Treaty on the Prohibition of Cyber Warfare (TPCW)

Draft v1.0, 2026 

Authors: SecPoint

 

A proposed international framework to prohibit destructive cyber warfare against civilian systems and critical infrastructure, including the use of proxy APT groups by states.

 

Executive Summary

The Treaty on the Prohibition of Cyber Warfare, or TPCW, is a proposed international framework designed to prohibit destructive cyber operations against civilian systems and critical infrastructure. As societies become more dependent on interconnected technologies, the risks created by state-sponsored cyber campaigns, proxy actors, and criminal cyber groups continue to grow. Cyber operations are no longer limited to espionage or data theft.They increasingly threaten hospitals, power grids, water systems, industrial facilities, emergency services, financial institutions, and democratic processes.

The TPCW is based on a simple principle: cyber operations that can cause widespread civilian harm, major economic disruption, or destabilization of national security should be treated as an international threat requiring clear legal and political boundaries. The treaty seeks to prohibit such attacks, strengthen state accountability, reduce the use of proxies and Advanced Persistent Threat groups, and establish a cooperative structure for cyber peace, resilience, and transparency.

The purpose of the TPCW is not to prevent defensive cyber security, lawful research, or vulnerability remediation. Its purpose is to define and prohibit destructive cyber warfare in the same spirit that earlier international agreements restricted other classes of dangerous weapons and methods of attack. The digital domain must not remain a lawless battlefield where states and proxies can attack civilian infrastructure with impunity.

Global Threat Assessment

Cyber threats have developed into a global strategic challenge with direct consequences for public safety, economic stability, and international peace. High profile incidents have demonstrated that cyber attacks can spread across borders rapidly and affect hundreds of thousands of systems within hours. The 2017 WannaCry ransomware outbreak disrupted hospitals, businesses, and government services worldwide. The 2021 Colonial Pipeline incident showed how a single cyber attack could disrupt fuel distribution and trigger panic buying and economic uncertainty.

State actors and state-linked groups have repeatedly been accused of conducting cyber operations against power grids, government institutions, telecommunications networks, and healthcare systems. Russia-linked operations against Ukrainian energy infrastructure, North Korean ransomware activity, Chinese state-linked espionage, and Iranian cyber campaigns illustrate how cyber power is now deeply integrated into geopolitical competition. At the same time, non-state groups often operate as proxies, contractors, or tolerated actors, which makes attribution and accountability more difficult.

Without meaningful international intervention, cyber threats are likely to escalate further. The increasing interdependence of digital systems means that a successful attack on one sector can create cascading failures in others. A cyber attack on electricity can impact hospitals, transportation, finance, water treatment, and public safety simultaneously. The threat is therefore not limited to technical disruption. It is systemic.

Evolution of State Cyber Operations

State cyber operations began primarily as intelligence and espionage tools. Early efforts focused on surveillance, information gathering, influence operations, and theft of strategic or industrial secrets. Over time, however, states developed increasingly offensive cyber capabilities with the potential to produce effects similar to sabotage or kinetic disruption.

One of the clearest turning points was the emergence of malware designed to interfere with industrial and nuclear processes, most notably Stuxnet in 2010. From that point onward, cyber operations could no longer be viewed solely as intelligence instruments. They had become tools of strategic disruption. Later incidents involving power grid attacks, election interference, industrial sabotage, supply chain compromise, and ransomware campaigns further demonstrated that cyber operations can create widespread societal and economic harm.

This evolution shows that cyber conflict has moved from the shadows into the center of modern statecraft. Digital operations now influence military doctrine, diplomacy, national security planning, economic competition, and domestic stability. The TPCW is intended to respond to this change by drawing a clear line between legitimate defensive cyber activity and unacceptable destructive cyber warfare.

APT Ecosystems and State Collaboration

Advanced Persistent Threat groups, commonly known as APTs, play a central role in modern cyber conflict. These groups typically conduct long term, targeted operations using sophisticated tooling, stealth, persistence, and specialized tradecraft. In many cases, they are believed to operate directly under state intelligence or military structures. In other cases, they operate in looser ecosystems that combine private hackers, contractors, patriotic volunteers, criminal facilitators, and tolerated proxy groups.

