Hybrid warfare no longer separates the digital from the physical. Adversaries combine cyber intrusions, information manipulation, maritime sabotage, and unmanned systems into campaigns designed to create persistent coercion below the threshold of declared armed conflict. For international policy to be meaningful, norms must reflect that convergence and close the gap between legal theory and operational reality.
First principle: clarify the legal thresholds that govern state conduct in cyberspace and across the cyber-kinetic boundary. The Tallinn Manual process and its ongoing revision work provide a technical legal baseline that states and military planners already use when deciding whether a cyber operation qualifies as a use of force, an armed attack, or an internationally wrongful act. Translating those analytic tools into clearer, widely accepted political commitments will reduce ambiguity and narrow the window for escalatory miscalculation.
Second principle: establish protective norms for identified categories of critical civilian infrastructure that are uniquely vulnerable to hybrid tactics. Undersea cables, electrical interconnectors, water treatment systems, civil aviation navigation aids, and commercial satellite ground stations all sit at the intersection of cyber and physical domains. The wave of undersea cable and related incidents in the Baltic region in late 2024 demonstrates how damage to physical infrastructure can rapidly produce cross-border effects on communications and energy without traditional kinetic signatures. Norms should prohibit deliberate damage to civilian critical infrastructure in peacetime and call for shared protection measures and joint investigative arrangements when incidents occur.
Third principle: create credible, collective mechanisms for attribution and calibrated response. Attribution is technical but it is also political. States that lead consensus-based attribution statements improve deterrence by narrowing deniability and raising costs for malicious actors. Attribution should be coupled to a menu of proportionate responses ranging from diplomatic measures and sanctions to coordinated cyber disruptions of hostile actors and law enforcement cooperation against criminal enablers. The United States and partner coalitions have already prioritized coordinated attribution and consequences in their strategies; international policy must expand cooperative frameworks so that small and medium powers can rely on coalition mechanisms rather than face retaliation alone.
Fourth principle: integrate norms into hybrid response toolkits and capacity building. Political agreements are only useful when they are implemented. The European Strategic Compass and the operationalization of hybrid rapid response capabilities show how policy can move toward operational readiness by combining civilian, military, and technical assets into deployable teams capable of rapid incident analysis, attribution support, and remediation assistance. Norms should therefore be tied to concrete instruments: rapid investigative teams, agreed forensic standards, shared playbooks for maritime and undersea incidents, and mechanisms for rapid information sharing across jurisdictions.
Fifth principle: regulate the cyber dimensions of autonomous and remote systems when used in hybrid campaigns. As drones, uncrewed surface and underwater vessels, and AI-enabled targeting tools proliferate, states must agree on constraints that reduce escalatory risk and civilian harm. That means commitments on dual-use delivery platforms and on practices such as misuse of commercial UAVs for sabotage, and it means integrating norms about transparency, non-interference, and responsible development into export controls, licensing, and multilateral confidence building.
Operational recommendations
1) A narrow, high-value list of protected systems. States should negotiate an initial list of civilian infrastructure elements that receive a heightened presumption of protection in peacetime. The list should be evidence-driven, time limited, and expandable. Inclusion does not immunize systems from legitimate military necessity in armed conflict, but it does raise the political cost of peacetime interference.
2) An incident playbook with shared forensic standards. International fora should agree on minimum technical and evidentiary standards for post-incident investigations so that independent technical findings can feed political processes. Shared standards speed attribution, enable mutual legal assistance, and reduce the space for competing narratives.
3) A coalition-based attribution mechanism. Build a durable consortium model that allows states to pool technical intelligence and, when appropriate, issue joint attribution and consequence packages. This should include pathways for smaller states to participate, and safeguards that limit politicization and false positives.
4) Confidence building and transparency measures. Regular exchanges on doctrine and intent, notifications of large-scale cyber exercises, and voluntary “no-attack” lists for humanitarian and emergency response systems will lower miscalculation risk. Multistakeholder exercises that include private operators of critical infrastructure are essential.
5) Norms for private sector behavior and supply chain resiliency. Since much critical infrastructure is privately owned, international norms must emphasize corporate cyber hygiene, information sharing, and resilience standards. Governments should incentivize responsible vendor practices through procurement rules and international cooperation to harmonize technical standards.
6) Capacity building tied to reciprocity. Agreements should incorporate capacity-building commitments so that states that agree to norms also help partners meet obligations for protection and monitoring. This reduces free-rider dynamics and strengthens regional resilience against hybrid campaigns.
7) A graduated response ladder. States should pre-define a calibrated menu of responses for peacetime malicious activity that falls short of armed attack. This ladder should range from public attribution and sanctions through to lawful cyber operations against clearly identified malicious infrastructure, accompanied by legal and oversight mechanisms.
Institutional pathway
Short term (0–18 months): codify a compact of political commitments among like-minded states that operationalizes existing legal frameworks and establishes shared forensic standards. Use UN multilateral processes and regional organizations to anchor these commitments, and pilot a coalition attribution mechanism in parallel.
Medium term (18 months–3 years): scale operational capacity with hybrid rapid-response teams that embed technical experts, legal advisors, and investigators who can deploy on request to examine cross-border incidents involving cyber-physical effects. Expand joint exercises that rehearse attribution, evidence sharing, and coordinated consequences.
Long term (3–5 years): institutionalize a routine, transparent dialogue at the UN or a comparable multilateral body that converts political norms into living practice. This forum should coordinate capacity building, update protected-systems lists, and assess norm adherence, while protecting sensitive sources and methods.
A closing caution
Norms are only as strong as the coalition that defends them. In an era of asymmetric and hybrid competition, the temptation to respond in ad hoc or unilateral ways is strong. States that want a stable international order must invest in the hard, often behind-the-scenes work of harmonizing law, agreeing technical standards, and sharing the burden of deterrence. That is how we make hybrid actors pay a price for coercive campaigns aimed at fracturing alliances and undermining civilian resiliency.
The next year offers a window for states to translate broad statements of principle into operational mechanisms that reflect the blended reality of cyber-physical conflict. If policy stays abstract, adversaries will continue to exploit seams between legal regimes and between digital and kinetic domains. If policy becomes operational, we gain leverage over hybrid campaigns and create practical incentives for responsible behavior in a world where bytes and bullets increasingly travel together.