Source: Getty

Why the World Needs a New Cyber Treaty for Critical Infrastructure

While states acknowledge the need to better protect critical infrastructure against cyber attacks, national and international efforts have brought limited results. The solution could be a global treaty that strengthens cooperation on this matter.

by Patryk Pawlak and Aude Géry
Published on March 28, 2024

Not a day passes without news about critical infrastructure—for energy, healthcare, transportation, or other sectors—being targeted by computer attacks. In early February, the cybersecurity agencies of five countries warned infrastructure operators of the presence of Chinese state-sponsored actors seeking to position themselves for cyber attacks on U.S. critical infrastructure “in the event of a major crisis or conflict with the United States.” A couple of months earlier, the media revealed that a nuclear site in the United Kingdom had been the target of a cyber attack, raising questions about the consequences of the potential malfunctioning of nuclear facilities.

Yet, while most countries recognize the need to protect critical infrastructure against cyber attacks, most also lack legislation to that effect. At the international level, too, cooperation in this area is limited. In 2015, the UN member states adopted a set of voluntary norms that cover critical infrastructure and agreed that existing international law also applies in cyberspace, but these decisions have had a negligible impact. On the contrary, the list of state victims of cyber attacks on national infrastructure remains long. According to the International Energy Agency, these attacks at least doubled across most sectors between 2020 and 2022. Cyber risks to critical infrastructure continue to rise—a trend exacerbated by the competitive geopolitical context and the West’s unequivocal support for Ukraine in the war against Russia.

Attacks on critical infrastructure might be becoming a new normal, but the response cannot be business as usual. The international community needs to consider adopting a global cyber treaty to protect critical infrastructure. In an area where many states are already actively involved, a treaty could complement existing rules and contribute to raising the global level of cybersecurity. Binding, prohibitive measures may meet resistance from governments, and the impact of such measures on the number and scale of cyber attacks would ultimately depend on states’ compliance. But positive obligations focused on cybersecurity and the safety of critical infrastructure operators could be a game changer in strengthening cyber resilience globally.

This proposal does not negate the applicability of existing international law in cyberspace. Rather, a new legal framework would provide additional guarantees by setting positive obligations and prohibiting certain types of action. Admittedly, the idea of a cyber treaty is not new. But this is not a rehash of Microsoft’s 2017 call for a Digital Geneva Convention or the more limited 2023 proposal by the German Council on Foreign Relations that urged states to sign bilateral declarations not to conduct cyber operations against selected critical infrastructure. Nor is it support for Russia’s 2023 revised concept for a cyber convention, which, despite its references to critical infrastructure protection, simply instrumentalized international law for clear political benefits.

Instead, this proposal is an invitation for states or groups of states, in particular the EU, to assume leadership and promote responsible state behavior in cyberspace on a concrete policy issue. In that sense, a new treaty would operationalize two ideas presented by the UN secretary general in 2023: to make critical infrastructure a cyber attack–free zone and to develop a global accountability mechanism in cyberspace. It would also advance earlier reflections in UN Security Council meetings on cyber attacks on critical infrastructure and states’ responsibilities.

There are five key reasons why rallying the international community around a critical infrastructure protection treaty is important now.

Responding to a Specific Global Challenge

The global nature of cyber attacks on critical infrastructure—which range from attacks on Costa Rica’s social security system and Australia’s financial sector to assaults on South African ports and Norwegian energy companies—highlights the need to strengthen international cooperation in this field. A focus on critical infrastructure protection is sufficiently narrow to avoid the primary sin of other proposals that either are too broad in scope, such as the 2023 Russian proposal, which focused on information security generally, or merely restate existing international obligations.

Cyber attacks on critical information infrastructure raise concerns about the functioning of digital societies and cause harm to civilian populations. As the digitization of services increases, supported by the development and rollout of new technologies such as artificial intelligence, the risks associated with connectivity will grow. The effects of these technologies go beyond their immediate consequences on the functioning of critical infrastructure and might significantly impact people’s ability to adapt to the systemic risks of climate change, environmental degradation, and resource scarcity. Because cyber attacks on critical infrastructure capture headlines and mobilize governments to act, they can also result in misunderstandings, escalation, and, ultimately, conflict. The increasing acceptance of active cyber defense and the development of cyber offensive capabilities as part of national cyber doctrines make worst-case scenarios more likely.

