I. INTRODUCTION
There is currently widespread agreement among States that, in principle, international law applies to State cyber operations. Three consensus reports endorsed by States participating in the United Nations (UN) Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE), comprising governmental experts from 25 States, have determined that international law, ‘in particular the Charter of the United Nations’, applies to cyber operations.Footnote 1 While the UN GGE reports themselves are non-binding, they contain references to both binding and non-binding norms. The 2015 report was subsequently welcomed and endorsed by the UN General Assembly (UNGA) by consensus.Footnote 2 The 2021 final report of the UN Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security, a parallel process open to all interested States, with participation from the private sector, non-governmental organizations (NGOs) and academia, adopted by consensus among State participants, reaffirmed that international law is applicable to cyber operations.Footnote 3 However, while there is broad agreement that international law applies in principle to cyber operations, both fora have encountered disagreements over the inclusion of specific language and references to the application of certain areas of law, for example, the right to self-defence, international humanitarian law and international human rights law.Footnote 4
In the cyber context, due diligence obligations have been discussed in relation to cyber operations which pass through or manifest on infrastructure on the territory of a State and may cause harm in the territory of another State. Despite the clear position of States on the matter in consensus UN GGE reports,Footnote 5 the existence and normative scope of binding due diligence obligations in relation to cyber operations is currently the subject of dispute in the literature.Footnote 6 Some commentators have sought to encourage the development of due diligence obligations in relation to cyber operations,Footnote 7 and others have even sought to assert that binding obligations exist for States as lex lata.Footnote 8 This article adopts a critical approach towards scholarship asserting that States are under binding due diligence obligations in relation to cyber operations based upon framing due diligence as a universal standalone source from which it is possible to derive binding obligations for all areas of activity. The article demonstrates, by reference to doctrine, the case law of the International Court of Justice (ICJ) and to the existence of areas of activity where only soft-law ‘obligations’ exist, that due diligence obligations are anchored in specific primary rules and are not a universal standalone source from which it is possible to derive binding obligations for all areas of activity. The article examines the position of States in UN fora that clearly determines that States do not consider themselves to be under such binding obligations, including the UN GGE that explicitly determined by consensus that due diligence in cyberspace constitutes a ‘voluntary, non-binding norm of responsible State behaviour’,Footnote 9 and individual state positions including those that have been influenced by these scholarly debates. 
The motivations and implications of literature that often encourages the development and/or recognition of binding obligations by States in cyberspace whilst simultaneously claiming that such obligations already exist as a matter of lex lata are also addressed. The article concludes that there is currently insufficient State practice and opinio juris to support the crystallization or development of a customary rule featuring binding due diligence obligations in cyberspace. Assertions of binding due diligence obligations in cyberspace therefore constitute lex ferenda.
The structure of the article is as follows. First, the article examines the status of due diligence obligations in international law to determine that due diligence obligations are anchored in primary rules and are not a universal standalone source from which it is possible to derive binding obligations for all areas of activity. Second, the article discusses the normative relationship between due diligence obligations and cyber operations in light of the position of States and relevant State practice to demonstrate that there is currently insufficient State practice and opinio juris to support the development of a customary rule containing binding due diligence obligations in cyberspace. Finally, the article addresses risks and implications associated with construing due diligence as a universal standalone source from which it is possible to derive binding obligations for all areas of activity.
II. STATUS OF DUE DILIGENCE OBLIGATIONS
In international law, the term due diligence is invoked in relation to expectations on a State to manage risks emanating from non-State actors on its territory in particular scenarios,Footnote 10 though risks may also originate from other causes such as a force of nature or activities of a third-party State.Footnote 11 In 2012, the International Law Association (ILA) established a Study Group to examine ‘the extent to which there is a commonality of understanding between the distinctive areas of international law in which the concept of due diligence is applied’.Footnote 12 The Study Group produced several reports and a resolution that was adopted by an ILA conference in August 2016Footnote 13 recognizing ‘the importance of due diligence as a relevant standard of conduct in many areas of international law’ and the ‘continued reliance on due diligence by international courts and tribunals’.Footnote 14
A. Doctrine and Due Diligence Obligations
Questions have arisen about the nature of due diligence in terms of the inconsistent characterization of its status in international law.Footnote 15 The Max Planck Encyclopedia of Public International Law defines due diligence obligations as ‘primary obligations that require States … to endeavour to reach the result set out in the obligation’ where ‘[a] breach of these obligations consists not of failing to achieve the desired result but failing to take the necessary, diligent steps towards that end’.Footnote 16 Due diligence obligations have been addressed in a number of international courts and arbitral awardsFootnote 17 including the ICJFootnote 18 and the International Tribunal on the Law of the Sea (ITLOS).Footnote 19
Due diligence obligations have most commonly developed in treaties concerning international environmental lawFootnote 20 but they can be found in other branches of international law as well.Footnote 21 As Koivurova explains, ‘State practice has developed more precise rules and standards as to what due diligence requires of its subjects in certain areas of international relations’, where ‘[m]any fields of international law have seen the emergence of primary obligations that require States to exercise due diligence, that is, to endeavour to reach the result set out in the obligation’.Footnote 22
As demonstrated by its adverbial use, diligence may be understood as a qualifier of behaviour, whereby an actor can behave diligently or negligently.Footnote 23 Though the term due diligence has a ‘wide array of different meanings and fulfils diverging functions in hugely diverse legal regimes’,Footnote 24 it is perhaps most coherently invoked in relation to what was traditionally characterizedFootnote 25 as the no-harm rule and the allocation of accountability for human-made risks in relation to transboundary harm in international environmental law.Footnote 26
