Where Pipes Meet Policy: A Critical Look at the Case for Converging SCADA Security and Cyber Diplomacy
The Central Argument
The document under review makes a case that is, at its core, about a missing layer in critical infrastructure governance. SCADA — Supervisory Control and Data Acquisition — systems run the unglamorous machinery of modern life: power grids, water treatment plants, pipelines, industrial control systems. The paper's thesis is that the technical and policy frameworks built to secure these systems have matured considerably, but they exist largely disconnected from the geopolitical and diplomatic dimension of how nations actually negotiate, contest, and set the rules that govern this infrastructure internationally. The proposed fix is to fold "cyber diplomacy" — the tools, norms, and negotiating practices states use to manage conflict and cooperation in cyberspace — directly into SCADA governance frameworks, rather than treating technical security policy and international relations as separate tracks.
This is a genuinely useful framing, and it identifies a real gap. Most SCADA security frameworks (the kind referenced later in the paper — software protection policy, communication security policy, perimeter policy, audit policy) are written as if the adversary and the standard-setter exist in a politically neutral vacuum. In reality, as the paper correctly notes, the entities writing the standards that critical infrastructure operators around the world adopt are themselves geopolitical actors with strategic interests. That observation deserves to be taken seriously, even where the paper's execution of it is uneven.
The SCO Section: Useful Context, Overstated Connective Tissue
The paper's opening move is to examine the Shanghai Cooperation Organization as an example of "Eastern" cyber-diplomatic norm-setting, contrasted implicitly with a more familiar Western, multistakeholder model. The factual backbone here is solid: the SCO was founded in 2001, its member states have repeatedly pushed information-security agreements and draft codes of conduct through the UN General Assembly (2011 and the expanded 2015 version), and the bloc's framing of "information security" — which includes content and ideological concerns, not just network integrity — does genuinely diverge from the Western technical-security-only conception of cybersecurity. The tension the paper identifies between an SCO view that treats online content itself as a security threat to be regulated, versus a liberal-democratic view that treats the same regulation as a human rights concern, is a real and well-established fault line in international cyber-norms debates.
Where the section runs into trouble is connective tissue: the paper raises the SCO's cyber-sovereignty agenda and China's broader sovereignty push, then pivots to SCADA governance without ever closing the loop on how SCO information-security norms specifically shape SCADA standard-setting as opposed to broader internet governance and content regulation. These are related but distinct domains — content governance and industrial control system security operate through different institutions, different standards bodies, and different threat models. The paper would be stronger if it drew a more explicit causal or institutional link (for example, showing how SCO-aligned states' domestic SCADA regulations or procurement practices for critical infrastructure reflect the sovereignty framework described, rather than asserting the connection implicitly). As written, the SCO discussion functions more as scene-setting for "non-Western perspectives exist and differ" than as direct evidence about SCADA standard-setting specifically.
The paper's own aside — questioning the "legitimacy" of SCO cyber-diplomatic discourse given that Taliban-governed Afghanistan holds observer status and given the war in Ukraine — is a fair point worth taking further than the single sentence devoted to it. If an organization's normative credibility is central to the paper's framework for evaluating cyber diplomacy tools, that credibility problem deserves more than a passing aside; it cuts against the paper's own later suggestion that frameworks like the SCO's represent a coherent alternative pole to Western standard-setting.
The Standards Section: The Strongest Part of the Paper
The discussion of NIST, the Standards Coordination Office, and the contest over global technical standards is the most substantively grounded section. The paper correctly identifies that standards are not neutral technical artifacts — they're set through a messy combination of private industry leadership, international industry associations, and (increasingly) explicit state strategy, with no single oversight process governing legitimacy or fairness in how they're set. The reference to the National Defense Authorization Act's Section 9414, directing NIST to study the effect of Chinese government policy on international standards-setting bodies, is a real and specific policy mechanism that grounds the paper's broader argument in something concrete rather than purely conceptual.
The "Made in China 2025" and "China Standards 2035" discussion extends this well. The core insight — that a state which successfully embeds its preferred technical specifications into international standards gains durable structural advantage for its domestic companies, independent of any single trade dispute or diplomatic incident — is an accurate and important one in technology-standards literature. The Huawei 5G patent reference at the paper's conclusion reinforces this point concretely: patent counts in standard-essential technology translate directly into licensing leverage and supply-chain dependency, which is precisely the kind of structural power the paper is trying to describe as falling outside conventional diplomatic toolkits.
What's missing here is engagement with the counterargument that standards competition is neither unique to China nor automatically illegitimate. The U.S., EU, and other blocs also actively shape standards bodies to favor their domestic industries; this is closer to a structural feature of how international standardization works under any major economic power than a uniquely Chinese tactic. The paper's framing occasionally drifts toward treating Chinese standards influence as inherently suspect while treating NIST's role as neutral technical stewardship, when both are, in fact, state-adjacent actors pursuing national competitiveness goals through standards bodies. A more rigorous version of this argument would name that symmetry explicitly and then argue why China's approach is qualitatively different (state ownership of key standard-setting firms, lack of reciprocal market access, and so on) rather than leaving the asymmetry implicit.
