Due diligence

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Due diligence
According to the traditional formulation by the ICJ in the Corfu Channel case, every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.[1] In the cyber context, the UN General Assembly urged States already in 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.[2]

It is the matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations.[3] It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law.[4] Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means.[5] This view has also been endorsed by several States, including Australia,[6] Czech Republic,[7] Estonia,[8] Finland,[9] France,[10] and the Netherlands.[11]

Due diligence does not entail a duty of prevention,[12] but rather an obligation of conduct.[13] A State breaches its due diligence obligation in the presence of the following cumulative elements:

  1. The existence of acts (by a non-State actor or a third State) contrary to the rights of a victim State,[14]
  2. which are conducted from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control),[15]
  3. which would have been unlawful if conducted by the potentially responsible State,[16]
  4. which have serious adverse consequences for the victim State,[17]
  5. with respect to which the potentially responsible State has actual or constructive knowledge,[18] and
  6. upon which the potentially responsible State can act, but fails to take all feasible measures.[19]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of the Czech Republic (2020) (2020), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Israel (2020) (2020), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Romania (2021) (2021), National position of Singapore (2021) (2021), National position of Switzerland (2021) (2021), National position of the United Kingdom (2021) (2021).

National positions[edit | edit source]

Australia (2020)[edit | edit source]

"To the extent that a State enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other States. In this context, we note it may not be reasonable to expect (or even possible for) a State to prevent all malicious use of ICT infrastructure located within its territory. However, in Australia's view, if a State is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that State should take reasonable steps to do so consistent with international law."[20]

Czech Republic (2020)[edit | edit source]

As for ensuring cyber security worldwide, the Czech Republic would like to point out one very important element - application of due diligence to the use of ICTs. As already mentioned by some of my colleagues in the segment on international law, and as recognized by the Czech Republic, States have a legal obligation to act against unlawful and harmful cyber activities emanating from their territory or conducted through cyber infrastructure under their governmental control, provided that they are aware of, or should reasonably be expected to be aware of, such activities. This is not an obligation of result, but rather an obligation of conduct. And here lies the key problem and link to capacity building.

The Czech Republic recognizes that logically, State’s capacity to adequately exercise its due diligence obligation is intrinsically linked to that State’s cyber resilience capacities. Such factors should be taken into consideration when evaluating the particular measures taken by the acting State.[21]

Estonia (2019)[edit | edit source]

"[...] states must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. They should strive to develop means to offer support when requested by the injured state in order to identify, attribute or investigate malicious cyber operations. This expectation depends on national capacity as well as availability, and accessibility of information. As I mentioned here last year, we have to also consider the capacities of different states to be able to control such operations that exploit their infrastructure or systems. Therefore, meeting this expectation should encompass taking all feasible measures, rather than achieving concrete results.

And this also means that further effort must go to cyber capacity building and development cooperation to increase states’ capacity to prevent and respond to cyber threats. I hope that Estonia can serve as a model in partnering with other countries, especially in assisting those that do not have robust enough cyber defence systems. Our attention so far has been to Georgia and Ukraine – countries that face constant malicious cyber operations. Because by the end of the day – our own cyber security also depends on this."[22]

Estonia (2021)[edit | edit source]

The due diligence obligation of a state not to knowingly allow its territory to be used for acts that adversely affect the rights of other states has its legal basis in existing international law and applies as such in cyberspace.

"The due diligence obligation derives from the principle of sovereignty. A state has the exclusive right to control activities within its territory. At the same time, this means that it is also obliged to act when its territory is used in a manner that adversely affects the rights of other states.

Without this obligation, international law would leave injured states defenceless in the face of malicious cyber activity that emanates from other states’ territories. This is particularly relevant when state responsibility cannot be established. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. Such reasonable efforts are relative to national capacity as well as the availability of and access to information. Meeting this expectation encompasses taking all feasible measures in order to end the ongoing malicious cyber activity.

