Abstract
Abstract With a long history in international law, the concept of due diligence has recently gained traction in the cyber context, as a promising avenue to hold states accountable for harmful cyber operations originating from, or transiting through, their territory, in the absence of attribution. Nonetheless, confusion surrounds the nature, content and scope of due diligence. It remains unclear whether it is a general principle of international law, a self-standing obligation or a standard of conduct, and whether there is a specific rule requiring diligent behaviour in cyberspace. This has created an ‘all-or-nothing’ discourse: either states have agreed to a rule or principle of ‘cyber due diligence’, or no obligation to behave diligently would exist in cyberspace. We propose to shift the debate from label to substance, asking whether states have duties to protect other states and individuals from cyber harms. By revisiting traditional cases, as well as surveying recent state practice, we contend that – whether or not there is consensus on ‘cyber due diligence’ – a patchwork of different protective obligations already applies, by default, in cyberspace. At their core is a flexible standard of diligent behaviour requiring states to take reasonable steps to prevent, halt and/or redress a range of online harms.
Highlights
Due diligence has recently become a buzzword in the ‘cyber domain’
The confusion partly stems from the inconsistent use of the label ‘due diligence’ as a general principle of law or international law, one or more state obligations or a standard of behaviour applying in different areas of international law.[9]. To avoid those confusions and contradictions, we propose to shift the debate from label to substance
Two of these can be traced to primary obligations of general international law: (i) the duty of states not to knowingly allow their territory to be used for acts that are contrary to the rights of third states, articulated in the Corfu Channel case,[11] which we call the ‘Corfu Channel’ principle;[12] and (ii) states’ duty to prevent and remedy significant transboundary harm, even if caused by lawful activities, known as the ‘no-harm’ principle.[13]
Summary
Due diligence has recently become a buzzword in the ‘cyber domain’. The renewed interest in the concept can be explained by the persistent challenges of factually and legally attributing malicious cyber operations to states. In what is this article’s main contribution to the current academic debate, Section 4 maps out four sets of protective duties requiring states to prevent, halt or redress certain harms by behaving diligently in cyberspace Two of these can be traced to primary obligations of general international law: (i) the duty of states not to knowingly allow their territory to be used for acts that are contrary to the rights of third states, articulated in the Corfu Channel case,[11] which we call the ‘Corfu Channel’ principle;[12] and (ii) states’ duty to prevent and remedy significant transboundary harm, even if caused by lawful activities, known as the ‘no-harm’ principle.[13] In addition, specific bodies of international law establish due diligence duties which apply to cyberspace. Though not a silver bullet against current cybersecurity challenges, we conclude that this international legal ‘patchwork’ of protective obligations does provide a solid and comprehensive legal basis for harm prevention and accountability
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have