On the other hand, Hultquist, a combat veteran who served in Afghanistan and Iraq, also wonders whether cyber war crimes should be a priority given Russia’s ongoing physical war crimes in Ukraine. “There’s a stark difference between cyberattacks and attacks on the physical ground right now,” he says. “You simply cannot achieve the same effects with cyberattacks that you can when you’re bombing things and tanks are rolling down streets.”
Berkeley’s Freeman agrees that any ICC charges against Sandworm for cyber war crimes shouldn’t detract or distract from its investigation of traditional war crimes in Ukraine. But those ongoing, on-the-ground war crime investigations are likely to take years to bear fruit, she says; the investigation and prosecution of war crimes in Yugoslavia’s 1990s conflict, for instance, took decades. Freeman argues that prosecuting Sandworm for Russia’s 2015 and 2016 cyberattacks, by contrast, would be “low-hanging fruit,” given the evidence already assembled by security researchers and Western governments of the group’s culpability. That means it could offer immediate results while other Russian war crimes investigations continue. “A lot of what you need to try this case is there,” says Freeman. “You could bring this case to get some justice, as a first step, while other investigations are ongoing.”
Sandworm’s hackers already face criminal charges in the US. And last month, the State Department went so far as to issue a bounty of up to $10 million for information that could lead to the capture of the six hackers. But Freeman argues that the gravity of convicting the hackers as war criminals would have a larger deterrent effect, and might help actually lead to their arrest, as well. She points out that 123 countries are parties to the Rome Statute and obliged to help capture convicted war criminals—including some countries that don’t have extradition treaties with the United States, such as Switzerland and Ecuador, which might otherwise serve as safe havens for the hackers.
If ICC prosecutors did bring war crimes charges against Sandworm for its blackout attacks, the case would have to clear certain legal hurdles, says Bobby Chesney, director of the Strauss Center for International Security and Law at the University of Texas Law School. They’d have to convince the court that the attacks occurred in the context of war, for instance, and that the power grid wasn’t a military target, or that the attacks disproportionately affected civilians, he says.
But the more fundamental idea of extending the international laws of war to cover cyberattacks with physical effects—while unprecedented in ICC cases—is an easy argument to make, he says.
“All you have to do is ask, ‘What if the Russians had set up bombs at the relevant electrical substations to achieve the same effect? Is that a war crime?’ That’s the exact same sort of question,” says Chesney. He compares the new “cyber domain” of warfare to other kinds of warfare like aerial and submarine warfare, which were once new modes of war but no less subject to international law. “For all these new operational domains, extending the existing law-of-war concepts of proportionality and distinctions to them is a no-brainer.”
But the cyber domain is nonetheless different, says Freeman: It has no borders, and it allows attackers to instantly reach across the world, regardless of distance. And that makes holding Russia’s most dangerous hackers accountable all the more urgent. “Sandworm is continually active, and continually executing serious attacks with impunity,” she says. “The risk it presents is incredibly serious, and it puts the entire world at the front lines of this conflict.”
Correction 9:22pm ET, May 12, 2022: A previous version of this article incorrectly stated Cuba’s support of the Rome Statute. Cuba has not signed the statute. We regret the error.