The international community has steadily built a framework of voluntary norms and interpretive guidance that applies existing law to state conduct in cyberspace. These building blocks are necessary but not sufficient when cyber operations cross the threshold into armed conflict or when hybrid campaigns blend kinetic and digital effects. Policymakers must move from broad statements of principle to implementable, verifiable measures that protect civilians, preserve stability, and reduce the risk of escalation.

The baseline: law, norms, and practical gaps

Since 2015 states and UN processes have articulated voluntary norms of responsible state behavior and in 2021 the Group of Governmental Experts reaffirmed the applicability of international law to state conduct in cyberspace while cataloguing confidence building measures and capacity building priorities. These norms set expectations on critical infrastructure, supply chains, incident response and cooperation, and noninterference in the internal affairs of other states. They are foundational political commitments and a useful reference for conflict settings.

At the same time, legal interpretation projects and humanitarian organizations have emphasized that international humanitarian law applies in armed conflict and that cyber operations can create serious civilian harms. The Tallinn Manual series provides an authoritative, expert-driven reading of how long standing legal rules map onto cyber operations. The International Committee of the Red Cross has urged states to clarify how IHL obligations should translate into operational safeguards for civilians and civilian infrastructure in cyber contexts. These sources point to an urgent need for clearer thresholds and practical safeguards.

Implementation obstacles are practical and political. Attribution difficulties, the ubiquity of dual use infrastructure, the role of nonstate actors, and the cross-border effects of commercial technologies limit the efficacy of voluntary norms on their own. Scholarly and policy work has highlighted that norms without accountability measures or operational guidance produce gaps that can be exploited during conflict. Any policy package for conflicts must therefore combine normative clarity with operational modalities for verification, response and remediation.

Policy recommendations

1) Define operational thresholds for when cyber activity triggers IHL protections and when an operation may be considered a use of force or an armed attack. Rationale. Ambiguity about thresholds creates dangerous room for differing state interpretations during crises. A limited, negotiable set of markers based on effects, intent, and consequences will help practitioners calibrate responses and reduce inadvertent escalation. Use the Tallinn Manual reasoning as a starting interpretive text while working toward a common, politically agreed short list of indicators.

2) Codify protection requirements for civilian critical infrastructure and civilian data during armed conflict. Rationale. States and humanitarian actors have warned about the humanitarian consequences of disrupting civilian services and data systems. A focused protocol that obliges feasible precautions, advance risk assessments, and post-incident remedial measures will protect civilians while remaining practicable for military planners. The ICRC’s recommendations on protecting civilian data and infrastructure should be incorporated into operational doctrine and multilateral guidance.

3) Make attribution processes more transparent and multilateral. Rationale. Attribution is challenging but necessary for accountability. States should commit to shared procedures for evidence standards, confidence building through joint technical assessments, and third party technical channels that preserve sensitive data while enabling collective determination. This should include protocols for controlled, timebound information sharing with trusted technical partners and relevant international bodies. Scholarly analyses warn that gaps in attribution undermine norm compliance unless counterbalanced with transparent processes.

4) Establish an incident response and deconfliction mechanism specifically for conflict-related cyber incidents. Rationale. Existing CERT and CSIRT networks play vital roles in peacetime, but conflict contexts require a secure, politically backed mechanism for rapid information exchange to reduce miscalculation. This could take the form of a treaty-level or UN-facilitated channel that operates during crises to validate incidents, coordinate mitigation for civilian systems, and manage escalation risk. The system should include representation from technical, military and humanitarian sectors.

5) Build accountability pathways that combine incentives and consequences. Rationale. Purely voluntary norms need reinforcement. Practical measures include agreed public incident reporting standards, independent technical assessment teams, graduated sanctions or dispute resolution procedures for severe violations, and incentives for states that demonstrate consistent compliance. Accountability does not require a single global court for cyber issues. It does require predictable, politically durable processes that link evidence to responses. Policy analysts have underscored that norms without accountability produce credibility gaps that adversaries will exploit.

6) Integrate the private sector and civil society into norm implementation and verification. Rationale. Much of the cyber ecosystem is privately owned and operated. Inclusion of major providers, infrastructure operators, and independent researchers in norm implementation, joint exercises, and transparency measures is essential. Mechanisms should protect sensitive commercial information while enabling independent forensic contributions to attribution and remediation. Private actors should be incentivized to adopt conflict-appropriate incident disclosure practices and to participate in multilateral response channels.

7) Prioritize capacity building and regional approaches. Rationale. Global norms mean little if many states lack the technical or policy capacity to implement them. International assistance programs should focus on strengthening national incident response capabilities, secure supply chain management, legal and policy frameworks, and humanitarian protections. Regional organizations can translate global norms into context specific confidence building measures and rapid liaison arrangements during conflicts. The UN process has already emphasized capacity building as foundational.

8) Address nonstate actors and coercive private sector behavior. Rationale. Norms aimed only at states will not stop mercenary groups, criminal actors, or malicious private sector practices that affect conflict dynamics. States should commit to domestic legislation that criminalizes support to malicious cyber actors, to measures that curb the sale and proliferation of offensive cyber capabilities without oversight, and to international cooperation frameworks for countering cyber-enabled mercenary activities. Scholarly work has shown that norms struggle to address the nonstate dimension unless paired with domestic enforcement and international cooperation.

9) Create a multistakeholder review and update cadence that keeps pace with technology. Rationale. Rapid changes in AI, automation, and offensive tooling mean that normative frameworks must be living instruments. A regular review mechanism, with input from states, militaries, technical experts, civil society and the private sector, will allow updates, test scenarios, and lessons learned to be integrated into doctrine and practice without waiting for crises to force change. The UN processes and multilateral fora should host those reviews.

Implementation roadmap

Short term (6 to 18 months)

  • Convene a high level panel to agree on a compact set of operational thresholds and definitions relevant to conflict.
  • Pilot a conflict incident deconfliction channel with a small, diverse group of states plus technical observers and humanitarian liaisons.
  • Begin regional capacity building programs focused on incident response for civilian infrastructure.

Medium term (18 to 36 months)

  • Negotiate and adopt an instrument that binds participating states to verification and transparency mechanisms for serious conflict-related cyber incidents. The instrument can remain incremental and modular, starting with procedural commitments rather than comprehensive binding prohibitions.
  • Institutionalize multilateral attribution consultation procedures with protected evidentiary sharing protocols.

Long term (36 months and beyond)

  • Work toward an integrated norm complex that ties operational law, humanitarian protections and accountability procedures to technology specific safeguards for AI and automated cyber tools used in or near conflict zones.
  • Expand regional mechanisms and embed norm compliance into military doctrine and procurement practices.

Conclusion

The core goal is simple. When cyber operations intersect with armed conflict they must be governed by rules that minimize civilian harm, reduce the risk of escalation, and provide predictable accountability. The international community already has a framework to build on. The urgent task for 2024 and beyond is to convert political consensus into concrete operational measures that survive the fog of war. That requires legal clarity, practical incident mechanisms, multistakeholder engagement, capacity building, and durable accountability. If states act now to fill the gaps between principle and practice they will reduce the odds that future conflicts spill across the cyber and kinetic divide in ways that are catastrophic for civilians and for global stability.