Authored By: Devanshi Mehta
Loreto College, University of Calcutta (Recent Graduate)
Abstract
The December 2025 adoption of the International Criminal Court Office of the Prosecutor’s Policy on Cyber-Enabled Crimes under the Rome Statute represents a watershed moment in international criminal law. However, this development simultaneously exposes a profound crisis in jurisdictional coherence within the international legal order. This article critically analyses the emerging normative framework governing cyber-enabled international crimes, examining the structural fragmentation that undermines effective accountability. Through rigorous analysis of the ICC Policy, competing regional cybercrime conventions, and evolving state practice, this article argues that the current trajectory toward jurisdictional balkanisation threatens to create safe havens for cyber-enabled atrocities while fundamentally destabilising the protective architecture of international humanitarian law. The article further contends that the technical attribution challenges inherent in cyber operations, combined with the proliferation of divergent legal frameworks, have generated an accountability vacuum that sophisticated state and non-state actors systematically exploit.
I. Introduction
On December 3, 2025, the International Criminal Court Office of the Prosecutor issued its landmark Policy on Cyber-Enabled Crimes under the Rome Statute, marking the first major policy response by an international prosecuting authority to address how core international crimes may be committed or facilitated through cyber means. This policy intervention arrives at a critical juncture when cyberspace has evolved from a peripheral concern to a primary operational domain for the commission of genocide, crimes against humanity, war crimes, and the crime of aggression. As ICC Prosecutor Karim A.A. Khan articulated, the tools used to commit serious international crimes are constantly evolving — from bullets and bombs to social media, the internet, and artificial intelligence.
Yet beneath this ostensible progress lies a troubling reality. The international legal architecture governing cyber-enabled crimes is not merely underdeveloped; it is actively fragmenting into incompatible regional regimes, each reflecting divergent sovereignty priorities. The Budapest Convention on Cybercrime, which Western states positioned as a global instrument in 2001, has failed to achieve universal adoption. Instead, competing frameworks have emerged — including the African Union Convention on Cyber Security, the Shanghai Cooperation Organisation Agreement, and the League of Arab States’ Cybercrime Convention. These instruments embody fundamentally incompatible approaches, categorised as ordinary crimes, high politics, and domestic management paradigms, reflecting broader geopolitical contests over digital sovereignty.
This fragmentation generates catastrophic consequences for international criminal accountability. When the same cyber operation enabling persecution as a crime against humanity may be characterised as lawful intelligence gathering under one framework, cyber warfare under another, and a domestic security matter under a third, the concept of universal criminal jurisdiction becomes incoherent. The technical attribution challenges compound this crisis exponentially. Unlike kinetic warfare, where physical evidence establishes jurisdiction, cyber operations exploit the borderless architecture of information networks to deliberately obscure attribution. Sophisticated actors route attacks through intermediary servers across multiple jurisdictions, deploy autonomous AI-driven malware, and leverage commercial surveillance technology developed by private mercenary firms.
This article advances three principal arguments. First, the ICC’s 2025 Policy, while doctrinally sound, cannot solve the systemic crisis of jurisdictional fragmentation. Second, the patchwork of regional cybercrime frameworks creates intentional accountability gaps that states exploit. Third, technical attribution challenges combined with fragmented legal frameworks have generated a de facto impunity regime that threatens to render international humanitarian law obsolete absent urgent structural reform.
To develop these arguments, this article proceeds in four parts. Part II examines the normative architecture of the ICC’s 2025 Policy. Part III dissects jurisdictional fragmentation and the attribution crisis in international cybercrime law. Part IV proposes institutional reforms. The conclusion reflects on the existential challenge cyber-enabled international crimes pose to international criminal law.
II. The ICC Policy on Cyber-Enabled Crimes: Doctrinal Foundations and Structural Limitations
A. Technology Neutrality and the Rome Statute’s Adaptive Capacity
The cornerstone principle of the ICC Policy rests on the technology-neutral character of the Rome Statute. The Office of the Prosecutor explicitly affirms that crimes within the Court’s jurisdiction can be carried out wholly or partly through cyber means, provided the material elements are satisfied. This interpretive approach draws strength from the Vienna Convention on the Law of Treaties. Article 31 mandates that treaties be interpreted in good faith in accordance with the ordinary meaning of their terms in context and in light of object and purpose. The Rome Statute’s object — to end impunity for perpetrators of the most serious crimes — necessarily encompasses crimes committed through evolving technological means.