This layered structure benefits states by creating plausible deniability. A government can deny formal responsibility while still gaining strategic advantage from attacks carried out by aligned or tolerated actors. This model has become one of the most dangerous features of cyber conflict. It weakens accountability, complicates attribution, and encourages escalation.

The TPCW therefore treats proxy warfare as a central problem, not a secondary one. No state should be permitted to directly or indirectly sponsor, finance, coordinate, tolerate, or outsource cyber operations to criminal groups, APT groups, contractors, hacktivists, or foreign state-aligned actors. Signatories should be required to criminalize such cooperation, investigate actors operating from their territory, and assist in international attribution and enforcement.

Psychological and Societal Impact of Cyberwarfare

Cyber warfare does not only damage systems. It also damages trust. Public confidence in institutions can be severely weakened when hospitals are disrupted, elections are manipulated, or essential services are compromised. Even when no immediate physical destruction occurs, cyber attacks can create fear, confusion, anger, and a lasting sense of insecurity.

Influence operations, disinformation campaigns, leaked private communications, and attacks designed to humiliate institutions all contribute to this psychological dimension. Citizens may begin to doubt the reliability of elections, the safety of digital infrastructure, or the competence of public authorities. In this way, cyber operations can become tools of societal destabilization as well as technical disruption.

The TPCW recognizes that cyber conflict includes this broader societal dimension. While the treaty is centered on destructive cyber warfare, it also supports measures that protect information integrity, strengthen public resilience, and discourage hybrid campaigns that exploit psychological fear and mistrust as weapons.

Humanitarian Consequences

The humanitarian consequences of cyber warfare can be severe. If hospital systems are attacked, medical care may be delayed, diagnostic systems can fail, emergency services may become unavailable, and human lives can be put at risk. If water treatment systems are compromised, entire populations may be exposed to contamination, interruption of clean water access, or environmental damage. If power systems are disabled, the impact can extend quickly to healthcare, communications, heating, refrigeration, transportation, and public safety.

The humanitarian principle behind the TPCW is clear. Civilian lives must not be placed at risk through destructive cyber operations. The treaty therefore applies the spirit of humanitarian law to the digital era by prohibiting cyber attacks on civilian infrastructure and requiring cooperation in post-attack recovery and mitigation.

The digital battlefield cannot be treated as morally neutral simply because the weapon is software rather than explosives. The human effects may be equally grave.

Critical Infrastructure Vulnerabilities

Modern critical infrastructure often relies on a mixture of new digital systems and older industrial technologies that were never designed for hostile internet-connected environments. Many sectors continue to use legacy platforms, outdated industrial protocols, insecure remote access systems, and weak segmentation between operational technology and administrative networks.

This creates a broad attack surface across energy systems, water facilities, industrial plants, transportation networks, telecom infrastructure, emergency communications, and finance. In many cases, vulnerabilities are not just technical but structural. Operators may lack visibility, patching capability, or dedicated cyber defense resources. Supply chain weaknesses, third-party software dependencies, and insecure vendor access further increase risk.

The TPCW calls for stronger resilience standards, mandatory vulnerability assessments, and international cooperation to protect infrastructure that is essential to civilian life. Cyber vulnerabilities in these sectors should not be viewed as isolated IT issues. They are matters of national and international security.

Protected Critical Cyber Infrastructure Zones, or PCCIZ

A central concept of the TPCW is the creation of Protected Critical Cyber Infrastructure Zones, or PCCIZ. These zones identify categories of systems that must be treated as off-limits for destructive cyber operations. Just as certain facilities and civilian targets receive special protection in armed conflict, core digital infrastructure should receive explicit international protection in cyberspace.

PCCIZ should include, at minimum, the following sectors:

  • Hospitals and healthcare systems
  • Water treatment and wastewater infrastructure
  • Power generation, transmission, and distribution systems
  • Hydroelectric dams and flood-control infrastructure
  • Emergency services and emergency communications
  • Financial systems and core payment infrastructure
  • Telecommunications and internet backbone services
  • Election systems and core democratic processes
  • Schools and other essential public institutions
  • Transportation control systems including rail, aviation, and maritime safety networks

The purpose of PCCIZ is to make clear that some targets must never be treated as acceptable battle space, regardless of political tension, retaliation logic, or claims of strategic necessity.