Estonia is at the position that the obligation of due diligence requires consideration of the technical, political and legal capacities of a state. In addition, due diligence is related to taking action by applying all lawful and feasible measures in order to halt an ongoing malicious cyber operation. States should strive to develop means to offer support, when requested by the injured state, to identify or attribute malicious cyber operations. These actions could for example include warning, cooperating and sharing relevant data pertaining to an incident, investigating the incident and prosecuting the perpetrators, assisting the victim state(s) or accepting assistance. The necessary measures depend on the incident and are applied on a case-by-case basis."[23]

France (2019)[edit | edit source]

"France exercises its sovereignty over the information systems located on its territory. In compliance with the due diligence requirement, it ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors."[24]

"The failure by another State to comply with its due diligence requirement is not a sufficient ground for the use of force against it in the context of cyberattacks carried out from its territory.

In accordance with the due diligence principle, “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs”, including acts that infringe the territorial integrity or sovereignty of another State. In addition, States must ensure that non-state actors do not use their territory to carry on such activities, and not use proxies to commit internationally wrongful acts using ICTs. The fact that a State fails to comply with its due diligence obligation can justify the taking of political and diplomatic measures that may include counter-measures or a referral to the UNSC. The fact that a State does not take all reasonable measures to stop wrongful acts against other States perpetrated from its territory by non-state actors, or is incapable of preventing them, cannot constitute an exception to the prohibition of the use of force.

Under these conditions, France does not recognise the extensive approach to self-defence expressed by a majority of the Tallinn Manual Group of Experts which allows a State that is victim of a large-scale cyberattack perpetrated by non-state actors from the territory of another State to use self-defence against that State, including if such a response is carried out in compliance with the principle of necessity, is the only means to counter the armed attack, and the territorial State is unwilling or unable to prevent the perpetration of such acts."[25]

Germany (2021)[edit | edit source]

"As a corollary to the rights conferred on States by the rule of territorial sovereignty, States are under an ‘obligation not to allow knowingly their territory to be used for acts contrary to the rights of other States’ – this generally applies to such use by State and non-State actors. The ‘due diligence principle’, which is widely recognized in international law, is applicable to the cyber context as well and gains particular relevance here because of the vast interconnectedness of cyber systems and infrastructures."[26]

"[..] a State may also become liable under international law in connection with another State’s or a non-State actor’s actions if the first State fails to abide by its obligations stemming from the ‘due diligence’ principle."[27]

Israel (2020)[edit | edit source]

"The concept of due diligence means that States should take reasonable measures to avoid or minimize harm to other States, and seems to be useful in fields such as international environmental law. In the 2015 UN GGE Report, the concept was addressed as the basis for a voluntary, non-binding norm of responsible State behavior, providing that States should not allow their territory to be used for the commission of international wrongful acts. There was wisdom in mentioning it in the chapter covering norms of responsible State behavior, as it does not, at this point in time, translate into a binding rule of international law in the cyber context. This was the position expressed by other States as well."[28]

"[..] we have to be careful in applying to the cyber domain rules that emerged in a different, distinct context. For instance, in the field of environmental law, where much of the focus and application of due diligence obligations has been in recent years, the acting State typically has control, or at least oversight, over the harmful activity (for example, regulating a polluting power plant). However, cyberspace is mostly private and decentralized.

The inherently different features of cyberspace—its decentralization and private characteristics—incentivize cooperation between States on a voluntary basis, such as with the case of national Computer Emergency Response Teams (CERTs). CERTs are already doing what could arguably fall into that category: exchanging information with one another, as well as cooperating with each other in mitigating incidents. However, we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form."[29]

Japan (2021)[edit | edit source]

"States have a due diligence obligation regarding cyber operations under international law. Norm 13(c) and (f) and the second half of paragraph 28(e) of the 2015 GGE report are related to this obligation.

