By Tobias Winkler (MP, Germany)

Op-ed originally published at European Interest on 25 June 2025

On the morning of 25 December 2024, as families across Ukraine prepared to celebrate Christmas, Russian forces launched one of the most intense attacks on the country’s energy infrastructure since the start of the war. At around 6:00 AM, more than 78 missiles and 106 drones rained down on thermal and hydroelectric power stations across multiple regions. The strikes killed at least one energy worker, wounded civilians, and knocked out electricity for hundreds of thousands. Emergency crews worked through the night to restore basic services. Yet by the afternoon of 26 December, nearly 100,000 people in Kharkiv were still without heating, while large parts of Kyiv and other cities faced rolling blackouts. The assault was a stark reminder: in Russia’s war against Ukraine, energy infrastructure is not just collateral damage—it is a deliberate target.

From power grids and healthcare systems to undersea data cables and satellite networks, our critical infrastructure is under constant attack. Today’s wars are fought not only with missiles, drones and soldiers but more and more with keyboards and sabotage. Civilian infrastructure is now a primary target, and the consequences are deadly. Disrupting essential services has become a central tactic, waged through both overt attacks and covert operations.

The people of Ukraine have borne the brunt of the war’s widespread devastation, leaving entire communities deprived of basic services such as electricity, drinking water, and gas. Yet Ukraine is not alone in facing these threats. Attacks on undersea cables, digital state infrastructure, and systemically important companies are rising worldwide, from the Baltic Sea to the Indo-Pacific.

Critical infrastructure is no longer a single sector or technology but a sprawling web of interdependent lifelines—neonatal wards, cloud-data centres, undersea cables, food-export terminals, even the satellites that time-sync financial markets. Although the risk surface has diversified, global commitments to protect these assets have not kept pace; they remain scattered, voluntary and sector-specific. The gap between what needs shielding and what is actually covered by international rules is widening by the day.

What makes these strikes so dangerous is the systemic cost: a single outage in one grid can shutter factories on another continent and send grain prices soaring. Yet global agreements still treat power plants and data cables as economic afterthoughts, not civilian lifelines with the same special protection status as hospitals under the Geneva Conventions.

As these threats become more widespread, urgent international action is crucial to assist free and open societies in both peace and wartime. While institutions like the OSCE have long focused on safeguarding energy infrastructure from terrorist threats, the growing risks now call for stronger, more defined global commitments to defend all essential services.

Right now, that response is scattered and fragmented. Within the United Nations alone, at least five separate tracks mention critical infrastructure — Security Council Resolution 2341 on terrorist threats, the Sendai Framework for Disaster Risk Reduction, Sustainable Development Goal 9, the GGE/OEWG cyber-norms process and, most recently, the draft Programme of Action on responsible State behaviour in cyberspace — yet none of these instruments shares a definition, reporting channel or enforcement mechanism. NATO’s new Critical Undersea Infrastructure Network guards the seabed; the G7 issues cable-security principles. Each forum tackles a slice—yet no umbrella binds military, cyber-security and civilian regulators together.

The world is more interconnected than ever. A disruption in one country’s power grid can trigger cascading failures in supply chains, health systems, or financial services across continents. Essential state functions like healthcare, energy, sanitation, public transportation, and emergency systems are now digitally operated, exposing them to cyberattacks whose paralysing impacts extend far beyond national borders. A targeted strike on a power grid or water supply can send shockwaves through economies, slow down global supply chains, and endanger citizens’ safety across regions. For example, Russia’s targeting of Ukraine’s grain infrastructure did not only reduce Ukraine’s production and export capacity, it also increased global grain prices and weakened food security.

While the costs of recovery from attacks on critical infrastructure are consistently high, preventive measures have often lagged behind. This has left the global security architecture exposed to a range of vulnerabilities. International legal frameworks remain inadequate, leaving significant gaps in accountability, enforcement, and indeed the very definition of critical infrastructure. As a result, incidents affecting essential services frequently occur in a legal and political grey zone, where accountability is difficult to establish and responses risk unintended escalation.

This shift in warfare is especially concerning for economically developed, liberal democracies, disproportionately at risk due to their open societies and digitalised state functions. In turn, liberal democracies have the tools to lead the change, understanding that it's not just a matter of national security, but an indispensable element of preserving our rules-based international order.

The human cost of inaction is far too high. The disruption of essential services devastates citizens’ health and safety. In Ukraine, Russia’s attacks on critical infrastructure deprived millions of basic necessities, including electricity, heating, and drinking water, while cyberattacks crippled telecommunication networks, increasing risks to public safety and critical services. Beyond the immediate hardships, these attacks cause long-term economic damage, resulting in job losses, rising living costs, and a weakened society.

Failure to act would simply erode public trust in our democratic institutions. As essential services fail, citizens lose confidence in the ability of governments to protect them, leading to social unrest and political instability. We cannot afford to let these threats continue unchecked. It is time for stronger international commitments to defend critical infrastructure, not only to protect our societies but also to preserve the values of democracy and security we hold dear. The only remaining question is: how do we move forward?

No nation is an island. As citizens as well as public figures, we must urge our governments to pursue a strong international commitment, modernise their legal frameworks, improve their attribution capabilities, and establish transparent protocols for information sharing – especially between public institutions and the private sector, which often owns and operates critical infrastructure. We all depend on systems that cross borders — from energy to information to trust. The next blackout, data breach, or water crisis may not be triggered by nature, but by a hostile actor. We must be ready.

The OSCE Parliamentary Assembly holds a unique responsibility in this fight. Its founding document, the Helsinki Final Act, enshrines the principles of sovereignty, territorial integrity, inviolability of frontiers, refraining from the use of force, peaceful resolution of disputes and respect for human rights and fundamental freedoms – all of which are under a direct threat from attacks on critical infrastructure. With the Helsinki Final Act’s 50th anniversary, the moment has come to expand those principles with a Helsinki Principle 11: the inviolability of civilian critical infrastructure.

It is time for the OSCE to initiate a Critical-Infrastructure Compact—a rolling negotiation that spans capitals, parliaments and industry to set up international commitments in protection of critical infrastructure. The compact would: (1) agree a shared checklist of indispensable assets; (2) pledge that no state will target them; and (3) mandate an independent fact-finding mechanism able to attribute attacks and publish its findings. Anchored in the Helsinki process, the compact can knit together the sector-specific efforts already under way at the UN, NATO and other forums such as the G7/G20, translating scattered norms into region-wide obligations.

Critical infrastructure is the civilian of the twenty-first century. Elevating its protection to Principle 11 would extend Helsinki’s promise from safeguarding people to safeguarding the systems that sustain them. It would signal continuity of purpose, provide a common reference point for future national legislation and ensure that the OSCE remains relevant to the security challenges of the modern age.

Tobias Winkler is a Member of Parliament from Germany and serves as Rapporteur of the OSCE Parliamentary Assembly's General Committee on Political Affairs and Security.