Industrial Sabotage Case Studies

Several major cyber incidents demonstrate the dangers of industrial sabotage. The Shamoon malware disrupted Saudi Aramco and showed how cyber operations could damage vital energy sector operations. The SolarWinds compromise illustrated the scale and stealth with which supply chain attacks can infiltrate governments and enterprises worldwide. Attacks against Ukrainian infrastructure highlighted the vulnerability of power grids and operational technology under state-linked pressure.

These incidents are valuable not only as warnings but as evidence. They show that cyber sabotage is no longer theoretical. It is an established operational reality. The TPCW draws on such examples to define prohibited conduct, guide enforcement mechanisms, and build support for preventive norms before future incidents cause even greater damage.

PCCIZ Legal Framework

The legal framework for PCCIZ treats designated civilian cyber infrastructure as internationally protected. A destructive cyber attack against such systems should be regarded as a grave violation of international norms and, depending on scale and effect, potentially as an act equivalent to armed aggression.

The TPCW would require signatory states to incorporate PCCIZ protections into domestic law, establish criminal and civil penalties for violations, and cooperate in international monitoring and dispute resolution. An international review body should be empowered to examine allegations, coordinate expert assessments, and issue compliance findings.

A serious treaty cannot rely only on moral language. It must provide legal categories, obligations, and procedures.

Cyber Weapon Definitions

For the TPCW to function effectively, cyber weapons must be clearly defined. Cyber weapons should be understood as software, hardware, methods, exploits, or operational techniques designed or deployed to disrupt, damage, degrade, manipulate, deny access to, or destroy digital systems in ways that cause significant societal, industrial, economic, or humanitarian harm.

This includes malware, destructive payloads, ransomware used for strategic coercion, exploit chains intended for sabotage, denial-of-service capabilities used against protected sectors, and intrusion methods that deliberately create dangerous physical consequences.

At the same time, the treaty should distinguish offensive cyber weapons from legitimate defensive tools. Vulnerability scanners, penetration testing tools, incident response platforms, and research frameworks are not prohibited when used lawfully and defensively. Intent, context, and effect matter.

Prohibition of Proxy Warfare

The TPCW explicitly prohibits proxy cyber warfare. States must not use intermediaries to carry out attacks they are unwilling to claim directly. This includes criminal gangs, hacktivist fronts, intelligence-linked contractors, private cyber firms acting covertly, or foreign groups operating with indirect sponsorship.

This prohibition is essential because proxy warfare is one of the main reasons cyber conflict remains difficult to regulate. Without an anti-proxy rule, states will continue to exploit deniability as a strategic shield. The treaty must therefore impose liability not only for direct state attacks, but also for cyber operations that a state sponsors, facilitates, tolerates, or benefits from indirectly.

State Responsibility and Liability

Under the TPCW, states are responsible for cyber operations that they conduct directly and for serious operations originating from their territory when they knowingly tolerate or fail to address them. State responsibility includes obligations to prevent, investigate, attribute where possible, and cooperate in remediation and enforcement.

Where violations cause measurable harm, liability should include reparations, compensation frameworks, and diplomatic or legal consequences. This reinforces deterrence and signals that cyber attacks are not consequence-free simply because they occur in a digital domain.

Transparency and Reporting Standards

Transparency is essential for reducing mistrust and preventing escalation. Signatory states should submit periodic reports on major cyber incidents, defensive measures, institutional cyber resilience efforts, and relevant policy developments. Sensitive operational details may remain protected, but a baseline of reporting is necessary to build confidence and support collective defense.

The TPCW also encourages standardized reporting formats for infrastructure incidents, attribution assessments, and requests for international assistance. Transparency does not eliminate conflict, but it helps reduce ambiguity and strengthens accountability.

International Cooperation Framework

No country can secure cyberspace alone. The TPCW therefore promotes international cooperation across governments, regulatory bodies, CERTs, infrastructure operators, research institutions, and security professionals. Cooperation should include joint exercises, coordinated emergency response planning, intelligence sharing, mutual aid during serious incidents, and support for countries with weaker cyber resilience capacity.

