
Unpacking due diligence in cyberspace

Pages 4-25 | Received 11 Mar 2023, Accepted 07 Jul 2023, Published online: 03 Nov 2023

ABSTRACT

There is controversy as to whether due diligence in cyberspace is required as the result of a general rule in international law – namely, that States must not allow their territory to be used for acts contrary to the rights of other States – or because of a voluntary norm of responsible State behaviour, i.e. something that is expected but not legally required.

This paper analyses the legal status and content of due diligence in the cyber context, including with reference to position statements published by a growing number of States on these issues.

The paper also considers what due diligence measures are expected of States as a matter of policy, in order for them to act responsibly to tackle – on their own territory – malicious cyber activity that may have harmful effects in the territory of other States. The article concludes with recommendations – including that the debate on legal status should not hinder discussion on the implementation of stronger standards on due diligence as a matter of policy. Those standards should be the focus of the discussions on due diligence in the UN’s Open-Ended Working Group on developments in the field of information and telecommunications (OEWG).

I. Introduction

Malicious cyber activity by both States and cyber criminals has grown exponentially over the last five years – including ransomware operations on critical infrastructure such as hospitals and national energy supplies. States have agreed on the need to take reasonable steps, within their capacity, to end malicious cyber activity taking place on their territory. ‘Due diligence’ is the conduct, or standard of conduct, expected of States in order to meet this responsibility.

This paper discusses due diligence in the context of cyberspace: its legal status, its content and what is required of States in practice. It draws on discussions conducted under the Chatham House Rule at a roundtable on ‘Due Diligence in Cyberspace’ held at Chatham House in January 2023, attended by experts from government, academia, the private sector and civil society.

Terminology

Care is needed in the usage of the term ‘due diligence’, both in the cyber context and more generally. In the private sector, due diligence is an exercise that involves the identification and management of risk, including the risk of causing or contributing to human rights harm (see United Nations [UN] Guiding Principles on Business and Human Rights, 2011). In international law, the role and nature of due diligence has often been characterised inconsistently (McDonald 2019, 1043). In the sense used in this paper, due diligence is the responsible behaviour expected of a State in order for that State to avoid its territory being used to violate the rights of other States. ‘Due diligence’ can be construed as both conduct (diligent behaviour aimed at identifying and managing risk) and a standard of conduct (because the behaviour must reach the level that is ‘due’ in the circumstances).

This paper is structured as follows: Section II examines the legal status of due diligence in general international law, and the implications of that debate for due diligence in cyberspace. Section III discusses the meaning of due diligence in the cyber context. Section IV concludes by making recommendations for future dialogue on this topic, both at the UN and outside of it.

II. The debate on the legal status of due diligence in cyberspace

There is controversy as to whether due diligence in cyberspace is required as the result of a general rule in international law – namely, that States must not allow their territory to be used for acts contrary to the rights of other States – or because of a voluntary norm of responsible State behaviour, i.e. something that is expected but not legally required. If due diligence is required under a general rule of international law, then falling below the standard of conduct required could constitute a violation of international law, engaging State responsibility.

In the UN processes during which States have been discussing the application of international law to cyberspace, due diligence has been described as a voluntary ‘norm’, that is, an expected standard of behaviour. The UN Group of Government Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security reached agreement in its 2015 report that:

  • ‘States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’ (norm 13(c)); and

  • ‘A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public’ (norm 13(f)).

The second half of paragraph 28(e) of the UN Group of Government Experts (2015) GGE report also relates to due diligence, when it provides (using the non-binding language of ‘should’ rather than ‘must’) that, ‘States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts’ (emphasis added).

These voluntary commitments in the UN Group of Government Experts (2015) GGE report have since been reaffirmed, including in the report submitted by the GGE on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security to the UN General Assembly (UNGA) of May 2021, and the report issued by the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the context of International Security (OEWG) in March 2021. In relation to norm 13(c) above, the GGE stated in its report of May 2021 that, ‘the norm raises the expectation that a State will take reasonable steps within its capacity to end the ongoing activity in its territory’. While the UN processes are imperfect, reflecting only the minimum of what States are able to agree on a consensus basis, the position in the UN is indicative of the view of a number of States on this issue.

At the same time, several States have published statements indicating their view that due diligence in cyberspace is a binding obligation on States under international law. This group includes Costa Rica, the Czech Republic, Estonia, Finland, France, Germany, Italy, Poland, the Netherlands, Norway, Japan, Sweden and Switzerland (for relevant national positions, see International cyber law: interactive toolkit: due diligence). Some Latin American States have also made pronouncements that suggest they consider the exercise of due diligence in cyberspace to be a binding obligation (Hollis 2020, 58). The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations also considered due diligence to be a binding obligation in the context of cyberspace (Schmitt and Vihul 2017, Rules 6 and 7).

Other States have explicitly taken the position that there is not yet State practice sufficient to establish that there is an obligation of due diligence in cyberspace – whether deriving from a general rule of international law, or as a specific rule (or ‘lex specialis’) that has emerged in the cyber context. For example, Argentina, in its statement at the second substantive session of the OEWG of 11 February 2020, argued that ‘under international law, there is no obligation of due diligence when it comes to cybersecurity’ (Government of Argentina 2020). Israel has stated that due diligence ‘does not, at this point in time, translate into a binding rule of international law in the cyber context’ (Schondorf 2020). New Zealand is ‘not yet convinced that a cyber-specific “due diligence” obligation has crystallised in international law’; the US states that it ‘has not identified the State practice and opinio juris that would support a claim that due diligence currently constitutes a general obligation under international law’, while the UK argues that ‘the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of “due diligence” applicable to activities in cyberspace’ (International cyber law: interactive toolkit: due diligence). Canada has reserved its position pending further study of the topic, although it is notable that Canada’s national statement refers to the principle that ‘No State should knowingly allow its territory to be used for acts contrary to the rights of other States’ as an ‘expectation’ rather than an ‘obligation’ (Government of Canada 2022, para 27).

