Protecting critical infrastructure from cyber attacks remains one of the hottest topics in the security world. As a result of the various discussions taking place, many lawmakers have called for the development of cyber norms specifically targeting critical infrastructure protection, even though a new set of norms may not be necessary (emphasis added):
As Henry Farrell observed in his CFR Cyber Brief on promoting norms in cyberspace, “U.S. policymakers argue that the United States and others need to build norms to mitigate cybersecurity problems.” Addressing cyber threats to U.S. critical infrastructure, Admiral Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, asserted, “We have got to develop a set of norms or principles in this space.” Such emphasis on developing norms suggests that norms do not exist. However, cyberattacks by state or non-state actors against critical infrastructure are illegal under international law. In short, we have lots of norms, rather than a shortage of them.
In terms of criminal activities against critical infrastructure, the Council of Europe’s Convention on Cybercrime provides substantive and procedural rules that support states parties’ responses to such activities. The International Convention for the Suppression of Terrorist Bombings applies to attacks against infrastructure facilities through weapons or devices that can cause death, serious bodily injury, or substantial property damage, which can encompass cyberattacks by terrorist groups. A cyberattack by a state that damages critical infrastructure in another state would violate the international legal principle of non-intervention and, if sufficiently bad, might violate international law’s prohibition on the use of force.