Cyber Diligence: A Low-Intensity Due Diligence Principle for Low-Intensity Cyber Operations?

Abstract

In its International Strategy for Cyberspace (2011), the White House stressed that: “The development of norms for state conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Long-standing international norms guiding state behaviour—in times of peace and conflict—also apply in cyberspace”. Among these customary rules, the principle of due diligence occupies a special place. The objective of this paper is to evaluate to what extent this principle can be transposed to low intensity cyber operations and to answer to some of the questions that this transposition could raise. I first address some questions related to the scope of the principle. For example, is the duty of due diligence strictly confined to the territory of states or could it also have an “extra-territorial” effect? And what could be the relevance of a “due diligence” principle for cyber activities taking place in a “cyberspace” with no specific geographical location? The article then turns to several problems concerning the nature and the content of the principle applied in the cyberspace. When exactly could we consider that a state has, or ought to have, knowledge of the fact that cyber operations undertaken on its territory “are used for acts contrary to the rights of others states”? What kind of measures should states adopt in order to comply with their duty of due diligence? Could the due diligence principle become a kind of Trojan horse in order to justify mass electronic surveillance programs and erode civil liberties starting with the right to privacy and the respect of correspondence? In order to answer these questions I use both general international law concerning the rights and duties of States and some more specific branches, such as the obligation of prevention in international environmental law or the theory of “positive obligations” of states in international human rights law. I end with some thoughts about the development – and the limits – of the concept of “cooperative cyber diligence”.