I explore reasons why existing defense has failed to prevent cyber attacks on critical infrastructure. I study one of the least studied notions of cyberspace behavior known as target distinction. Drawn from customary international law, the principle posits that states should tell their wartime targets between combatants and noncombatants and use force only toward military objects. States should not target critical infrastructure, like gas pipelines, because to do so harms civilian populations who use it. I investigate four issues that keeps the principle from preventing attacks on critical infrastructure. The first is its inability to capture the networked nature of critical infrastructure beyond the simple dual-use (military and cyber) purposes. The second defect is the interpretive confusion that the principle generates over the rules of engagement. The third problem is the omission from its coverage of actors other than nation states. By design, the principle condones cyber attacks by nonstate actors on infrastructure, or by those whose linkage to state sponsors cannot be legally established. Finally, the principle is prone to fail when hackers lack proper understanding of what it does and does not allow. © 2023 Informa UK Limited, trading as Taylor & Francis Group.