Due diligence

From International cyber law: interactive toolkit

Definition

According to the traditional formulation by the ICJ in the Corfu Channel case, every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.[1] In the cyber context, the UN General Assembly urged States as early as 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.[2]

It is a matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations.[3] Some States have framed it within their national positions as one of the "voluntary, non-binding norms of responsible State behaviour"[4] in cyberspace, including Israel,[5] New Zealand,[6] the United Kingdom[7] and Canada.[8]

It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law.[9] Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means.[10] This view has also been endorsed by a growing number of States, including Australia,[11] the Czech Republic,[12] Estonia,[13] Finland,[14] France,[15] Germany,[16] Italy,[17] Japan,[18] the Netherlands,[19] Norway,[20] Switzerland,[21] and Sweden.[22]

Due diligence does not entail a duty of prevention,[23] but rather an obligation of conduct.[24] A State breaches its due diligence obligation in the presence of the following cumulative elements:

  1. The existence of acts (by a non-State actor or a third State[25]) contrary to the rights of a victim State,[26]
  2. which are conducted from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control),[27]
  3. which would have been unlawful if conducted by the potentially responsible State,[28]
  4. which have serious adverse consequences for the victim State,[29]
  5. with respect to which the potentially responsible State has actual or constructive knowledge,[30] and
  6. upon which the potentially responsible State can act, but fails to take all feasible measures.[31]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Canada (2022), National position of the People's Republic of China (2021), National position of Costa Rica (2023), National position of the Czech Republic (2020), National position of Denmark (2023), National position of Estonia (2019), National position of Estonia (2021), National position of France (2019), National position of Germany (2021), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of the Republic of Poland (2022), National position of Romania (2021), National position of Singapore (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2021), National position of the United States of America (2021).

National positions

African Union (2024)

"18. As a corollary of territorial sovereignty, States shall protect, in accordance with the applicable rules of international law, especially international human rights law and, when applicable, international humanitarian law, natural and legal persons located on their territory against unlawful uses of ICTs in cyberspace that are attributable to foreign States or non-State actors. [...]

20. Due diligence performs an important role in the area of cyberspace. Given the technical challenges relating to establishing attribution for internationally wrongful acts committed through ICTs in cyberspace and the fact that such acts are often committed by non-State actors, due diligence provides an important tool to promote the openness, accessibility, safety, and security of cyberspace.

21. The African Union recognizes that due diligence is an obligation that operates in the context of other primary rules of international law. In this regard, the African Union affirms that by virtue of territorial sovereignty, every State is under an obligation, as stated by the International Court of Justice in the Corfu Channel Case, “not to allow knowingly its territory to be used for acts contrary to the rights of other states.” This principle, which is a corollary of sovereignty, is also confirmed by other judicial precedents, including the Pulp Mills Case and the Island of Palmas arbitral decision.

22. The African Union considers that due diligence, as it applies in cyberspace, establishes an obligation of conduct, not an obligation of result. Therefore, due diligence does not require a State to guarantee that its territory or territory under its control or jurisdiction is not used to commit an internationally wrongful act. Rather, due diligence establishes an obligation to take necessary measures that are feasible to the extent of a State’s capacity and the means available to it to prevent or halt an internationally wrongful act that a State knows or should have known is undertaken using ICTs in its territory or in territory under its control or jurisdiction.

23. The due diligence obligation to take necessary measures, to the extent of the capacity available to the State, to prevent or halt an internationally wrongful act is triggered only if a State has knowledge that such an act is originating from or transiting through ICTs located on its territory or in territory under its control or jurisdiction. Knowledge, however, is not to be presumed simply by virtue of the fact of territorial sovereignty or control. Indeed, in the Corfu Channel Case, the International Court of Justice stated that “it cannot be concluded from the mere fact of the control exercised by a State over its territory and waters that that State necessarily knew, or ought to have known, of any unlawful act perpetrated therein, nor yet that it necessarily knew, or should have known.” Therefore, whether a State knows or has reason to know that an internationally wrongful act is originating from or transiting through ICTs located on its territory or in territory under its control or jurisdiction is a matter that has to be determined on a case-by-case basis in light of the information available to a State, the technical and institutional capabilities, and financial resources available to that State.

24. Due diligence also reinforces the obligation of States not to permit another State to use ICTs located within its territory or under its jurisdiction or control to commit internationally wrongful acts against another State.

