Articles

‘Cyber Due Diligence’: A Patchwork of Protective Obligations in International Law

Abstract

With a long history in international law, the concept of due diligence has recently gained traction in the cyber context, as a promising avenue to hold states accountable for harmful cyber operations originating from, or transiting through, their territory, in the absence of attribution. Nonetheless, confusion surrounds the nature, content and scope of due diligence. It remains unclear whether it is a general principle of international law, a self-standing obligation or a standard of conduct, and whether there is a specific rule requiring diligent behaviour in cyberspace. This has created an ‘all-or-nothing’ discourse: either states have agreed to a rule or principle of ‘cyber due diligence’, or no obligation to behave diligently would exist in cyberspace. We propose to shift the debate from label to substance, asking whether states have duties to protect other states and individuals from cyber harms. By revisiting traditional cases, as well as surveying recent state practice, we contend that – whether or not there is consensus on ‘cyber due diligence’ – a patchwork of different protective obligations already applies, by default, in cyberspace. At their core is a flexible standard of diligent behaviour requiring states to take reasonable steps to prevent, halt and/or redress a range of online harms.

 Full text available in PDF format
The free viewer (Acrobat Reader) for PDF file is available at the Adobe Systems