When everything is critical, who protects it? What do cyber norms actually tell us to do? And how, and by whom?
Dependence on digital infrastructures is continuously increasing, from energy grids to healthcare systems, making them an ever more attractive target for malicious cyber operations. As these risks intensify, the urgency grows to move beyond political declarations toward meaningful, coordinated action.
States have endorsed the UN framework for responsible State behaviour in cyberspace – including norms and CBMs that call for the protection of critical infrastructure. Regional organisations such as the OSCE and ASEAN have agreed to similar CBMs. But who implements these norms and CBMs? Who ensures they are upheld not only by governments, but also by the operators, engineers, developers, and researchers behind the world’s most essential systems?
These questions were discussed at the Geneva Dialogue’s session at the Singapore International Cyber Week (SICW) on 21 October. The session presented the Geneva Manual on Responsible Behaviour in Cyberspace exploring the evolving roles and responsibilities of all stakeholders in implementing cyber norms and confidence-building measures for critical infrastructure protection.
Through a multistakeholder interactive conversation, the session highlighted challenges, shared emerging good practices, and examined how diplomatic agreements are being interpreted, operationalised, and embedded into real-world decisions.
The session was opened by Mr Daniel Klingele, Senior Advisor, International Security Division, Swiss Federal Department of Foreign Affairs (FDFA), and Mr Christopher Anthony, Director, Critical Information Infrastructure (CII) Division, Cyber Security Agency of Singapore (CSA). They framed the discussion on critical infrastructure protection and challenges for international cooperation.
Ms Anastasiya Kazakova, Cyber Diplomacy Knowledge Fellow and Geneva Dialogue Project Coordinator, DiploFoundation, presented the newly launched Chapter 2 of the Geneva Manual (May 2025), which conveys seven key messages from non-state stakeholders on the protection of critical infrastructure. The chapter highlights:
- The need to broaden the definition of damage in UN Norm F beyond physical destruction to include service disruptions, collateral effects, and other non-physical harms.
- Calls for states to provide clear legal and policy guidance to private entities and CI operators.
- The importance of harmonised, risk-based baseline cybersecurity requirements across jurisdictions.
- Protection of responsible vulnerability disclosure and the preservation of trusted cross-border technical collaboration, even amid rising geopolitical tensions.
Participants then engaged in a scenario exercise on a hospital cyberattack, later revealed as a supply chain compromise requiring international cooperation.
The exercise was led by Mr Tan E Guang Eugene, Research Fellow, S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University, Singapore, with contributions from:
- Mr Teo Xiang Zheng, Vice President, Head of Advisory, Ensign Infosecurity
- Ms Shariffah Rashidah Syed Othman, Deputy Director General, Personal Data Protection Department, Ministry of Digital, Malaysia
- Mr Christopher Anthony, Director, Critical Information Infrastructure (CII) Division, Cyber Security Agency of Singapore (CSA)
The session concluded with a fireside chat moderated by Mr Vladimir Radunović, Director of Cybersecurity & E-diplomacy, DiploFoundation, featuring Mr Marc Henauer, Senior Political and International Affairs Officer, Swiss National Cyber Security Centre (NCSC), and Dr Bushra Al Blooshi, Director of Governance and Risk Management for Cybersecurity, Dubai Electronic Security Center. The experts discussed the implications of geopolitical fragmentation: the risks of competing digital ecosystems undermining global cybersecurity, but also the potential for resilience and innovation in a more diverse digital landscape.