25. The African Union also recognizes the unique challenges faced by developing countries in implementing due diligence measures due to resource constraints, and challenges related to technical expertise. The African Union emphasizes the importance of international cooperation and information sharing, including through Computer Emergency Response Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs), to further enable States to fully uphold the obligation of due diligence. In this regard, the African Union underscores the importance of expanding international cooperation and capacity building as outlined in Section X, and further empowering and enabling the full participation of developing countries in policy making forums related to the governance of cyberspace. [...]

45. [T]he African Union reiterates that, by virtue of their territorial sovereignty, all States are under an obligation to exercise due diligence as reflected in Section III above and to ensure that their territory is not knowingly used to violate the rights of other States through acts that constitute a threat or use of force, whether such acts are undertaken by organs of the State or non-State actors acting under the direction, control, or instruction of the State."[32]

Australia (2020)

"To the extent that a State enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other States. In this context, we note it may not be reasonable to expect (or even possible for) a State to prevent all malicious use of ICT infrastructure located within its territory. However, in Australia's view, if a State is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that State should take reasonable steps to do so consistent with international law."[33]

Canada (2022)

"26. No State should knowingly allow its territory to be used for acts contrary to the rights of other States.[34] This also applies in cyberspace. A State that has knowledge of a malicious cyber activity is expected to take all appropriate and reasonably available and feasible steps to stop ongoing or temporally imminent cyber activities that result or would result in significant harmful effects that impact the legal rights of another State.

27. The precise threshold that triggers this expectation will depend on the totality of the circumstances in that situation. This would include whether the State has knowledge of the wrongful acts, its technical and other capacities to detect and stop these acts, and what is reasonable in that case. For example, a State with limited technical capabilities would not likely be expected to respond if it failed to detect a malicious cyber activity emanating from or through cyber infrastructure on its territory. However, once aware, the State would be expected to respond."[35]

China (2021)

"No State shall knowingly allow its territory, or territory or ICT facilities, data and information under the control of its government, to be used for ICT activities that undermine national security or interests."[36]

Costa Rica (2023)

"26. In international law, ‘due diligence’ refers to a flexible standard of reasonable care against which State conduct can be assessed. This standard is found in different rules and regimes of international law, both general and specific. These rules usually require States to take action with a view to preventing, stopping or redressing different harms to certain protected persons or objects, irrespective of the author or source of the harmful act.

27. Under customary international law, States have a general obligation ‘not to allow knowingly its territory to be used for acts contrary to the rights of other States’. This duty is a corollary of State sovereignty and requires States to protect the rights of other States in their territory. It may be breached when a State knows or should have known that an act contrary to the rights of another State originates or transits through its territory, and yet fails to take reasonable action to stop or prevent it, and the harm materializes. This means that States must strive to prevent State or non-State actors, including cybercriminals, from conducting cyber operations against the rights of other States.

28. Costa Rica believes that this obligation applies online as it does offline. It covers acts that contravene the sovereign rights of another State, such as ransomware and cyber electoral interference, whether or not these are perpetrated by a State or a non-State actor. Though this does not entail a general monitoring obligation, States must exercise a reasonable degree of vigilance over their networks. They must also put in place certain basic protective measures in line with their capabilities and other obligations under international law. Examples of diligent behavior in the cyber context may include the enactment of cybercrime legislation, the notification of cyber incidents to the victim State, and the establishment of a Computer Emergency Response Team and National Points of Contact.

29. In Costa Rica’s view, States also have a general obligation to ‘take all appropriate measures to prevent significant transboundary harm or at any event to minimize the risk thereof’, where such harm originates from their territory or jurisdiction and significantly affects persons, property, or the environment in other States. This customary obligation applies to the physical consequences of significant transboundary harms beyond the ecological environment, whether or not the activity causing the harm is lawful or not under international law. Costa Rica also believes that this duty applies to non-physical harms to persons, property or the environment, including those caused through or to ICTs. Examples include instances of online incitement to violence, hostility or discrimination and disinformation campaigns causing harm to individuals, irrespective of whether they are contrary to a State’s sovereign or other rights.

30. A standard of due diligence is also found in certain obligations under international human rights law and international humanitarian law, addressed below".[37]

Czech Republic (2020)

"As for ensuring cyber security worldwide, the Czech Republic would like to point out one very important element - application of due diligence to the use of ICTs. As already mentioned by some of my colleagues in the segment on international law, and as recognized by the Czech Republic, States have a legal obligation to act against unlawful and harmful cyber activities emanating from their territory or conducted through cyber infrastructure under their governmental control, provided that they are aware of, or should reasonably be expected to be aware of, such activities. This is not an obligation of result, but rather an obligation of conduct. And here lies the key problem and link to capacity building.

