The IAEA and other stakeholders, such as the Nuclear Threat Initiative (NTI) and Chatham House, have issued comprehensive guidance on how to enhance the cybersecurity of nuclear facilities at the national and international levels. Some states have also enacted domestic regulations to address cyber-nuclear risks in line with this guidance. Yet little work has been done to assess the rules of international law that apply to the protection of civil nuclear infrastructure from malicious cyber operations.
States have agreed that international law continues to apply in cyberspace, just as it applies to other technologies. This means that international law also applies to the cybersecurity of the civil nuclear sector and other critical infrastructure, including healthcare facilities, public transport, financial networks, and water and sanitation systems. The rules of international law are also mirrored in several norms of responsible state behaviour in the use of ICTs. These norms were developed by the UN Group of Governmental Experts (GGE) in 2015, and reaffirmed by all UN member states in 2021. Although the norms are not legally binding, they reflect ‘the expectations and standards of the international community regarding the behaviour of States in their use of ICTs’. International law, on the other hand, is binding on states through various sources, including treaties (i.e., agreements concluded between states governed by international law) or customary international law (i.e., unwritten rules that are formed through general state practice accepted as law).
No specific international legal regime protects the civil nuclear sector from cyber operations or other cybersecurity risks. Nonetheless, several rules of international law – whether general or specific in nature – apply to the issue, both in peacetime and during armed conflict. The purpose of this section is to lay out some of those rules, outlining the nature and level of protection they afford to civil nuclear infrastructure against the different cyberthreats discussed in the previous section. This section focuses on general rules of international law, such as sovereignty and non-intervention, as well as on some specific legal regimes, such as international human rights law and international humanitarian law (IHL). However, other rules and regimes not dealt with here for reasons of space might also apply to different aspects of the protection of civil nuclear infrastructure from cyber operations. Examples include international criminal law and disaster relief laws.
It is also important to note that most rules of international law, including some of those discussed here, are primarily binding on states. Therefore, any violation of such rules depends on the relevant conduct – an act or omission – being attributable to a state. Acts of private entities, however, are fairly common in the cyber context. Such acts may be attributed to a state insofar as the private entity concerned is, for example, under the complete dependence, direction or effective control of the state in question.
a. General protections under international law
i. Sovereignty
There is some controversy over whether sovereignty is just a guiding principle or a binding rule of customary international law. However, the latter view is more widely accepted. Assuming that sovereignty is indeed a binding rule, it stipulates that states have sovereign rights over their territories, property and population, as well as an obligation not to interfere in the sovereign prerogatives of other states. This rule might be breached by physical incursions into another state’s territory, and arguably by remote activity that interferes with or usurps another state’s inherently governmental functions. This means that when a state carries out a cyber operation that causes physical harm – or, in some instances, loss of functionality of ICT equipment or infrastructure – in another state’s territory, such action could amount to a violation of sovereignty. This notably includes instances where a cyber operation results in the need to repair or replace physical components of the targeted infrastructure. For example, a cyber operation that permanently or temporarily disables nuclear centrifuges or temperature sensors used for cooling nuclear reactors would likely violate the affected state’s sovereignty.
There are different views on whether cyber espionage per se is lawful under international law. But there is some agreement that, depending on the methods used, an intelligence operation could amount to a violation of a state’s sovereignty or other rules of international law. This means that the mere fact that an operation had a surveillance purpose would not preclude it from being internationally wrongful.
In the civil nuclear sector, cyber operations affecting the confidentiality, integrity or availability of data can seriously disrupt critical services, including the provision of energy and medical treatments using radiological materials. Such operations could, therefore, violate the sovereignty of targeted states.
ii. Non-intervention
A corollary of state sovereignty is the prohibition of intervention: states must not interfere in the internal or external affairs of other states by coercive means. A state’s internal or external affairs include the choice of its political, economic, social and cultural systems, its foreign policy, and other matters on which it can freely decide. The principle of non-intervention is well grounded in customary international law and applies in the cyber context.
There is no question that choices relating to nuclear or energy policy are a state prerogative and, as such, part of a state’s internal or external affairs. Accordingly, a cyber operation such as a distributed-denial-of-service attack or a ransomware attack directly damaging or disrupting a civil nuclear facility could easily be construed as coercive even if the targeted facility were operated by a private company. This would be the case, for example, if such an operation sought to curtail – or in effect curtailed – the targeted state’s ability to determine how best to use its nuclear resources. Certain information operations affecting the civil nuclear sector may also be coercive; these may include threats to attack civil nuclear facilities, and disinformation about radiation levels or the safety of nuclear energy more generally.
iii. Non-use of force
Under Article 2(4) of the UN Charter and customary international law, states must refrain from the threat or use of force against the territorial integrity or political independence of any state. Uses of force that rise to the level of an armed attack trigger the right to individual and collective self-defence, as recognized in Article 51 of the UN Charter and customary international law. Both the prohibition on the use of force and the right to self-defence apply in cyberspace. This means that cyber operations that, by their scale and effects, are akin to a kinetic use of force or that amount to a threat to use force would violate the prohibition. Examples include cyber operations causing or expected to cause death, injury or physical damage in the territory of another state, as was arguably the case with the Stuxnet worm in 2010. In the same vein, cyber operations of a higher intensity that are comparable to a conventional armed attack would trigger the right to individual and collective self-defence. Cyber operations causing significant loss of life or damage to or destruction of property could qualify as armed attacks.