In the Corfu Channel case (1949), the ICJ referred to the existence of "every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States". In relation to cyber operations, the due diligence obligation in this sense has significance."[30]

"The outer limit of the due diligence obligation of territorial States with respect to cyber operations is not necessarily clear. By reference to these judgements related to the concept of the due diligence obligation, it seems necessary to consider on a case-by-case-basis the scope of the obligation taking into account such factors as the seriousness of the cyber operations in question and the capacity of the territorial States to influence a person or group of persons conducting the attacks.

In light of the above, at the least, for example, when a State has received a credible notification from another State of the possibility that a person or group of persons located in its territory and receiving from it financial and other forms of support may be involved in a cyber operation that may cause serious adverse consequences, such as damage to a target State's critical infrastructure, the due diligence obligation owed by the informed State is presumed to include the obligation to exercise its capacity to influence the state-supported person or group of personsso as to prevent them from implementing such cyber operations.

One characteristic of cyber operations is the difficulty of making judgment as to attribution to a State. In this respect, the due diligence obligation may provide grounds for invoking the responsibility of the State from the territory of which a cyber operation not attributable to any State originated. It is possible at least to invoke the responsibility of such a State for a breach of its due diligence obligation, even if it is difficult to prove the attribution of a cyber operation to any State." [31]

Netherlands (2019)[edit | edit source]

"The due diligence principle holds that states are expected to take account of other states’ rights when exercising their own sovereignty. The principle is articulated by the International Court of Justice, for example, in its judgment in the Corfu Channel Case, in which it held that states have an obligation to act if they are aware or become aware that their territory is being used for acts contrary to the rights of another state. It should be noted that not all countries agree that the due diligence principle constitutes an obligation in its own right under international law. The Netherlands, however, does regard the principle as an obligation in its own right, the violation of which may constitute an internationally wrongful act.

In the context of cyberspace, the due diligence principle requires that states take action in respect of cyber activities:

  • carried out by persons in their territory or where use is made of items or networks that are in their territory or which they otherwise control;
  • that violate a right of another state; and
  • whose existence they are, or should be, aware of.

To this end a state must take measures which, in the given circumstances, may be expected of a state acting in a reasonable manner. It is not relevant whether the cyber activity in question is carried out by a state or non-state actor, or where this actor is located. If, for example, a cyberattack is carried out against the Netherlands using servers in another country, the Netherlands may, on the basis of the due diligence principle, ask the other country to shut down the servers, regardless of whether or not it has been established that a state is responsible for the cyberattack.

It is generally accepted that the due diligence principle applies only if the state whose right or rights have been violated suffers sufficiently serious adverse consequences. The precise threshold depends on the specific circumstances of the case. It is clear, however, that such adverse consequences do not necessarily have to include physical damage."[32]

New Zealand (2020)[edit | edit source]

"An agreed norm of responsible state behaviour provides that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. Whether this norm also reflects a binding legal obligation is not settled. Some states consider that, subject to certain knowledge and capacity requirements, customary international law requires states to take reasonable measures to put an end to malicious cyber activity which is conducted from, or routed through, their territory, if the activity is contrary to the rights of another state.

New Zealand is not yet convinced that a cyber-specific “due diligence” obligation has crystallised in international law. It is clear that states are not obliged to monitor all cyber activities on their territories or to prevent all malicious use of cyber infrastructure within their borders. If a legally binding due diligence obligation were to apply to cyber activities, New Zealand considers it should apply only where states have actual, rather than constructive, knowledge of the malicious activity, and should only require states to take reasonable steps within their capacity to bring the activity to an end."[33]

Norway (2021)[edit | edit source]

"[..] a State may be held responsible under international law if it knows or should have known that cyber operations that target third States are being carried out from or via its territory, and fails to take adequate measures.