Due diligence obligations based in rules of customary international law can be particularly difficult to identify, and consequently international courts and tribunals have played a significant role in identifying the existence of such obligations in various fields of international law.Footnote 27 For instance, as established by international courts and tribunals,Footnote 28 and affirmed by other sources such as the 1992 Rio DeclarationFootnote 29 and the International Law Commission's (ILC's) 2001 Draft Articles on Prevention of Transboundary Harm,Footnote 30 two rules of customary international law have developed in international environmental law.Footnote 31 First, that States have a duty to take appropriate measures to prevent, reduce and control transboundary pollution and environmental harm that results from activities within their jurisdiction or control. Second, States have a duty to cooperate in mitigating transboundary risks and emergencies through processes of notification, consultation, negotiation, and, where appropriate, environmental impact assessments. However, neither rule constitutes a complete prohibition on all transboundary harm,Footnote 32 and ‘it is erroneous (and deeply confusing) to refer to a “no harm” rule in this context’, as ‘[t]he obligation is one of conduct, not of result’.Footnote 33 Due diligence obligations do not require that harm to the interests of other States is totally prevented, only that States make best efforts to prevent or minimize such harm.Footnote 34 Due diligence obligations may be procedural in notifying or reporting certain events and in warning other States, or institutional in States being obliged to take legislative or administrative safeguard measures.Footnote 35
The work of the ILA encouraged further research on due diligence obligations and their status in international law, perhaps most substantially, a project at the Max Planck Institute for Comparative Public Law and International Law that sought to determine ‘whether a common understanding of due diligence throughout the different areas of international law and possibly across different types of legal persons (States, IOs [international organizations], other) can be traced and, if so, whether this warrants qualifying due diligence as an overarching principle of international law’,Footnote 36 resulting in several comprehensive publications on the subject.Footnote 37
The ambitious argument has been made that there exists a coherent general principle of due diligence that spans across all areas of international law.Footnote 38 Peters, Krieger and Kreuzer address the significance of a distinction between due diligence understood as a general principle, obligation or duty, or standard:
As a general principle, due diligence would also have to be read and construed in the light of other international legal principles, such as sovereignty or good neighbourliness. Understood as an ‘obligation’ or ‘duty’, the function and content of due diligence would likely remain more constrained by the specific norm to which it attaches. A ‘standard’ of due diligence would rather neutrally suggest a normative expectation.Footnote 39
However, the treatment of due diligence by international courts and tribunals clearly determines that there is no broad or ‘standalone’ rule of customary international law, nor general principle in the sense of Article 38(1)(c) of the ICJ Statute, requiring States to exercise due diligence that spans across all areas of international law.Footnote 40
B. Case Law and Due Diligence Obligations
Rather than recognizing due diligence as a ‘free-standing’ concept in international law, the ICJ recognizes binding obligations upon a State to act with due diligence as part of an existing primary rule, or where the Court otherwise seeks to determine the content of treaty or customary law rules that may or may not explicitly refer to ‘due diligence’.Footnote 41 In other words, after first identifying the relevant rules of international law applicable to the situation in question, the Court then seeks to determine what standard of review the rule may require a State to undertake, either explicitly or implicitly, to act consistently with the rule. The Court's approach to due diligence obligations underlines that they require a primary rule in order for such obligations to arise and that the nature of a legal obligation to act with due diligence is specific to a particular context and so should not be universally transposable across one area of international law to another.Footnote 42
The term due diligence was used as far back as 1871 in a treaty between the United States (US) and United Kingdom (UK) that led to the Alabama Claims arbitration.Footnote 43 The resulting Alabama Arbitration Award of 1872, occasionally still cited in relation to the contemporary status of due diligence obligations in international law, concerned primary rules in the form of a treaty in relation to activities at sea,Footnote 44 though the arbitrators’ ruling on what constituted due diligence was never accepted internationally among States.Footnote 45 The term is also associated with the Trail Smelter arbitration,Footnote 46 an ad hoc arbitration implemented by the US and Canada in a 1935 bilateral treaty to settle a dispute concerning air pollution emanating from Canada into the US, the resulting awards of which are considered the ‘locus classicus and fons et origo’ within the area of international environmental law.Footnote 47
In 1949 in its first contentious case, Corfu Channel, the ICJ addressed obligations of due diligence, but only did so in relation to a corresponding primary rule of international law.Footnote 48 The case concerned an incident in 1946 in which British warships passing through Albanian territorial waters were severely damaged by naval mines, resulting in the loss of life of 44 sailors. The issue before the Court was not whether Albania had exercised due diligence, but rather which response was required having established actual knowledge of the mines under customary international law.Footnote 49 The Court elaborated in general terms on the nature of Albania's legal obligations in relation to the minefield within their territorial waters as follows:
The obligations incumbent upon the Albanian authorities consisted in notifying, for the benefit of shipping in general, the existence of a minefield in Albanian territorial waters and in warning the approaching British warships of the imminent danger to which the minefield exposed them. Such obligations are based … on certain general and well-recognized principles, namely: elementary considerations of humanity, even more exacting in peace than in war; the principle of the freedom of maritime communication; and every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.Footnote 50
The judgment of the Court clearly underlines that although Albania was under an obligation to act with due diligence in relation to the minefield, that legal obligation emanated from primary rules of international law in relation to that discrete context, specifically, the right of innocent passage and the concomitant obligation of the coastal States not to hamper this right.Footnote 51 As explained by Heathcote:
