
 

Cyberattacks such as the one that temporarily
took down half the cyber-infrastructure of Estonia (2007), the attack against sites
of the Georgian government (2008), the Stuxnet virus that hit Iran’s nuclear
program (2009) and the attack on Sony by North Korea (2014), demonstrate that
no one is immune and that threats arising from cyberspace present the most
serious challenge of the twenty-first century. The speedy development of
technology and its malleable nature contribute to challenges in regulating the use
of cyberspace, risking the emergence of a potential ‘lawless area’ that is
prone to misuse. Scholars and policymakers tend to agree that cooperation among
states through a diverse portfolio of measures is paramount in preventing cyberattacks.
While states will do anything in their power to protect infrastructure and citizens
within their own defined territories, they equally will want to ensure that
other states take every feasible step to put an end to harmful cyber activities
launched from their own territory (Schmitt,
2015).  The need for states to
exercise due diligence over the cyber infrastructure located in their
territories has already been emphasized in scholarly discussions; however, the
scope and scale of such obligations have yet to be clarified. Consequently,
the question arises ‘to what extent are states under a due diligence obligation
to proactively undertake measures to prevent cyber threats that originate from
their own territory but that target other states?’

 

Background and Rationale


Determining the borders of state
responsibility in a borderless environment such as cyberspace has
proved to be a challenging task, fostering a debate among policymakers and
international scholars. Initially it was debatable whether existing law was
applicable in cyberspace at all. Due to the conventional view that
cyberspace “is not a physical place” and as such it defies measurements in any
physical dimension or time-space continuum and is, therefore, unconstrained by the limitations that
these characteristics impose, commentators have claimed for years that the
existing legal framework does not apply to cyberspace (Johnson and Post, 1996), thus supporting Barlow’s Declaration of the Independence of
Cyberspace. However, opponents of this theory have pointed out that cyberspace
requires a physical architecture to exist, and that the equipment constituting the
architecture is usually located within the territory of a state. Consequently, state sovereignty and international norms
that flow from it apply to the infrastructure within its territory (UN Doc, A/68/98, 2013). This view has
found wide support amongst scholars. Most recently, under NATO’s initiative, a group
of reputable experts gathered with the aim of setting guiding principles with
regard to the applicability of international law to cyberspace, and laid down
such norms in the Tallinn Manual. The
Manual, though not binding by nature, is the first comprehensive document with
regard to the discussion of the applicability of customary international law (CIL)
to cyberspace, establishing a principle that most countries and authors agree
on – that cyberspace is not a lawless environment and that basic principles of
international law govern it although there may be a need for a consensual
adaptation to the specific characteristics of cyberspace. As such, when
applying “old laws of war to new cyber-circumstances, it is important staying
faithful to enduring principles, while accounting for changing times and
technologies” (Hongju Koh, 2012).

Despite a general agreement on the
applicability of international law to cyberspace, defense against cyberattacks has
scholars divided in their view of what states’ rights and responsibilities are.
To date, the majority of the research has focused on the attribution of
responsibility to states for their actions or omissions as one of the main
grounds for state responsibility, including discussion on attribution for non-state
actors and proxies. However, concerns have surfaced regarding the fact that the
attribution test in cyberspace makes it more difficult for the victim state to
trace cyberattacks from non-state actors, particularly in circumstances when they
are assisted by a state, while making it easier for the state behind the
cyberattacks to control such attacks. Therefore, recognizing the deficiencies
of the attribution test, as well as the risk of state territories being used as
a safe haven for non-state actors to conduct harmful cyber activities, a new
test of ‘virtual control’ has been suggested. According to this test, a state
must exercise due diligence not to allow its territory, infrastructure,
equipment, or funding to be used for a cyberattack against another State – and failing
to be duly diligent would entail state responsibility (Kittichaisaree, 2017; Tallinn Manual Rule 5). Consequently, the requirement
of states to meet their due diligence duties by ensuring that their
infrastructure is not used for cyberattacks against other states has become a
mainstream issue in discussions of the law of cyberspace.

Nevertheless, the question of what the
state’s due diligence obligations in cyberspace entail (the extent to which states
are obliged to assert jurisdiction over cyberspace within their territorial
sovereignty, including the duty to monitor and regulate as means of prevention) requires
further scholarly attention. In this context, the primary research question will
focus on determining the parameters of due diligence in cyberspace as an obligation
of states to actively undertake measures for preventing harmful cyber threats originating
from their territory.