As a consequence of the right to exercise sovereignty over cyber infrastructure located on its territory, States also have a corresponding obligation not to knowingly allow their territory to be used for acts causing significant harm to the rights of other States under international law. This customary international law obligation, often referred to as the due diligence principle, was recognised by the ICJ in the 1949 Corfu Channel judgment, and is reflected in numerous rules in specialised regimes of international law. Norway is of the view that the due diligence obligation applies in situations where there is a risk of transboundary harm from hazardous activities, regardless of the nature of the activity, and accordingly also applies to cyber operations.

Accordingly, if a State possesses knowledge of a cyber operation being carried out from or via its territory causing serious adverse consequences with respect to a right of the target State under international law, it is required to take adequate measures to address the situation.

The due diligence standard is the conduct that is generally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance. It is an obligation of conduct, not of result. Applied to cyber activities, what is required is for the State to take all reasonably available measures to terminate the cyber operation. A breach of the obligation consists not of failing to achieve the desired result, but of failing to take the necessary, diligent steps towards that end. It is irrelevant whether the cyber operation in question is conducted by a third State or a non-State actor. Likewise, it is irrelevant whether the cyber operation in question is conducted by an actor physically present on the State’s territory or by an actor making remote use of ICT infrastructure on the State’s territory.

In addition to actual knowledge of the use of cyber infrastructure within its territory for harmful cyber operations against another State, a State may also violate its due diligence obligation if it is in fact unaware of the activities in question but objectively should have known about them and fails to address the situation. Accordingly, knowledge also encompasses those situations in which a State in the normal course of events would have become aware that its territory was being used for harmful cyber operations. This implies that the criterion that a State ‘should have known’is more likely to be met if for instance the operation used publicly known and easily detected malware, as opposed to highly sophisticated and previously unknown malware.

There is currently no legal basis for a general obligation to prevent cyber operations, and States are consequently not under an obligation to monitor all cyber activities on their territories.

Norway considers the due diligence obligation to be of particular importance in a cyber context. In situations where a targeted State cannot directly attribute (technically and legally) a wrongful cyber operation – for instance election interference – to the State from whose territory it is being carried out, the territorial State may nevertheless still be held accountable on the basis of a breach of the due diligence obligation."[34]

Romania (2021)[edit | edit source]

"The due diligence principle entails that a State may be responsible for the effects of the conduct of private persons, if it failed to take necessary measures to prevent those effects.

This principle (which implies a certain obligation of conduct on the part of States) was enunciated by the ICJ in its Corfu Channel judgment emphasizing that every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.

The due diligence principle requires that States take action in respect of cyber activities if the following elements are cumulatively met:

  • the acts are conducted by a non-State actor or a third State) from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control);
  • the acts are contrary to the rights of a victim State and have serious adverse consequences for that State;
  • the State has actual or constructive knowledge of those acts."[35]

Singapore (2021)[edit | edit source]

"There is a need for more clarity on the scope and practical applications, if any, of due diligence in cyberspace. Issues such as the threshold required to trigger an obligation on States to act or respond, the degree of knowledge required of States, and the measures expected of a State from which the malicious cyber activity originates, are some examples of the questions that need to be further discussed and addressed among States."[36]

Switzerland (2021)[edit | edit source]

"The principle of due diligence has evolved over a long period of time. Switzerland views due diligence as part of customary international law and applicable to cyberspace. The ICJ describes the concept of due diligence as a standard of conduct meaning "every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States." The doctrine of due diligence reflects fundamental principles of international law (including state sovereignty, equality, territorial integrity and non-interference).

The principle of due diligence is also applicable to cyberspace. Consequently, a state that is or should be aware of cyber incidents that violate the rights of another state is obliged to take all reasonable measures that are appropriate to stop or minimise the risks of such incidents. Due diligence is a variable standard and depends on the capacities and capabilities of a state as well as the particular circumstances of each case. Territorial states are obliged to use all reasonable means to prevent serious harm being caused to another state by activities taking place within their territory or in an area under their effective control. This makes due diligence an obligation of conduct, not of result. If the aforementioned conditions exist, the state in question is obliged under international law to close any loopholes immediately and assist in intercepting and tracing the incident.

