Towards a lowest common denominator? Settling for a better protection of ‘life-sustaining’ critical infrastructures

By: Thibault Moulin

The failure of the fifth session of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) in 2017 put an abrupt halt to the definition of detailed rules for applying existing international law in cyberspace. If Cuba, China and Russia disagreed with the potential application of international humanitarian law or self-defence in cyberspace at the time,[i] the number of states that refuse to define rules might have grown since, as illustrated by the lack of support from the USA to the Paris Call for Trust and Security in Cyberspace. If states still aim at achieving a consensual agreement on what is acceptable – and what is not – in cyberspace, focusing on ‘lowest common denominators’ might appear as a potential solution.

As a matter of fact, most states agree that protecting critical infrastructures is essential. Measures were adopted at the regional scale, such as the EU Council directive 2008/114/EC, and several steps were also taken on the domestic sphere to protect them. Decrees and orders were for instance implemented by France[ii] and the USA,[iii] strategies in Germany,[iv] and laws in Belgium,[v] Spain etc.[vi] In the report of the UN GGE in 2015, a consensus revealed that ‘[a] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public’.[vii] A majority of states then supported a similar statement in the Paris Call, and pledged to ‘[p]revent and recover from malicious cyber activities that threaten or cause significant, indiscriminate or systemic harm to individuals and critical infrastructure’.

States do not only agree that critical infrastructures should benefit from a better protection, they also tend to agree on what is a critical infrastructure. According to the EU, ‘critical infrastructure’ means ‘an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions’.[viii] Belgian definition is only slightly different.[ix] Germany defines ‘critical infrastructures’ as ‘organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences’.[x] The American definition is the following: ‘the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters’.[xi] They include, in Australia, ‘those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security’.[xii] In Chile, a critical information infrastructure ‘includes the installation, networks, services and physical and information technology equipment whose impairment, degradation, rejection, interruption or destruction may have an important impact on the security, health and wellbeing of people and on the effective operation of the State and the private sector’.[xiii] Even China is looking for a better protection of these critical infrastructures.[xiv]

Jack Goldsmith wrote in 2011, though, that this ‘supposed alliance of interests is misleading’.[xv] For instance, he argued that ‘China is committed to the deployment of malicious agents inside our critical infrastructure (including banking systems) to make up for its relative weakness in traditional military capabilities in the event of a hot war. Combining this consideration with its relatively powerful control over its own critical infrastructures, China might think itself relatively better off, vis a vis the United States, by not giving up cyber threats against civilian infrastructures, including banking’. He adds that, ‘[s]imilarly, Iran or North Korea might want to maintain the threat of shutting down our electricity grid—even if doing so heightened the vulnerability of its own grid’. Even the refusal of the USA to join Paris Call might be linked to critical infrastructures at some point, as Washington apparently ‘worries about commitments to avoid using cyberattacks as a prelude to military action’ and ‘had a secret program, code-named “Nitro Zeus,” which called for turning off the power grid in much of Iran if the two countries had found themselves in a conflict over Iran’s nuclear program’.[xvi] Even in peacetime, states might admittedly not be ready to give up any interference with critical infrastructures – as illustrated by the series of counter-attacks between Iran and Saudi Arabia, and carried out on energy networks –[xvii] but the lack of direct casualties in the wake of such strikes is instructive. Even if discussions on the application of use of force or international humanitarian law are put off, it could be interesting for states to contemplate an agreement on a lowest common denominator: the prohibition of cyber-activities that target critical infrastructures, when they are likely to cause dramatic effects for life.