In cybersecurity, protecting critical infrastructure has long been a priority. In the early days of this policy area, the Clinton administration identified the need to protect critical infrastructure from cyberattacks. The Obama administration’s Framework for Improving Critical Infrastructure Cybersecurity highlights the importance of protecting critical infrastructure from cyber threats. Other governments exhibit similar concerns. Recently, Germany passed legislation mandating that critical infrastructure operators improve their cybersecurity. Internationally, the United States has advocated a non-binding or “soft law” norm that countries should not damage critical infrastructure in other nations, and the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) apparently accepted this idea during its 2015 session. Given national and international activity on critical infrastructure protection, is this area producing new norms for cyberspace?
As Henry Farrell observed in his CFR Cyber Brief on promoting norms in cyberspace, “U.S. policymakers argue that the United States and others need to build norms to mitigate cybersecurity problems.” Addressing cyber threats to U.S. critical infrastructure, Admiral Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, asserted, “We have got to develop a set of norms or principles in this space.” Such emphasis on developing norms suggests that norms do not exist. However, cyberattacks by state or non-state actors against critical infrastructure are illegal under international law. In short, we have lots of norms, rather than a shortage of them.
In terms of criminal activities against critical infrastructure, the Council of Europe’s Convention on Cybercrime provides substantive and procedural rules that support states parties’ responses to such activities. The International Convention for the Suppression of Terrorist Bombings applies to attacks against infrastructure facilities using weapons or devices that can cause death, serious bodily injury, or substantial property damage, which can encompass cyberattacks by terrorist groups. A cyberattack by a state that damages critical infrastructure in another state would violate the international legal principle of non-intervention and, if sufficiently severe in its scale and effects, might violate international law’s prohibition on the use of force.
If binding international law prohibits states from damaging critical infrastructure in other countries, what does a non-binding norm against the same activity contribute to norm development in cyberspace? The GGE agreed in 2013 that the UN Charter, including its principles on non-intervention and the use of force, applies in cyberspace, so the norm on not attacking critical infrastructure could be a cyber-specific application of these general rules. But, if so, this corollary should itself be binding under international law. Norm development usually does not move from binding rules to voluntary guidelines. Another way to interpret the non-binding norm is that the rules against intervention and the use of force are not effective in cyberspace, which requires building consensus around a cyber-specific norm. But it is not clear why a non-binding norm would be more effective than two of the most fundamental rules of international law.
Less commented upon is the possible emergence of a norm requiring national and international action to defend critical infrastructure against cyberattacks. Countries can improve national critical infrastructure cybersecurity without needing international norms. However, as cyber threats to critical infrastructure have grown more serious, states have started to use international law to address these threats. This activity highlights international interest in strengthening cybersecurity in national critical infrastructure and reveals the need for more cooperation.
This potential norm arises from states using international law to advance critical infrastructure protection in two ways. First, countries increasingly use multilateral, regional, and bilateral processes to address critical infrastructure cybersecurity, including activities in, for example, the International Atomic Energy Agency, the International Civil Aviation Organization, NATO, the EU, and ASEAN. Generally, these efforts are non-binding and aim to strengthen national cyber defenses for critical infrastructure, improve information sharing on cyber threats, and facilitate assistance to other countries. Second, some countries use international law directly. An EU directive on critical infrastructure requires operators to protect themselves against cyber threats. The African Union Convention on Cyber Security and Personal Data Protection mandates that states parties take action to protect critical infrastructure in their jurisdiction.
Such international activities perhaps indicate the development of a “soft law” norm that includes “cyber due diligence” obligations on countries with respect to national critical infrastructure and responsibilities to cooperate with other nations in strengthening cybersecurity for critical infrastructure. Such a norm could have other implications, including, for example, how countries handle “zero-day” vulnerabilities that threaten critical infrastructure operations. State behavior is not yet sufficient to claim that this norm is anything more than incipient, but this aspect of protecting critical infrastructure deserves more attention as efforts to develop norms for cyberspace continue.