Written by Sarah Wydra

Introduction

On August 13, 2025, the Norwegian Police Security Service disclosed pro-Russian hackers were likely behind a breach of the Bremanger dam’s control system in April 2025.¹See Ferdinand Knapp, Russian Hackers Took Control of Norwegian Dam, Police Chief Says, Politico Europe (Aug. 13, 2025), https://www.politico.eu/article/russian-hackers-took-control-norwegian-dam-police-chief-says. The breach is attributed to a weak password and insufficient access controls.²See Anna Ribeiro, Lake Risevatnet dam hack exposes industrial cyber gaps as weak passwords risk critical infrastructure attacks, Industrial Cyber (July 1, 2025), https://industrialcyber.co/industrial-cyber-attacks/lake-risevatnet-dam-hack-exposes-industrial-cyber-gaps-as-weak-passwords-risk-critical-infrastructure-attacks. As a result, 500 liters of water per second were released for a period of four hours.³See Knapp, supra note 1. Although the dam is primarily used for fish farming, the scale of the attack highlights an increase in infrastructure sabotage driven by nation-state interests.⁴See Andrew Doyle, Norway Attributes Dam Cyberattack to Russian Hackers, Sec. Daily Rev. (Aug. 22, 2025), https://dailysecurityreview.com/cyber-security/norway-attributes-dam-cyberattack-to-russian-hackers. Russia has a long track record of employing state-sponsored groups to target critical infrastructure, including the 2022 deployment of “Industryer2” malware designed to plunge Ukraine’s eastern regions into darkness.⁵See Rob Wright, Industroyer2: How Ukraine Avoided Another Blackout Attack, SearchSecurity (TechTarget) (Aug. 10, 2022), https://www.techtarget.com/searchsecurity/news/252523694/Industroyer2-How-Ukraine-avoided-another-blackout-attack. Russia provides a critical case study in cyber conflict. Historically focused on Eastern Europe, Russia’s operations now extend west, as seen in the Norway infiltration.⁶See Benedicte Dobbinga, Research: Europe Increasingly Targeted by Russian Sabotage, Leiden Univ. (Jan. 20, 2025), https://www.universiteitleiden.nl/en/news/2025/01/research-europe-increasingly-targeted-by-russian-sabotage. Scholars warn that these incidents reveal a growing “cyber dimension of hybrid warfare,” where cyberattacks are the weapon drawn on a modern battlefield.⁷Nedelcho Mihaylov, Cyber Dimensions of a Hybrid Warfare, CyberPeace Institute. (Apr. 8, 2025), https://cyberpeaceinstitute.org/news/cyber-dimensions-of-a-hybrid-warfare/#ftnt20; Marta Chodyka et al., Critical Infrastructure Security Management in the Era of Cyber Threats, European Research Studies Journal, vol. XXVIII, no. 2, pp. 610–21, 611 (2025) (“Cyber attacks on energy, water, transportation or financial systems are becoming increasingly sophisticated, and their effects can be comparable to the consequences of traditional physical attacks”). Attacks on critical infrastructure can paralyze an entire state without conventional military force, with effects that rival conventional warfare.⁸See Emma Burrows, Norwegian Police Say Pro-Russian Hackers Were Likely Behind Suspected Sabotage at a Dam, AP News (Aug. 13, 2025), https://apnews.com/article/russia-norway-dam-sabotage-cyberattack-16673f35c17aacf5ed871918136bdf6f; Waldemar Skomra & Katarzyna Wojtasik, Critical Infrastructure as a Target for Hybrid Operations: Case Studies of Attacks Against the Facilities and Systems of CI, Terroryzm—Studia, Analizy, Prewencja (Special Issue) 13, 14, 15 (2025) (stating in the case of a coordinated attack on several sectors, such as energy, transport and telecommunications, without the use of conventional military force, the effects can be comparable to warfare).

Yet, current international law has largely failed to adequately account for cyberattacks by state-sponsored groups on critical infrastructure.⁹See Anusha Pakkam, The Evolving Interpretation of the Use of Force in Cyber Operations: Insights from State Practices, Lieber Inst. (Nov. 25, 2024), https://lieber.westpoint.edu/evolving-interpretation-use-of-force-cyber-operations-insights-state-practices. Undefined principles of “use of force” and “armed attack” in cyberspace prevent States’ ability to legally respond to these attacks.¹⁰See Matthew C. Waxman, Cyber Attacks as “Force” Under UN Charter Article 2(4), 87 Int’l L. Stud. 43 (2011), https://scholarship.law.columbia.edu/faculty_scholarship/847. A binding cyber treaty, grounded in voluntary norms, could close the accountability gap by clarifying these definitions and establishing accountability that enables States to lawfully respond in self-defense to state-sponsored cyberattacks on critical infrastructure.