The Czech Republic recognizes that logically, a State’s capacity to adequately exercise its due diligence obligation is intrinsically linked to that State’s cyber resilience capacities. Such factors should be taken into consideration when evaluating the particular measures taken by the acting State."[38]

Denmark (2023)

"Denmark is of the view that a State may bear international responsibility where a State fails to take adequate measures against a non-State actor - or third State - that conducts harmful cyber operations against another State from its territory or other cyber infrastructure under its effective control.

As the ICJ stated in the Corfu Channel Case[7], States are under an “obligation not to knowingly allow its territory to be used for acts contrary to the right of other States”. This obligation is a natural corollary of a State’s sovereignty over persons and cyber infrastructure on its territory.

As a general rule due diligence requires States to take all reasonable measures to prevent, eliminate and mitigate potentially significant harm to legally protected interests of another State, or the international community as a whole. The general principle of due diligence has developed with some variation in different fields of international law, including international environmental law, transboundary harm, and human rights. Similarly, Denmark believes that the precise contours of the due diligence obligation in cyberspace will continue to develop and crystalize in the coming years. It is, however, possible to set out some key features.

Due diligence is an obligation of conduct, not of result. A State is obliged to take all reasonable measures to stop or prevent a given cyber act from occurring. Not all harmful cyber operations emanating from another State’s territory entail due diligence obligations and corresponding rights of the target State. While there is still scope for State practice to clarify the precise threshold, Denmark subscribes to the view that the harm suffered must be significant and not merely amount to inconveniences or minor disruptions.

The lack of compliance with a State’s due diligence obligations may lead another State to take countermeasures if the conditions set out below in section 7 are fulfilled."[39]

Estonia (2019)

"[...] states must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. They should strive to develop means to offer support when requested by the injured state in order to identify, attribute or investigate malicious cyber operations. This expectation depends on national capacity as well as availability, and accessibility of information. As I mentioned here last year, we have to also consider the capacities of different states to be able to control such operations that exploit their infrastructure or systems. Therefore, meeting this expectation should encompass taking all feasible measures, rather than achieving concrete results.

And this also means that further effort must go to cyber capacity building and development cooperation to increase states’ capacity to prevent and respond to cyber threats. I hope that Estonia can serve as a model in partnering with other countries, especially in assisting those that do not have robust enough cyber defence systems. Our attention so far has been to Georgia and Ukraine – countries that face constant malicious cyber operations. Because by the end of the day – our own cyber security also depends on this."[40]

Estonia (2021)

The due diligence obligation of a state not to knowingly allow its territory to be used for acts that adversely affect the rights of other states has its legal basis in existing international law and applies as such in cyberspace.

"The due diligence obligation derives from the principle of sovereignty. A state has the exclusive right to control activities within its territory. At the same time, this means that it is also obliged to act when its territory is used in a manner that adversely affects the rights of other states.

Without this obligation, international law would leave injured states defenceless in the face of malicious cyber activity that emanates from other states’ territories. This is particularly relevant when state responsibility cannot be established. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. Such reasonable efforts are relative to national capacity as well as the availability of and access to information. Meeting this expectation encompasses taking all feasible measures in order to end the ongoing malicious cyber activity.

Estonia is at the position that the obligation of due diligence requires consideration of the technical, political and legal capacities of a state. In addition, due diligence is related to taking action by applying all lawful and feasible measures in order to halt an ongoing malicious cyber operation. States should strive to develop means to offer support, when requested by the injured state, to identify or attribute malicious cyber operations. These actions could for example include warning, cooperating and sharing relevant data pertaining to an incident, investigating the incident and prosecuting the perpetrators, assisting the victim state(s) or accepting assistance. The necessary measures depend on the incident and are applied on a case-by-case basis."[41]

France (2019)

"France exercises its sovereignty over the information systems located on its territory. In compliance with the due diligence requirement, it ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors."[42]

"The failure by another State to comply with its due diligence requirement is not a sufficient ground for the use of force against it in the context of cyberattacks carried out from its territory.

In accordance with the due diligence principle, “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs”, including acts that infringe the territorial integrity or sovereignty of another State. In addition, States must ensure that non-state actors do not use their territory to carry on such activities, and not use proxies to commit internationally wrongful acts using ICTs. The fact that a State fails to comply with its due diligence obligation can justify the taking of political and diplomatic measures that may include counter-measures or a referral to the UNSC. The fact that a State does not take all reasonable measures to stop wrongful acts against other States perpetrated from its territory by non-state actors, or is incapable of preventing them, cannot constitute an exception to the prohibition of the use of force.

