Command Responsibility and Cyberattacks

This article explores the attribution potential of command responsibility in the cyber realm. The focus is on military commanders under whose command cyberattacks have been conducted that constitute or cause violations of international humanitarian law. While the law on command responsibility has seen some significant developments in the early case law of the International Criminal Tribunal for the former Yugoslavia, its application and practical effect has been quite limited. Prosecutors often opt to charge under other theories of liability, such as aiding and abetting and Joint Criminal Enterprise. Securing convictions under these liability theories is less onerous. Over the years, however, command responsibility has been broadened. The recent International Criminal Court ruling in Bemba can be regarded as another step in expanding the reach of command responsibility. Taking account of a more expansive concept of command responsibility, I discuss three scenarios of cyberwar crimes where the link between the commander and the crime differ in proximity. Command responsibility is most likely to trigger liability when cyber units are integrated into the army and are part of regular operations (scenario 1). Outsourcing cyber operations, however, can trigger liability, even when hackers remain anonymous (scenario 2). This would, however, require proof of link between a commander’s subordinates and (anonymous) hackers. When there is no such link there can be no command responsibility (scenario 3).