The Policy demonstrates technology-neutral application across all four core crimes. For genocide under Article 6, acts such as killing members of a protected group or causing serious bodily or mental harm can be accomplished through cyber means. A coordinated cyber attack disrupting hospital infrastructure managing intensive care for predominantly Rohingya patients, resulting in preventable deaths, could constitute killing members of a protected group with requisite dolus specialis. Similarly, sophisticated information operations using AI-generated deepfake content to induce severe psychological trauma among a targeted ethnic community could amount to causing serious mental harm.
Crimes against humanity under Article 7 present particularly salient cyber manifestations. The Policy specifically addresses persecution through cyber surveillance technologies. When authoritarian regimes deploy spyware like NSO Group’s Pegasus against journalists and dissidents as part of a widespread or systematic attack, this satisfies both actus reus and mens rea requirements. The intentional and severe deprivation of fundamental rights based on group identity occurs through digital rather than kinetic means.
For war crimes under Article 8, the Geneva Conventions and Additional Protocols apply with equal force in cyberspace. The fundamental principles of distinction, proportionality, and precaution bind belligerents regardless of operational domain. A cyber operation intentionally disabling a water treatment facility serving civilians during international armed conflict constitutes a war crime of attacking civilian objects under Article 8(2)(b)(ii). The Tallinn Manual 2.0 confirms that cyber operations causing effects equivalent to kinetic operations are subject to the same international humanitarian law constraints.
B. Modes of Liability and the Private Sector Nexus
The Policy’s treatment of modes of liability under Article 25 extends beyond direct commission to encompass ordering, soliciting, inducing, and aiding and abetting cyber-enabled crimes. This proves critical given the commercial surveillance industry’s role in enabling state-sponsored persecution. Private entities such as NSO Group, Intellexa, and Candiru develop and supply sophisticated offensive cyber capabilities to state actors with knowledge of systematic deployment against human rights defenders.
The requisite mental element for aiding and abetting requires both knowledge that one’s conduct assists the principal perpetrator, and either purpose or awareness that the crime will be committed. Evidence from leaked internal databases reveals that surveillance technology vendors maintain extensive operational awareness through technical support arrangements and customised capability development. When Citizen Lab documented Pegasus spyware deployed against thirty-six journalists associated with Jamal Khashoggi’s murder, NSO’s continued provisioning potentially satisfies the aiding and abetting mens rea standard.
The Policy explicitly addresses crimes within commercial contexts, emphasising that the Rome Statute applies equally regardless of whether crimes occur within commercial frameworks. This clarification proves essential because the cyber surveillance industry systematically invokes commercial confidentiality and national security privileges to obstruct accountability investigations. The Policy’s commitment establishes crucial doctrinal foundation for piercing corporate veils shielding cyber mercenary firms.
C. Institutional Capacity Deficits and Evidentiary Challenges
Despite doctrinal coherence, implementation confronts severe institutional capacity constraints. Investigating cyber-enabled crimes requires highly specialised technical expertise that the OTP neither possesses internally nor routinely funds. Attributing malicious code, analysing network behaviour, and reconstructing cyber operations demand capabilities far exceeding traditional forensic investigations. The digital evidence preservation challenges compound exponentially when data resides across multiple jurisdictional clouds employing sophisticated encryption.
The Policy contemplates addressing expertise gaps through secondments, external consultants, and Article 93 assistance requests. However, these mechanisms prove inadequate. Secondments from states implicate potential conflicts of interest when investigating state-sponsored operations. Commercial forensic firms may possess capabilities but lack independence. Civil society organisations provide valuable documentation but cannot substitute for criminal investigation standards.
Furthermore, the evidentiary framework confronts the fundamental opacity of cyber operations. Unlike kinetic warfare, where satellite imagery and physical forensics establish records, cyber attacks may leave only ephemeral digital traces intentionally designed to mislead investigators. Advanced persistent threat actors routinely employ false flag techniques that deliberately implicate third parties. The Stuxnet attack demonstrated how sophisticated operations can remain undetected despite significant physical destruction. When the OTP must establish individual criminal responsibility beyond reasonable doubt, these attribution challenges threaten to render successful prosecutions extraordinarily rare.