Under these conditions, France does not recognise the extensive approach to self-defence expressed by a majority of the Tallinn Manual Group of Experts which allows a State that is victim of a large-scale cyberattack perpetrated by non-state actors from the territory of another State to use self-defence against that State, including if such a response is carried out in compliance with the principle of necessity, is the only means to counter the armed attack, and the territorial State is unwilling or unable to prevent the perpetration of such acts."[43]

Germany (2021)

"As a corollary to the rights conferred on States by the rule of territorial sovereignty, States are under an ‘obligation not to allow knowingly their territory to be used for acts contrary to the rights of other States’ – this generally applies to such use by State and non-State actors. The ‘due diligence principle’, which is widely recognized in international law, is applicable to the cyber context as well and gains particular relevance here because of the vast interconnectedness of cyber systems and infrastructures."[44]

"[..] a State may also become liable under international law in connection with another State’s or a non-State actor’s actions if the first State fails to abide by its obligations stemming from the ‘due diligence’ principle."[45]

Ireland (2023)

"11. The principle of due diligence derives from the principle of sovereignty. International law requires that a state may not knowingly allow its territory to be used for acts contrary to the rights of other states.[6]

12. Ireland considers the due diligence principle to be a primary rule of international law. Therefore, a breach of this international obligation, which is attributable to a state, engages state responsibility. For instance, the ICJ in the Corfu Channel case held that “nothing was attempted by the Albanian authorities to prevent the disaster. These grave omissions involve the international responsibility of Albania”.[7] Similarly, in the Armed Activities on the Territory of the Congo case, the ICJ found that Uganda was responsible “for any lack of vigilance preventing violations of Human Rights and International Humanitarian Law by other actors present in the occupied territory, including rebel groups acting on their own account”.[8]

13. Due diligence is a standard of conduct and not of result. What the scope of the obligation might entail is context specific.[9] In the cyber context, the principle of due diligence requires at a minimum that a state take all measures that are feasible in the circumstances to put an end to cyber-operations conducted from its territory or by persons within its jurisdiction that affect a right of, and produce serious adverse consequences for, other states.[10] In determining what is feasible in the circumstances, relevant factors include the capacity of the state concerned, the seriousness of the operations as well as the extent to which the state concerned has knowledge of the operations. Ireland considers that constructive knowledge, often described as a situation where a state “ought to have been aware”, is capable of satisfying the knowledge component of the obligation of due diligence where this can be ascertained to an appropriate level.

14. A preventive element to the obligation of due diligence also arises in the cyber context. While a state cannot be expected to monitor all ICT activities within its territory, where for example a state is aware of an identifiable risk that actors within its jurisdiction intend to conduct cyber activities that are potentially harmful to the rights of, and potentially produce serious adverse consequences for, another state, the due diligence obligation requires that reasonable and feasible measures are taken to prevent such activities or mitigate their effects.

15. Much of the consideration of the principle of due diligence in international law has been in the context of environmental obligations. While its application to cyber-operations seems clear as a general principle, its more precise parameters in this context might benefit from further consideration. For instance, in what circumstances constructive knowledge (as distinct from actual knowledge) might suffice to breach an obligation of due diligence in the cyber context, the standard to be applied in respect of constructive knowledge, as well as the scope of a preventive element to the due diligence obligation, are all matters on which there appears to be a lack of shared understanding among states."[46]

Israel (2020)

"The concept of due diligence means that States should take reasonable measures to avoid or minimize harm to other States, and seems to be useful in fields such as international environmental law. In the 2015 UN GGE Report, the concept was addressed as the basis for a voluntary, non-binding norm of responsible State behavior, providing that States should not allow their territory to be used for the commission of international wrongful acts. There was wisdom in mentioning it in the chapter covering norms of responsible State behavior, as it does not, at this point in time, translate into a binding rule of international law in the cyber context. This was the position expressed by other States as well."[47]

"[..] we have to be careful in applying to the cyber domain rules that emerged in a different, distinct context. For instance, in the field of environmental law, where much of the focus and application of due diligence obligations has been in recent years, the acting State typically has control, or at least oversight, over the harmful activity (for example, regulating a polluting power plant). However, cyberspace is mostly private and decentralized.