Current International Law

The U.N. Charter provides the foundation for regulating force in international law.¹¹See generally, U.N. Charter arts. 2(4), June 26, 1945, 59 Stat. 1031, T.S. No. 993. Article 2(4) prohibits the “threat or use of force against the territorial integrity or political independence of any state.”¹²See id. The term “force” in Article 2(4) is widely interpreted to refer specifically to “armed force,” such as military force by a State’s armed forces or non-state actors acting on its behalf.¹³Enenu Onyikwu Okwori, Cyber-Attacks as an Emerging Use of Force under International Law, 11 Aberdeen Student L. Rev. 33 (2022). Article 51 then preserves “the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations.”¹⁴U.N. Charter arts. 51, June 26, 1945, 59 Stat. 1031, T.S. No. 993 (emphasis added). The International Court of Justice has clarified that these provisions apply regardless of the weapon involved,¹⁵See Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 93 ¶ 195 (June 27)  (“[T]he Court sees no reason to deny that, in customary law, the prohibition of armed attacks may apply to the sending by a State of armed bands to the territory of another State, if such an operation, because of its scale and effects, would have been classified as an armed attack rather than as a mere frontier incident had it been carried out by regular armed forces.”). while the International Law Commission’s Draft Articles on Responsibility of States for Internationally Wrongful Acts holds States responsible for actions taken by them or by state-sponsored groups.¹⁶Int’l Law Comm’n, Draft Articles on Responsibility of States for Internationally Wrongful Acts, U.N. Doc. A/56/10 (2001). However, the Charter and its non-binding successors were drafted in the pre-digital era, where its provisions are explicit in governing conventional warfare but far less clear in the cyber context.

Drawing From the Tallinn Manual 2.0

One framework that has attempted to close the accountability gap created by Articles 2(4) and 51 when applied to cyberspace is the Tallinn Manual 2.0.¹⁷Michael N. Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge Univ. Press (2nd. Ed. 2017) [hereinafter Tallinn Manual 2.0]. The Tallinn Manual 2.0 was developed by academic experts under NATO’s Cooperative Cyber Defense Centre of Excellence.¹⁸See id. at 1; Justin Malzac, Leveraging Domestic Law Against Cyberattacks, 11 Nat’l Sec. L. Brief 1 (2021). It tailors existing international law to cyberspace, offering an effects-based definition of “use of force” and “armed attack.”¹⁹See Tallinn Manual 2.0, supra note 17, at 330 (proposing “Rule 69 – Definition of use of Force” in which “[A] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of use of force”). It further establishes that when a State equips an armed group with malware and the skills to conduct cyber operations against another state, and those operations rise to the level of a use of force, the sponsoring State itself is considered to have committed a use of force.²⁰See id. at 332 (comparing state-sponsorship of a group equivalent to the Nicaragua judgment of the ICJ). The Tallinn Manual 2.0 highlights the protections a binding cyber treaty could establish to protect States’ critical infrastructure from state-sponsored cyber-attacks.²¹See id. at 334 (stating cyber operations that cause physical harm on critical national interests are likely uses of force). Without such codification, adversarial States will continue exploiting the legal vacuum by outsourcing attacks to state-sponsored hackers.

Defining “Use of Force” and “Armed Attack”

International law currently struggles to define when a cyber operation conducted by a state-sponsored group constitutes a “use of force” to qualify as an “armed attack” on critical infrastructure.²²See Pakkam, supra note 9.   A cyber treaty could adopt the Tallinn Manual 2.0’s effects-based definition, which focuses on the severity and consequences of an attack rather than the means or target.²³See Tallin Manual 2.0, supra note 17, at 330. This definition establishes that state-sponsored cyberattacks on critical infrastructure, when akin to destructive physical attacks, constitute armed attacks.²⁴See id. at 332, 333 (a state that provides support to a proxy group in order to conduct cyberattacks against another State to physically damage or destroy objects are uses of force). For example, a state-sponsored cyberattack that “completely blows out a power grid” may be deemed a use of force amounting to an armed attack under a binding cyber treaty because it is equivalent to a missile striking a power grid to achieve the same response.²⁵See id.; Wright, supra note 5 (describing a State that uses malware to attack an energy company can leave more than 2 million people in the dark). On the other hand, a state-sponsored cyberattack on non-critical infrastructure, such as a dam used for fish farming, would likely not qualify as an armed attack due to its lack of severity.²⁶See Tallin Manual 2.0, supra note 17, at 334 (arguing a cyberattack on property that causes mere inconvenience than physical harm to individuals will likely not constitute an armed attack); See generally, Doyle, supra note 4 (describing a Russian cyberattack on a Norwegian dam that was only used for fish farm and was not considered critical infrastructure). A binding definition of  “use of force” and “armed attack” against critical infrastructure by state-sponsored hackers will also create legal safeguards for victim States to act in self-defense.²⁷See id. at 344, 345 (stating state-sponsored groups that undertake cyber operations on behalf of one State directed against another State that meet the required scale and effects level amount to an armed attack allowing a self-defense response). In the previous examples, the State in which the power grid is located would have the legal right to act in self-defense against the adversarial State, while the State home to the fish farming dam would not. Therefore, a new treaty would hold adversarial States accountable for cyberattacks conducted on their behalf, diminishing the legal vacuum that has let them use state-sponsored hackers to harm civilians.²⁸See Patryk Pawlak & Aude Géry, Why the World Needs a New Cyber Treaty for Critical Infrastructure, Carnegie Endowment (Mar. 28, 2024) https://carnegieendowment.org/research/2024/03/why-the-world-needs-a-new-cyber-treaty-for-critical-infrastructure?lang=en.

