Definition[edit | edit source]
| In the cyber context, the UN General Assembly urged States already in 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.
It is the matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations. It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law. Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means. This view has also been unanimously endorsed by the drafters of the Tallinn Manual 2.0.
Appendixes[edit | edit source]
See also[edit | edit source]
- Scenario 05: State investigates and responds to cyber operations against private actors in its territory
- Scenario 06: Cyber countermeasures against an enabling State
- Scenario 07: Leak of State-developed hacking tools
- Scenario 14: Ransomware campaign
Notes and references[edit | edit source]
- Corfu Channel Case (UK v Albania) (Merits)  ICJ Rep 4, 22.
- UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
- Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added).
- See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
- Tallinn Manual 2.0, commentary to rule 6, para 4.
- Tallinn Manual 2.0, commentary to rule 6, para 5.
- Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgement)  ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rudiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
- Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, para 2 and 15.
- Tallinn Manual 2.0, rule 6.
- Tallinn Manual 2.0, commentary to rule 6, para 18-24.
- Tallinn Manual 2.0, rule 6.
- Tallinn Manual 2.0, commentary to rule 6, para 37-42.
- Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, para 2 and 18.