The inherently different features of cyberspace—its decentralization and private characteristics—incentivize cooperation between States on a voluntary basis, such as with the case of national Computer Emergency Response Teams (CERTs). CERTs are already doing what could arguably fall into that category: exchanging information with one another, as well as cooperating with each other in mitigating incidents. However, we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form."[48]

Italy (2021)

"Italy considers that due diligence obligations apply in cyberspace as defined in the Corfu Channel case by the International Court of Justice (ICJ), according to which every State is under an ‘obligation not to knowingly allow its territory to be used for acts contrary to the right of other States’. Hence, due diligence requires States to take all reasonable measures concerning activities in cyberspace falling under their jurisdiction in order to prevent, eliminate or mitigate potentially significant harm to legally protected interests of another State, or of the international community as a whole. Italy deems that the due diligence obligation in question also encompasses, inter alia, human rights protection and the protection of international peace and security.

States are thus under the obligation not to allow their territory, or their Information and Communication Technology (ICT) infrastructure to be used for the conduct of wrongful cyber activities by State or non-State actors. State actors include governmental institutions as well as individuals or groups acting on behalf of or under the control of a State. The principle has been further developed over the years in different fields of international law, most prominently with regard to transboundary natural resources, the protection of the environment and human rights.

In case of wrongful cyber activities that cause harm to another State, the State of origin is required to make its best efforts to prevent, eliminate, or mitigate all acts of wrongdoing. Although there is no general international obligation to do so, the State of origin should share any relevant information with the victim-State.

Due diligence is an obligation of conduct, not one of result. Accordingly, as long as it makes its best efforts, a State cannot be held liable if ultimately unable to prevent, mitigate, or terminate wrongful cyber activities launched from or in transit through its territory.

In addition, when considering whether a State is in breach of its due diligence obligations, due regard should be paid to the technological/financial resources and overall capabilities of the State in question.

Further discussions on thresholds and scenarios of cyber operations (not necessarily resulting in physical damage of property), that amount to a breach of due diligence obligations in cyberspace, could be conducive to a clearer understanding of the matter."[49]

Japan (2021)

"States have a due diligence obligation regarding cyber operations under international law. Norm 13(c) and (f) and the second half of paragraph 28(e) of the 2015 GGE report are related to this obligation.

In the Corfu Channel case (1949), the ICJ referred to the existence of "every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States". In relation to cyber operations, the due diligence obligation in this sense has significance."[50]

"The outer limit of the due diligence obligation of territorial States with respect to cyber operations is not necessarily clear. By reference to these judgements related to the concept of the due diligence obligation, it seems necessary to consider on a case-by-case-basis the scope of the obligation taking into account such factors as the seriousness of the cyber operations in question and the capacity of the territorial States to influence a person or group of persons conducting the attacks.

In light of the above, at the least, for example, when a State has received a credible notification from another State of the possibility that a person or group of persons located in its territory and receiving from it financial and other forms of support may be involved in a cyber operation that may cause serious adverse consequences, such as damage to a target State's critical infrastructure, the due diligence obligation owed by the informed State is presumed to include the obligation to exercise its capacity to influence the state-supported person or group of persons so as to prevent them from implementing such cyber operations.

One characteristic of cyber operations is the difficulty of making judgment as to attribution to a State. In this respect, the due diligence obligation may provide grounds for invoking the responsibility of the State from the territory of which a cyber operation not attributable to any State originated. It is possible at least to invoke the responsibility of such a State for a breach of its due diligence obligation, even if it is difficult to prove the attribution of a cyber operation to any State."[51]

Netherlands (2019)

"The due diligence principle holds that states are expected to take account of other states’ rights when exercising their own sovereignty. The principle is articulated by the International Court of Justice, for example, in its judgment in the Corfu Channel Case, in which it held that states have an obligation to act if they are aware or become aware that their territory is being used for acts contrary to the rights of another state. It should be noted that not all countries agree that the due diligence principle constitutes an obligation in its own right under international law. The Netherlands, however, does regard the principle as an obligation in its own right, the violation of which may constitute an internationally wrongful act.

In the context of cyberspace, the due diligence principle requires that states take action in respect of cyber activities:

  • carried out by persons in their territory or where use is made of items or networks that are in their territory or which they otherwise control;
  • that violate a right of another state; and
  • whose existence they are, or should be, aware of.

To this end a state must take measures which, in the given circumstances, may be expected of a state acting in a reasonable manner. It is not relevant whether the cyber activity in question is carried out by a state or non-state actor, or where this actor is located. If, for example, a cyberattack is carried out against the Netherlands using servers in another country, the Netherlands may, on the basis of the due diligence principle, ask the other country to shut down the servers, regardless of whether or not it has been established that a state is responsible for the cyberattack.

