ABSTRACT

Traces the historical vector of norms of responsible state behavior (originally tracked by the author from Estonia to Stuxnet in 2015) to recent cyber operations like SolarWinds, WannaCry, NotPetya, Cozy Bear, and Holiday Bear, with particular focus on the attack on Israel’s water desalination and purification systems allegedly undertaken by Iranian cyber operators in late 2019. The even more recent ransomware attacks by Russia-based criminal organizations against Colonial Pipeline and JB Meats in the United States are also among the cases considered. These cases suggest a regrettable degradation or “devolution” in what earlier seemed a moderately hopeful evolution toward increasingly responsible behavior among cyber adversaries: toward greater target and victim discrimination, and toward an emerging principle of proportionality that appeared to have guided adversaries away from the destructive and indiscriminate physical effects-based tactics in cyber conflict that threatened the public a decade ago. Examines, evaluates, and codifies the possible norms that nonetheless result from this otherwise disappointing trajectory.