As is clear from the above, in the cyber context, whether or not the norm that ‘States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’ reflects a binding obligation on States is not settled. In order to address the question of legal status, it is first necessary to examine the position of due diligence under international law generally, before turning to the position in cyberspace.

The position under international law

In the context of international law, due diligence is neither a rule nor an obligation in itself, but rather a standard of conduct required of States pursuant to a particular rule of international law. Krieger, Peters and Kreuzer note that, ‘ … this standard of due diligence is, in law, necessarily ancillary to some (other) legal obligation and no free-floating obligation in itself’ (2020, 122). McDonald notes that States do not refer to general obligations of due diligence when pleading before the International Court of Justice (ICJ), but to specific primary rules of treaty or custom which require a particular act or omission by other States (2019, 1047). Due diligence, as a standard of State behaviour, requires a hook in order to be engaged, in the form of a pre-existing primary rule of international law (McDonald 2019, 1044).

It is generally agreed that there are certain specific obligations on States in international law to prevent, mitigate and redress certain types of harmful activity that emanate from their territory and can cause harm to other States. Firstly, there are obligations on States, under environmental law, to prevent harmful events and outcomes beyond their territories. Specific obligations are provided for in certain treaties, for example, Article 7 of the Convention on the Law of the Non-Navigational Uses of International Watercourses 2014. Beyond specific treaty provisions, a rule of customary international law has developed in environmental law, that States must take appropriate measures to prevent, reduce and control transboundary pollution and environmental harm that results from activities within their jurisdiction and control (Boyle and Redgwell 2021, 152–153).

Second, historically, there have been specific obligations on States that oblige them to exercise due diligence in order to abide by the law of neutrality, such as treaty obligations to prevent arms exports to belligerents, as well as to monitor their ports and territorial waters. Article 7 of the Treaty of Washington 1871 and the Hague Convention 1907 provide examples (Lemnitzer 2022, 801).

Third, there are treaties under which States have a duty to prevent certain specific activities, whether or not the activity takes place within or outside of their territory. For example, the Genocide Convention provides for an obligation on States parties to take certain steps to prevent the acts that the Convention seeks to prohibit. As the ICJ noted in the Bosnia Genocide case (2007), many other instruments contain a similar obligation, for example the Convention Against Torture (Article 2), the Convention on the Prevention and Punishment of Crimes against Internationally Protected Persons 1997 (Article 4) and the International Convention on the Suppression of Terrorist Bombings 2001 (Article 15). The court in Bosnia Genocide observed that, ‘the content of the duty to prevent varies from one instrument to another, according to the wording of the relevant provisions and the nature of the acts to be prevented’ (para 429).

Finally, there are obligations on States to prevent specific acts on their own territory that would be contrary to the rights of other States. For example, UN Security Council Resolution 1373 of 28 September 2001 obliges all States to take a range of actions to ‘prevent and suppress, in their territories through all lawful means, the financing and preparation of any acts of terrorism’ (emphasis added).

In each of the cases above, the State is required to undertake due diligence in order to adequately discharge its protective duties under a primary rule of international law. The standard of conduct required of the State in each case depends on the primary rule in question (Draft Articles on State Responsibility of the International Law Commission (ILC), Commentaries, 2001, para 13; see also Bosnia Genocide case, para 430). The standard is specific to the context and may change over time (ITLOS Advisory Opinion in Case No. 17, 2011, para 117). The ILC has stated that duties of prevention, ‘are usually construed as best efforts obligations, requiring States to take all reasonable or necessary measures to prevent a given event from occurring, but without warranting that the event will not occur’ (ILC Draft Articles on State Responsibility, Commentaries, Art 14, 2001, para 14).

A general obligation on States to prevent their territory from being used for acts contrary to the rights of other States?

The first question is whether the specific obligations set out above emerge from a general rule in international law that States must exercise due diligence to prevent their territory from being used for acts contrary to the rights of other States. To establish a customary rule of international law, it is necessary to have evidence of general State practice accepted by States as law. The State practice referred to above arises in specific contexts. Judicial decisions are also a subsidiary means for the determination of rules of law (Article 38(1) of the Statute of the ICJ). In the Bosnia Genocide case, where the ICJ addressed the obligation in the Genocide Convention to prevent genocide, the court declined to infer a general ‘duty to prevent’ that applies across international law generally. At para 429, the court stated that,

‘[t]he decision of this Court does not, in this case, purport to establish a general jurisprudence applicable to all cases where a treaty instrument, or other binding legal norm, includes an obligation for States to prevent certain acts. Still less does the decision of the Court purport to find whether, apart from the texts applicable to specific fields, there is a general obligation on States to prevent the commission by other persons or entities of acts contrary to certain norms of general international law’ (emphasis added).

The cyber context is the prime locus for the debate on this issue, but State practice in this context is still embryonic, and reveals differing views. Some States and commentators conceive the ‘hook’ for an obligation of due diligence in the cyber context to be the principle of sovereignty (see, for example, the national positions of Costa Rica, Denmark, Estonia, France, Germany, Ireland, Norway, Sweden and Switzerland in International cyber law: interactive toolkit: due diligence). Sovereignty gives rise to rights for a State, for example that the territorial State has the right to regulate all activities on its territory – and also to corresponding obligations. It has been argued that these obligations include that a State must take reasonable measures to prevent activities emanating from its territory from harming other States’ sovereign rights, pointing in particular to the case law of the ICJ in support. Mikanagi, writing about the application of due diligence in the cyber context, cites the ICJ cases of Corfu Channel (1949) and Bosnia Genocide (2007), which are discussed further below, as well as the 1872 Alabama Claims Arbitration (Mikanagi 2021, 1032).