It is generally accepted that the due diligence principle applies only if the state whose right or rights have been violated suffers sufficiently serious adverse consequences. The precise threshold depends on the specific circumstances of the case. It is clear, however, that such adverse consequences do not necessarily have to include physical damage."[52]

New Zealand (2020)

"An agreed norm of responsible state behaviour provides that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. Whether this norm also reflects a binding legal obligation is not settled. Some states consider that, subject to certain knowledge and capacity requirements, customary international law requires states to take reasonable measures to put an end to malicious cyber activity which is conducted from, or routed through, their territory, if the activity is contrary to the rights of another state.

New Zealand is not yet convinced that a cyber-specific “due diligence” obligation has crystallised in international law. It is clear that states are not obliged to monitor all cyber activities on their territories or to prevent all malicious use of cyber infrastructure within their borders. If a legally binding due diligence obligation were to apply to cyber activities, New Zealand considers it should apply only where states have actual, rather than constructive, knowledge of the malicious activity, and should only require states to take reasonable steps within their capacity to bring the activity to an end."[53]

Norway (2021)

Key message
[..] A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.

"[..] Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory."[54]

[...]

"[..]a State may be held responsible under international law if it knows or should have known that cyber operations that target third States are being carried out from or via its territory, and fails to take adequate measures.

As a consequence of the right to exercise sovereignty over cyber infrastructure located on its territory, States also have a corresponding obligation not to knowingly allow their territory to be used for acts causing significant harm to the rights of other States under international law. This customary international law obligation, often referred to as the due diligence principle, was recognised by the ICJ in the 1949 Corfu Channel judgment, and is reflected in numerous rules in specialised regimes of international law. Norway is of the view that the due diligence obligation applies in situations where there is a risk of transboundary harm from hazardous activities, regardless of the nature of the activity, and accordingly also applies to cyber operations.

Accordingly, if a State possesses knowledge of a cyber operation being carried out from or via its territory causing serious adverse consequences with respect to a right of the target State under international law, it is required to take adequate measures to address the situation.

The due diligence standard is the conduct that is generally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance. It is an obligation of conduct, not of result. Applied to cyber activities, what is required is for the State to take all reasonably available measures to terminate the cyber operation. A breach of the obligation consists not of failing to achieve the desired result, but of failing to take the necessary, diligent steps towards that end. It is irrelevant whether the cyber operation in question is conducted by a third State or a non-State actor. Likewise, it is irrelevant whether the cyber operation in question is conducted by an actor physically present on the State’s territory or by an actor making remote use of ICT infrastructure on the State’s territory.

In addition to actual knowledge of the use of cyber infrastructure within its territory for harmful cyber operations against another State, a State may also violate its due diligence obligation if it is in fact unaware of the activities in question but objectively should have known about them and fails to address the situation. Accordingly, knowledge also encompasses those situations in which a State in the normal course of events would have become aware that its territory was being used for harmful cyber operations. This implies that the criterion that a State ‘should have known’ is more likely to be met if for instance the operation used publicly known and easily detected malware, as opposed to highly sophisticated and previously unknown malware.

There is currently no legal basis for a general obligation to prevent cyber operations, and States are consequently not under an obligation to monitor all cyber activities on their territories.

Norway considers the due diligence obligation to be of particular importance in a cyber context. In situations where a targeted State cannot directly attribute (technically and legally) a wrongful cyber operation – for instance election interference – to the State from whose territory it is being carried out, the territorial State may nevertheless still be held accountable on the basis of a breach of the due diligence obligation."[55]

Poland (2022)

"States should exercise due care to ensure that the IT infrastructure located within their territory is not used for unauthorised actions targeted at third countries. The same applies to persons staying within the territory of the state. An assessment of whether the state exercised due care or not should be contingent upon its technological advancement, expertise/resources and knowledge about actions in cyberspace initiated within its territory."[56]

Romania (2021)

"The due diligence principle entails that a State may be responsible for the effects of the conduct of private persons, if it failed to take necessary measures to prevent those effects.

This principle (which implies a certain obligation of conduct on the part of States) was enunciated by the ICJ in its Corfu Channel judgment emphasizing that every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.

