This article explores the attribution potential of command responsibility in the cyber realm. The focus is on military commanders under whose command cyberattacks have been conducted that constitute or cause violations of international humanitarian law. While the law on command responsibility has seen some significant developments in the early case law of the International Criminal Tribunal for the former Yugoslavia, its application and practical effect has been quite limited. Prosecutors often opt to charge under other theories of liability, such as aiding and abetting and Joint Criminal Enterprise. Securing convictions under these liability theories is less onerous. Over the years, however, command responsibility has been broadened. The recent International Criminal Court ruling in Bemba can be regarded as another step in expanding the reach of command responsibility. Taking account of a more expansive concept of command responsibility, I discuss three scenarios of cyberwar crimes where the link between the commander and the crime differ in proximity. Command responsibility is most likely to trigger liability when cyber units are integrated into the army and are part of regular operations (scenario 1). Outsourcing cyber operations, however, can trigger liability, even when hackers remain anonymous (scenario 2). This would, however, require proof of link between a commander’s subordinates and (anonymous) hackers. When there is no such link there can be no command responsibility (scenario 3).
By entering this website, you consent to the use of technologies, such as cookies and analytics, to customise content, advertising and provide social media features. This will be used to analyse traffic to the website, allowing us to understand visitor preferences and improving our services. Learn more