Due diligence

From International cyber law: interactive toolkit

Definition

Due diligence
According to the traditional formulation by the ICJ in the Corfu Channel case, every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.[1] In the cyber context, the UN General Assembly urged States already in 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.[2]

It is a matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations.[3] It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law.[4] Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means. This view has also been unanimously endorsed by the drafters of the Tallinn Manual 2.0.[5]

Due diligence does not entail a duty of prevention,[6] but rather an obligation of conduct.[7] A State breaches its due diligence obligation in the presence of the following cumulative elements:

  1. The existence of acts (by a non-State actor or a third State) contrary to the rights of a victim State,[8]
  2. which are conducted from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control),[9]
  3. which would have been unlawful if conducted by the potentially responsible State,[10]
  4. which have serious adverse consequences for the victim State,[11]
  5. with respect to which the potentially responsible State has actual or constructive knowledge,[12] and
  6. upon which the potentially responsible State can act, but fails to take all feasible measures.[13]

Appendixes

See also

Notes and references

  1. Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 22.
  2. UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
  3. Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added).
  4. See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
  5. Tallinn Manual 2.0, commentary to rule 6, para 4.
  6. Tallinn Manual 2.0, commentary to rule 6, para 5.
  7. Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgement) [2007] ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rudiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
  8. Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, paras 2 and 15.
  9. Tallinn Manual 2.0, rule 6.
  10. Tallinn Manual 2.0, commentary to rule 6, paras 18–24.
  11. Tallinn Manual 2.0, rule 6.
  12. Tallinn Manual 2.0, commentary to rule 6, paras 37–42.
  13. Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, paras 2 and 18.

Bibliography and further reading