Prohibition on Targeting Civilian Critical Infrastructure 8
States should not conduct or knowingly support cyber operations that intentionally damage critical infrastructure providing services to the public. This norm extends the longstanding international humanitarian law principle of distinction into the cyber domain, recognizing that attacks on civilian infrastructure can cause widespread humanitarian harm. It is the most frequently cited norm in international cyber policy discourse and the most frequently violated in practice.
Violated Repeatedly
State Responsibility for Proxy and Contractor Operations 4
States bear responsibility for cyber operations conducted by non-state actors operating under their direction, control, or with their knowing acquiescence. The norm derives from general principles of state responsibility and seeks to close the accountability gap created by state reliance on criminal proxies, patriotic hackers, and private military cyber contractors. Its application remains contested because the evidentiary threshold for proving effective control or direction varies across legal frameworks.
Contested
Proportionality in Cyber Operations 5
Cyber operations, including those conducted as countermeasures or in self-defence, must be proportional to the harm suffered or the legitimate military objective pursued. The principle requires that incidental civilian damage not be excessive relative to the concrete military advantage anticipated. Applying proportionality to cyber operations is challenging because cascading digital effects often propagate beyond the intended scope in ways that are difficult to predict or contain.
Partially Accepted
Duty to Disclose Vulnerabilities (Responsible Disclosure) 4
States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies. This norm reflects a growing consensus that stockpiling zero-day vulnerabilities for offensive purposes increases collective risk, as stockpiled exploits may leak or be independently discovered by adversaries. The tension between intelligence equities and defensive disclosure remains the central policy challenge.
Emerging
Non-Interference in Electoral Infrastructure 2
States should refrain from conducting or supporting cyber operations aimed at disrupting the electoral processes or institutions of another state. Electoral infrastructure is increasingly recognized as a subset of critical infrastructure deserving heightened protection, given the direct relationship between electoral integrity and democratic legitimacy. This norm has gained traction following high-profile incidents of election-related cyber operations, though enforcement mechanisms remain weak.
Partially Accepted
No-First-Use Norms in Peacetime Critical Infrastructure 3
States should refrain from pre-positioning offensive capabilities within the critical infrastructure of other states during peacetime. This emerging norm addresses the growing practice of implanting persistent access in energy, telecommunications, and water systems as a form of strategic preparation. Proponents argue that such pre-positioning is inherently destabilizing, analogous to mining a harbour in peacetime, while opponents contend it is indistinguishable from legitimate intelligence collection.
Emerging