This analysis argues that sporadic national policies and voluntary norms are not enough to protect critical infrastructure from cyberattacks in today’s volatile geopolitical climate. Despite growing threats, from Chinese state-sponsored hackers pre-positioning in U.S. grids to actual attacks on European energy and nuclear facilities, most countries still lack adequate laws and the current international cooperation is limited and ad-hoc. The authors mention that even though UN member states agreed in 2015 that international law applies in cyberspace and adopted norms to refrain from targeting critical infrastructure, these measures have had “negligible impact” as the list of cyber incidents keeps growing. With cyber-attacks on vital systems becoming a “new normal” amid great-power tensions (e.g. Russia–Ukraine war fallout), the paper calls for a binding global treaty focused on safeguarding critical infrastructure. Such a treaty, the authors suggest, could establish positive obligations for states (like minimum cybersecurity standards and assistance during incidents) and prohibit reckless behavior, without necessarily mirroring Russia’s politicized proposals or an overly broad “Digital Geneva Convention.” They urge the EU and like-minded partners to take the lead in crafting this agreement, as a concrete step to “raise the global level of cybersecurity” and strengthen collective resilience.