The SCADA Governance Section: Technically Sound, Diplomatically Thin
The bulk of the document — covering acceptable use policy, software protection, communication security, perimeter policy, remote access, personnel security, configuration management, and audit policy — is a competent, fairly standard SCADA security policy framework. It tracks closely with established industrial control system security guidance (the kind of structure found in NIST SP 800-82 and similar ICS security frameworks), correctly emphasizing the operational distinctions that make SCADA security different from conventional IT security: the intolerance for downtime, the danger of routine IT practices like antivirus scanning disrupting time-critical operations, the physical consequences of failure, and the longer procurement and patching cycles tied to vendor certification requirements.
This section is useful as a reference document, but it is where the paper's central thesis — converging cyber diplomacy with SCADA governance — becomes thinnest in execution. Having argued at length that diplomatic and geopolitical tools need to be embedded into SCADA governance, the actual policy framework presented largely reproduces a conventional technical security policy structure, with cyber diplomacy appearing as occasional add-on language ("the role of cyber diplomats... is also equally important," "a framework on Cyberdiplomacy in SCADA system governance can fasten the process of standardization") rather than as a structurally integrated element. Concretely, what would integration look like? The paper gestures at it — noting, for instance, that international laws and bodies like the International Criminal Court of Justice need updated processes for handling SCADA-related incidents, and that procurement and data-sharing policies should account for free trade agreements and cross-border data governance regimes — but never develops a worked example of, say, what a "Stakeholder Engagement and International Relationships" policy section would actually specify in practice when a SCADA vendor, an operator, and a foreign government are all implicated in an incident.
One factual point worth flagging: the reference to the "International Criminal Court of Justice" conflates two separate institutions — the International Criminal Court (ICC, which prosecutes individuals for war crimes and crimes against humanity) and the International Court of Justice (ICJ, which adjudicates disputes between states). Neither institution currently has a developed mandate or track record for handling SCADA-related incidents, which makes the claim that they "must update processes and procedures to handle this incident" more aspirational than descriptive of an existing or even clearly emerging institutional pathway.
The Latin America Reference: An Unsubstantiated Claim
The paper asserts that "case studies in the case of Latin American countries have shown that ungoverned information networks will eventually sprout vulnerabilities," without citing which case studies, which countries, or what the actual findings were. This is the kind of claim that needs either a citation or removal — as written, it functions as an appeal to unspecified authority rather than evidence, and it's also somewhat tangential to the paper's main thread about SCO/China standards dynamics, since it isn't connected back to the rest of the argument.
Structural and Methodological Observations
A few patterns recur across the document and are worth naming directly:
The paper repeats several passages nearly verbatim (the SCO definition appears twice in close proximity in the opening section; the "standards can also be proprietary and for-profit" example about phone operating systems appears twice as well). This suggests the document may be an unedited draft or a merge of separate working sections rather than a fully polished final piece — worth flagging if this is heading toward publication, since the repetition currently reads as an editing oversight rather than intentional emphasis.
The paper also self-references its own scope limitations in a way that's unusual for a finished piece — explicitly noting it has excluded the role of the UN, US, and EU in SCADA governance because "it was already covered in the previous articles." This is useful transparency but signals that the document is one installment in a series rather than a self-contained analysis, which matters for how the reader should weigh the absence of those major actors from the discussion. A reader encountering this piece without the prior installments would reasonably wonder why the US and EU — arguably the two most consequential actors in setting Western-aligned technical standards that the paper repeatedly contrasts against Chinese approaches — are absent from a piece otherwise centered on exactly that contrast.
The social constructivist framing mentioned only in the conclusion ("the article highlights a social constructivist approach to SCADA governance and cyber diplomacy") is asserted rather than demonstrated. Constructivism in international relations theory specifically emphasizes how norms, identities, and shared understandings (rather than just material power) shape state behavior — and the paper's strongest material (NIST standards competition, Made in China 2025) actually reads more naturally through a realist or structural-power lens focused on material and economic leverage. If constructivism is meant to be the paper's analytical throughline, that framework needs to be introduced and applied earlier and more explicitly, rather than named only as a closing label.
Overall Assessment
The paper identifies a genuinely underexplored gap — the disconnect between technical SCADA security policy and the diplomatic/geopolitical contest over the standards and norms that shape critical infrastructure governance globally — and its strongest contribution is grounding that gap in concrete, verifiable policy mechanisms like NDAA Section 9414 and the China Standards 2035 initiative. Its weaker sections are the ones that gesture at connections (SCO norms to SCADA standards specifically; cyber diplomacy to the detailed SCADA policy framework) without fully building the bridge, leaving the "convergence" promised in the title more asserted than demonstrated by the paper's own structure. As a foundational piece flagging the problem and assembling relevant building blocks, it succeeds; as a worked framework showing how the convergence would actually function in a specific governance scenario, it remains a research agenda rather than a completed argument — which is, to be fair, also how the paper itself characterizes its conclusion, explicitly framing the piece as opening "many venues for research" rather than closing the question.