III. Jurisdictional Fragmentation and the Crisis of Normative Coherence
A. Competing Regional Frameworks and Divergent Sovereignty Paradigms
The fragmentation of international cybercrime law reflects fundamentally incompatible visions of sovereignty rather than mere technical implementation differences. Mailyn Fidler’s comprehensive analysis identifies three distinct approaches: the ordinary crime approach exemplified by the Budapest Convention, the high politics approach embodied in the Shanghai Cooperation Organisation Agreement, and the domestic management approach reflected in certain African and Arab frameworks. These categorisations reveal that cybercrime conventions serve as vehicles for broader sovereignty contests.
The Budapest Convention’s ordinary crime approach treats cybercrime as a technocratic transnational criminal matter addressable through established extradition and mutual legal assistance mechanisms. This framework prioritises effective adjudication through routine bureaucratic processes while depoliticising cyber operations. Western states championed this approach by leveraging existing international criminal cooperation institutions they largely designed and control. However, substantive provisions criminalising unauthorised computer access generate severe tensions with authoritarian states that reject constraints on government surveillance capabilities.
The high politics approach embedded in the Shanghai Cooperation Organisation Agreement explicitly prioritises state sovereignty over individual rights protections. This paradigm treats cyber operations as national security matters requiring direct state-to-state diplomatic engagement. Russia and China advanced this model to preserve operational flexibility for state-sponsored cyber operations while establishing rhetorical frameworks condemning Western digital penetration as information warfare. Substantive definitions frequently encompass content-based offences criminalising online expression that threatens regime stability — fundamentally incompatible with international human rights law.
The proliferation of incompatible frameworks generates catastrophic accountability gaps. Consider a hypothetical scenario: Iranian actors deploy malware against Saudi critical infrastructure, routing attacks through European cloud servers operated by an American technology company whose code development is outsourced to a Russian firm. Under the Budapest Convention, European states might characterise this as criminal unauthorised access subject to mutual legal assistance. The Shanghai framework could classify it as legitimate information warfare. Iranian law might categorise it as lawful intelligence gathering. Saudi Arabia could invoke self-defence principles under UN Charter Article 51.
B. The Attribution Crisis and Jurisdictional Ambiguity
Technical attribution challenges endemic to cyber operations interact with jurisdictional fragmentation to create systematic impunity. Attribution in international law encompasses two distinct concepts: factual attribution, establishing which entity conducted operations, and legal attribution, determining state responsibility for non-state actor conduct under the law of state responsibility. Both dimensions confront severe obstacles that traditional international law doctrines struggle to address.
Factual attribution requires establishing actual perpetrator responsibility through technical forensic analysis. Sophisticated actors deliberately exploit borderless internet infrastructure to obscure identities. Advanced persistent threat groups route attacks through compromised systems in multiple jurisdictions, employ encryption resisting cryptanalysis, and deploy false flag techniques embedding artifacts implicating third parties. The emergence of AI-driven autonomous cyber agents further complicates attribution by enabling malware that adapts its behaviour without direct human control, potentially generating effects exceeding original programming parameters.
Legal attribution under the International Law Commission’s Articles on State Responsibility employs standards of effective control and overall control to determine state responsibility for non-state actor conduct. The International Court of Justice established in Nicaragua that state responsibility requires effective control over specific operations, while the ICTY adopted the more permissive overall control standard in Tadić. However, both doctrines prove ill-suited for cyber operations where states deliberately maintain plausible deniability through arm’s-length proxy relationships.
Russia’s deployment of cyber operations through ostensibly independent hacktivist collectives during Ukrainian military operations exemplifies attribution manipulation. Groups such as Fancy Bear and Cozy Bear maintain operational relationships with Russian intelligence services while preserving formal independence, complicating legal attribution. When these groups conduct operations targeting Ukrainian critical infrastructure coinciding with kinetic strikes, establishing requisite state control requires extraordinary intelligence that most states cannot achieve. The resulting attribution ambiguity enables systematic deployment of cyber operations falling below armed attack thresholds while devastating civilian populations through cumulative effects.
C. The Accountability Vacuum and Systematic Exploitation
The convergence of jurisdictional fragmentation and attribution challenges has generated a de facto accountability vacuum that sophisticated actors systematically exploit. This impunity regime operates through three mutually reinforcing mechanisms: legal safe havens created by competing frameworks, technical opacity deliberately cultivated by perpetrators, and institutional capacity deficits preventing effective investigation.
