New Technologies in International Law / Tymofeyeva, Crhák et al.

cost a city 775 million dollars only in a year, 61 a cheese distribution center which creates massive product shortages. 62 These are all recent examples of critical infrastructures being targeted by cyber-attacks and the ominous consequences that follow. It has become apparent that regulation is urgently needed. However, international law, has lagged significantly behind in its regulation of cyber operations, specifically on critical infrastructures. While the European Union is busy creating comprehensive regulations and directives which aim on the protection of critical infrastructures, 63 international law has been debating for the first ten years whether it applies to cyberspace, 64 and when this debate ended, how it can be applied, and if it is better to first apply non-binding norms. 65 This delay has created an even bigger gap and one may argue that has given states the signal that they will go unpunished if they organize or sponsor major cyber-attacks, hidden or not behind proxies. In this paper I submit that international law already has the tools to contribute to an effective protection of critical infrastructures against cyber operations, namely the due diligence -and by extension the no-harm- obligation, and the rule prohibiting intervention in the internal affairs of another state. I believe that these rules, with certain modifications-necessary for them to properly function in the cyber environment-can be important legal protections against cyber-attacks, by threatening legal repercussions both to aggressor and to negligent states who allow their systems to be used for such malicious purposes. Starting with due diligence and no-harm, I will give a brief recount of their origin and position within international law and I will underline their flexibility as international legal rules. Furthermore, I will consider the difficulties that they may face when applied to cyberspace and finally analyze how certain elements of the rules may be modified in order to apply to cyberspace. Subsequently, I will turn to the non-intervention principle analyzing its origins and its elements. Moreover, I will reflect on how these elements function in the cyber domain and whether they should be tweaked towards an effective application of the rule. 61 Fox-Sowell S, ‘New York lost $775M in cyberattacks on critical infrastructure in 2022, report says’ ( Statescoop , 10 October 2023) accessed 31 October 2023. 62 Maruf R, ‘The surprising reason you can’t find cream cheese anywhere’ ( CNN Business , 18 December 2021) accessed 31 October 2023. 63 See for example Regulation (EU) 2019/881, OJ L 151, European Parliament and Council, 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) OJ L 151; Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union [2022] OJ L333/80, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) OJ L 333. 64 UNGA, ‘Group of Governmental Experts on Developments in the Field of Information and Tele- communications in the Context of International Security’, UN Doc. A/68/98, para 19 (2013). 65 UNGA, ‘Group of Governmental Experts on Developments in the Field of Information and Tele- communications in the Context of International Security’, UN Doc. A/70/174, para 24 (2015).

25