application of relevant modes of responsibility; and practical considerations, such as the need for technical expertise.
The publication of the draft policy is an important step towards the clarification not only of prosecutorial policy but also the applicability of international criminal law to conduct in cyberspace. The discussions to date of the application of international law to cyber operations, including at the UN Open-Ended Working Group on security of and in the use of information and communications technologies (OEWG), have excluded any specific consideration of international criminal law. The UN OEWG, which operates through the consensus of participating UN member states, is mandated by the General Assembly to ‘develop the rules, norms and principles of responsible behaviour of States’ in cyberspace (para 1). The Office of the Prosecutor’s draft policy is a different exercise entirely, focusing on individual criminal responsibility and prosecutorial policy at the ICC specifically. In spite of these differences, Stephany Aw, in her post, identifies the points at which the two exercises coincide, including in addressing the definition of an ‘act of aggression’ in the law on the use of force, which constitutes the foundation for the Rome Statute’s definition of the ‘crime of aggression’ (Rome Statute art 8 bis (1)). She asks whether the proposed policy could not give more careful consideration to the views of states (including states parties to the Rome Statute), expressed in the UN OEWG, on what constitutes the threat or use of force and an ‘act of aggression’ respectively in the cyber context. Conversely, she cautions against the over-reliance on ‘expert-led initiatives’, such as the forthcoming Tallinn Manual 3.0 and its predecessors (draft policy, para 11).
Setting aside the question of the sufficiency of references to states’ views, the general approach of the draft policy to cyber-enabled crimes is largely consistent with what is now a common refrain in discussions on the regulation of cyberspace: ‘while cyber-specific lawmaking can be helpful in certain areas, existing international law is largely adequate in covering cyber operations and other cyber-enabled conduct’ (para 9). On this view, the Rome Statute is declared to be ‘technology neutral’ and its provisions are said to ‘clearly apply’ to the commission or facilitation of relevant crimes ‘by cyber means’ (para 10). Kenneth Chan Yoon Onn points to the pragmatic reasons for taking such an approach, which, in the light of the rapidly changing technology landscape, insures the ICC against obsolescence. Yet he also warns against using it to too easily fit the commission or facilitation of crimes by cyber means within the Court’s jurisdiction (see draft policy para 10). Without sufficient elaboration, he argues, such an approach risks compromising the Statute’s commitment to the principle of legality through what could be perceived to be the effective expansion of its jurisdiction ratione materiae by analogy (Rome Statute art 22). Similarly, Chan cautions against an expansive approach to the Court’s jurisdiction ratione loci in the cyber context.
Christine Carpenter identifies other critical issues on which international law may not be ‘largely adequate’ (draft policy para 9) and on which the draft policy, as a result, is insufficiently clear: the use of artificial intelligence to perpetrate or facilitate the commission of international crimes and the satisfaction in this context of the requisite mental element or mens rea for individual criminal responsibility. The draft policy defines the term ‘cyber’ broadly, referring to ‘the range of activities involving information and communications (digital) technology, including artificial intelligence (AI)’ (draft policy para 20). It suggests that where the use of artificial intelligence ‘result[s] in’ international crimes, ‘such cases would need to be resolved in accordance with the same principles as any other case including the requirement for mens rea’ (draft policy para 87). For Carpenter, this catch-all approach fails to adequately address the unique challenges posed by artificial intelligence, in particular when its use creates a vacuum as to human responsibility. She helpfully draws attention to suggestions for how to address this regulatory gap in the existing literature, including in international humanitarian law, which the Office of the Prosecutor will no doubt need to consider in due course.
The urgent need to address the implications of the use of cyber operations and artificial intelligence, in particular in the commission of war crimes, which might already feature in situations under investigation by the Office of the Prosecutor, is likewise emphasised in the post by Florentina Pircher. Pircher points, first, to the difficulties of attribution of cyber conduct to individuals and, second, to the need for a comprehensive approach to assessing the effects of such conduct for the purpose of satisfying the admissibility requirement of the ‘sufficient gravity’ of a case (Rome Statute art 17(1)(d)). She then draws attention to a more practical, if equally significant, aspect of the draft policy, namely the emphasis placed on the need for cooperation with the private tech sector (draft policy para 100), which the Office has already initiated through a conference convened in partnership with Microsoft (draft policy para 17). This ‘demand’ for ‘effective partnerships’ (draft policy para 98), in Pircher’s view, should be met with care, in particular with a view to prosecutorial independence (Rome Statute art 42).
In the spirit of constructive engagement with the Office of the Prosecutor’s invitation for public comments, the four contributions to this symposium provide a range of views on different aspects of the draft policy. Ultimately, however, each contributor recognises the need for the Office to strike a balance between two competing pulls: on the one hand, the urgent need for clarification as to the application of the law and the articulation of prosecutorial policy to stay abreast of technological developments, and, on the other hand, the need to carefully consider the specific legal challenges posed by such developments, with each contributor cautioning, in their own way, against too hasty an approach to the extension of existing law and practice to ‘cyber-enabled’ crimes.
My thanks to the four authors for their excellent contributions and to the editors, including the managing editor, of CIL Dialogues for hosting this symposium.