The due diligence principle requires that States take action in respect of cyber activities if the following elements are cumulatively met:

  • the acts are conducted (by a non-State actor or a third State) from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control);
  • the acts are contrary to the rights of a victim State and have serious adverse consequences for that State;
  • the State has actual or constructive knowledge of those acts."[57]

Singapore (2021)

"There is a need for more clarity on the scope and practical applications, if any, of due diligence in cyberspace. Issues such as the threshold required to trigger an obligation on States to act or respond, the degree of knowledge required of States, and the measures expected of a State from which the malicious cyber activity originates, are some examples of the questions that need to be further discussed and addressed among States."[58]

Sweden (2022)

"As a corollary to their sovereignty, States have an obligation to not knowingly allow their territory to be used for acts contrary to the rights of other States. This well-established rule of international law, described by the ICJ in the Corfu Channel case, also applies to cyber operations. A State’s obligation to ensure that its territory is not used to harm other States has often been referred to as an obligation of due diligence.

Due diligence is a standard of conduct and not of result, requiring a State to act responsibly and to do anything feasible to fulfil this obligation. States must use all reasonable means to prevent its territory to be used for acts causing serious adverse consequences to other states.

The difficulties involved in discovering cyber activities by non-state actors may affect what a State knows or should have known about such activities. Taking these difficulties into account, Sweden believes that this obligation, in principle, includes situations in which a State should have known about harmful activities taking place from its territory."[59]

Switzerland (2021)

"The principle of due diligence has evolved over a long period of time. Switzerland views due diligence as part of customary international law and applicable to cyberspace. The ICJ describes the concept of due diligence as a standard of conduct meaning "every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States." The doctrine of due diligence reflects fundamental principles of international law (including state sovereignty, equality, territorial integrity and non-interference).

The principle of due diligence is also applicable to cyberspace. Consequently, a state that is or should be aware of cyber incidents that violate the rights of another state is obliged to take all reasonable measures that are appropriate to stop or minimise the risks of such incidents. Due diligence is a variable standard and depends on the capacities and capabilities of a state as well as the particular circumstances of each case. Territorial states are obliged to use all reasonable means to prevent serious harm being caused to another state by activities taking place within their territory or in an area under their effective control. This makes due diligence an obligation of conduct, not of result. If the aforementioned conditions exist, the state in question is obliged under international law to close any loopholes immediately and assist in intercepting and tracing the incident.

Due diligence applies in particular to actions by private individuals that violate the rights of other states (e.g. hackers) and cannot be (clearly) attributed to the state in accordance with the rules of attribution (see section 6.1). If the aforementioned conditions exist and the state in question fails to fulfil due diligence requirements, the injured state may take countermeasures in accordance with the rules governing state responsibility in order to induce the responsible state to meet its obligations. Possible countermeasures outlined above may be taken both outside and inside the cyber domain. The responsible state may also be required to make reparations."[60]

United Kingdom (2021)

"UNGGE Norm 13(c) provides that States should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology. This norm provides guidance on what may be expected to constitute appropriate State behaviour. The UK recognises the importance of States taking appropriate, reasonably available, and practicable steps within their capacities to address activities that are acknowledged to be harmful in order to enhance the stability of cyberspace in the interest of all States. But the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace."[61]

United States of America (2021)

"In recent public statements on how international law applies in cyberspace, a few States have referenced the concept of “due diligence”: that States have a general international law obligation to take steps to address activity emanating from their territory that is harmful to other States, and that such a general obligation applies more specifically, as a matter of international law, to cyber activities. The United States has not identified the State practice and opinio juris that would support a claim that due diligence currently constitutes a general obligation under international law. We do believe, however, that if a State is notified of harmful activity emanating from its territory it must take reasonable steps to address such activity."[62]

