The concept of due diligence is well-established in international law. As enshrined in the first decision of the International Court of Justice (ICJ), the Corfu Channel case, due diligence was a reminder of “every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”. Due diligence has been described as a ‘good citizenship’ obligation, promoting the idea of an international community where states, to a certain extent, look out for one another. With a broad acceptance of the idea that international law applies to cyberspace and the relative lack of international treaties relating specifically to cyberspace, the concept of cyber due diligence has been explored mostly by academics. There have, however, been moves by governments to insert or imply due diligence requirements in national cyber policies, including in the USA and Europe. Recent academic explorations of the issue, such as the German Institute for International and Security Affairs’ “Due Diligence in Cyberspace” report, examine specific guidelines for international and particularly European cyber policies. While the acknowledgement of cyber due diligence is a welcome development, there are many aspects to the obligation which are complicated by the nature of cyberspace.
It is noteworthy that the Tallinn Manual — a document put together by independent international law experts which “identifies the international law applicable to cyber warfare and sets out ninety-five ‘black-letter rules’ governing such conflicts” — mentions due diligence in cyberspace. Rule 5 explicitly notes that “A State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States”. Despite being a document that charts out rules as they apply to cyber warfare, the Manual addresses due diligence, which applies equally during peacetime. Even then, the nature of cyber attacks which could harm states caused disagreement about whether there was a duty to prevent such actions or only to react to them. States fulfil their due diligence obligations based on knowledge of harmful or illegal activity, but in international law, there are different types of knowledge.
States may have actual knowledge of harmful activity, for example, from victim reports or their own intelligence gathering. In such cases, the obligation is relatively clear cut; it is thornier if the state has ‘constructive knowledge’ of such activities. Constructive knowledge, as set out by the European Court of Human Rights in the Osman case and others, occurs when a state ‘ought to have known’ that certain activities were taking place or could take place. The ‘ought to have known’ standard could be seen as harsh on authorities dealing with cyber activities (even though international courts have not extended it beyond a few specific cases). On one hand, states have to monitor their cyber infrastructure to keep it secure and prevent its misuse, but on the other, the more they monitor, the greater the chance they are liable if they fail to prevent harmful activity. This tension is only made stronger by the range of cyber activities which can be conducted clandestinely, and which can harm other states. There is no established standard or level of harm for when the cyber due diligence norm is engaged. Cyber espionage can certainly harm other states, but is not illegal per se — where does this leave states which might suspect that cyber espionage is being conducted using their resources?
The conundrum of constructive knowledge leads to murky waters when dealing with cyber infrastructure. Combined with the broader principle of due diligence, it seems to encourage greater monitoring and control over cyber infrastructure. This is particularly true since harmful cyber activities can be conducted with fewer resources and personnel than other types of harmful activities; the vulnerability of cyber resources to non-state actors, for example, is greater than that of, say, nuclear weapons. Due diligence requirements can be partly satisfied by states enacting domestic laws which outlaw unauthorised use of computer systems or interfering with critical information infrastructure. States can only go so far, however, before they risk infringing individual human rights. The United Nations has affirmed the right to freedom of opinion and expression as well as the right to privacy when it comes to the internet. Many countries have struggled with balancing these rights as they expand both the connectivity of their populations and their wider cyber capabilities.
The variations in cyber capabilities across the globe — whether they be offensive, defensive, or related to enforcement more broadly — have in some ways hampered the creation of internationally binding cyber treaties. Countries are attempting to build their cyber capacities and widen their range of operations, which in many cases may include engaging non-state actors and other unorthodox strategies. From this uneven starting place, there are further difficulties. It is not always possible to accurately identify the perpetrator of a cyber attack, much less prevent them from acting or indeed put a stop to their actions once underway. A strong due diligence principle, as espoused by Europe, for example, makes sense on the surface. However, a uniform due diligence standard cannot work for the same reason a one-size-fits-all cyber treaty has not yet come about: in cyberspace, all states are not equal.
For developing countries particularly, the capacity to monitor vast populations and different types of cyber infrastructure may not satisfy due diligence requirements as they are currently being framed. Policymakers should look to the principle as it applies in wider international law, where due diligence obligations are closely tied to a state’s ability to take action. A report from the International Law Association Study Group on Due Diligence pointed out: “[I]t is well-established that developing States may not be able to control activities in their territory in a similar manner to developed States,” which then has a bearing on “the evaluation of whether they have breached their due diligence obligation”. Tying the responsibility — to act, inspect, protect or prevent — to capability is paramount in the cyber context given the variegated methods of conducting cyber attacks. For example, there is another scenario when countries may run afoul of due diligence: if a cyber attack transits their infrastructure. Though there is no consensus yet on whether so-called ‘transit states’ have a responsibility to act, if the current model of due diligence in cyberspace proceeds, it may become a reality.
A layered and nuanced due diligence principle for cyberspace is critical given that breaching the obligation can lead to disastrous consequences. If a state is perceived to have failed to act or warn another state, the ‘wronged’ state can take action — countermeasures which would otherwise be unlawful. The scope of such countermeasures is as broad as can be contemplated. They can be cyber countermeasures or conventional countermeasures, aimed at public or private entities, and they can have wide-ranging effects. If invoking another state’s failed due diligence obligation can be an excuse to conduct cyber operations in that state, then the obligation needs greater clarity. As part of efforts towards an open internet and greater connectivity between nations, due diligence can be beneficial in encouraging good neighbourly behaviour. It should also prevent the development of safe havens where non-state actors can sow cyber disruption. However, it can only do that if it is applied according to the cyber-standing of each state; otherwise, it becomes a boon for more cyber-capable countries and a burden for those still striving for those heights.
The views expressed above belong to the author(s).