An international cyber peace framework must be practical as well as aspirational. Cooperation is what turns principles into protection.

ENISA and NATO Alignment Models

The TPCW should align, where appropriate, with existing cyber defense frameworks such as ENISA within the European Union and NATO’s evolving cyber posture. Alignment does not mean duplication. It means ensuring that the treaty supports existing resilience and collective defense models while adding a stronger prohibition framework for destructive cyber warfare.

For EU member states, ENISA could support guidance, compliance coordination, best practices, and resilience benchmarking. For NATO members, the treaty could inform how protected sectors and prohibited cyber conduct are treated in alliance planning and crisis response.

Attribution Challenges and Solutions

Attribution remains one of the hardest problems in cyber security. Attackers routinely use stolen infrastructure, layered obfuscation, false flags, compromised third-party systems, and globally distributed operations to conceal responsibility. This makes legal and diplomatic response difficult.

The TPCW should therefore encourage the creation of international attribution centers, evidence-sharing procedures, common forensic standards, and structured cooperation between technical experts, governments, and trusted institutions. Attribution will never be perfect, but it can be improved enough to support accountability and deterrence.

Zero-Day Regulation Models

Zero-day vulnerabilities pose a major dilemma. States may wish to retain them for intelligence or offensive purposes, but stockpiling such vulnerabilities creates systemic risk for everyone else, especially when those vulnerabilities affect widely used software or critical infrastructure environments.

The TPCW should encourage responsible disclosure timelines, restrictions on offensive stockpiling, and international norms that prioritize civilian protection over offensive advantage. A regulated framework for zero-days would reduce the risk that undisclosed vulnerabilities become silent weapons against protected infrastructure.

ICS and SCADA Threat Appendix

Industrial Control Systems and Supervisory Control and Data Acquisition environments are among the most sensitive cyber targets in the modern world. These systems operate factories, energy networks, chemical processes, pipelines, water treatment, and many other forms of critical infrastructure. Their compromise can produce physical consequences in the real world.

Threats in this area include malicious logic manipulation, unsafe process changes, remote access compromise, supply chain tampering, safety system disablement, and ransomware impacting operational continuity. The treaty should therefore encourage segmentation, monitoring, secure remote access, auditing, and high assurance protection of operational technology environments.

Policy Appendix on Sanctions

Violations of the TPCW should trigger meaningful consequences. These may include economic sanctions, technology export restrictions, diplomatic penalties, targeted legal action, suspension from cooperative frameworks, and public attribution statements. Enforcement should be proportional to severity, but it must be credible.

A treaty without consequences is not a deterrent. Sanctions and penalties are necessary to reinforce the seriousness of protected sectors and prohibited conduct.

National Adoption Model

For the TPCW to work, states must implement it domestically. National adoption should include ratification, incorporation into law, designation of responsible oversight bodies, criminalization of prohibited conduct, compliance reporting, and sector-specific resilience standards. States should also develop training programs, public awareness efforts, and implementation roadmaps for critical infrastructure operators.

This model allows the treaty to move from high-level principle to operational practice.

Data Protection and Civil Rights

Cyber security must not become a pretext for unlimited surveillance or erosion of civil liberties. The TPCW should explicitly affirm the importance of privacy, due process, freedom of expression, and proportionality in defensive cyber policies. Measures taken in the name of cyber peace must remain consistent with human rights and democratic accountability.

This is especially important because the legitimacy of cyber defense depends not only on effectiveness, but on trust.

Economic Impact Analysis

Cyber attacks already impose enormous costs on the global economy through ransom payments, recovery expenses, business interruption, legal exposure, insurance costs, reputational harm, and long-term resilience investments. As digital dependency increases, the economic stakes rise with it.

The TPCW should frame compliance not only as a moral or strategic necessity, but also as an economic benefit. Preventing attacks on critical sectors protects market stability, reduces systemic shock, and lowers the long-term cost of unmanaged cyber conflict.