In the Corfu Channel case (1949, para 22), the ICJ referred to, ‘ … every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States’. Most of the States that consider due diligence to be a binding obligation in the context of cyberspace cite the Corfu Channel case (see the national positions of Costa Rica, Germany, Italy, Japan, the Netherlands, Norway, Romania, Sweden and Switzerland in International cyber law: interactive toolkit: due diligence).

Some scholars cite other jurisprudence on international law in support of the existence of a general rule that States must not allow their territory to be used for acts contrary to the rights of other States. For example, Lahmann, arguing (in the cyber context) that a positive duty to prevent adversarial conduct originating from one State’s territory against the territory and rights of other States exists as a customary rule, cites the Pulp Mills case (Lahmann 2020, 147). In Pulp Mills, the ICJ stated that ‘the principle of prevention is a customary rule, and as such it has its origins in the due diligence that is required of a State in its territory’ (para 101).

Others argue that current State practice, combined with the view that such practice is required by law (opinio juris), is insufficient to show that there is a general rule that States must not allow their territory to be used for acts contrary to the rights of other States, whether as flowing from the principle of sovereignty or otherwise (Kenny 2024, forthcoming). It has also been noted that the cases cited above in support of the existence of a general rule are by no means clear-cut on the issue, and are specific to their context. Heathcote argues that case law prior to the Corfu Channel case shows that it is only in relation to established rights that a due diligence obligation is owed, and that in the case of Corfu Channel, the right in question was that of innocent passage (Heathcote 2012, 299). In addition, while the quotation from the Corfu Channel case above looks like a general statement, it was a point that Albania conceded in its memorial in the case, and it was not actually argued; the court therefore made the statement without any other context as to where it came from. In the Pulp Mills case, the court identified obligations of due diligence upon States only insofar as they existed within the particular field of international environmental law (McDonald 2019, 1046) in which a specific rule of customary law has developed that States have a duty to prevent transboundary environmental harm.

The general principle of sovereignty has given rise to specific primary rules, such as the prohibition of intervention in another State’s internal or external affairs, which is well-established and reflected in international law instruments such as the Friendly Relations Declaration. But whether the existence of a general rule under which States must not allow their territory to be used for acts contrary to the rights of other States – derived from the sovereignty principle – can be substantiated, remains a matter of controversy. Are cases such as Corfu Channel sufficient to establish the existence of such a rule, given the lack of State practice? If there is a general duty to prevent, what are the consequences for States in all other policy areas to which the duty must apply, beyond the cyber context? If there is no general rule in international law, there cannot be such an obligation in cyberspace either (unless, as is considered further below, a cyber-specific obligation of due diligence may be emerging).

Duty to prevent transboundary harm?

A further argument has been put forward by some scholars: that whether or not there is a rule requiring States to exercise due diligence to ensure their territory is not used for acts contrary to the rights of other States, there is a duty on States to prevent and redress significant transboundary harm in the context of cyberspace, which gives rise to its own due diligence obligations (see Dias and Coco, who suggest there are ‘strong reasons to suggest’ that the rule applies to ICTs, [2021, 174]; Walton [2016, 1460]).

In the Trail Smelter arbitration, an arbitral tribunal held that,

‘ … under the principles of international law … no State has the right to use or permit the use of its territory in such a manner as to cause injury by fumes in or to the territory of another or the properties or person therein when the case is of serious consequence and the injury is established by clear and convincing evidence.’

The Trail Smelter case has given rise, in the field of environmental law, to the principle of transboundary harm which, as Dias and Coco have noted, has different elements and legal consequences to the principle discussed by the ICJ in the Corfu Channel case. This includes the fact that the principle is only breached if a State fails to compensate the victim for the damage caused (Dias and Coco 2021, 168–179).

While Trail Smelter has led to important developments in international environmental law, it is not clear that a general due diligence obligation applies in all situations where there is a risk of transboundary harm from hazardous activities, regardless of the nature of the activity – and therefore also to cyber operations. For this, there would need to be general State practice, accepted by States as law. As noted above, the ICJ in the Bosnia Genocide case cautioned against an assumption that specific obligations in a particular context should be construed as conferring a general obligation that applies across all areas of international law (Bosnia Genocide case, para 429). State practice in the cyber context is growing, but it is notable that of those States that have referred to due diligence as a binding obligation (of which there are now over 25), only Costa Rica and Norway refer to the principle of transboundary harm.

It has also been argued that there are cross-cutting provisions in international law under which States are required to show a reasonable amount of care. For example, international human rights law imposes a series of positive obligations on States to adopt reasonable measures to protect the human rights of persons under their jurisdiction against threats posed by other entities. Provisions such as these will inform a State’s assessment of when action is needed, but do not have a bearing on whether there is a general rule that States must not allow their territory to be used for acts contrary to the rights of other States.

Policy concerns

The debate on the legal status of due diligence in cyberspace is conditioned by policy considerations on either side. On the one hand, if due diligence is required under a primary rule of international law, this provides victim States with a legal basis to demand immediate action to address behaviour by private actors that is having harmful effects on the victim State’s territory, but which would not otherwise be engaged by international law, since international law generally applies only to States. Take the scenario where malicious ransomware operations are being conducted by hackers from the territory of State A, and these operations are having detrimental effects on critical infrastructure in State B. The evidence available provides an insufficient basis to attribute the activity to State A. State A is aware of the activity and, if due diligence is required pursuant to a general rule, is obliged to take action at least to try to put an end to the activity. This scenario is factually similar to that of the ‘Colonial Pipeline’ case of May 2021, in which a US oil pipeline suffered a ransomware cyberattack. The FBI identified the criminal hacking group DarkSide as the responsible party. President Biden said on 10 May 2021 that, although there was no evidence that the Russian government itself was responsible, there was evidence that DarkSide was based in Russia and therefore that the Russian authorities ‘have some responsibility to deal with this’ (Helmore and Greve 2021).