Legal safe havens emerge when states refuse to criminalise cyber operations or decline extradition by invoking national security exceptions. Russia harbours cybercriminal organisations generating billions through ransomware while maintaining informal understandings that avoid targeting Russian entities. North Korea deploys state-sponsored operations to evade sanctions and fund nuclear programs through cryptocurrency theft. When these states invoke sovereignty principles refusing cooperation with international criminal investigations, the fragmented jurisdictional framework provides no effective recourse.
Technical opacity allows perpetrators to exploit attribution challenges deliberately. When states conduct operations through commercial surveillance vendors or hacktivist proxies, they create evidentiary barriers preventing prosecution even where jurisdictional authority exists. NSO Group’s deployment of surveillance technology against human rights defenders illustrates this strategy. Israel maintains it cannot regulate commercial surveillance exports because such regulation would compromise intelligence relationships. NSO Group invokes commercial confidentiality, refusing client disclosure. Victim states lack the technical capacity to conduct forensic investigations establishing liability chains.
Institutional capacity deficits prevent accountability even where jurisdiction and evidence theoretically exist. The ICC Office of the Prosecutor acknowledges that investigating cyber-enabled crimes exceeds current technical capabilities absent substantial external support. Most domestic jurisdictions face even more severe constraints. When advanced persistent threat actors conduct operations across dozens of jurisdictions employing sophisticated anti-forensic techniques, few law enforcement agencies possess comprehensive investigation resources. The resulting accountability vacuum enables cyber-enabled atrocities to proliferate with minimal deterrent effect.
IV. Toward Jurisdictional Coherence: Institutional Reforms and Normative Reconstruction
A. Establishing an International Cyber Attribution Agency
Restoring accountability requires establishing an independent International Cyber Attribution Agency with the technical capacity to conduct forensic investigations meeting criminal prosecution standards. Current attribution mechanisms rely on national intelligence agencies whose findings remain classified — limiting evidentiary value for criminal proceedings — or private cybersecurity firms whose commercial incentives compromise independence. An ICAA modelled on the International Atomic Energy Agency could provide credible attribution determinations through transparent methodologies while protecting sensitive sources through controlled disclosure procedures.
The ICAA’s mandate should encompass three core functions. First, developing standardised technical attribution methodologies combining network forensics, malware analysis, and behavioural profiling to establish factual perpetrator identity with sufficient confidence for criminal proceedings. Second, maintaining global monitoring infrastructure through partnerships with internet service providers to preserve ephemeral digital evidence before its destruction. Third, providing expert testimony and technical assistance to international and domestic tribunals investigating cyber-enabled atrocities.
Critically, the ICAA must operate with strict independence from state intelligence agencies while maintaining access to classified threat intelligence through controlled information-sharing protocols. The governance structure should parallel the IAEA Board model, balancing geographic representation with technical expertise requirements. Funding through assessed contributions would ensure operational sustainability while avoiding voluntary contributions that could compromise independence. The ICAA could begin operations focused on cyber-enabled crimes against humanity and war crimes within ICC jurisdiction, expanding progressively as institutional capacity develops.
B. Harmonising Regional Frameworks Through Protocol Convergence
Addressing jurisdictional fragmentation requires diplomatic initiatives pursuing normative convergence across competing regional frameworks rather than aspirational universal treaty adoption. The Budapest Convention’s expansion efforts have demonstrably failed to achieve global consensus given fundamental sovereignty disagreements. A more pragmatic approach would develop supplementary protocols to existing regional instruments establishing minimum harmonised standards for cyber operations potentially constituting international crimes.
These protocols could establish core principles that states across sovereignty paradigms might accept. First, cyber operations causing death or serious physical injury to civilians during peacetime should be universally criminalised regardless of regional framework characterisation. Second, states should commit to prosecuting or extraditing individuals responsible for cyber-enabled genocide, crimes against humanity, and war crimes, consistent with complementarity principles. Third, minimum international human rights standards should constrain cyber surveillance and information operations even where legitimate national security interests exist.
The International Law Commission could facilitate protocol development through its standard-setting function. The ILC’s current work program includes topics on identification and legal consequences of peremptory norms of general international law, which provides doctrinal foundation for establishing jus cogens prohibitions on cyber-enabled atrocities. Regional organisations could negotiate protocol adoption through parallel processes, with the United Nations General Assembly providing coordination mechanisms ensuring substantive alignment. This bottom-up harmonisation approach accommodates sovereignty sensitivities while establishing minimum accountability standards.