Some states may resist the idea of a binding cyber treaty, contending that non-binding norms provide sufficient guidance, and others may argue that the UN Charter already governs cyber operations. Yet the growing wave of Russian-sponsored cyberattacks against critical infrastructure suggests otherwise.²⁹See generally Knapp, supra note 1. Voluntary norms set out in the Tallinn Manual 2.0 lack enforceability, and current international law fails to capture the ever-evolving cyberspace. Together, these limitations demonstrate that existing approaches are inadequate to deter cyberattacks on critical infrastructure by state-sponsored hackers.

Conclusion

While the Russian-sponsored cyberattack on the Bremanger dam is not likely to constitute a use of force amounting to an armed attack under international law, cyberattacks like Industroyer2 underscore the need for a binding cyber treaty to protect critical infrastructure. The global digital world has advanced well beyond the scope of Articles 2(4) and 51, exposing how traditional international law fails to govern modern-day warfare.³⁰See Okorwi, supra note 13 at 34. Instead, adopting the Tallinn Manual 2.0’s definition of “use of force” and “armed attack” in a cyber treaty would better safeguard essential services on which civilian populations depend.³¹See Pawlak & Géry, supra note 28 (“Cyber attacks on critical information infrastructure raise concerns about the functioning of digital societies and cause harm to civilian populations.”). Further research into developing an internationally agreed-upon glossary of terms related to cyber operations would be beneficial to reduce ambiguity in future international discussions of legal instruments.³²See generally Justin Malzac, Leveraging Domestic Law Against Cyberattacks, 11 Nat’l Sec. L. Brief 1, 7 (2021) (stating there is little consensus on cyber definitions).   However, in the short term, as pro-Russian hackers are more apt to exploit critical infrastructure vulnerabilities through fear-driven operations,³³See Miranda Bryant, Russian hackers seized control of Norwegian dam, spy chief says, The Guardian (Aug. 14, 2025) https://www.theguardian.com/world/2025/aug/14/russian-hackers-control-norwegian-dam-norway (“The aim of this type of operation is to influence and to cause fear and chaos among the general population. Our Russian neighbour has become more dangerous.”). like the Bremanger dam incident, mitigation depends on increased federal and state funding.³⁴See generally Anna Ribeiro, Oslo warns of escalating Russian cyber threat after dam breach, citing Moscow as biggest risk to national security, Industrial Cyber (Aug. 15, 2025) https://industrialcyber.co/industrial-cyber-attacks/oslo-warns-of-escalating-russian-cyber-threat-after-dam-breach-citing-moscow-as-biggest-risk-to-national-security (“Funding may come from federal grants like the state and local cybersecurity grant program, but there is to date, no legislation to support this.”). Expanded investment in skilled cybersecurity professionals, monitoring tools, operator training, and proactive defenses would make it harder for state-sponsored hackers to compromise a country’s critical infrastructure.³⁵See id. (“[U]tilities lack the resourcing to attract and retain qualified practitioners and are using more managed services to monitor networks and operational technologies as a means of minimizing the impact of successful attacks.”); see Ribeiro, supra note 2 (“Not every vulnerability become an incident, but this attack underscores the urgency of proactively securing remote interfaces, especially in systems never designed for internet connectivity.”). Yet, only a binding cyber treaty can effectively protect Western states’ critical infrastructure by deterring adversarial state-sponsored cyberattacks and providing a clear legal framework for self-defense in the event of such attacks.