In scenarios such as these, conceiving of due diligence as an obligation that States are required to fulfil, pursuant to a general rule of international law, would provide a legal basis by which to hold Russia to account for failure to address the behaviour of private actors on its territory, in two ways. First, it would enable the international community to call out Russia for a violation of international law if it failed to take action to try to stop the hackers’ activity on its territory. Second, in the eyes of at least some States and scholars, it would provide a basis to take not only political and diplomatic measures against Russia, but also countermeasures or referral to the UN Security Council (see the French and Swiss national positions in International cyber law: interactive toolkit: due diligence). The policy arguments for due diligence as a legal basis for holding perpetrator States to account are particularly attractive in circumstances in which there is compelling technical evidence to attribute a malicious cyber operation to a State, but where the attributing State is uncertain whether there has been a violation of international law or lacks evidence that would prove such a violation. Japan, for example, suggests that a due diligence obligation may provide grounds for invoking the responsibility of the State from whose territory the cyber operation originated, even if it is difficult to prove the attribution of a cyber operation to any State (Government of Japan, UN’s Official Compendium of Voluntary National Contributions on How International Law Applies to Cyberspace, 2021).

On the other hand, some States and scholars consider that conceiving due diligence as required by a general rule of international law (i.e. that States must not allow their territory to be used for acts contrary to the rights of other States) is problematic from a policy perspective, both because it may place an undue burden on States, and because it is currently unclear what the scope of the putative due diligence obligation is, and therefore what is required of a State in practice. This lack of clarity is of particular concern where the State from whose territory the malicious cyber activity is emanating may be at risk of countermeasures if it does not adequately discharge the obligation.

It should be noted that the use of countermeasures in this context in any event raises several challenges. Some States are nervous about the use of countermeasures in the cyberspace context, given the risk of abuse inherent in them (see, for example, Brazil’s submission to the UN’s Official Compendium of Voluntary National Contributions on How International Law Applies to Cyberspace, 2021). Use of countermeasures in the due diligence context could risk escalating disputes between States (see Talbot Jensen and Watts 2017, 1573–1574), particularly in contexts in which, as here, States have differing views as to whether the underlying conduct was a violation of international law in the first place. Further, countermeasures are governed by strict conditions, as set out in the ILC’s Draft Articles on State Responsibility 2001, including a requirement to notify the responsible State of the decision to take countermeasures, call on the responsible State to fulfil its obligations arising from the internationally wrongful act, and a requirement that the nature of the countermeasure is proportionate to the original breach of international law (Article 51). These conditions are designed to safeguard against miscommunication and unintended escalation, but States have differing views as to how (and in the case of some conditions, whether) they apply in the context of cyberspace (see the diverse national positions in International cyber law: interactive toolkit: Countermeasures).

Even if a violation is established, it may be difficult for the victim State to devise countermeasures that would be proportionate to a violation consisting of a failure to conduct due diligence adequately. It is questionable, for example, whether a hack back – i.e. cyber counteraction taken to mitigate or stop malicious cyber activity – would be proportionate in this scenario (see Lahmann 2020, 131 on the problems that hack backs raise in this regard).

Insofar as due diligence in cyberspace is required pursuant to a general rule, there may also be evidential difficulties in proving that violation of such an obligation has occurred, based on a State’s activity or the lack of it, because in the cyber context much State practice takes place in secret. It may be difficult to establish that the State in question had, or should have had, knowledge of the malicious cyber activity emanating from its territory. The characteristics of cyberspace, particularly the sheer volume and speed of cyber activity emanating at any one time from a State’s territory, and the use of increasingly sophisticated concealing techniques by perpetrators of malicious cyber operations, complicate the question of how far a State should be expected to ‘know’ of a particular harmful cyber incident on its territory, either at the time or in advance. This brings us on to the scope of due diligence and what it means in practice in the cyber context.

III. The meaning of due diligence in cyberspace

For those who suggest that States are obliged to carry out due diligence pursuant to a general rule, which applies in cyberspace as in other areas of international law, it is necessary to understand what is meant by the obligation, otherwise the assertion has little meaning. Among those who argue that there is a general rule that States must not allow their territory to be used for acts contrary to the rights of other States, there are differing views as to the content of the associated due diligence obligation. Several factors have been suggested as relevant in order to delineate the scope of the obligation: the level of knowledge that a State is required to have; the types of activity that a State is required to carry out; and the seriousness of the harm caused by the malicious cyber activity on the territory. Each is examined below.

Level of knowledge

Under the narrowest conception of the putative due diligence obligation, a State must have actual knowledge that the malicious cyber activity is taking place on its territory, for example, as a result of notification from another State. In their national statements on due diligence in the cyber context, certain States discuss the expectation that a State should take action when it is ‘aware of an internationally wrongful act originating from or routed through its territory’ (Government of Australia 2020), suggesting actual knowledge, or ‘at the least … when a State has received a credible notification from another State’ (Japan). New Zealand explicitly states that it considers that a legally binding due diligence obligation should only apply where States ‘have actual, rather than constructive, knowledge of the malicious activity’ (see relevant government statements at International cyber law: interactive toolkit: due diligence).

A standard of actual knowledge has the advantage of clarity of scope – if a State receives a good faith notification from an affected State, with supporting information, it can work with partners to investigate the cyber activity concerned and, if appropriate, take action to bring it to an end. It also places the least burden on States in practice. It has been endorsed, as a matter of policy, by some States that do not consider due diligence to constitute a binding obligation, for example, the US: ‘[w]e do … believe that if a State is notified of harmful activity emanating from its territory it must take reasonable steps to address such activity’ (emphasis added).

Others argue that the relevant standard is constructive knowledge on the part of the State, i.e. that, regardless of whether the State actually knew about the malicious cyber activity on its territory, it should have known about it, based on objective factors, including the information available to the State at the time. Of those States that have indicated support for due diligence as a binding obligation in cyberspace, several consider constructive knowledge to be the relevant standard of knowledge required of a State, for example the Czech Republic, Norway, Romania, Sweden and Switzerland (see the national positions set out in International cyber law: interactive toolkit: due diligence), as did the International Group of Experts involved in the Tallinn Manual 2.0 (Schmitt and Vihul 2017, para 39 of commentary to Rule 6).