Some states have specifically indicated in their national positions on international law in cyberspace that cyber operations targeting civil nuclear infrastructure, especially nuclear plants or reactors, could amount to a prohibited use of force or an armed attack. They have pointed to a nuclear plant meltdown, disruption to a nuclear reactor’s cooling process, and the ensuing widespread loss of life or damage as potential consequences of such cyber operations.
iv. Due diligence obligations
Another important corollary of state sovereignty is the obligation, incumbent on each and every state, ‘not to allow knowingly its territory to be used for acts contrary to the rights of other States’ – this is known as the Corfu Channel principle. A related obligation is the no-harm principle, which requires states to ‘take all appropriate measures to prevent significant transboundary harm or at any event to minimize the risk thereof’. Both are so-called ‘obligations of due diligence’, grounded in customary international law. They require states to behave responsibly with a view to preventing, stopping or redressing certain harms, irrespective of who or what is the source of harm – whether a state, a non-state actor or an accident. The higher the degree of harm or risk of harm, the greater the degree of care required from states. Where there is a risk of serious or irreversible environmental damage – as with the release of radiation – the precautionary principle comes into play, encouraging states to take preventive measures even in the face of scientific uncertainty.
There has been some debate as to whether these due diligence obligations apply in cyberspace. Part of the controversy comes from the fact that the GGE has recognized that states ‘should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’ as a non-binding norm of responsible state behaviour in cyberspace. That said, the GGE also made clear in its report that ‘norms do not seek to limit or prohibit action that is otherwise consistent with international law’. This suggests that the non-binding ‘norm’ framing cannot deprive a certain rule of its pre-existing international legal status. Thus, due diligence obligations arguably apply in the cyber context, given their wide scope and general applicability across all areas of state activity.
In cyberspace, compliance with those obligations means that states must do what they can to prevent, stop or redress known or foreseeable cyber operations that could contravene the rights of another state or cause significant harm in another state. There is little doubt that such harm includes physical damage such as loss of life, injury, or damage to property or the environment. These are all possible consequences of cyber operations targeting a civil nuclear facility’s industrial control systems.
Several measures could fulfil due diligence obligations in the civil nuclear sector. Of particular importance are the computer security measures recommended by the IAEA, which include: nuclear and computer security laws, regulations and policies; risk assessment and management; incident detection and response; control of access to nuclear facilities and their systems; network security; patch management; encryption; security audits and assessment; information sharing; incident response and reporting; training and awareness; capacity-building; and international cooperation.
b. Specific legal regimes
i. International human rights law
International human rights law is made up of human rights treaties as well as customary international law. These give rise to obligations a) to respect or refrain from interfering with human rights, b) to protect those rights, i.e. to take positive steps to prevent or redress human rights violations, and c) to ensure the full and progressive realization of those rights. There is no question that human rights apply online as they do offline, subject to jurisdictional requirements. Several human rights are implicated by cyber-nuclear risks, but the most prominent are the rights to life, health and privacy, and the freedoms of information and expression.
As noted earlier, cyber operations targeting industrial control systems at civil nuclear facilities can lead to equipment malfunction and the release of ionizing radiation. Radiological release, even if unlikely, can cause death or serious illness in human beings and damage to the environment, which are harms that might breach the rights to life and health. The same conclusion applies to cyber operations that manipulate, corrupt or block the transmission of data from sensors in nuclear equipment, where correct measurements are essential to the equipment’s proper functioning. Cyber operations can also disrupt energy supply, in turn affecting the health and well-being of an entire population. Moreover, cyber operations targeting health facilities where radioactive materials are used, such as in X-ray machines and radiotherapy centres, can directly interfere with the delivery of essential medical treatment.
Cyber operations targeting civil nuclear infrastructure can also affect the privacy of individuals, particularly the staff of nuclear facilities. This is especially the case with electronic surveillance operations targeting personal data held by civil nuclear facilities. Another example would be spear-phishing campaigns targeting staff to gain access to those facilities. Cyber operations against the civil nuclear sector can also have a psychological impact. Concerns such as the reasonable fear of radiation release may affect the mental well-being of individuals, thus breaching the rights to health and privacy.