 

Research Questions and Building Blocks of the Research

Due diligence is a principle employed
under CIL to guarantee that states will undertake measures to prevent transboundary
harm originating from their territory. In areas such as Humanitarian and Environmental
Law, due diligence has been enshrined in treaty obligations that correspond to
the nature of the threats. As there is no binding international agreement
defining due diligence in cyberspace, merely a consensus on its applicability (Tallinn Manual Rule 5), one has to look
at norms of customary international law to identify the obligations and,
following that, define the extent of its application in cyberspace. As such, the
proposed research aims to determine whether, due to the nature of cyberspace, due
diligence entails a ‘duty’ of states to actively monitor and prevent harmful
activities originating from the cyber infrastructure under their effective
control. Thus a segment of the proposed research will evaluate the extent to which
the due diligence obligations need adjusting to accommodate the characteristics
of cyberspace. Moreover, as due diligence relies heavily on technological capacities,
the research will aim, based on the recent practice of states, to identify the
existence of an ‘objective standard’ that can be employed in international law
for failure of a state to meet its due diligence obligations. Lastly, depending
on the scale of the violation of international law, it will define what responsive
measures victim states are entitled to.

 

o   Contextual framework of Due Diligence under CIL

Although it has been a topic of
discussion in various international forums, including the UN, a worldwide
agreement on a binding interpretation of due diligence in cyberspace has not
been reached and is unlikely in the short term (The UN summit in December 2015; UN Group of Governmental Experts (UN
GGE)). Absent a robust treaty regime we must evaluate the existence of
obligations under CIL by analyzing practice and opinio juris, prior to applying them in cyberspace. It should be
noted that due diligence derives from the principle of sovereignty, since a
corollary of sovereignty is the duty to protect within the territory the rights
of other states (Island of Palmas Case)
or to protect other states against injurious acts by individuals from within
their jurisdiction (Trail Smelter Case).
Therefore, the first segment of the proposed research will aim to define a
theoretical context or framework of due diligence obligations under customary international
law in general. In doing so we turn to the International Court of Justice (ICJ),
the most authoritative body in interpreting CIL, which has held that due
diligence entails the obligation of a state not
to allow knowingly its territory to be used for causing harm to other
states (Corfu Channel Case); and, to take appropriate steps to prevent
breaches of international law (Tehran
Hostages Case), or impose regulations on the state or people under its
jurisdiction (Trail Smelter Case). Scholars
have furthered the views of the ICJ in concretizing the parameters of due diligence
in different fields, such as human rights law, humanitarian law, environmental
law (International Law Association (ILA)).
However, it has been held that due diligence is a standard that varies
according to context; accordingly, it may not easily be described in precise terms
because it is a ‘variable’ that may change over time and ‘in relation to the
risks involved in the activity’ (Seabed
Mining Advisory Opinion). Therefore, building from the parameters set in
the contextual framework the goal is to define the scope of the application of
due diligence in cyberspace.

 

o   Due Diligence as an obligation of States to undertake monitoring and regulatory measures

The proposed research will look at the application of due
diligence in cyberspace from a narrower approach, that of ‘the duty of states
to undertake regulatory and preventive measures’ to prevent cyber threats
arising from their territory, as an exercise of their objective and subjective
jurisdictional powers. By way of analogy, in the past, based on a site’s
accessibility from within their territory (LICRA
v Yahoo; R v. Töben; R v. Perrin) or under the justification of being
specifically targeted (L’Oréal SA and
others v. eBay International AG and Others) states have asserted their rights
to exercise jurisdiction, especially by subjecting objects and persons to
domestic legislation and enforcing it within their territory (Heinegg, 2013). Therefore, the question that arises is whether, under the same
prerogatives that states assert jurisdiction to protect the people and
infrastructure within their territory, they can be subjected to an obligation
of due diligence to undertake the same measures to protect other states from
such harmful activities. Consequently, the pressing issue to be addressed is to
what extent are states under a duty to undertake regulatory and preventive
measures within their jurisdictional powers to prevent cyberattacks originating
from their territory? The answer to that question will be drawn from
interpreting and adjusting the due diligence obligations under CIL in the
context of cyberspace. The first step in that regard is defining what the term not
to allow ‘knowingly’ entails. Although
in the Corfu Channel Case, the underlying
principle was that states have a duty to warn other states of known or
foreseeable harm, later the Court in the Nicaragua
Case held that in some circumstances a State may be under a specific
obligation to use best efforts to gain knowledge of activity within its
territory or jurisdiction, leaving unanswered the question whether
constructive knowledge suffices for establishing a breach of the obligation. The
research at hand will try to contribute to clarifying the standard of knowledge
applied in cyberspace.

Determining the said parameter goes hand in hand with
determining what appropriate steps a
state is allowed or obliged to undertake. It has been contended that due
diligence requires a state to employ its ‘best possible efforts’ or to
take all means reasonably available to prevent or minimize the risk of a
wrongful act occurring (ILA Study Group).
Consequently, the segment at hand will elaborate what ‘appropriate steps’ states are under an obligation to undertake in
the context of cyberspace. In doing so we must apply the reasonableness test, which
varies according to the importance of the interests that require protection. While
a high standard of duty to prevent may apply in preventing genocide, a lower
standard may be applicable in the prevention of property or financial
interests. By analyzing the various standards of due diligence to which states
have been held accountable in different fields of law, such as human rights
law, investment law, environmental law (ILA
Study group), one can conclude that the standard of ‘best effort’ or ‘appropriate
steps’ has evolved through time, and as such the obligation must meet the
requirements and characteristics of the object of defense and nature of
threats. It has been recognized that such characteristics do not pose an
obstacle in exercising territorial sovereignty and jurisdiction, but increase
the difficulty of doing so (Heinegg, 2013).
Therefore, an adjacent segment of the research will focus on the peculiarities
of cyberspace, such as its trans-boundary existence and multi-jurisdictional
impact, in order to determine which areas could create
difficulty when attempting to apply international law, and accordingly attempt
to lay out the reasonable measures that a state must undertake.