Skeptics might argue that agreeing on a universal definition of critical infrastructure would be impossible, resulting in the failure of the whole process. But such an argument is oversimplistic. There are different ways of defining critical infrastructure. One approach could be to identify specific sectors or criteria linked to the effects of an infrastructure malfunction. This is the approach proposed in the Organisation for Economic Co-operation and Development’s (OECD’s) 2019 Recommendation on Digital Security of Critical Activities, which focused on “economic and social activities the interruption or disruption of which would have serious consequences” on certain targets, such as the health of citizens or the effective functioning of the government. Within this framework, it could be left to each state to decide exactly which infrastructure or services are subject to the obligations of any new treaty. The type of obligations would be decisive in determining whether international consensus is feasible.

As for any new treaty provisions that prohibit states from carrying out cyber operations against other states’ critical infrastructure, the wording would need to be more specific. It would be difficult to avoid defining the types of infrastructure concerned, to ensure the legal certainty required for this kind of obligation. The disadvantage of such a proposal is, of course, that anything not expressly forbidden might be considered allowed. The way around this difficulty could be to focus not on the target—that is, the material scope of the obligation—but on its effects. To give a specific example: in the case of attacks on the IT systems of wind farms, the provisions could concentrate not on efforts to disrupt the systems themselves but on the effects that malicious activity would have on citizens and businesses. The difficulty would then shift to reaching an agreement on what constitutes prohibited effects.

Definitional questions are less likely to become an issue in the case of positive obligations to promote international cooperation or adopt cybersecurity and safety standards, such as those agreed on by the International Organization for Standardization. The same applies to obligations concerning criminal offenses to do with cyber attacks. In short, the question of definitions will be a challenge but can be overcome given the spectrum of available approaches.

Skeptics might also suggest that limiting the scope of a new instrument to critical infrastructure protection will put a target on assets that are not defined as critical. But this, too, is far from true. Having a more specific law devoted to certain types of obligation does not mean that general international law and branches such as human rights law do not apply. If cyber operations by states against critical infrastructure were prohibited, the same activities against other types of infrastructure could still be unlawful based on other rules of international law. Even if a more limited scope is not ideal, taking the target off the backs of critical service providers by prohibiting attacks on them needs to be the first step to making cyberspace safer and more stable.

Of course, states might opt for a very broad designation of critical infrastructure. But such a designation would carry concrete commitments and costs for both the states concerned and the entities that manage critical infrastructure, including the costs associated with reporting and oversight. For instance, a report on the implementation of the EU’s 2016 directive on the security of network and information systems (the NIS Directive) shows that while most EU member states identified fewer than 500 operators of essential services, in Finland this number reached almost 11,000, including a particularly large number in the health sector. As a result, Finland has to ensure that these entities put in place adequate cybersecurity measures for risk management, supervision, and enforcement, which are quite resource intensive. Therefore, decisions about designations are driven by a need to balance the benefits of protecting infrastructure entities and the associated costs of complying with the obligations on them.

Solidifying Existing Progress

Negotiations on a new legal instrument would not start from zero but would benefit from ongoing debates about the application of existing international law in cyberspace. The progress achieved over two decades through discussion of the UN framework for responsible state behavior in cyberspace provides a solid foundation in terms of both positive obligations and prohibitions.

Three of the UN framework’s eleven voluntary norms of responsible state behavior speak directly to what states should or should not do to protect critical infrastructure. First, states should not conduct or knowingly support ICT activity, contrary to their obligations under international law, if that activity intentionally damages critical infrastructure or impairs its use to provide public services (norm 13f). Second, states should take appropriate measures to protect their critical infrastructure from ICT threats (norm 13g). Third, states should respond to requests for assistance from other states whose critical infrastructure is subjected to malicious ICT acts; states should also respond to requests to mitigate malicious ICT activity emanating from their territory and aimed at the critical infrastructure of other states (norm 13h).

Each of these norms was developed in more detail in the 2021 report of the UN Group of Governmental Experts (GGE). Numerous national submissions and statements delivered during the Open-Ended Working Group (OEWG) on cyber issues, established in 2020, provide further guidance about what a new treaty could cover when it comes to cooperative measures on security and safety. The UN Security Council also addressed the issue of critical infrastructure protection by calling for measures, including on cybersecurity, to prevent and respond to terrorist attacks on critical infrastructure.