C. Expanding Universal Jurisdiction and Complementarity
Universal jurisdiction doctrine must expand to encompass cyber-enabled international crimes, given the borderless nature of cyber operations. Traditional universal jurisdiction applies to piracy, torture, and genocide based on their heinous character threatening the international community. Cyber-enabled crimes against humanity and war crimes satisfy the same normative justification, given their grave threats to international peace and security. States should enact domestic implementing legislation establishing universal jurisdiction over cyber-enabled Rome Statute crimes regardless of territorial nexus or perpetrator nationality.
Recent European jurisdictional developments demonstrate the potential of universal jurisdiction. Germany’s Federal Prosecutor has investigated Syrian government officials for cyber-enabled persecution through surveillance technologies deployed against opposition activists, asserting universal jurisdiction based on the crimes against humanity character of those acts. France has pursued prosecutions against commercial spyware vendors under its universal jurisdiction statute for complicity in torture through surveillance technology sales to repressive regimes. These precedents establish that cyber-enabled international crimes can be effectively prosecuted under universal jurisdiction frameworks when territorial or nationality jurisdiction proves unavailable.
Expanding complementarity mechanisms would further enhance accountability by enabling ICC jurisdiction where states prove genuinely unable to investigate cyber-enabled crimes due to technical capacity limitations. Article 17 of the Rome Statute establishes that cases are inadmissible where states with jurisdiction are genuinely investigating or prosecuting. However, when states lack the technical infrastructure for cyber forensics investigations, the inability criterion should trigger ICC jurisdiction even in the absence of unwillingness to prosecute. The Pre-Trial Chamber should interpret inability broadly when addressing cyber-enabled crimes, given their extraordinary technical demands.
V. Conclusion: The Existential Challenge to International Criminal Law
The December 2025 ICC Policy on Cyber-Enabled Crimes represents a crucial doctrinal advance affirming that international criminal law applies with equal force in cyberspace. However, this policy intervention cannot overcome the systemic fragmentation crisis enabling cyber-enabled atrocities to proliferate with minimal accountability. The proliferation of incompatible regional cybercrime frameworks, combined with the attribution challenges inherent in cyber operations, has generated an impunity regime that sophisticated actors systematically exploit to devastating effect.
The stakes of this crisis extend beyond particular prosecutions to implicate international criminal law’s fundamental legitimacy. If the legal architecture governing the most serious crimes cannot adapt to the defining warfare modality of the twenty-first century, its claim to universal applicability becomes hollow rhetoric. When authoritarian regimes deploy commercial surveillance technology to systematically persecute human rights defenders through cyber means while Western democracies conduct their own targeted operations against adversary civilian infrastructure, the selective enforcement pattern reinforces perceptions that international criminal law serves great power interests rather than universal justice.
The institutional reforms proposed — establishing an International Cyber Attribution Agency, harmonising regional frameworks through protocol convergence, and expanding universal jurisdiction — represent necessary but not sufficient conditions for restoring accountability. Ultimately, addressing cyber-enabled international crimes requires political will from states to subordinate short-term operational flexibility to long-term normative stability. So long as major powers prioritise preserving their own cyber warfare capabilities over establishing binding constraints, the fragmentation crisis will intensify.
The trajectory of international criminal law in the cyber age remains contingent on choices the international community makes. The establishment of clear attribution mechanisms, harmonised normative frameworks, and enhanced institutional capacity could channel cyber operations into regulated pathways subject to accountability. Alternatively, continued fragmentation and strategic ambiguity could render international humanitarian law obsolete as a meaningful constraint on state conduct. The ICC’s 2025 Policy demonstrates that the doctrinal foundations for accountability exist. Whether those foundations support a functional accountability regime — or merely memorialise aspirational principles that sophisticated actors routinely evade — will depend on the political commitment states demonstrate to implementation.
The existential challenge that cyber-enabled crimes pose ultimately reflects broader tensions between technological change and legal stability. International law has historically adapted to technological innovation through incremental processes lagging developments by years or decades. Nuclear weapons prompted the Nuclear Non-Proliferation Treaty more than two decades after the first nuclear deployments. Chemical weapons regulation evolved through multiple failed attempts before achieving comprehensive prohibition. However, cyber technology development pace far exceeds these precedents, with capabilities and threats evolving on annual rather than generational timeframes. If international criminal law cannot accelerate its adaptive mechanisms to match this pace, it risks irrelevance — not through formal rejection, but through gradual obsolescence.