Appendixes

See also

Notes and references

  1. Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 22.
  2. UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
  3. Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added); See also UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 29-30.
  4. Dapo Akande, Antonio Coco and Talita de Souza Dias, ‘Old Habits Die Hard: Applying Existing International Law in Cyberspace and Beyond’, EJIL Talk! (5 January 2021)
  5. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020) 403-4. The position states that "we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form".
  6. New Zealand Foreign Affairs and Trade, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020) 3. According to the position, "An agreed norm of responsible state behaviour provides that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. Whether this norm also reflects a binding legal obligation is not settled".
  7. United Kingdom Foreign, Commonwealth & Development Office, ‘Application of international law to states’ conduct in cyberspace: UK statement’ (3 June 2021) para 12. According to the position: "the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace".
  8. Government of Canada, International Law applicable in cyberspace (April 2022) para. 26. According to the position, this does not "precludes the recognition of a binding legal rule of due diligence under customary international law. Canada continues to study this matter".
  9. See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
  10. See also Tallinn Manual 2.0, commentary to rule 6, para 4 (unanimously endorsing this view).
  11. Australia, ‘Australia’s International Cyber Engagement Strategy - Annex A: Australia’s Position on How International Law Applies to State Conduct in Cyberspace’ (October 2017) 91, stating that “if a state is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that state should take reasonable steps to do so consistent with international law”.
  12. Czech Republic, Comments submitted by the Czech Republic in reaction to the initial “pre-draft” report of the Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (undated), stating that “ICT-specific norms reflect a general principle of international law obliging States to ensure that territory and objects over which they enjoy sovereignty are not used to harm other States’ rights.”
  13. Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states.”
  14. Finland, ‘Statement by Ambassador Janne Taalas at the second session of the open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security’ (11 February 2020), stating that “States have an obligation not to knowingly allow their territory to be used for activities that cause serious harm to other States, whether using ICTs or otherwise.”
  15. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that “In compliance with the due diligence requirement, [France] ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors.”
  16. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 3.
  17. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on International law and cyberspace’ (2021) 6-7.
  18. Ministry of Foreign Affairs of Japan, ‘Basic Position of the Government of Japan on International Law Applicable to Cyber Operations’ (28 May 2021) 5.
  19. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘The Netherlands ... does regard the principle [of due diligence] as an obligation in its own right, the violation of which may constitute an internationally wrongful act.’
  20. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States’ UNODA, A/76/136 (August 2021) 71-2.
  21. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 7.
  22. Government Offices of Sweden, ‘Position Paper on the Application of International Law in Cyberspace’ (July 2022) 4.
  23. Tallinn Manual 2.0, commentary to rule 6, para 5.
  24. Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgement) [2007] ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rudiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
  25. While, in general, it is States, not individuals or private entities, which are able to violate international law, cyber operations carried out by individuals or private entities that nevertheless result in serious adverse consequences fall within a State’s due diligence obligation. See Tallinn Manual 2.0, commentary to rule 6, para 21.
  26. Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, para 2 and 15.
  27. Tallinn Manual 2.0, rule 6.
  28. Tallinn Manual 2.0, commentary to rule 6, para 18-24.
  29. Tallinn Manual 2.0, rule 6.
  30. Tallinn Manual 2.0, commentary to rule 6, para 37-42.
  31. Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, para 2 and 18.
  32. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024) 3-4, 7.
  33. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  34. Government of Canada, International Law applicable in cyberspace (April 2022), footnote 20: "See the discussion of the voluntary, non-binding UN GGE norms in the 2021 UN GGE Report, supra note 3 at 29-30, 42-46. Canada does not consider that the UN GGE consensus in 2015, and subsequently, on voluntary, non-binding norms touching on this matter precludes the recognition of a binding legal rule of due diligence under customary international law. Canada continues to study this matter."
  35. Government of Canada, International Law applicable in cyberspace, April 2022
  36. China’s Views on the Application of the Principle of Sovereignty in Cyberspace, Ministry of Foreign Affairs of the People's Republic of China, p. 1-2.
  37. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 8-9 (footnotes omitted).
  38. Richard Kadlčák, Statement of the Special Envoy for Cyberspace and Director of Cybersecurity Department of the Czech Republic (13 February 2020) 2.
  39. Government of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace" (4 July 2023) 7-8. See footnote [7]: United Kingdom of Great Britain and Northern Ireland v. Albania (merits), p. 22.
  40. President of Estonia: international law applies also in cyber space (29 May 2019).
  41. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 26.
  42. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 6.
  43. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 9-10.
  44. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 3.
  45. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 11.
  46. Irish Department of Foreign Affairs, Position Paper on the Application of International Law in Cyberspace (6 July 2023) 3-4. See Footnote [6]: Corfu Channel Case (UK v Albania) ICJ Reports 1949, p.22; See Footnote [7]: Corfu Channel, p. 23; See Footnote [8]: Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, ICJ Reports 2005, p. 168, [179]; See Footnote [9]: See: Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) Judgment (2007) ICJ Rep 43, [429]; See Footnote [10]: Tallinn Manual 2.0, Rule 7.
  47. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  48. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  49. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on International law and cyberspace’ (2021) 6-7.
  50. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 5.
  51. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 5.
  52. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 4-5.
  53. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
  54. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 70.
  55. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 71-72.
  56. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 4.
  57. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 76.
  58. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 84.
  59. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 4-5.
  60. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 7.
  61. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement (3 June 2021).
  62. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141.

Bibliography and further reading