… when it comes to responsibility for wrongful acts, it is only in relation to established rights that an obligation of due diligence is owed by one State to another (in the Corfu Channel case, the right of innocent passage).Footnote 52
The Pulp Mills case concerned whether or not Uruguay had breached its primary obligations under the Statute of River Uruguay, a 1975 bilateral treaty that sought to govern the use by each State of those parts of the River Uruguay which formed a common border between them.Footnote 53 In interpreting the nature and extent of Uruguay's obligations under the bilateral treaty, the Court looked to other primary rules of customary international law in accordance with the Vienna Convention on the Law of Treaties.Footnote 54 The Court stated that ‘the principle of prevention, as a customary rule, has its origins in the due diligence that is required of a State in its territory’,Footnote 55 that ‘[t]his Court has established that this obligation “is now part of the corpus of international law relating to the environment”’, where this rule required a State to use ‘all the means at its disposal’ to avoid activities ‘which take place in its territory or in any area under its jurisdiction, causing significant damage to the environment of another State’.Footnote 56 Pulp Mills demonstrates that the ICJ identifies obligations of due diligence for States only to the extent that they exist within a specific primary treaty rule or rule of customary international law within the particular context of the scenario in question, in this instance, the field of international environmental law.
In Armed Activities,Footnote 57 the Court considered allegations filed by the Democratic Republic of Congo (DRC) that Uganda had ‘breached its obligation of vigilance incumbent upon it as an occupying Power by failing to enforce respect for human rights and international humanitarian law’ on its territory.Footnote 58 This ‘obligation of vigilance’ is, however, anchored in specific treaty provisions invoked by the DRC, which claimed violations thereof through Uganda's occupation of its territory.Footnote 59 The finding of the Court that Uganda violated international law obligations ‘by its failure, as an occupying Power, to take measures to respect and ensure respect for human rights and international humanitarian law in Ituri district’Footnote 60 was based on the breach of such treaty provisions in relation to the exercise of control over the territory in question, and consequently the obligation to act with due diligence as per the treaty provisions.
Finally, the Court's approach in the Prevention and Punishment of the Crime of Genocide case provides a yet clearer explanation of the nature of due diligence obligations in international law.Footnote 61 The case concerned alleged violations of the Convention on the Prevention and Punishment of the Crime of Genocide, as well as various matters which Bosnia and Herzegovina claimed were connected therewith, including the allegation that under Article I Serbia failed in its duty to prevent genocide by not acting to prevent the Srebrenica massacre in 1995. The Court's treatment of due diligence clearly understands such obligations as being contained within primary rules in relation to the specific context of the situation in question. Indeed, the Court explicitly cautions against the transposition of due diligence obligations from one area of international law to another,Footnote 62 recognizing that similar ‘obligations to prevent’ existed in various treatiesFootnote 63 but that the content of the obligations to act with due diligence was not comparable between treaty regimes and different rules of customary international law.Footnote 64 In other words, the Court recognized that due diligence obligations are based in primary rules, warned against a generalization of due diligence obligations between different rules, and stated that the context and regime in which such obligations were developed by States are paramount:Footnote 65
The content of the duty to prevent varies from one instrument to another, according to the wording of the relevant provisions, and depending on the nature of the acts to be prevented … … The decision of the Court does not, in this case, purport to establish a general jurisprudence applicable to all cases where a treaty instrument, or other binding legal norm, includes an obligation for States to prevent certain acts.Footnote 66
In Border Area/Road, the Court was called upon to apply procedural and substantive rules of customary international law and treaty provisions, where in each case the Court examined the relevant primary rule(s) to determine whether obligations were applicable.Footnote 67 However, the Court concluded that Nicaragua had not proved that the construction of the road caused significant transboundary harm, and accordingly dismissed Nicaragua's claims on this point.Footnote 68
Critically, these cases also illustrate that States do not refer to a universal standalone source of due diligence obligations in international law in their pleadings before the ICJ; instead they invoke specific primary rules in the form of treaty law or custom that require a particular act or omission by other States that may include requiring a State to act with due diligence.Footnote 69 As Ollino notes, ‘[f]rom the perspective of due diligence … it does not appear that the court used due diligence per se as a free-standing source of obligations for states’.Footnote 70 The approach of the ICJ is first to identify relevant primary rules before considering any due diligence obligations required by those rules in the context of the particular scenario in question, where the nature of such obligations by reference to a specific rule will differ from case to case.Footnote 71 This approach is consistent with the findings of tribunals in other areas of law, for example, in the law of the sea it is clear that ‘[due diligence obligations apply] in all those cases in which a treaty provision or rule of customary international law requires a State “to ensure” a certain result or to reach a certain aim, be it the avoidance of a certain harm or the achievement of a certain result’.Footnote 72
As Crawford notes in his commentary to the ILC Articles on State Responsibility:
… different primary rules of international law impose different standards ranging from ‘due diligence’ to strict liability, and that breach of the correlative obligations gives rise to responsibility without any additional requirements. There does not appear to be any general principle or presumption about the role of fault in relation to any given primary rules, since it depends on the interpretation of that rule in the light of its object or purpose. Nor should there be, since the functions of different areas of the law, all underpinned by State responsibility, vary so widely.Footnote 73
C. Conclusion
Due diligence is therefore not a free-standing obligation but a ‘modality attached to a duty of care for someone or something else (including the duty to prevent and mitigate harm)’; indeed, ‘[o]ne might call it an ancillary obligation if one wants to use the language of obligation at all’.Footnote 74 As McDonald explains, ‘there is no “general principle of due diligence” in international law’, ‘a legal requirement to exercise due diligence may be a component part of a primary rule of international law, but this can only be determined by referring back to the primary rule in question’.Footnote 75 It is precisely in this manner that this article employs the term ‘obligations’ in relation to due diligence, that is, an ancillary obligation of conduct that forms a component part of a primary rule of international law.Footnote 76 Regardless of the confusion surrounding the status and use of various terminology invoked in referring to the status of due diligence obligations in international law, it is generally accepted that binding obligations are anchored in primary rules and that due diligence obligations are not an independent free-standing source of such obligations. For instance, Ollino considers that ‘due diligence is not a free-standing obligation that is, per se, a source of rights and duties for states. It is a notion that is necessarily “attached” to primary rules, whether customary or conventional, and that depends on these rules to be clearly defined’.Footnote 77 Similarly, for Peters, Krieger and Kreuzer, ‘[a]s a norm or standard, due diligence is a requirement to behave diligently. And this standard of due diligence is, in law, necessarily ancillary to some (other) legal obligation and no free-floating obligation itself’;Footnote 78 ‘due diligence cannot be characterised as a general principle of international law due to its diverse content in different fields of international law and its dependence on accompanying primary rules … [i]t is therefore immaterial whether due diligence is indeed sufficiently widespread in representative legal orders to qualify as a general principle in the sense of art 38(1)(c) of the ICJ Statute’.Footnote 79
The role and function of due diligence obligations differ from one area of international law to another where their inclusion in primary rules has been developed by States to apply to the specific attributes of each area.Footnote 80 International human rights law involves positive obligations to protect individuals, whereas international economic law involves ‘due diligence’ processes that are significantly divergent from ‘due diligence’ as a standard of behaviour in the context of the traditional no-harm rule that may involve conducting a legal, environmental and/or social audit prior to undertaking projects or other (legal) undertakings.Footnote 81 Indeed, even within particular areas of international law one must be careful drawing general conclusions about obligations from the limited context of certain precedents.Footnote 82 As McDonald concludes:
… due diligence within international law is something which requires a primary rule to be relevant. The ICJ also supports the idea that the nature of a legal obligation to act with due diligence in a given instance relies upon context, and due diligence obligations should thus not be read across from one area of international law to another.Footnote 83
Crawford supports this understanding, citing the ICJ in Pulp Mills, stating that:
[w]hile it is doubtful whether courts will be willing to impose responsibility for transboundary damage on States in the absence of an express obligation, specific regimes have been advanced for establishing different means of legal redress in the case of environmental harm.Footnote 84
Finally, in consideration of State practice it is important to note that States undertake what may be construed as activities related to performing due diligence, for example, by introducing policy guidance for their officials, some elements of which may be a consequence of a legal requirement and some of which may not, for instance where States perform such activities for policy reasons.Footnote 85 Such activities may be irrelevant as State practice in any attempt to identify a primary rule of customary international law encompassing due diligence obligations if the practice is not undertaken with the required conviction that a legal right or obligation is involved, that is, acceptance as law, or opinio juris.Footnote 86
III. DUE DILIGENCE OBLIGATIONS AND CYBER OPERATIONS
A. The Position of States in UN Fora
Following decades of debate on the application of international law to cyber operations, in the 2021 UN GGE Report adopted by consensus, States, including the five permanent members of the UN Security Council,Footnote 87 explicitly determined due diligence in cyberspace constitutes a ‘voluntary, non-binding norm of responsible State behaviour’ using non-mandatory language, including that ‘States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’:
This norm reflects an expectation that if a State is aware of or is notified in good faith that an internationally wrongful act conducted using ICTs is emanating from or transiting through its territory it will take all appropriate and reasonably available and feasible steps to detect, investigate and address the situation. It conveys an understanding that a State should not permit another State or non-State actor to use ICTs within its territory to commit internationally wrongful acts.Footnote 88
This language is used in the explicit and deliberate context of a clear section on non-binding norms of responsible State behaviour, which is separate and distinct from the section of the report on binding international law and rules of international law. As the 2021 Report explains on the relationship and distinction between international law and voluntary, non-binding norms of responsible State behaviour:
The Group reaffirms with regard to the use of ICTs by States that voluntary, non-binding norms of responsible State behaviour can reduce risks to international peace, security and stability. Norms and existing international law sit alongside each other. Norms do not seek to limit or prohibit action that is otherwise consistent with international law. They reflect the expectations of the international community and set standards for responsible State behaviour …
Given the unique attributes of ICTs, the Group reaffirms the observation of the 2015 report that additional norms could be developed over time, and, separately, notes the possibility of future elaboration of additional binding obligations, if appropriate.Footnote 89
The previous consensus 2015 UN GGE Report also addressed due diligence as the basis for a voluntary, non-binding norm of responsible State behaviourFootnote 90 following State representatives in the UN GGE process reportedly resisting the development of binding due diligence obligations in cyberspace.Footnote 91 The 2015 report was subsequently welcomed and endorsed by the UNGA by consensus.Footnote 92
The 2021 consensus UN OEWG Final Report that was open to involvement from all States and which also featured extensive discussion of due diligence obligations was unable to agree on the inclusion of any such language, even in vague non-binding terms, with the reference to due diligence obligations that initially appeared in the zero draft of the report relegated to the Chair's Summary outlining issues deemed too controversial for the main text.Footnote 93 This further demonstrates that States do not consider binding due diligence obligations exist or have been developed in relation to cyber operations.
The precise language of consensus reports of the UN GGE and UN OEWG was fiercely contested by States and involved extensive discussion of applicable international law.Footnote 94
B. Attempts to Identify Binding Obligations
The idea that there might exist a primary standalone universal due diligence ‘rule’ of customary international law is at odds with the treatment of such obligations by the ICJ and established literature outside the context of cyber operations.Footnote 95 Several commentators have characterized due diligence as a broad general principle of international law and sought to make arguments highlighting the benefits of why States should recognize, or effectively develop, binding due diligence obligations for cyber operations.Footnote 96 Despite the clear position of States in UN fora to the contrary, several academic projects and commentators have even sought to argue that States are under binding due diligence obligations in relation to cyber operations that emanate on or transit through their territory as a matter of lex lata.Footnote 97 These authors have adopted various unconvincing and ultimately flawed approaches as a basis for such arguments that ultimately rely on construing due diligence as a universal standalone source from which it is possible to identify binding obligations applicable to all areas of activity based primarily on a misrepresentation of the Corfu Channel judgment. 
Recently, a project at the University of Oxford's Institute for Ethics, Law and Armed Conflict led by Akande, Dias and Coco, funded by the Japanese Government,Footnote 98 made allegedly distinct, but upon inspection ostensibly similar assertions, claiming States are under ‘a patchwork’ of protective binding due diligence obligations in relation to cyber operations on their territory.Footnote 99 In the light of clear evidence contradicting the status of due diligence as a universal standalone source that is directly transposable to different areas or regimes to identify binding obligations,Footnote 100 the main issue faced by those arguing that States are under due diligence obligations in relation to cyber operations is surmounting the issue of locating such obligations in a primary rule or rules.
1. Encouragement for the development of due diligence obligations
Kulesza, who made a comprehensive argument in a 2016 monograph that due diligence is a general principle of international law,Footnote 101 then suggested that we were heading ‘toward a due diligence standard for cyberspace’.Footnote 102 The argument by Kulesza appears to maintain that due diligence is a principle that is universally relevant to all areas of activity while at the same time claims that States are heading towards developing the content and scope of binding obligations in the context of cyber operations. Such an argument demonstrates exactly why States have developed primary rules containing due diligence obligations in relation to specific areas with unique attributes: the unique attributes in those discrete contexts inform the development of the content and scope of obligations in primary rules, as Kulesza explores in great detail in various areas where such obligations have been developed.Footnote 103 Indeed, Kulesza extensively details the difficult but necessary process required to develop the content of such obligations for cyber operations,Footnote 104 and the language of the argument clearly indicates that such binding obligations have not yet been recognized or developed by States. Kulesza goes on to argue that ‘[d]ue diligence in cyberspace offers a noteworthy alternative to the still arguable and strongly disputed military qualification of cyberattacks, attempting to view them as acts of armed aggression, possibly allowing an armed response’.Footnote 105 In this sense, the attempt to construe due diligence as a general principle in this manner has been adopted to provide a broader basis from which to recognize or develop primary rules containing binding due diligence obligations in areas where they have not yet been established.
In a 2015 article, Schmitt, the director of the Tallinn Manual projects, openly acknowledged extensive ‘opposition [from States] to due diligence in international cyber law’ and discussed the ‘consequences of opposing the due diligence obligation’, with States being ‘conflicted’ over whether to commit to recognizing or developing specific due diligence obligations in the context of cyber, which he observed would serve to hamper their own operations as well as that of other actors, or to avoid such regulation and maintain operational freedom but allow others to do the same.Footnote 106 Schmitt argued that the benefits for States of recognizing binding due diligence obligations for cyber operations outweigh the risks of not doing so, in what is clearly a lex ferenda proposal demonstrating frustration over States having failed to do so:
On the one hand, if states build ‘normative firewalls’ by adopting interpretations of the existing law that restrict cyber operations, they will paradoxically also limit their own freedom of action in cyberspace. Alternatively, any interpretive crystallization that safeguards the margin of discretion enjoyed by states vis-à-vis cyber activities necessarily leaves their cyber systems at risk. Since states accordingly find themselves conflicted when trying to make legal-policy decisions regarding cyber norms, virtually all in-depth work in the field has emerged from the academy. This is an unfortunate reality with deleterious consequences for international law making.Footnote 107
Notably, this publication by Schmitt that encourages States to recognize or develop binding due diligence obligations in relation to cyber operations and which identifies significant opposition from States to do so was published in 2015, only a year before the findings of the Tallinn Manual 2.0 were adopted in 2016 (published in 2017), which confidently asserts such binding obligations exist as lex lata, despite no significant progress or change in the positions of States. Furthermore, the original Tallinn Manual published in 2013 recognized significant disagreements among the Group of Experts relating to the application of due diligence obligations in the cyber context.Footnote 108
In each of these texts that were published prior to the Tallinn Manual 2.0, the mere fact that the authors encourage States to recognize or develop due diligence obligations for cyber operations is a testament that such obligations do not exist.
2. Assertions of obligations as lex lata
Specifically, the Tallinn Manual 2.0 contends that based upon the assertion that due diligence is a general principle of international law, ‘[a] [S]tate must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States’.Footnote 109 While the underlying argument that due diligence should be recognized as a general principle of international law has been made in several ambitious academic publications,Footnote 110 such a position is clearly at odds with the status of due diligence obligations in international law, as recognized by international courts and tribunals discussed in the previous section of this article. It is certainly by no means an uncontroversial position, nor commonly accepted, and to present it as such is misleading and clearly has been carefully adopted to construct a foundation to assert that States are under binding due diligence obligations in relation to cyber operations on their territory.
The Manual refers to a ‘due diligence principle’, which it claims ‘is the term most commonly used with respect to the obligation of States to control activities on their territory’, though no specific citations are provided of the term used in this manner.Footnote 111 According to its text, ‘[due diligence] is a general principle that has been particularised in specialised regimes of international law’,Footnote 112 presumably in the sense of Article 38(1)(c) of the ICJ Statute. The assertion that due diligence is a general principle of international law and that ‘States must exercise due diligence in ensuring territory and objects over which they enjoy sovereignty are not used to harm other States’ appears to be based primarily on a misrepresentation of the ICJ's Corfu Channel judgment. As the Manual states:
A dictum in the International Court of Justice's Corfu Channel judgment, which observes that ‘it is every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States’, sets forth the generally recognised contemporary definition of the due diligence principle.Footnote 113
Consequently, the Manual claims that ‘[p]roperly understood, due diligence is the standard of conduct expected of States when complying with this principle’, and that ‘[i]t is a principle that is reflected in the rules, and interpretation thereof, of numerous specialised regimes of international law’.Footnote 114 However, the very existence of a category of ‘general principles of law formed within the international legal system’ remains highly controversial in the ongoing work of the ILC on the topic of General principles of law, where significant concerns have been raised within the Commission and the Sixth Committee that the recognition of such a category risks undermining customary international law as a method of identifying primary rules by effectively serving as a ‘custom-lite’Footnote 115 without the requirement of opinio juris.Footnote 116 It is precisely this flexibility that the editors appear to seek to exploit in making such a claim, circumventing the lack of State practice and opinio juris for a rule of custom containing binding due diligence obligations in cyberspace.Footnote 117
As explained in the previous section of this article, in Corfu Channel the Court clearly identified that the legal obligation emanated from primary rules of international law in relation to that discrete context, specifically, the obligation to respect and not to hamper the right of innocent passage.Footnote 118 More importantly, this has since been reaffirmed in other cases where the Court has dealt with due diligence obligations, which as explained have confirmed that the approach of the Court is first to identify relevant primary rules before considering any due diligence obligations required by those rules in the context of the particular scenario in question. The Manual is correct that primary rules containing due diligence obligations exist in ‘specialised regimes’ where States have endeavoured to develop them in the context of those scenarios, but the key point is that, as confirmed by the approach of the Court, such obligations must be anchored in primary rules. The fact that those seeking to represent due diligence as a universal standalone source do so by taking advantage of the relatively open phrasing of the Corfu Channel judgment alone is revealing in their circumvention of the clearer subsequent judgments of the Court on the nature of due diligence obligations. The Manual's assertion that ‘[due diligence] is a principle that is reflected in the rules, and interpretation thereof, of numerous specialised regimes of international law’Footnote 119 does nothing to establish what primary rule such obligations are contained within in relation to cyber operations. Even the nature of due diligence obligations under any specific rule may vary from case to case.Footnote 120 For instance, in relation to due diligence obligations, the control of territory alone is not necessarily sufficient to establish the responsibility of a State for actions occurring therein.Footnote 121
Unlike traditional kinetic operations, cyber operations depend on the internet, whose traffic is almost exclusively transmitted by terrestrial and undersea fibre-optic cables that pass through the territory of multiple States without regard for borders. Even mundane operations such as sending an email from one user to another will often pass through the territory of numerous States to be stored on servers on the territory of another State before a recipient requests that information from their location, which may again be located on yet another State's territory.Footnote 122 In addition to regular internet traffic, a large volume of malicious forms of cyber operations manifest on and pass through the territory of States at any given time as a result of these attributes, and States routinely conduct offensive cyber operations targeting systems on the territory of other States to achieve defensive and strategic objectives.Footnote 123 Although States with the technical capabilities to do so, often in partnership with the private sector that dominates monitoring and responding to malicious cyber operations, conduct cybersecurity activities to defend against offensive cyber operations on their territory, there are no known instances of such activities being carried out by States because they consider themselves to be under a legal obligation of due diligence.Footnote 124 Reflecting this practical reality, assertions that States are under binding due diligence obligations in relation to cyber operations involve very particular assumptions of the content and nature of those obligations in the cyber context without any legal authority.
It took years for binding due diligence obligations to be developed in primary rules in the field of international environmental law, and it is unreasonable to seek to transpose such obligations from this—or indeed any other field—in a universal manner to cyber operations without authority or consent from States in doing so, with demonstrably contrary State practice and insufficient opinio juris to identify such obligations and their content. Those seeking to assert that States are under binding due diligence obligations in relation to cyber operations on their territory have attempted to bypass or circumvent State positions as reflected in consensus reports of UN fora—in this case the explicit agreement in the UN GGE defining such obligations as a voluntary non-binding norm of responsible State behaviour and the UN OEWG's clear reluctance to recognize or develop binding due diligence obligations in relation to cyber operations—by characterizing cyber operations as mere ‘technological developments’, to which all rules, and obligations, of international law apply by default.Footnote 125
In 2021 Coco and Dias noted controversy over ‘whether states are bound by an obligation to behave diligently in cyberspace, an area of state activity that comprises information and communication technologies (ICTs) having a physical, logical and personal dimension’.Footnote 126 However, the authors state that while ‘on the one hand’ the UN GGE processes failed to confirm such legal obligations existed, though the UN GGE explicitly identified due diligence as a voluntary, non-binding norm of responsible State behaviour for cyber operations (the UN OEWG, which failed to include any such language, is omitted), ‘on the other hand’, Rule 6 of the Tallinn Manual 2.0 states that ‘a general rule or principle of this kind already exists in customary international law, and is applicable in cyberspace’.Footnote 127 The authors state that ‘these views seem irreconcilable, and neither of them has gone unchallenged’.Footnote 128 However, these two opposing views are clearly not equivalent in status; indeed, such a premise unfairly implies opposing positions supported by comparable legal authority. The consensus Reports of the UN GGE explicitly determined that such obligations were ‘voluntary, non-binding norms of responsible State behaviour’,Footnote 129 and the consensus Final Report of the UN OEWG failed to include any language on due diligence obligations after much deliberation on the issue, which clearly demonstrate that States do not consider themselves to be under any binding due diligence obligations in relation to cyber operations as a matter of international law.
Despite their significant influence on the debate, the Tallinn Manual publications suffer from a particular bias both in relation to their underlying approach and the composition of their Group of Experts.Footnote 130 The ‘Rules’ of the Tallinn Manual 2.0 are often cited in a manner disproportionate to their status,Footnote 131 and this is a clear example of that: a North Atlantic Treaty Organization (NATO) initiative academic publication that seeks to pursue a particular agenda in its approach and assertions surely is not equivalent to consensus reports from multiple UN processes wherein States have discussed and negotiated how international law should apply to State cyber operations over a number of decades.
Perhaps aware of the fundamental weaknesses in claiming due diligence is a general principle from which binding due diligence obligations may be universally derived for all areas of activity, and in light of the further solidified position of States in UN fora that clearly do not agree with the existence of such binding obligations for cyber operations, Coco and Dias contend that this ‘current debate misses the point by focusing too much on the meaning of “due diligence” and its applicability to cyberspace’, and lament these resulting ‘binary, “all-or-nothing” views’.Footnote 132 However, the fact remains that States are either under legally binding due diligence obligations in relation to cyber operations on their territory, or they are not. Seeking to distinguish themselves from other positions but still recognizing their foundation in primary rules, the authors propose:
… to shift the debate from label to substance. Rather than inquiring whether ‘due diligence’ applies in cyberspace, the question we should be asking is to what extent states have obligations to protect other states and individuals from cyber harms. In answering this question, we conclude that whether or not a general principle of due diligence applies to ICTs or a binding, cyber-specific ‘due diligence rule’ exists, states continue to be bound by a patchwork of duties to prevent, stop and redress harm applying by default to cyberspace. These ‘protective obligations’ are grounded in several primary rules of international law enshrining a standard of due diligence – that is, obligations that require states to exert their best efforts in preventing, halting and redressing a variety of harms, online and offline.Footnote 133
The benefits of States developing or recognizing due diligence obligations in cyberspace are promoted as follows:
In this context of great uncertainty and increased cyber threats, due diligence features as a promising route to accountability, peace and security in cyberspace: it requires states to employ their best efforts to prevent, halt and redress a range of known or foreseeable cyber harms emanating from or transiting through their territory, regardless of who or what caused them. For instance, during the COVID-19 pandemic, EU [European Union] member states have ‘call[ed] upon every country to exercise due diligence and take appropriate actions against actors conducting [malicious cyber operations] from its territory, consistent with international law’.Footnote 134
Note the language of ‘promising route’ that implies the necessary development or recognition of such obligations by States. The referenced press release made on behalf of EU Member States during the COVID-19 pandemic is not evidence or authority that due diligence obligations apply generally to any given scenario.Footnote 135 The press release neither speaks of obligations under international law, only of ‘[consistency] with international law’ as an additional clarifying point at the end of the quoted sentence, nor does it speak for all States in such a matter.Footnote 136 A more objective and thorough examination of due diligence obligations in relation to COVID-19 determines that ‘due diligence cannot be characterised as a general principle of international law due to its diverse content in different fields of international law and its dependence on accompanying primary rules’.Footnote 137
Building on the presentation of a paper advancing these arguments in workshops in 2020,Footnote 138 the 2021 article by Coco and Dias appears to portray significant uncertainty among the authors over the existence of a ‘general principle’ of due diligence, again presumably in the sense of Article 38(1)(c) of the ICJ Statute, from which it is possible to derive binding obligations for all areas of activity: ‘is there a general principle of due diligence in international law? Perhaps.’Footnote 139 Instead, the authors chose to rely upon an alternative ‘patchwork of protective obligations’ that have a purported basis in ‘several primary rules of international law’.Footnote 140
The core of their argument may be summarized as follows. First, the authors assert that ‘the entirety of international law’—including ‘protective’ obligations—applies by default to cyberspace, ‘in the absence of leges speciales to the contrary’,Footnote 141 a claim they state is supported by State practice and opinio juris.Footnote 142 Second, the authors identify ‘four sets of protective duties requiring states to prevent, halt or redress certain harms by behaving diligently in cyberspace’,Footnote 143 where the two main sources of these obligations ‘can be traced to primary obligations of general international law’.Footnote 144
The first point, that ‘the entirety of international law’—including ‘protective’ obligations—applies by default to cyberspace, ‘in the absence of leges speciales to the contrary’,Footnote 145 attempts to minimize the unique nature of the attributes of cyber operations and the challenges they present for the application of international law as a basis to affirm that certain rules and obligations apply to them without State practice and opinio juris, or indeed the consent of States. The consensus UN GGE reports explicitly recognize that challenges presented by the ‘unique attributes’ of cyber operations mean ‘additional norms could be developed over time’,Footnote 146 and that ‘existing norms may be formulated for application to the ICT environment … where additional norms that take into account the complexity and unique attributes of ICTs may need to be developed’.Footnote 147 The final report of the UN OEWG, also adopted by consensus, recognized that ‘additional norms could continue to be developed over time’, and that ‘the further development of norms, and the implementation of existing norms were not mutually exclusive but could take place in parallel’.Footnote 148
It is plainly not the case from the treatment of the ICJ and sources discussed in the previous section of this article that binding due diligence obligations automatically exist universally in any and all areas of activities unless a rule exists to the contrary. This assertion is contrary to positivism and the very involvement of States and their consent in the formation and development of international law, and ignores areas of activity where binding obligations do not exist, or where soft-law obligations exist that are not binding, for example, a failure to take adequate measures to prevent the collapse of a banking system which may lead to a global financial crisis, a field in which only soft-law obligations exist.Footnote 149 In certain areas, soft law beyond the formal sources of Article 38 of the ICJ Statute has played a role in shaping due diligence standards; however, the interchangeable reliance on sources of international law and soft law provides yet further confusion and has been criticized as such.Footnote 150 The ICJ clearly recognizes that due diligence obligations are based in primary rules, and has explicitly cautioned against the transposition of due diligence obligations from one area of international law to another.Footnote 151 Indeed, the authors extensively detail how due diligence obligations vary across the different ‘protective’ obligations where they have been developed by States in relation to the circumstances and fields in which they apply.Footnote 152
To the second point, the authors identify ‘four sets of protective duties requiring states to prevent, halt or redress certain harms by behaving diligently in cyberspace’:
Two of these can be traced to primary obligations of general international law: (i) the duty of states not to knowingly allow their territory to be used for acts that are contrary to the rights of third states, articulated in the Corfu Channel case, which we call the ‘Corfu Channel’ principle; and (ii) states’ duty to prevent and remedy significant transboundary harm, even if caused by lawful activities, known as the ‘no-harm’ principle. In addition, specific bodies of international law establish due diligence duties which also apply to cyberspace. Of particular relevance to ICTs are: (iii) the obligation of states to protect human rights within their jurisdiction; and (iv) states’ duties to ensure respect for international humanitarian law and to adopt precautionary measures against the effects of attacks in the event of an armed conflict. We locate the legal basis of each of those primary rules in customary or conventional international law, unpack the various standards of due diligence they enshrine and explore the extent to which they apply to states’ use of ICTs.Footnote 153
However, far from a ‘paradigm shift in the understanding and conceptualization of international law concerning diligent state behaviour in cyberspace’,Footnote 154 this ