Due diligence

From International cyber law: interactive toolkit
Revision as of 11:46, 19 September 2021 by Uncleistvan1BBB (added the Czech Republic; testing the note in the box)

Definition

Due diligence
According to the traditional formulation by the ICJ in the Corfu Channel case, every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.[1] In the cyber context, the UN General Assembly urged States already in 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.[2]

It is a matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations.[3] It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law.[4] Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means.[5] This view has also been endorsed by several States, including Australia,[6] the Czech Republic,[7] Estonia,[8] Finland,[9] France,[10] and the Netherlands.[11]

Due diligence does not entail a duty of prevention,[12] but rather an obligation of conduct.[13] A State breaches its due diligence obligation in the presence of the following cumulative elements:

  1. The existence of acts (by a non-State actor or a third State) contrary to the rights of a victim State,[14]
  2. which are conducted from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control),[15]
  3. which would have been unlawful if conducted by the potentially responsible State,[16]
  4. which have serious adverse consequences for the victim State,[17]
  5. with respect to which the potentially responsible State has actual or constructive knowledge,[18] and
  6. upon which the potentially responsible State can act, but fails to take all feasible measures.[19]

National positions

Australia

Czech Republic

Estonia

France

Germany

Israel

Japan

New Zealand

Norway: 2021

Key message
[..] A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.

"[..] Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory".[20]

[...]

"[..] a State may be held responsible under international law if it knows or should have known that cyber operations that target third States are being carried out from or via its territory, and fails to take adequate measures.

As a consequence of the right to exercise sovereignty over cyber infrastructure located on its territory, States also have a corresponding obligation not to knowingly allow their territory to be used for acts causing significant harm to the rights of other States under international law. This customary international law obligation, often referred to as the due diligence principle, was recognised by the ICJ in the 1949 Corfu Channel judgment, and is reflected in numerous rules in specialised regimes of international law. Norway is of the view that the due diligence obligation applies in situations where there is a risk of transboundary harm from hazardous activities, regardless of the nature of the activity, and accordingly also applies to cyber operations.

Accordingly, if a State possesses knowledge of a cyber operation being carried out from or via its territory causing serious adverse consequences with respect to a right of the target State under international law, it is required to take adequate measures to address the situation.

The due diligence standard is the conduct that is generally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance. It is an obligation of conduct, not of result. Applied to cyber activities, what is required is for the State to take all reasonably available measures to terminate the cyber operation. A breach of the obligation consists not of failing to achieve the desired result, but of failing to take the necessary, diligent steps towards that end. It is irrelevant whether the cyber operation in question is conducted by a third State or a non-State actor. Likewise, it is irrelevant whether the cyber operation in question is conducted by an actor physically present on the State’s territory or by an actor making remote use of ICT infrastructure on the State’s territory.

In addition to actual knowledge of the use of cyber infrastructure within its territory for harmful cyber operations against another State, a State may also violate its due diligence obligation if it is in fact unaware of the activities in question but objectively should have known about them and fails to address the situation. Accordingly, knowledge also encompasses those situations in which a State in the normal course of events would have become aware that its territory was being used for harmful cyber operations. This implies that the criterion that a State ‘should have known’ is more likely to be met if for instance the operation used publicly known and easily detected malware, as opposed to highly sophisticated and previously unknown malware.

There is currently no legal basis for a general obligation to prevent cyber operations, and States are consequently not under an obligation to monitor all cyber activities on their territories.

Norway considers the due diligence obligation to be of particular importance in a cyber context. In situations where a targeted State cannot directly attribute (technically and legally) a wrongful cyber operation – for instance election interference – to the State from whose territory it is being carried out, the territorial State may nevertheless still be held accountable on the basis of a breach of the due diligence obligation."[21]

Romania: 2021

"The due diligence principle entails that a State may be responsible for the effects of the conduct of private persons, if it failed to take necessary measures to prevent those effects.

This principle (which implies a certain obligation of conduct on the part of States) was enunciated by the ICJ in its Corfu Channel judgment emphasizing that every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.

The due diligence principle requires that States take action in respect of cyber activities if the following elements are cumulatively met:

  • the acts are conducted (by a non-State actor or a third State) from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control);
  • the acts are contrary to the rights of a victim State and have serious adverse consequences for that State;
  • the State has actual or constructive knowledge of those acts."[22]

Singapore: 2021

"There is a need for more clarity on the scope and practical applications, if any, of due diligence in cyberspace. Issues such as the threshold required to trigger an obligation on States to act or respond, the degree of knowledge required of States, and the measures expected of a State from which the malicious cyber activity originates, are some examples of the questions that need to be further discussed and addressed among States."[23]

Switzerland

The Netherlands

United Kingdom: 2021

"UNGGE Norm 13(c) provides that States should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology. This norm provides guidance on what may be expected to constitute appropriate State behaviour. The UK recognises the importance of States taking appropriate, reasonably available, and practicable steps within their capacities to address activities that are acknowledged to be harmful in order to enhance the stability of cyberspace in the interest of all States. But the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace."[24]

Appendixes

See also

Notes and references

  1. Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 22.
  2. UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
  3. Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added).
  4. See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
  5. See also Tallinn Manual 2.0, commentary to rule 6, para 4 (unanimously endorsing this view).
  6. Australia, ‘Australia’s International Cyber Engagement Strategy - Annex A: Australia’s Position on How International Law Applies to State Conduct in Cyberspace’ (October 2017) 91, stating that “if a state is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that state should take reasonable steps to do so consistent with international law”.
  7. Czech Republic, Comments submitted by the Czech Republic in reaction to the initial “pre-draft” report of the Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (undated), stating that “ICT-specific norms reflect a general principle of international law obliging States to ensure that territory and objects over which they enjoy sovereignty are not used to harm other States’ rights.”
  8. Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states.”
  9. Finland, ‘Statement by Ambassador Janne Taalas at the second session of the open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security’ (11 February 2020), stating that “States have an obligation not to knowingly allow their territory to be used for activities that cause serious harm to other States, whether using ICTs or otherwise.”
  10. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that “In compliance with the due diligence requirement, [France] ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors.”
  11. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘The Netherlands ... does regard the principle [of due diligence] as an obligation in its own right, the violation of which may constitute an internationally wrongful act.’
  12. Tallinn Manual 2.0, commentary to rule 6, para 5.
  13. Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rüdiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al (eds), Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
  14. Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, paras 2 and 15.
  15. Tallinn Manual 2.0, rule 6.
  16. Tallinn Manual 2.0, commentary to rule 6, paras 18–24.
  17. Tallinn Manual 2.0, rule 6.
  18. Tallinn Manual 2.0, commentary to rule 6, paras 37–42.
  19. Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, paras 2 and 18.
  20. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 70.
  21. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 71-72.
  22. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 76.
  23. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 84.
  24. United Kingdom Foreign, Commonwealth & Development Office, ‘Application of international law to states’ conduct in cyberspace: UK statement’ (3 June 2021).

Bibliography and further reading