• Homepage
  • Blog
  • General
  • The OTP’s Draft Policy on Cyber-Enabled Crimes: Opportunities and Challenges

Symposium | Symposium on the ICC Office of the Prosecutor’s Draft Policy on Cyber-Enabled Crimes

The OTP’s Draft Policy on Cyber-Enabled Crimes: Opportunities and Challenges

By Florentina Pircher
Published on 16 May 2025

“The International Criminal Court (ICC) at The Hague, Netherlands, on 23 July 2024” by Tony Webster. This file is licensed under the Creative Commons Attribution 2.0 Generic license.

The Office of the Prosecutor (OTP) of the International Criminal Court (ICC) recently published its ‘Draft Policy on Cyber-enabled Crimes under the Rome Statute’ (the policy), which is open for comments until 30 May 2025.

At the very outset, the policy sets out that the Rome Statute and the Court’s jurisdiction are ‘technology-neutral’ (para 10). This is a welcome recognition by the OTP that the cyber sphere is not ‘devoid of law’, but that the use of information and communication technologies (ICT) is already governed by international law. Such an acknowledgement in itself is not surprising but in fact widely shared among international lawyers (see here and here). It sets the right tone for a policy that, if followed by the proper implementation, has the potential of reaching many of its objectives, chief among them the goal of ensuring effective investigation and prosecution of cyber-enabled crimes under the Statute (para 14).

Nevertheless, the road to the effective repression of cyber-enabled crimes is paved with several obstacles, some of which are acknowledged in the policy and others that still need addressing. Drawing in part on a working paper which I recently co-authored with Kubo Mačák, and in the hope of supporting the finding of timely solutions, this blog post examines some of the accomplishments and remaining challenges of the policy, focusing on the investigation and prosecution of cyber-enabled war crimes.

Broad scope of the policy

Cyber-enabled war crimes are not only a concern for future armed conflicts but have already become a feature of today’s armed conflicts. This is even more so the case following the OTP’s definition of what amounts to a cyber-enabled war crime. According to the policy, even scant connection to ICT in the commission or facilitation of a war crime warrants considering it a cyber-enabled crime. This includes the ‘use of software to assign and authorise’ unlawful attacks (para 27) or an order being ‘communicated by means of digital communications technology’ (para 83).

The policy also extends to crimes committed in connection with artificial intelligence (AI), an essential inclusion in times where we are witnessing AI-powered rapid expansion of military attacks and violence with dire humanitarian consequences on civilians of unprecedented scale. The use of AI-enabled decision-support systems (AI-DSS), including in situations under the OTP’s investigation is already raising serious doubts when it comes to legal compliance. The impact of these systems clearly highlights the necessity of developing techniques for their investigation and prosecution as well as a thorough cyber policy.

Selected challenges to address and resolve

Unfortunately, there are some key barriers to investigation and prosecution, many of which apply to all crimes under the Rome Statute. The first is the problem of tracing cyber activities to a specific person, also referred to as attribution (mentioned in passing in para 122). Given the great potential for anonymity in cyberspace, it can be difficult to identify the device from which a cyber-operation originated, let alone the human behind it. This challenge is further exacerbated by the wide variety of actors, including civilians and private companies, involved in cyber conduct during armed conflicts. Given the centrality of this challenge in any discussion of accountability for cyber-enabled crimes, comprehensive solutions for addressing the attribution issue will be necessary in order to substantiate the policy’s credibility.

