Cyber operations against critical infrastructure under norms of responsible state behaviour and international law

Abstract

Abstract There has been agreement at the United Nations level about a set of norms of responsible state behaviour in cyberspace, including norm (f) which prohibits cyber operations that cause intentional damage or impairment to critical infrastructure (CI). This article examines norm (f) in light of existing international law prohibiting malicious cyber operations against CI. It argues that norm (f) introduces complexity to the application of the law in this context that is counterproductive to developing clarity about the cyber operations against CI that are prohibited by international law. This is due to the subjectivity of the concept of CI, the contradictory legal status of norm (f), and due to existing uncertainties in how international law applies to state conduct in cyberspace which are compounded by norm (f). The article concludes that states need to develop more clarity about the relationship between international law and the norms of responsible state behaviour in cyberspace, and about how international law applies to cyber operations, particularly where CI is targeted.