Reports of cyber operations have increased so dramatically in recent years that they have become commonplace. The reality that most attacks to date have resulted in relatively benign consequences—inconvenience and offence through defacement of government websites and/or temporary suspension of access—only serves to heighten awareness of the damage that could result from much more serious attacks on networks controlling, for example, vital public transport and emergency infrastructure, the financial system and sensitive communications networks. The threat of apocalyptic consequences has galvanized States into proactive cyber defence measures—spawning an entirely new category of bureaucracy that until recently might readily have been cynically dismissed as manipulative fear-mongering to justify yet more human and financial resources allocated to the public sector.

That governments should proactively mitigate emergent and potentially catastrophic risks is an a priori notion. Citizens of a State whose government did not take cyber defence seriously would be entitled to feel aggrieved—particularly in the aftermath of a serious cyber attack where the lack of proaction on the part of central authorities was exposed. In contrast, expectations should be significantly lower for any proactive clarification of the applicable international law. The making of new, or even the clarification of the content of existing, international law has tended to be more reactive—requiring a major catalyst to expose the need for either clarification or regulation. It has been rare in the history of international law for new development to pre-empt subsequent catastrophe.