 

 

o   Capacities of states as a factor in determining the fulfilment of due diligence obligations

Further on, as contended in the Pulp Mills case, due diligence entails not only an obligation for
states to adopt appropriate rules and measures but also a certain level of
vigilance in their enforcement with the purpose of acquiring knowledge of events or
of risks, which could include monitoring infrastructure and activities; good
quality intelligence and information; as well as mechanisms and processes for
good analysis and evaluation of such information. As such, due diligence
requires not only that institutional structures be constructed but also
sophisticated capabilities in information and communications technology. It
transpires from the above that the obligation of due diligence is a variable
obligation that depends on the capacity as well as on the technological development
of the states themselves (Tsagourias,
2015). Absence of such technical capacities can result in failure to enact
legislation and undertake other preventive measures against cyber attackers. This
makes the lack of capacities of states to meet their obligations an important
segment of the research at hand.

It is well-established that less developed States may not
be able to control the activities in their territory in a similar manner to
developed States, and thus risk becoming safe havens for criminal and terrorist
groups, and that this can affect the evaluation of whether they have breached
their due diligence obligation (ILA Study
group). For that purpose, the research will look into the application of due
diligence in different countries like the US, the UK and Germany, which have undertaken
extensive regulatory measures and mainstreamed due diligence in their
cybersecurity strategies, in order to determine the existence of an “objective
standard” employed in international law for failure of a state to meet its due
diligence obligations in cyberspace. In the alternative, it will elaborate on the
difficulties of meeting an ‘objective standard’ of due diligence as a result of
lack of capacities.

 

o   Responses for failure to meet Due Diligence obligations

Once it is established that states are under a duty
to terminate an ongoing cyber operation mounted from their territory against
another state, and that doing so is practical and reasonable in the circumstances,
failure of the state to do so would result in an internationally wrongful act,
which would give rise to responses from the victim state (Schmitt, 2015; Tallinn Manual
Rules 5, 9, 13). Hence the last segment of the research will focus on the responses
that states can legally employ against cyber threats, be it use of force in
self-defense or countermeasures. It should be noted that in the past use of
force in self-defense and countermeasures have by law been unavailable as a
direct response to cyber operations by non-state actors, if such actions are
not attributable to the state. However, recent state practice appears to extend
the right of self-defense in case of attacks launched by non-state actors such
as transnational terrorist groups. Such was the case of the 9/11 attacks by
Al-Qaeda on the United States, which were characterized as an armed attack
triggering the inherent right of self-defense. Moreover, under the same
justification the US took action against Afghanistan, invoking its
responsibility for hosting Al-Qaeda and failing to prevent its actions. For the
purposes of the research at hand, the significance of the 9/11 attacks is that
they set a practice that state responsibility may be implied based on a state’s
failure to fulfill its international duty to prevent non-state actors from
using its territory to attack other states.

As such, while the proposed research will
refrain from entering the global discussion on the threshold of use of force
and armed attack, it will borrow from this discussion only as far as necessary
to determine the means a victim state can employ in response to cyber attacks when
a state fails to meet its due diligence obligations, namely the use of force in
self-defense for cyber attacks that amount to armed attacks, or countermeasures
for threats that fall beneath that threshold.

 

Methodology and Added Value

As the proposed research aims at identifying and clarifying
the application of existing norms to a newly emerging global context, the
primary research methodology used will be the doctrinal approach. This implies conducting
a critical and conceptual analysis of the relevant norms of law including
legislation and case law related to the due diligence principle in general and
applying them to cyberspace. In addition, a positivistic method of inquiry will
be used as a tool to define the extent of the application of due diligence
based on current state practice.

With regard to the added value of the proposed research, as
indicated throughout the proposal, the law of cyberspace is a prominent topic of
discussion in law. While in particular areas there has been more progress and
scholarly contribution, including issues of attribution of responsibility for
actions amounting to cyber warfare, due diligence in cyberspace is yet to be
explored. The doctrine developed up to date has merely identified the questions
surrounding due diligence and its application to cyberspace. Therefore, the
research at hand aims to provide a more in-depth study on the extent to which the
due diligence principle can be imposed on states as a duty to monitor and
prevent cyberattacks originating from the cyber infrastructure that is under
their effective control. Such research will contribute to the body of law and
the wider attempt of scholars to impose greater responsibility on states for
the territory under their jurisdiction, and it also attempts to contribute to
the future prevention of violations with grave outcomes.

 

 

Post Author: admin
