Protecting Critical Infrastructure in Cyber Warfare: Is It Time for States to Reassert Themselves?
When Russia uses a “combination of instruments, some military and some non-military, choreographed to surprise, confuse, and wear down" Ukraine, it is termed hybrid warfare. The term also refers to conflicts, which are both international and non-international in character, such as the ongoing conflict in Syria. Overlapping conventional and asymmetric tactics in an armed conflict — as when Russia simultaneously conducted cyber-attacks during a conventional invasion of Georgia in 2008 — also gets the hybrid warfare label. Or, as Professor Bobby Chesney wrote regarding U.S. operations in Somalia, hybrid warfare can include “a sophisticated approach that layers together a panoply of low-visibility (to the public both here and there) tools” to conduct counter-terrorism operations in failing states.
In other words, “hybrid warfare” has become a shorthand way to describe the various complexities of the modern battlefield. Hybrid warfare — regardless how the term is used — clearly raises several challenging and important legal issues. Some of these issues include finding a workable approach to enforcing the principle of distinction, properly classifying conflicts, and understanding the roles of the military and law enforcement in contemporary warfare. Yet, perhaps no aspect of hybrid warfare generates more legal questions than operations in cyberspace.
Cyberspace, defined as “a global domain within the information environment that encompasses the interdependent networks of information technology infrastructures, including the internet and telecommunication networks,” is quickly becoming the decisive battleground in warfare. National armed forces, and more specifically technologically advanced militaries, rely upon their information networks for command and control, intelligence, logistics, and weapon technology, making protecting these assets a priority. Arguably, however, the greatest vulnerability for an advanced State engaged in an armed conflict is its reliance on the cyber domain to operate the critical infrastructure essential for societal functions.
The catastrophic results of losing the essential services provided by critical infrastructure are immense and, potentially, could result in a State being incapable of conducting military operations. Recognizing this vulnerability, this Essay therefore critically examines how the law of armed conflict protects such objects and activities. In doing so, the Essay concludes that heightened protections for critical infrastructure from cyber-attacks are necessary and suggests looking to the existing framework of special precautionary protections as a model for greater legal safeguards.