Due diligence applies in particular to actions by private individuals that violate the rights of other states (e.g. hackers) and cannot be (clearly) attributed to the state in accordance with the rules of attribution (see section 6.1). If the aforementioned conditions exist and the state in question fails to fulfil due diligence requirements, the injured state may take countermeasures in accordance with the rules governing state responsibility in order to induce the responsible state to meet its obligations. Possible countermeasures outlined above may be taken both outside and inside the cyber domain. The responsible state may also be required to make reparations."[37]

United Kingdom (2021)[edit | edit source]

"UNGGE Norm 13(c) provides that States should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology. This norm provides guidance on what may be expected to constitute appropriate State behaviour. The UK recognises the importance of States taking appropriate, reasonably available, and practicable steps within their capacities to address activities that are acknowledged to be harmful in order to enhance the stability of cyberspace in the interest of all States. But the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace."[38]

United States of America (2021)[edit | edit source]

"In recent public statements on how international law applies in cyberspace, a few States have referenced the concept of “due diligence”: that States have a general international law obligation to take steps to address activity emanating from their territory that is harmful to other States, and that such a general obligation applies more specifically, as a matter of international law, to cyber activities. The United States has not identified the State practice and opinio juris that would support a claim that due diligence currently constitutes a general obligation under international law. We do believe, however, that if a State is notified of harmful activity emanating from its territory it must take reasonable steps to address such activity."[39]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 22.
  2. UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
  3. Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added).
  4. See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
  5. See also Tallinn Manual 2.0, commentary to rule 6, para 4 (unanimously endorsing this view).
  6. Australia, ‘Australia’s International Cyber Engagement Strategy - Annex A: Australia’s Position on How International Law Applies to State Conduct in Cyberspace’ (October 2017) 91, stating that “if a state is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that state should take reasonable steps to do so consistent with international law”.
  7. Czech Republic, Comments submitted by the Czech Republic in reaction to the initial “pre-draft” report of the Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (undated), stating that “ICT-specific norms reflect a general principle of international law obliging States to ensure that territory and objects over which they enjoy sovereignty are not used to harm other States’ rights.”
  8. Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states.”
  9. Finland, ‘Statement by Ambassador Janne Taalas at the second session of the open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security’ (11 February 2020), stating that “States have an obligation not to knowingly allow their territory to be used for activities that cause serious harm to other States, whether using ICTs or otherwise.”
  10. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that “In compliance with the due diligence requirement, [France] ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors.”
  11. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘The Netherlands ... does regard the principle [of due diligence] as an obligation in its own right, the violation of which may constitute an internationally wrongful act.’
  12. Tallinn Manual 2.0, commentary to rule 6, para 5.
  13. Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgement) [2007] ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rudiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
  14. Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, para 2 and 15.
  15. Tallinn Manual 2.0, rule 6.
  16. Tallinn Manual 2.0, commentary to rule 6, para 18-24.
  17. Tallinn Manual 2.0, rule 6.
  18. Tallinn Manual 2.0, commentary to rule 6, para 37-42.
  19. Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, para 2 and 18.
  20. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  21. Richard Kadlčák, Statement of the Special Envoy for Cyberspace and Director of Cybersecurity Department of the Czech Republic, 13 February 2020, 2
  22. President of Estonia: international law applies also in cyber space, 29 May 2019
  23. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 26.
  24. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 6.
  25. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 9-10.
  26. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 3.
  27. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 11.
  28. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  29. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  30. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 5
  31. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 5
  32. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 4-5.
  33. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
  34. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 71-72.
  35. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 76.
  36. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 84.
  37. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 7
  38. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  39. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141.

Bibliography and further reading[edit | edit source]