Constructive knowledge, as a higher standard than actual knowledge, imposes a more onerous burden on States. While a standard of constructive knowledge can be distinguished from a positive duty on the State to acquire knowledge, arguably it could imply some obligation on a State at least to make some basic enquiries, particularly if information about malicious cyber activity is in the public domain or if the State has a history of such activity on its territory. At the same time, as a matter of practicality, constructive knowledge has the advantage that the victim State can rely on objective evidence rather than having to inquire into the mental element, i.e. what a State actually knew, which can be hard to prove in practice.

Threshold of harm

Some of those who consider due diligence to constitute a binding obligation in cyberspace have sought to delineate the scope of the obligation by reference to a threshold of harm. Japan and Romania, for example, cite cyber harm that has ‘serious adverse consequences’ for other States as a factor conditioning whether due diligence is required of the State in question (see International cyber law: interactive toolkit: due diligence). The International Group of Experts involved in the Tallinn Manual 2.0 considered that the due diligence ‘rule’ embraces all cyber operations that are contrary to the rights of the affected State under international law (drawing on the Corfu Channel case) and that have ‘serious adverse consequences’ for other States (Schmitt and Vihul 2017, para 15 of commentary to Rule 6).

The experts took the language of ‘serious adverse consequences’ by analogy from the application of the due diligence principle in international environmental law (it appears in the ILC’s Draft Articles on Transboundary Harm, 2001, and in the cases on which the Draft Articles draw, for example Pulp Mills and Trail Smelter). However, as noted above, it is doubtful whether there is a general duty to prevent transboundary harm that applies universally across international law at present, and hence whether such a duty applies automatically in the cyber context. The International Group of Experts involved in the Tallinn Manual 2.0 conceded that ‘the precise threshold at which the due diligence principle applies is unsettled in international law’ and had differing views on where the threshold might lie, some favouring a lower threshold such as ‘significant’ or ‘substantial’ harm (Schmitt and Vihul 2017, para 25 of commentary to Rule 6). The issue of harm also carries a risk of subjectivity, since States will be the principal actors assessing whether the threshold has been met, and what one State considers harmful to its rights another may not. There is certainly a logic to the idea that the more serious the harm to other States, the more due diligence will be required of the State from whose territory the harm is emanating (Lemnitzer 2022, 801) – but this logic has no bearing on legal status, as it applies whether due diligence constitutes a binding obligation or conduct expected under the voluntary norms.

Activity required of a state in order to comply with the obligation

If due diligence is a legal requirement in the cyber context, a third way in which its scope could be delineated is through the activity required of States in order to comply with the obligation. At its narrowest, the behaviour required could be simply for the territorial State to take reasonable measures to put an end to malicious cyber activity contrary to the rights of other States that is taking place on its territory. This is the view taken in the Tallinn Manual 2.0, although the Manual also notes that ‘the precise scope of action required under the due diligence obligation is unsettled’ and the experts had differing views on what was required of States and when (Schmitt and Vihul 2017, para 2 of commentary to Rule 7 on Compliance with the Due Diligence Principle). In the view of the Tallinn Manual experts, the behaviour required of a State does not extend to prevention of the malicious cyber activity, and so there is no need for the State to take proactive measures such as monitoring cyber activities on its territory (Schmitt and Vihul 2017, para 10 of commentary to Rule 7).

A broader obligation to strive to prevent the activity

Others who argue for the existence of an obligation on States to conduct due diligence in the cyber context consider that the scope of the requirement is broader, amounting to an obligation on a State to exercise due diligence in advance of malicious cyber activity, in order to prevent – or at the very least to strive to prevent – such activity from occurring on its territory, as well as to stop and redress it. On this view, a higher standard of conduct is required of States: a ‘basic duty of vigilance’, which is of a ‘continuing nature’ (Lahmann 2020, 152).

Under this broader conception of the scope of due diligence, a State must, as a matter of law, take certain actions in advance of any malicious cyber activity on its territory, rather than simply react to them. It has been suggested that the following measures are elements of the standard of conduct necessary for States to exercise diligent behaviour in the cyber context:

- A basic legal framework to cover, at a minimum, the most serious kinds of cyber harms, e.g. criminalization of malicious cyber activity or requiring companies to report cyber incidents in order to be able to generate accurate threat assessments.

- Technical and procedural measures to prevent or stop malicious cyber activity on the territory, including monitoring, to assist in intercepting and tracing a malicious cyber operation.

- A central organizational structure for dealing with cybersecurity matters, to implement the legal framework and coordinate responses to malicious cyber activity.

- The building of capacity: internally, to improve the quantity and quality of the workforce dealing with cybersecurity practices, and externally, for example, by helping another State to train a capable cyber workforce.

- International cooperation, including notification by the victim State to the State from whose territory the cyber harm is emanating, and requesting assistance to stop it.

(Coco and Dias 2021, 771).

The extent to which a State needs to take each of the measures above, or indeed go further, will depend on its capacity and resources. The due diligence standard in international law is one of conduct, not result (ITLOS Advisory Opinion in Case No. 17, 2011, para 110). For developing States, the expectation of what they need to do is lower, commensurate with their capacities, whereas more developed States are expected to continue to acquire capacity and to offer it to other States where appropriate. States with advanced capabilities should also do more to incentivise private companies to prevent harm emanating from their technologies and platforms, for example by working with them to improve corporate cybersecurity.