Another issue concerns the difficulty of quantifying harm caused by cyber-enabled crimes. Identifying a methodology for this is particular relevant in the context of the ICC, which is mandated to only prosecute crimes of ‘sufficient gravity’ (Article 17(1)(d) Rome Statute; policy para 95-97). The ‘potential human cost’ of cyber-enabled conduct can vary widely, from directly aiming attacks at specific individuals to interfering with the operation of large-scale industrial facilities. In light of the broad scope of the policy, quantifying the harm caused by some cyber-enabled war crimes might be quite straightforward while other situations will be very challenging. Additionally, cyber-enabled conduct can cause vastly different types of harm, spanning beyond physical and psychological harm to social and economic harm. The policy implicitly acknowledges the relevance of different types of effects, for example by mentioning possible ‘spill-over’ effects on critical services (para 97). The nature of cyberspace may, however, also give way to second- or third-order effects, such as cascading failures as well as escalation of armed conflicts more widely. Wider societal costs can even include, for instance, the stifling of political agency due to mass surveillance required for feeding AI-supported systems. A gravity assessment as well as a case selection that is cognizant of such larger effects of cyber conduct would constitute valuable contributions to rethinking conventional and often limited understandings of the harm caused by kinetic warfare.

In other situations, reaching a certain gravity threshold will not be an issue, even if the analysis is limited to first-order effects. This includes the example of AI-DSS used in Gaza today, the effects of which would meet any gravity threshold, no matter how high it is set. Nevertheless, AI-enabled war crimes come with a whole set of additional obstacles to ensuring investigation and prosecution, which have already been expertly outlined by others (see for instance here and here).

Partnerships and their potential pitfalls

In order to find solutions to any of these challenges and to have a chance at successfully investigating and prosecuting cyber-enabled war crimes, the OTP will need to acquire substantial technical expertise and tools. Key players capable of providing such support are private technology companies. The need for cooperation with the private sector therefore features heavily across the OTP’s policy, starting with the list of objectives set out in the beginning (para 14). In this vein, the OTP has, for instance, already partnered with Microsoft to find technical solutions needed for ensuring the investigation and prosecution of cyber-enabled crimes.

Relying on cooperation with private technology companies comes with its own potential pitfalls. First, recent sanctions against the ICC discussed and imposed by the United States (US) may put on hold any plans of partnerships with companies headquartered in the US, such as Microsoft. Existing sanctions are already putting the OTP’s access to its digital evidence platforms at risk. If further sanctions are imposed or the existing ones are expanded, they may have even more far-reaching consequences for the OTP’s capacity to address cyber-enabled crimes (let alone for the operation of the ICC as a whole).

Second, while cooperation and support from private actors is generally welcome, many of the private actors with access to tools and expertise (not to mention resources) needed for enabling investigations of cyber-enabled crimes are the very same actors already involved in military uses of cyber and AI. This includes the OTP’s partner Microsoft, which is allegedly involved in supporting militaries fighting in Palestine and Ukraine, both situations that have given rise to arrest warrants for war crimes. Investigations relying on the help of actors which may play a role in enabling, in one way or another, these war crimes raise concerns of independence, impartiality and credibility that the OTP should consider before expanding its partnerships or entering into new ones.

Both of these pitfalls highlight the need for the OTP to be proactive in finding workarounds and alternatives to partnering with private companies. Fortunately, profit-driven actors are no longer the only players in the cyber field. The OTP should also consider investing more heavily into its cooperation with civil society instead, including organisations specializing in the investigation of international crimes like Bellingcat or Forensic Architecture.

Conclusion

The policy is a clear win in terms of facilitating investigations and prosecutions of core international crimes. Not only does it enable the OTP to better address crimes that may otherwise have escaped its net, but it is also important for strengthening prosecutions at the domestic level (para 14). Furthermore, the development of such a policy can already be considered successful if it manages to shape debates and encourage filings related to cyber-enabled crimes. For instance, it may be a much needed contribution to combating the normalisation of the use of tools like AI-DSS on the battlefield. Nevertheless, in order to achieve any of these objectives, the policy will need to be followed up with clear action. Addressing the challenges outlined above will be crucial for ensuring the effectiveness and credibility of the final policy as well as the OTP as a whole.

Florentina Pircher is an independent international law consultant who has worked for several humanitarian and human rights organisations. She obtained her LLM from the Geneva Academy of International Humanitarian Law and Human Rights.