Cyber Peace Roadmap

The TPCW should be implemented in phases. In the short term, states can adopt basic prohibitions, recognize protected sectors, and establish reporting channels. In the medium term, stronger cooperation, attribution, and enforcement systems can be developed. In the longer term, the treaty can evolve into a broader cyber stability regime that addresses emerging technologies, offensive capabilities, and international digital norms.

A phased roadmap makes the treaty realistic and scalable.

Incident Response Architecture

Effective response requires layered coordination. The TPCW should support an architecture in which national CERTs, sector-specific response units, regional hubs, and international coordination bodies work together during serious incidents. Standardized procedures for notification, evidence handling, emergency support, and public communication would improve speed and reduce chaos.

The goal is not only to punish attacks after the fact, but to limit harm while events are unfolding.

Long-term Treaty Evolution

Cyber threats evolve quickly. Artificial intelligence, autonomous operations, quantum computing, new industrial technologies, and evolving platform dependencies will create new risks. The TPCW should therefore include amendment mechanisms, periodic review conferences, and expert working groups to ensure the treaty remains relevant.

A treaty for cyberspace must be durable, but also adaptable.

Harmonization with International Law

The TPCW should complement, not contradict, existing legal frameworks such as the Budapest Convention on Cybercrime, humanitarian law principles, UN cyber norms, and relevant regional frameworks. Its role is to fill the gap where current law remains too broad, too fragmented, or too underdeveloped for the realities of destructive cyber warfare.

Harmonization is important because cyber stability will require layered governance rather than isolated legal instruments.

Comparative Treaty Analysis

The TPCW shares some logic with earlier arms control and weapons prohibition treaties. Like the Chemical Weapons Convention, it aims to prohibit a class of harmful capabilities and establish accountability mechanisms. Unlike nuclear treaties, however, the cyber domain does not revolve around scarce materials or visible stockpiles. It revolves around code, access, secrecy, and strategic ambiguity.

This difference means that verification models must be adapted. The TPCW must learn from prior arms control, while recognizing the unique characteristics of software-based conflict.

Technical Glossary

APT: Advanced Persistent Threat. A prolonged, targeted cyber intrusion, often linked to state or highly capable organized actors.

Zero-Day: A previously unknown vulnerability exploited before a patch or mitigation is widely available.

SCADA: Supervisory Control and Data Acquisition. Systems used to monitor and control industrial processes.

ICS: Industrial Control Systems. Hardware and software used to manage industrial operations.

PCCIZ: Protected Critical Cyber Infrastructure Zones. Designated categories of civilian and critical digital infrastructure that must be protected from destructive cyber operations.

Full PCCIZ Classification

The TPCW proposes a tiered classification system for protected infrastructure.

Tier 1 includes life-critical systems such as hospitals, emergency response networks, water supply systems, safety systems, and key power infrastructure.

Tier 2 includes economically critical systems such as finance, telecommunications, major industrial production, digital identity systems, and core logistics platforms.

Tier 3 includes supporting public systems whose disruption may not immediately endanger life but can still destabilize society, such as schools, municipal platforms, and administrative networks.

Each tier should have protection requirements, resilience expectations, and explicit prohibitions on offensive targeting.

Verification and Compliance Mechanism

To ensure credibility, the TPCW should establish a verification and compliance structure. This may include periodic state reporting, independent expert review panels, technical advisory groups, compliance hearings, and international review conferences. A standing body should be empowered to receive incident submissions, review evidence, issue findings, and recommend responses.

Verification in cyberspace will never resemble traditional arms inspections exactly, but a treaty still requires procedures that transform principles into measurable commitments.

Closing Statement

In adopting the Treaty on the Prohibition of Cyber Warfare, states would affirm that the digital domain must not become a lawless theater for attacks on civilian life, critical infrastructure, and democratic stability. The TPCW is not only a prohibition framework. It is a declaration that modern societies deserve protection from destructive cyber aggression.

The future of technology should be shaped by resilience, trust, cooperation, and human progress, not by escalating digital warfare. Through the TPCW, nations can take a serious step toward cyber peace and a safer international order.

SecPoint welcomes dialogue with policymakers, researchers, critical infrastructure operators, and international institutions interested in cyber peace, cyber resilience, and the protection of civilian systems.