This means that States without much capacity will not be non-compliant if they are, for lack of resources (financial, human, technological, etc.), unable to prevent or stop harm. But there is an objective minimum standard that they should meet, even with few resources (Pantechniki SA Contractors & Engineers v Albania 2009, para 81). This raises the question of what that minimum obligation should look like in the cyber context. It could be argued, for example, that in terms of the technical measures referred to above, every State is obliged to establish a national Computer Emergency Response Team (CERT) to enable it to respond to requests for assistance, act as an international point of contact and, where appropriate, receive assistance from friendly States with more sophisticated cyber capabilities. In practice, setting up a CERT need not require much of a State in terms of resources: at a minimum, it could consist of providing other States with the contact details of a small number of designated officials, or perhaps, in due course, providing those details to the global Points of Contact Directory that the OEWG is working to develop and operationalise (see Dominioni 2023).

Once a State is on notice of cyber harm emanating from its territory, the expectation of what it is required to do may increase, going beyond a general expectation of vigilance to include specific actions to counter the specific cyber operation. France, for example, considers that a territorial State's failure to terminate operations conducted from its territory by State or non-State actors, where those operations would violate the sovereignty of another State if the territorial State itself conducted them, is a violation of international law (French Ministry of Defence 2019), which can give the victim State the right to take countermeasures.

If there is a binding obligation, where does it end?

In practice, it can be difficult to draw the line between what is required of a State as a matter of law, and what as a matter of discretion. Even if it is accepted that certain baseline capacity-building measures are legally required as part of a State's due diligence efforts – for example, establishment of a basic CERT – are the broader activities listed above also required, or are they merely a matter for a State’s discretion? It is particularly controversial whether measures to legislate and monitor are required as a matter of law. Issues that are ripe for further discussion in this context include:

- Does the scope of the putative obligation include a requirement that the State in question legislate to give its government appropriate powers to tackle malicious cyber operations, for example by criminalising certain conduct?

- Is there a minimum obligation of reasonable monitoring and, if so, what does it require of States in practice? Should monitoring take place only where there is credible information about a malicious cyber operation emanating from a State’s territory, and/or where the operation in question is serious, or is there a general obligation to monitor on an ongoing basis? It has been argued that cybersecurity monitoring should be distinguished from surveillance and should require merely a broad assessment of systems and continual scanning for problematic patterns (Dias and Coco 2021, 183). In practice, however, the distinction may be less clear-cut. There is a risk that any obligation on States to monitor ICTs within their territory proactively could be abused by illiberal or authoritarian States seeking to exert more control over their citizens and companies, contrary to international human rights law – particularly the rights to privacy and freedom of expression. Or, given these risks, is there a more minimal requirement for States to cooperate internationally on malicious cyber operations, including through transparent reporting of the information they possess?

- If the State from whose territory the malicious cyber activity is emanating lacks the ability to take preventive measures, is it required to accept help from other States, or from private sector actors funded by another State, where such assistance is offered? Conversely, are States with greater capacity required to cooperate with and offer help to victim States?

Policy and practical concerns

In addition to the questions above, there is the fact that, in practice, States may have to make trade-offs between resources directed towards preventing their territory from being used for malicious cyber activity that may harm the rights of other States on the one hand, and their own sovereign interests on the other. All States have finite resources. Given the volume of cyber interactions passing through a State’s territory at any one time, and the speed at which they occur, how far must States go in order to identify and prevent malicious cyber activity on their territory in advance and in a timely fashion? Most formulations of the standard of conduct required of States in relation to responsible behaviour in cyberspace require them to take ‘reasonable steps’ to tackle malicious cyber activity on their territory. What is adequate or reasonable will obviously depend on the circumstances of each case. In most cases, national security issues will be relevant, and will often need to be handled by the State in secret.

For example, State A knows there is malicious cyber activity emanating from its territory which may have harmful effects in other States. State A could inform other States about this activity, or seek to disrupt it unilaterally, but in either case such action could prejudice potentially sensitive national capabilities by throwing a spotlight on them. This in turn could jeopardise State A's ability to act against malicious actors, in the interests of national security, in more serious cases in the future. State A therefore decides not to act, despite having the ability to do so. This scenario is far from hypothetical: leaks of national security documents suggest that there is a substantial body of State practice of deliberate inactivity, i.e. cases where a State had the ability to take action but chose not to (see, for example, the 2018 analysis by Bencsáth and the CrySyS Lab team of the ‘Territorial Dispute’ tool used by the US National Security Agency to check compromised machines for signatures of known Advanced Persistent Threats (APTs), which emerged from the Shadow Brokers leaks). This example underlines some of the policy tensions between the notion of due diligence as a binding obligation on the one hand and operational considerations on the other. It also highlights some of the evidentiary challenges involved in proving whether a State has complied with a requirement to take preventive measures.

Emergence in cyberspace of a specific ‘obligation to prevent’?

As noted above, if there is no general rule in international law that States must not allow their territory to be used for acts contrary to the rights of other States, there cannot be such a rule in cyberspace either (absent the emergence of a cyber-specific rule). Other specific duties to prevent, including some of those listed on page 4, may nevertheless still be engaged in cyberspace, insofar as there is a cyber dimension to the activity concerned (for example, cyberterrorism). So too will cross-cutting duties of care that arise under, for example, international human rights law and international humanitarian law, insofar as they are relevant on the facts. (For discussion of their application in the context of cyberspace, see Coco and Dias 2021, 179–194.)

It is possible that a cyber-specific customary rule could emerge, or be emerging, with due diligence as the standard of behaviour. As noted above, a customary rule to prevent transboundary harm, with concomitant obligations of due diligence, has emerged in the field of international environmental law. Indeed, some have argued that State practice in relation to the measures above lends support to the existence – or could at least contribute to the formation – of such a rule; McDonald (2019, 1053) notes how due diligence practice by States can serve a law-generating function over time. State practice may be difficult to assess, however, given the challenge of distinguishing between practices undertaken by States out of habit or policy and those undertaken from a sense of legal obligation (McDonald 2019, 1049). As noted above, States will only make their cyber actions public where they can do so in a way that is consistent with their national security interests.