The ICC’s entry into the cyber domain through its 2025 Policy marks a pivotal moment when international criminal law confronts this adaptive imperative. The policy’s success or failure will determine whether international humanitarian law can remain relevant as warfare increasingly occurs in digital domains where traditional concepts of territory, combatants, and civilians dissolve into ambiguity. For victims of cyber-enabled persecution, surveillance-facilitated crimes against humanity, and digital warfare targeting civilian infrastructure, abstract debates over jurisdictional frameworks and attribution standards translate directly into questions of justice or impunity. The international community’s response to the fragmentation crisis will ultimately reveal whether international criminal law serves as a genuine constraint on power, or merely a legitimating ideology that sophisticated actors manipulate while vulnerable populations suffer without recourse.
Reference(S):
Article 19, ICC Cyber-Enabled Crimes Policy: A Strong Step for Accountability and Human Rights (Dec. 9, 2025), https://www.article19.org/resources/icc-cyber-enabled-crimes-policy-a-strong-step-for-accountability-and-human-rights/.
CircleID, ICC Cyber-Enabled Crimes and DNS Abuse: Accountability Questions for Infrastructure Operators (Dec. 2025), https://circleid.com/posts/icc-cyber-enabled-crimes-and-dns-abuse-accountability-questions-for-infrastructure-operators.
Fidler, Mailyn, Fragmentation of International Cybercrime Law, Utah L. Rev. (2025).
Gleicher, Nathaniel, The Rome Statute in the Digital Age: Confronting Emerging Cyber Threats, Just Security (Oct. 6, 2025), https://www.justsecurity.org/118463/rome-statute-digital-age-cyber/.
International Court of Justice, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgment, 1986 I.C.J. Rep. 14 (June 27, 1986).
International Criminal Court, ICC Office of the Prosecutor Launches Public Consultation on Policy on Cyber-Enabled Crimes under the Rome Statute (Mar. 22, 2025), https://www.icc-cpi.int/news/icc-office-prosecutor-launches-public-consultation-policy-cyber-enabled-crimes-under-rome.
International Criminal Court, Office of the Prosecutor, Policy on Cyber-Enabled Crimes under the Rome Statute (Dec. 2025).
International Criminal Tribunal for the former Yugoslavia, Prosecutor v. Dusko Tadić, Case No. IT-94-1-A, Judgment (July 15, 1999).
International Journal of Research Trends and Innovation, Jurisdictional Gaps in Cyber Terrorism (Apr. 2025), https://www.ijrti.org/papers/IJRTI2504309.pdf.
International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts (2001).
International Law Commission, Seventy-Sixth Session, https://legal.un.org/ilc/sessions/76/ (last visited Feb. 5, 2026).
Journal of Law & Cyber Warfare, Tallinn Manual 3.0: Sovereignty and Attribution in 2025 (July 22, 2025), https://www.jlcw.org/2025/07/22/tallinn-manual-3-0-sovereignty-and-attribution-in-2025-cyber-warfare/.
Princeton University, Princeton Principles on Universal Jurisdiction (2001).
QIL QDI, Attributing Cyber Operations under International Law: Political and Legal Aspects (June 13, 2025), https://www.qil-qdi.org/attributing-cyber-operations-under-international-law-political-and-legal-aspects/.
Rome Statute of the International Criminal Court, July 17, 1998, 2187 U.N.T.S. 3.
Schmitt, Michael N. & Liis Vihul (eds.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge Univ. Press 2017).
ScienceDirect, Digital Borders and Beyond: Establishing Normative Grounds for Cybersecurity and Sovereignty in International Law, Computer Law & Security Review (Aug. 12, 2025), https://www.sciencedirect.com/science/article/abs/pii/S2212473X25000537.
United Nations Charter, June 26, 1945, 1 U.N.T.S. XVI.
Vienna Convention on the Law of Treaties, May 23, 1969, 1155 U.N.T.S. 331.
World Economic Forum, 4 Steps Towards Creating an International Agency Against Cybercrime (Apr. 2025), https://www.weforum.org/stories/2025/04/4-steps-cybercrime-interpol/.
