Towards a lowest common denominator? Settling for a better protection of ‘life-sustaining’ critical infrastructures

By: Thibault Moulin

The failure of the fifth session of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) in 2017 put an abrupt halt to the definition of detailed rules for applying existing international law in cyberspace. While Cuba, China and Russia disagreed with the potential application of international humanitarian law or self-defence in cyberspace at the time,[i] the number of states that refuse to define rules might have grown since, as illustrated by the lack of support from the USA for the Paris Call for Trust and Security in Cyberspace. If states still aim at achieving a consensual agreement on what is acceptable – and what is not – in cyberspace, focusing on ‘lowest common denominators’ might appear as a potential solution.

As a matter of fact, most states agree that protecting critical infrastructures is essential. Measures were adopted at the regional scale, such as the EU Council directive 2008/114/EC, and several steps were also taken in the domestic sphere to protect them. Decrees and orders were for instance implemented by France[ii] and the USA,[iii] strategies in Germany,[iv] and laws in Belgium,[v] Spain etc.[vi] In the report of the UN GGE in 2015, a consensus emerged that ‘[a] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public’.[vii] A majority of states then supported a similar statement in the Paris Call, and pledged to ‘[p]revent and recover from malicious cyber activities that threaten or cause significant, indiscriminate or systemic harm to individuals and critical infrastructure’.

States do not only agree that critical infrastructures should benefit from a better protection, they also tend to agree on what is a critical infrastructure. According to the EU, ‘critical infrastructure’ means ‘an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions’.[viii] The Belgian definition is only slightly different.[ix] Germany defines ‘critical infrastructures’ as ‘organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences’.[x] The American definition is the following: ‘the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters’.[xi] They include, in Australia, ‘those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security’.[xii] In Chile, a critical information infrastructure ‘includes the installation, networks, services and physical and information technology equipment whose impairment, degradation, rejection, interruption or destruction may have an important impact on the security, health and wellbeing of people and on the effective operation of the State and the private sector’.[xiii] Even China is looking for a better protection of these critical infrastructures.[xiv]

Jack Goldsmith wrote in 2011, though, that this ‘supposed alliance of interests is misleading’.[xv] For instance, he argued that ‘China is committed to the deployment of malicious agents inside our critical infrastructure (including banking systems) to make up for its relative weakness in traditional military capabilities in the event of a hot war. Combining this consideration with its relatively powerful control over its own critical infrastructures, China might think itself relatively better off, vis a vis the United States, by not giving up cyber threats against civilian infrastructures, including banking’. He adds that, ‘[s]imilarly, Iran or North Korea might want to maintain the threat of shutting down our electricity grid—even if doing so heightened the vulnerability of its own grid’. Even the refusal of the USA to join the Paris Call might be linked to critical infrastructures at some point, as Washington apparently ‘worries about commitments to avoid using cyberattacks as a prelude to military action’ and ‘had a secret program, code-named “Nitro Zeus,” which called for turning off the power grid in much of Iran if the two countries had found themselves in a conflict over Iran’s nuclear program’.[xvi] Even in peacetime, states might admittedly not be ready to give up any interference with critical infrastructures – as illustrated by the series of counter-attacks between Iran and Saudi Arabia, carried out on energy networks –[xvii] but the lack of direct casualties in the wake of such strikes is instructive. Even if discussions on the application of use of force or international humanitarian law are put off, it could be interesting for states to contemplate an agreement on a lowest common denominator: the prohibition of cyber-activities that target critical infrastructures, when they are likely to cause dramatic effects for life.

[i] Stefan Soesanto and Fosca D'Incau, ‘The UN GGE is dead: Time to fall forward’ (ECFR, 15 August 2017) https://www.ecfr.eu/article/commentary_time_to_fall_forward_on_cyber_gov...

[ii] Décret n° 2015-351 du 27 mars 2015 relatif à la sécurité des systèmes d'information des opérateurs d'importance vitale et pris pour l'application de la section 2 du chapitre II du titre III du livre III de la première partie de la partie législative du code de la défense.

[iii] Executive Order -- Improving Critical Infrastructure Cybersecurity (12 February 2013); National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (12 February 2014) www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

[iv] Federal Ministry of the Interior, ‘National Strategy for Critical Infrastructure Protection (CIP Strategy)’ (17 June 2009) https://www.bmi.bund.de/SharedDocs/downloads/EN/publikationen/2009/kritis_englisch.pdf?__blob=publicationFile&v=1

[v] Loi relative à la sécurité et la protection des infrastructures critiques (1 July 2011).

[vi] Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas.

[vii] ‘Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security – Note by the Secretary General’, A/70/174 (22 July 2015), p. 8.

[viii] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.

[ix] Loi relative à la sécurité et la protection des infrastructures critiques, art. 3(4). ‘[C]ritical infrastructure: installation, system or part thereof, of federal interest, which is essential for the maintenance of the vital functions of society, health, safety, security and the economic or social well-being of citizens, and the interruption of the operation or the destruction of which would have a significant impact as a result of the failure of those functions’.

[x] Federal Ministry of the Interior, ‘National Strategy for Critical Infrastructure Protection (CIP Strategy)’, p. 4.

[xi] Executive Order -- Improving Critical Infrastructure Cybersecurity, s. 2.

[xii] Commonwealth of Australia, 'National Guidelines for Protecting Critical Infrastructure from Terrorism' (2015), p. 3 https://www.nationalsecurity.gov.au/Media-and-publications/Publications/Documents/national-guidelines-protection-critical-infrastructure-from-terrorism.pdf

[xiii] Chilean Government, ‘National Cybersecurity Policy’ (2017) p. 16 https://www.ciberseguridad.gob.cl/media/2017/04/NCSP-ENG.pdf

[xiv] China, ‘National Cyberspace Security Strategy’ (2016) https://chinacopyrightandmedia.wordpress.com/2016/12/27/national-cybersp...

National critical information infrastructure refers to information infrastructure that affects national security, the national economy and the people’s livelihood, where whenever data is leaked, it is destroyed or loses its functionality, national security and the public interest may be gravely harmed, including but not limited to basic information networks providing public telecommunications, radio and television transmission, and other such services, as well as important information systems in areas and State bodies such as energy, finance, transportation, education, scientific research, hydropower, industry and manufacturing, healthcare and medicine, social security, public undertakings, etc., important Internet application systems, etc. Adopt all necessary measures to protect critical information infrastructure and its important data from attack and destruction. Persist in laying equal stress on technology and management, simultaneously developing protection and deterrence, focus on identification, prevention, monitoring, early warning, response, handling and other such segments, in establishing and implementing a critical information infrastructure protection system, expand input in areas such as management, technology, talent and finance, synthesize measures and policies according to the law, and realistically strengthen security protection of critical information infrastructure.

[xv] Jack Goldsmith, ‘Cybersecurity Treaties: A Skeptical View’ (2011), Future Challenges in National Security and Law.

[xvi] David Sanger, ‘U.S. Declines to Sign Declaration Discouraging Use of Cyberattacks’, New York Times (12 November 2018) https://www.nytimes.com/2018/11/12/us/politics/us-cyberattacks-declarati...

[xvii] Dan Efrony and Yuval Shany, ‘A Rule Book on The Shelf? Tallinn Manual 2.0 on Cyber Operations and Subsequent State Practice’ (2018) 112(4) AJIL 583, p. 603.