Any measure that is proposed as part of a legal requirement must be realistic and capable of implementation. Questions about notification, how one determines whether a State is in breach, the legal consequences of a State’s failure to comply, and whether there is a duty on a State to offer or receive assistance remain unresolved in the cyber context. In discussing them, we do not need to reinvent the wheel, as they arise in debates on due diligence in many other areas of international law (see, for example, the proposed notification requirement in Article 8 of the ILC’s Draft Articles on Transboundary Harm, 2001). It will be useful for policymakers to discuss these questions further against the background of the history and development of due diligence in other contexts, including environmental law and the law of neutrality.

Avenues for further discussion of legal status

As is clear from the above, several States support the idea that due diligence is required pursuant to a general rule of international law that States must not allow their territory to be used for acts contrary to the rights of other States. The views of these States, which as noted above include Costa Rica, Japan, and several European countries, are significant. But several other States take a different position, and in the short term at least, it is unlikely that a common position will be reached – quite apart from the fact that many other States have not yet published their legal positions on this issue. In the meantime, it is important that discussions about best practice and strong standards expected of States in this area continue at the UN, without getting overly diverted by the ‘rule versus voluntary norm’ debate.

Further clarity on due diligence as a matter of international law is needed, but given the divergent views on legal status to date – even among like-minded States – it may be that, at present, discussions on legal status can be addressed most constructively in fora other than the OEWG, with insights from those fora then feeding into the OEWG as appropriate. For example, the issue of due diligence also arises in the cybercrime context, with relevant read-across to the cybersecurity context. The first draft of the Convention on Cybercrime being negotiated in the UN General Assembly Third Committee (published in June 2023 by the Chair of the Ad Hoc Committee to Elaborate a Comprehensive Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes) includes chapters on technical assistance and international cooperation to limit the impact of harmful cyber activity emanating from the territory of other States. One of the topics in the discussions on the draft convention has been the need for all States to put in place procedural safeguards to share information, strengthen cybersecurity practices and use technologies that increase resilience against malicious cyber operations – all of which are forms of due diligence.

To date, the discussions in the Third Committee have been largely siloed from the cybersecurity debates in the OEWG. But the lines between cybersecurity and cybercrime are blurring, with political attacks often masked as criminal operations such as ransomware, and States using proxies hidden behind aliases. Due diligence offers a means to hold States responsible for failure to prevent a range of cyber harms, no matter who caused them and what form they take. The debates on due diligence in the OEWG should therefore draw on the discussions in the Third Committee in this area. Indeed, establishing stronger links between the two processes would be mutually beneficial (see Hansel and Silomon 2023, 29–31).

There is also an important role for multi-stakeholder meetings outside the UN in facilitating open and constructive discussion on the legal status and contours of due diligence in the cyber context. Due diligence has been discussed in some detail, for example, at roundtable meetings of international law experts drawn from government, the private sector, civil society and academia, convened under the auspices of the Oxford Process on International Law Protections in Cyberspace; by the International Law Programme at Chatham House; and in the ongoing consultations on the third edition of the Tallinn Manual on the International Law Applicable to Cyber Operations (see Schmitt and Vihul 2017 for the second edition).

The benefit of these meetings is that they bring together a range of different actors that have a genuine desire to move the debate forwards, without the political point-scoring sometimes evident in debates at the UN. These meetings facilitate the identification of points of commonality and difference, and allow for more in-depth discussion of these challenging legal issues than the current agenda at the OEWG permits. Similar initiatives have been helpful in making progress on difficult legal issues in other contexts, which has then fed into legislation. For example, multi-stakeholder workshops on cross-border data flows for law enforcement purposes have informed recent EU rules on cross-border access to e-evidence.

It is however important that multistakeholder meetings on the application of due diligence in cyberspace are complementary to – rather than risk cutting across or undermining – discussions at the OEWG. One way of ensuring that insights from these meetings can feed back into the UN processes is through the holding of informal multi-stakeholder side meetings as part of the OEWG process (as the Oxford Process on International Law Protections in Cyberspace has done) and through the writing and dissemination of articles that summarise insights from expert roundtables, of which this piece is an example.

Reaching agreement on due diligence in cyberspace: what would a good outcome look like?

Regardless of ongoing debates about the legal status of due diligence, it is vital that States understand, and reach agreement on, what is needed in order for them to adequately discharge their responsibility to identify and address malicious cyber activity emanating from their territory and, more generally, to build an environment in which cyber harms can be tackled in more effective ways. Reaching agreement at the international level on strong standards of conduct – at least as a matter of policy – will help these standards to be implemented in practice and, in some cases, become enshrined in domestic law.

It is clear from the above that best practice should entail governments working on cyber due diligence both individually and in collaboration with other actors, particularly the private sector, civil society and international partners. At the international level, efforts to deepen cooperation on due diligence in cyberspace should focus on practical measures that States can take to implement the voluntary norms on due diligence, and seek to make clearer what is expected of States in order to do so. Several States, particularly Australia and Canada, have advocated that the OEWG’s work programme adopt this practical approach. Indeed, Canada has circulated a norms guidance text which provides helpful suggestions on the content of the norms and how they should be operationalised (Canadian Position Paper on the OEWG 2021–2025, 2021). For example, in relation to norm (c) – that ‘States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’ – Canada has proposed that, ‘[i]f a State identifies malicious cyber activity emanating from another State’s territory or cyber infrastructure, a first step could be notifying that State. Computer Emergency Response Teams (CERTs) are crucial to being able to identify such activity’. Canada’s paper also suggests how a notification process might work (for example, through the sharing of possible Indicators of Compromise, such as the IP addresses and computers used for malicious ICT activity and information about the malware involved) and ways in which States should work with the private sector to develop concrete tools such as certification processes, best practice guides, response mechanisms and, as appropriate, national regulation.