Information operations involving the civil nuclear sector can also interfere with the right to freedom of expression and information – the right of individuals to freely seek, receive and impart information and ideas of all kinds, regardless of frontiers. In particular, this right requires states to refrain from disseminating false or misleading information, and to promote the dissemination of truthful information, online and offline.
ii. International humanitarian law
International humanitarian law (IHL) is grounded in treaties and customary international law. It applies during international or non-international armed conflict to govern the deployment of all kinds of weapons and military operations, which would logically include any involving ICTs. IHL prohibits attacks against civilian objects, including civil nuclear facilities and arguably civilian data stored therein. Cyber operations ‘reasonably expected to cause injury or death to persons or physical damage or destruction to objects by means or effects’ constitute an attack for the purposes of IHL. As noted earlier, this is arguably the case with cyber operations targeting industrial control systems at civil nuclear facilities. In the view of the International Committee of the Red Cross (ICRC), cyber operations designed to disable or render dysfunctional a computer or a computer network and that significantly disrupt essential services may also constitute an attack under IHL, even if no physical damage ensues. This could include cyber operations against a variety of systems used by nuclear power plants – including those other than industrial control systems, such as databases and commercial networks – where such operations significantly disrupt the provision of nuclear energy.
The principle of precaution requires parties to an armed conflict to take constant care to spare civilians and civilian objects during any military operation. Under Additional Protocol I to the Geneva Conventions, and arguably under customary international law as well, particular care must be taken in the case of installations containing dangerous forces, including nuclear electrical generating stations, to prevent such forces from being released and severe losses from occurring among the civilian population. The principle of proportionality also stipulates that the expected incidental harm against civilians and civilian objects must not be greater than the concrete military advantage anticipated from an attack. Given the potentially catastrophic effects of cyber operations against civil nuclear infrastructure, it is hard to see how the incidental harms could be proportionate in such cases.
For example, in 2017, during the armed conflict in eastern Ukraine, a cyber operation hit the Chernobyl power plant, knocking its automated radiation-monitoring system offline and forcing staff to fall back on manual monitoring. This system is vital to maintaining the safety of civilians on the site and in areas around it. Thus, the cyber operation likely amounted to an attack under IHL (the IHL notion of ‘attack’, which is distinct from the ‘armed attack’ threshold of Article 51 of the UN Charter discussed above), and its risks likely outweighed any military advantage sought. Similarly, as discussed earlier, the effects of a cyber or hybrid attack against the Zaporizhzhia nuclear power plant could include not only the disruption of power supply to civilians in Ukraine but also the release of radiation. Therefore, such an attack would likely be disproportionate.
To bolster the implementation of IHL at the national level, states should consider including specific sections on how IHL applies to cyber operations against civil nuclear infrastructure in their national defence and cybersecurity strategies, as well as in their military manuals and rules of engagement.
iii. Nuclear-specific treaties
Several treaties deal with different aspects of nuclear safety and security. These do not have specific provisions for cyber-nuclear threats. However, their scope is sufficiently wide to cover different types of intentional or accidental cyber incidents affecting civil nuclear facilities.
The most relevant of these treaties is the Convention on the Physical Protection of Nuclear Material (CPPNM) and its 2005 Amendment. As noted by the IAEA, ‘computer security is a cross-cutting discipline that has interactions with all other areas of security in a nuclear facility’. Accordingly, ‘electronic compromise can lead to degradation or loss of certain physical protection functions’. On this basis, intentional cyber operations targeting civil nuclear facilities could amount to the crime of nuclear sabotage. Under Article 7 CPPNM, nuclear sabotage includes any ‘act directed against a nuclear facility, or an act interfering with the operation of a nuclear facility, where the offender intentionally causes, or where he knows that the act is likely to cause, death or serious injury to any person or substantial damage to property or the environment by exposure to radiation or release of radioactive substances’. Furthermore, under Article 2A CPPNM, states must establish, implement and maintain an appropriate physical protection regime applicable to nuclear material and nuclear facilities under their jurisdiction. The aim is to protect nuclear material and nuclear facilities against sabotage, and to mitigate or minimize the radiological consequences thereof. Further, where there is a credible threat of sabotage of nuclear material, states must cooperate, including by sharing relevant information with other states and the IAEA, in line with Article 5 CPPNM.
The International Convention for the Suppression of Acts of Nuclear Terrorism criminalizes as ‘nuclear terrorism’ serious forms of nuclear sabotage, including any unlawful and intentional use of or damage to a nuclear facility in a manner that releases or risks the release of radioactive material – whether by physical or digital means. This convention also requires states to cooperate with a view to preventing and countering acts of nuclear terrorism in their territory, including when such acts are carried out or facilitated by cyber operations. States parties must also ‘make every effort to adopt appropriate measures to ensure the protection of radioactive material, taking into account relevant recommendations and functions of the [IAEA]’.