
Commentary
Carnegie India

Safeguarding Critical Infrastructure: Key Challenges in Global Cybersecurity

Fueled by AI and rising state-sponsored threats, cyberattacks on critical infrastructure have become more frequent and sophisticated, and traditional defenses are proving inadequate. A closed-door session at the Global Technology Summit 2025 examined these evolving risks. This article distills four key challenges identified in the discussion, highlighting the urgent need for real-time defense and international coordination.

By Nidhi Singh
Published on Jul 24, 2025

Cyberattacks against critical infrastructure (CI) have evolved from isolated incidents to coordinated campaigns by both state and non-state actors. Cyber threats have become increasingly sophisticated and frequent, particularly those that leverage artificial intelligence (AI). Technologists have noted that AI-powered cyberattacks can bypass traditional defenses, with recent breakout times as short as fifty-one seconds, illustrating the rapid evolution of these threats.[1] These advancements are further exacerbated by China’s increasing offensive cyber capabilities that pose rising threats to CIs, thereby shrinking response windows and making real-time defense capabilities essential.

A closed-door discussion titled “Safeguarding Cybersecurity of Critical Infrastructure” was organized at the Global Technology Summit 2025, co-hosted by Carnegie India and the Ministry of External Affairs, Government of India. The event brought together cybersecurity experts from Australia, Germany, the Netherlands, and France, along with industry leaders, legal experts, academics, and senior Indian policymakers. The discussion aimed to identify vulnerabilities in CI protection, discuss ways to enhance national cybersecurity resilience through international cooperation for incident response, and deliberate coordination required between government, the private sector, and international partners for protecting CI. Based on the discussion, this essay outlines four key challenges: varying definitions of CI across countries, gaps in international cooperation for norm enforcement, difficulties in public-private information sharing, and vulnerabilities in the hardware supply chain.

Defining Critical Infrastructure

Participants unanimously agreed that the fundamental issue underpinning the difficulty in securing CI against cyber threats was the lack of a shared understanding of what constitutes CI.

Inconsistencies in the definition of CI across countries persist because each nation prioritizes and protects different sectors based on its own frameworks and threat perceptions. This creates challenges for a coordinated crisis response, as illustrated during the 2017 NotPetya attack. When the attack stopped container transport at Rotterdam’s port, city authorities struggled to respond effectively because Maersk’s APM Terminals, despite being vital to port operations, was not classified as CI. This definitional gap prevented national support mobilization and delayed crisis coordination. While this example illustrates challenges for national responses, it poses an even greater challenge at the international level, where varying definitions of CI could hinder aligned threat assessment, mutual aid, and collective response efforts.

Another factor that contributes to the varying definitions of CI is that attackers often define CI based on its potential to cause maximum disruption, while official government definitions fail to reflect real-world vulnerabilities and attack trends. It is therefore difficult for states to rely on a fixed definition of CI. This underscores the importance of adopting a flexible and adaptive approach to defining CI. Recognizing this and the recent advancements in technology, experts emphasized the need to formally include data storage and processing systems as part of CI, given the growing centrality of data in modern societies. Going forward, achieving greater international alignment on dynamic, threat-informed CI definitions will be critical to enabling coordinated cybersecurity responses and building global resilience.

International Cooperation and Fragmented Norms

Most states and international organizations agree that existing international laws apply to cyberspace just as they do offline.[2] For example, the Geneva Conventions of 1949 still provide established legal foundations relevant to cyber warfare to protect civilian infrastructure during conflicts.

Participants noted that while there have been some challenges in enforcing existing laws, new international processes like the Global Digital Compact (GDC) and the Open-ended Working Group on security of and in the use of information and communications technologies are being formed. These emerging processes aim to develop norms focused on protecting CI by discouraging attacks on another state’s CI, enhancing national cyber resilience, and fostering mutual assistance and solidarity among nations.

Participants also talked about adopting mechanisms such as public attribution of cyberattacks at global forums, like the UN, and the creation of tools like digital emblems for labelling vital online services as CI, to prevent cyberattacks. An example of this is the EU Cyber Diplomacy Toolbox, which allows countries in the EU to coordinate responses in the region using public or private attribution and sanctions.  

Critical Gaps in Public-Private Coordination

Experts highlighted the need for states to proactively engage with the private sector to bolster the cybersecurity of CI. For example, MasterCard’s use of generative AI to prevent cyberattacks and its ability to identify compromised cards can be helpful for states to tackle emerging cybersecurity threats in the financial sector. Experts agreed that leveraging private sector intelligence and expertise, particularly in threat detection and incident response, is essential for a nation’s comprehensive cybersecurity strategy.

Supply Chain Vulnerabilities and Technology Sovereignty

Supply chain vulnerabilities, especially those related to Chinese IT products used in CI, are a significant concern. Hardware risks are challenging because end-users often lack visibility into the manufacturing processes, making it hard to identify backdoors or compromised firmware that could facilitate cyberattacks. Experts stressed the need for common standards and certifications to ensure product security and limit engagement with risky vendors. Collaborating with vendors from allied countries and developing secure domestic manufacturing capabilities are essential steps for ensuring supply chain integrity and reducing dependency on potentially compromised hardware sources.

Industry representatives also underscored the importance of creating indigenous intellectual property and investing in domestic technologies to enhance security and reduce dependence on foreign solutions. They also recommended adopting zero-trust approaches to hardware security, which involve continuous verification of hardware integrity, device authentication, regular firmware checks, and network segmentation to prevent breaches.

The roundtable revealed that safeguarding CI requires coordinated responses across multiple dimensions. While definitional inconsistencies, international cooperation gaps, public-private coordination challenges, and supply chain vulnerabilities represent significant barriers, ongoing efforts by various countries and organizations demonstrate growing recognition of these challenges and commitment to building more resilient cybersecurity frameworks.

[1] Insights from a roundtable on cybersecurity for critical infrastructure at the Global Technology Summit 2025, organized by Carnegie India and the Ministry of External Affairs, Government of India, on April 11, 2025.

[2] Most states and several international organizations, including the UN General Assembly’s First Committee on Disarmament and International Security, the G20, the European Union, ASEAN, and the OAS, have affirmed that existing international law applies to the use of information and communication technologies (ICTs) by states.

Nidhi Singh
Senior Research Analyst and Program Manager, Technology and Society Program

Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.