Operationalisation of the norms relating to due diligence should also be included in regional discussions on responsibility in cyberspace. The European Union (EU) has been pushing for greater coordination and communication of cybersecurity responsibilities at the national and EU levels for several years, as well as underlining the importance of multi-stakeholder involvement in these discussions. The EU’s Cybersecurity Strategy, published in December 2020, aims to strengthen EU Member States’ operational capacity to prevent, deter and respond, and to promote cooperation to advance a global and open cyberspace. Alongside the strategy, the EU has proposed a Cyber Resilience Act (September 2022) and adopted the Digital Operational Resilience Act (Regulation (EU) 2022/2554), and has established a Joint Cyber Unit, designed to ensure a coordinated EU response to large-scale cyber incidents and crises and to offer assistance in recovering from such incidents, as well as creating a network of Security Operations Centres across the EU. ASEAN’s Cybersecurity Cooperation Strategy 2021–2025 seeks to build closer cooperation and coordination among ASEAN Member States in dealing with the cyber threat landscape, including through the development of an ASEAN Regional Plan of Action (RAP) on the Implementation of Norms of Responsible State Behaviour in Cyberspace (ASEAN Cybersecurity Cooperation Strategy 2021–2025, Dimension 2).

At the domestic level, many States are already investing significant effort and resources to protect their critical infrastructure and nationals from cyber threats. For example, by January 2023, 94% of UN Member States had enacted legislation on cybercrime or were in the process of doing so (Council of Europe, Global State of Cybercrime Legislation 2013–2023: A Cursory Overview, 2022, 3). Increasingly, States are also helping each other to prevent and defend against malicious cyber operations, with private sector providers also playing an important role. For example, Costa Rica received technical assistance from a number of States – including the US, Spain and Israel – as well as from Microsoft, in order to restore its services after a series of extensive ransomware operations in 2022 that led the president to declare a national emergency. A range of international assistance to Ukraine – including from States such as the US and the UK, and technical assistance from private sector providers including Microsoft, Amazon and Google – has been vital in limiting the effectiveness of Russian cyberattacks conducted as part of Russia's war against Ukraine, and in helping to build capacity and address vulnerabilities (Beecroft 2022).

The international, regional and domestic examples above underline the need for States to think practically about what cyber due diligence requires of them – whether as a matter of law, policy or both. These initiatives can help States to understand the concrete measures they should take, as a minimum. Greater international cooperation can also further understanding of which measures States are generally able to take themselves, and which may benefit from capacity-building from developed States, through the sharing of knowledge or the provision of other support. Finally, the initiatives above highlight the vital importance of international cooperation and public-private partnerships as part of effective cyber due diligence, and the need for a review of whether, particularly in States outside the EU, the current procedures and mechanisms available are adequate.

IV. Conclusions and recommendations

  1. Due diligence is a standard of State conduct and is a legal requirement if attached to a general rule of international law. There is no consensus on the question of whether there is such a rule requiring States not to allow their territory to be used for acts contrary to the rights of other States.

  2. Insofar as due diligence is a binding obligation required of States pursuant to a general rule, its content is disputed. Some consider that the obligation is modest in scope, requiring simply that States take reasonable measures to put an end to malicious cyber activity on their territory when they have actual knowledge of it. Others understand the obligation to be broader, with constructive knowledge as the appropriate standard, and requiring the building of at least some capacity in advance.

  3. Any measure that is proposed as part of a legal obligation must be realistic and capable of implementation. It can be difficult to distinguish, when considering due diligence in cyberspace, what is sound policy from what is legally required of a State. The history of due diligence in other contexts of international law may help resolve some questions on scope and implementation. Expert meetings, with participants drawn from a range of sectors and regions, convened by academic and other institutions, may be the most productive forum for such discussions at the present time, and can help increase legal understanding and capacity, as well as informing discussions in the OEWG. OEWG discussions can also be informed by discussions on due diligence in the context of the draft UN Convention on Cybercrime.

  4. Even if a general rule does not exist in international law, or a specific duty in the cyber context has not yet fully crystallised as a matter of customary law, there is great benefit in having strong standards for responsible State behaviour in cyberspace as a matter of policy. There is agreement that such behaviour is at the least reflected in the voluntary norms.

  5. The measures set out on pages 11–12 should be given close attention by States, as a blueprint for the exercise of robust due diligence in cyberspace. Insofar as possible within a State’s resources, States should work towards the implementation of each of these measures, and arguments about their legal status should not distract from that.

  6. Work should therefore continue in the OEWG and elsewhere on reaching agreement on standards of conduct, by which States should abide. There is value in further guidance for States on how to behave diligently in practice, and in capacity-building programmes that help States with fewer resources to do so.

Acknowledgments

The author would like to thank Elizabeth Wilmshurst KC CMG, Talita Dias, Tsvetelina Van Benthem and the anonymous peer reviewers for their helpful comments on this article as well as the participants at the roundtable held at Chatham House in January 2023 on ‘Due Diligence in Cyberspace'.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Correction Statement

This article has been corrected with minor changes. These changes do not impact the academic content of the article.

Additional information

Notes on contributors

Harriet Moynihan

Harriet Moynihan is an associate fellow in the International Law programme at Chatham House. Harriet’s research focuses on the role and application of international law in responsible state behaviour in cyberspace. Harriet regularly writes and speaks on these issues, and is the author of Chatham House’s research paper The Application of International Law to State Cyberattacks: Sovereignty and Non-intervention.


Harriet's research also focuses on the role of international human rights law in internet governance, including the regulation of online harms and disinformation, as well as on China and international law, and business and human rights. Harriet was a visiting research fellow at the Bonavero Institute of Human Rights, and Mansfield College, University of Oxford, in 2019. Prior to joining Chatham House, Harriet was a legal adviser at the UK Foreign and Commonwealth Office, where she advised on a wide range of public international law issues and represented the UK on legal issues in bilateral and international fora. Before that, Harriet was a competition lawyer at Clifford Chance LLP, where she worked in the firm’s London and Singapore offices.