When it comes to specific offenses related to cyber operations, attacks on critical infrastructure are rarely mentioned in cyber crime treaties. A notable exception is the African Union’s 2014 Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention. The convention calls on the signatory states to adopt legislative and/or regulatory measures to designate and protect their critical information infrastructure. In addition, the 2010 Beijing Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation refers to cyber operations, including by criminalizing such operations against air navigation facilities.

In terms of prohibitions, the situation is drastically different. Other than voluntary and nonbinding norms, such as those in the UN framework, there are very few—if any—international documents that prohibit cyber operations against critical infrastructure conducted by states in peacetime. It must be noted that any treaty prohibition would probably be limited in scope. For instance, although the abovementioned norm 13f recommends that states abstain from conducting cyber operations against critical infrastructure, the scope of the norm is limited by two additional criteria: the specific effects of the prohibited operations and their unlawfulness under existing international law. Ultimately, this limited scope results in the norm offering less protection than general international law. For similar provisions in a new treaty, there would need to be a clear disclaimer that such prohibitions do not affect other, existing prohibitions that arise from general international law.

A more promising approach to a potential new treaty could be to focus on gray zones in international law. Despite great efforts to ensure transparency and clarify the application of international law in cyberspace, such as the Cyber Law Toolkit and the Oxford Process on International Law Protections in Cyberspace, there is no overall consensus in this area. The more states publish on international law, the harder it becomes to find areas of convergence. Given the divergences in the interpretation of international law, prohibiting cyber operations against critical infrastructure could add a layer of legal protection. To borrow the words of the United Kingdom’s former attorney general Suella Braverman, “differences in legal reasoning must not obscure the common ground” that protecting critical infrastructure is of utmost importance for international peace and security.

An alternative path, and probably a more appealing one from the perspective of strengthening the international legal framework, would be to focus less on the prohibition of cyber attacks and more on the cybersecurity and safety of critical infrastructure. Such an approach could proceed in parallel with efforts to clarify the application of international law in cyberspace. Indeed, by developing new obligations that also aim at ensuring security and stability in cyberspace and regulating states’ conduct on this topic, states would signal that international law is the primary normative framework that guides their actions. In addition, the adoption of clear, positive obligations on cybersecurity and safety, as well as cooperation on this issue, would pave the way for the development of an autonomous legal regime based on internal coherence among the various rules that regulate critical infrastructure protection.

The current practice is far from coherent, despite a general commitment to the framework of responsible state behavior. UN processes and national positions on the application of existing international law in cyberspace can serve as an important source of inspiration. There is also a large body of national laws, regulatory frameworks, and policies adopted by governments that can feed into discussions about new treaty provisions. Numerous binding and nonbinding international instruments contain relevant obligations for critical infrastructure protection, crisis management, cooperation between computer emergency response teams (CERTs), certification schemes, cybersecurity measures, public-private partnerships, and information sharing on threats. Notable examples of such instruments include the Organization of American States’ Declaration on Protection of Critical Infrastructure From Emerging Threats, the Association of Southeast Asian Nations’ Critical Information Infrastructure Protection Framework, and the Malabo Convention.

Other multilateral organizations have issued similar documents, such as the International Telecommunication Union’s perspective on critical information infrastructure protection, the OECD’s Recommendation on Digital Security of Critical Activities, the G7 Statement on Economic Resilience and Economic Security, and the Critical Five shared narrative on critical infrastructure. The EU has adopted several regulatory frameworks to strengthen the resilience of critical infrastructure, including the NIS II Directive, the Critical Entities Resilience Directive, and the proposed Cyber Solidarity Act.

Strengthening Accountability

A new treaty would also respond to the need for more accountability in cyberspace. The current state of play, whereby states are not held accountable for attacks on critical infrastructure that could cause harm to thousands of civilians, is unacceptable. Declarations that existing international law applies in cyberspace have not brought any concrete changes to the situation, as states have been reluctant to use current mechanisms.

Whether a new treaty strengthens accountability would depend on secondary obligations related to monitoring of the treaty’s implementation, a dispute settlement mechanism, and institutional provisions, such as the establishment of a permanent secretariat. As for follow-up mechanisms, it has long been established that international control based on publicity, whereby states have to report whether and how they have implemented provisions of a convention, plays an important role in advancing accountability. A specific calendar for implementation could be envisaged.

A treaty could also provide more transparency on the steps that states need to take in the case of a dispute over the convention’s interpretation. For example, the treaty could explicitly provide for consultations, either among its signatories or with a third party. But a treaty could also go further and include provisions that refer to the jurisdiction of a judicial organ or arbitrator. This type of provision would be particularly needed in the case of prohibitive provisions because of the contentious nature of attribution in cyber operations. For this reason, the treaty must foresee the establishment of dispute settlement provisions.

Yet, a high standard of accountability might still be difficult to achieve. The states most frequently associated with hostile cyber operations are not the biggest fans of international dispute settlement mechanisms. There is a high risk that they would never sign up to a treaty with any dispute settlement teeth, would object to such provisions, or, worse, would work to ensure that such clauses never make it into the draft text. This does not mean, however, that the treaty would have no impact. For instance, even though the International Criminal Court does not enjoy universal recognition as an accountability mechanism for violations of international law, it might still play an important role when it comes to pointing out misuses of cyberspace for war crimes, crimes against humanity, genocide, and even aggression by one state against another.

Even if negotiations on an accountability mechanism for interstate relations fail, the democratic accountability of governments toward their citizens should not be underestimated. The establishment of a cybersecurity treaty is an accountable process because it testifies to states’ sense of responsibility: making sure that the infrastructure on which their citizens rely to conduct their everyday activities is safe and secure.

Refocusing Cyber Capacity Building

A new treaty on critical information infrastructure protection would also contribute to streamlining and professionalizing international cyber capacity-building efforts. Global investment in infrastructure projects and digital transformation is increasing, but only a handful of donors have proper strategies for de-risking or mainstreaming cybersecurity into such projects.

The 2021 UN GGE report listed several concrete cyber capacity-building measures that link directly to critical infrastructure protection, such as developing national ICT policies, strategies, and programs; enhancing the capacity of CERTs and computer security incident response teams (CSIRTs) and strengthening arrangements for their cooperation; improving the security, resilience, and protection of critical infrastructure; and enhancing the technical and legal capacities of all states to investigate and resolve serious ICT incidents. The results of these measures have been uneven and hampered by a duplication of efforts. For example, multiple donors have provided funding for the establishment of CERTs or supported the same governments in developing their national cybersecurity strategies, especially among the so-called darlings. Meanwhile, progress toward other relevant goals, such as the development of national cyber crisis response plans and risk-mitigation frameworks, is lagging.

A treaty chapter devoted to technical assistance and cyber capacity building would help address some of these gaps. One of the difficulties is that provisions related to critical infrastructure protection, as well as cooperative measures in this area, are scattered across different UN reports. Understanding the priorities identified in consecutive policy documents and their cumulative added value is difficult. For instance, each of the reports of the UN GGE and the OEWG contains different recommendations and often reintegrates only parts of previous goals. The annex on confidence-building measures to the 2023 OEWG annual progress report contained several priorities but without providing clear guidance on how they had been identified and whether there was any hierarchy to their importance.

By clarifying what states must do to protect critical infrastructure, a new treaty would help states prioritize and take concrete actions. It would also enable states to identify gaps in their capacities to ensure compliance with the treaty. Such clear and targeted setting of goals could enhance the effectiveness of international cyber capacity-building efforts. This approach has worked particularly well in the context of the Budapest Convention on Cybercrime and associated capacity-building projects, such as Global Action on Cybercrime (GLACY/GLACY+) and other joint projects of the EU and the Council of Europe. A treaty chapter on technical assistance and capacity building would provide a more strategic orientation to the current scattered efforts of international and regional organizations, multilateral development banks, and other groups of stakeholders.

Injecting New Life Into UN Processes

Finally, a new treaty on critical infrastructure protection might inject a fresh sense of purpose into the UN processes on responsible state behavior in cyberspace. In particular, it may offer guidance for advancing discussions about the Cyber Program of Action (PoA) and present a potential solution if the UN fails to maintain a single track after 2025, when the OEWG ends. There is already a French-led proposal for the Cyber PoA to replace the working group, but as the OEWG’s March 2024 session showed, there is no agreement on the way forward. This makes the scenario of two parallel processes quite likely.

In the scenario in which the Cyber PoA becomes the single platform for these discussions, it could adopt an issue-specific approach, starting with a focus on critical infrastructure protection. First proposed in 2020, the Cyber PoA process has so far failed to provide a clear vision of what it aims to achieve. Bringing discussions about a critical infrastructure cyber protection treaty under the PoA umbrella as a priority area would give the proposal more focus. It would also mean pressing the reset button on discussions about the 2023 revised draft of the information security treaty spearheaded by Russia. A counterproposal more focused on critical infrastructure protection would allow the Cyber PoA’s supporters to own and shape the treaty debate, rather than being constantly on the defensive regarding treaty proposals. It would also give the rest of the international community a chance to engage in discussions about the treaty in a content-driven way.

In the alternative post-2025 scenario, in which a new OEWG and a Cyber PoA exist in parallel, the former could provide a platform for general deliberations while the latter is used for more focused discussions on specific issues. This distinction would have to be embedded in the respective UN resolutions. A focus on critical infrastructure protection in the Cyber PoA would make the process into a platform that brings a clear added value to discussions in the OEWG while avoiding duplication. This approach could, for instance, follow the model of the UN’s comprehensive PoAs for Least-Developed Countries, which have been adopted on numerous occasions, each time focused on a different issue. That would allow the UN community to move forward in a constructive way, with a concrete deliverable in sight and without putting additional strains on participating states, by limiting the number of meetings and avoiding duplication.

The Cyber PoA could also be used as a mechanism to provide guidelines for the implementation and monitoring of preventive measures in a new treaty. For instance, the UN PoA on Small Arms and Light Weapons foresees national implementation reports, which constitute the basis for identifying good practices and lessons learned. Signatories to this PoA have also agreed to put in place the International Tracing Instrument, which obliges states to properly mark weapons, keep records, and cooperate on weapons tracing. These requirements are examples of how the Cyber PoA could serve as a platform to develop additional guidelines for the implementation of a potential cyber treaty.

Who Will Lead the Way?

Admittedly, the proposal for a new cyber treaty represents a significant departure from the current dominant position adopted by many Western governments. Yet, this call does not require states to abandon their existing positions. The much broader set of current approaches to positive obligations, compared with prohibitions, suggests that international consensus is more likely to emerge on the former than the latter. In that context, the UN secretary general’s July 2023 recommendation to “declare that infrastructure essential for public services and to the functioning of society is off-limits to malicious cyberactivity” seems extremely ambitious.

Any state or group of states that assumes leadership in this domain will need to invest in intensive diplomatic efforts to engage with international partners on each side of the debate. Any cyber treaty proposal will be controversial in the current geopolitical context, as demonstrated by the negotiations for a UN cybercrime treaty that have been ongoing since May 2021. Bringing a focus on critical infrastructure into the equation makes things even more complicated. Ultimately, however, whether such a treaty has any chance of success will depend on states’ willingness to reach agreement on its scope and accountability mechanism. From an international legal point of view, this means finding consensus on multiple issues: specific offenses related to computer attacks on critical infrastructure, cooperation measures to prevent and remedy cyber operations against critical infrastructure, information sharing on national legislation, and cybersecurity and safety measures.

The EU is a suitable candidate to pick up this challenge. Over the past ten years, the EU has invested significantly in strengthening its critical infrastructure protection against cyber attacks. It has developed a sophisticated legal framework for establishing a high level of cybersecurity across the union through the NIS and NIS II Directives and the Digital Operational Resilience Act. The EU has also agreed on cybersecurity requirements for products with digital elements through the Cyber Resilience Act and is working to bolster its cyber emergency mechanisms and ensure mutual assistance in case of incidents through the Cyber Solidarity Act. And the EU has strengthened the networks for technical, operational, and political cooperation between the EU institutions and the member states in case of large-scale cyber incidents involving critical infrastructure.

To provide secure connectivity for its citizens and protect the principle of open markets, the EU has resisted calls for blanket prohibitions and adopted a risk-based methodology, as in the union’s toolbox for 5G security. The EU has also confirmed on multiple occasions its commitment to the application of international law in cyberspace and the strengthening of the normative framework for responsible state behavior. The EU’s commitments to the protection of human rights online and to a human-centered vision of digital transformation provide the credibility that discussions about a new treaty will require.

Aude Géry is a senior researcher in public international law and digital security at Geopolitics of the Datasphere (GEODE), a research and training center at the University of Paris 8. Her research focuses on the interpretation of international law in cyberspace and multilateralism in the field of digital security.

The authors would like to thank Raluca Csernatoni, Sven Herpig, Kubo Mačak, Paul Timmers, Gavin Wilde, and Fan Yang for their comments on earlier versions of this article. All mistakes and omissions are the authors’ alone.

Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.