ABSTRACT
I explore reasons why existing defense has failed to prevent cyber attacks on critical infrastructure. I study one of the least studied notions of cyberspace behavior known as target distinction. Drawn from customary international law, the principle posits that states should tell their wartime targets between combatants and noncombatants and use force only toward military objects. States should not target critical infrastructure, like gas pipelines, because to do so harms civilian populations who use it.
I investigate four issues that keeps the principle from preventing attacks on critical infrastructure. The first is its inability to capture the networked nature of critical infrastructure beyond the simple dual-use (military and cyber) purposes. The second defect is the interpretive confusion that the principle generates over the rules of engagement. The third problem is the omission from its coverage of actors other than nation states. By design, the principle condones cyber attacks by nonstate actors on infrastructure, or by those whose linkage to state sponsors cannot be legally established. Finally, the principle is prone to fail when hackers lack proper understanding of what it does and does not allow.
Acknowledgments
I presented an early version of this article at the 2022 annual meeting of the International Studies Association in Nashville. I thank Michael Poznansky for constructive comments and Saint Louis University College of Arts and Sciences and the Department of Political Science for financial support on this research.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 I thank one of the reviewers for raising this important point.
2 I thank one of the reviewers for this comment.
3 Gallais and Filiol, “Critical Infrastructure,” pp. 80-87. The surveyed entities are Argentina, Asia-Pacific Telecommunity, Australia, Austria, Belgium, Brazil, Canada, Chile, Czech Republic, Denmark, Estonia, EU, Finland, France, Germany, Greece, Hungary, Iceland, India, Ireland, Italy, Japan, Kenya, Latvia, Lithuania, Luxembourg, Mauritius, Malaysia, Mexico, NATO, the Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Singapore, Slovakia, Slovenia, Spain, Sweden, Switzerland, UK, and USA.
4 Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, p. 420.
5 Article 24(2) of the draft Additional Protocol II.
6 Claudia Saladin, “Precautionary Principle in International Law,” International Journal of Occupational and Environmental Health, Vol. 6, No. 4 (2000).
7 Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, p. 11.
8 Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, p. 348.
9 Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, p. 470.
10 Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, p. 30.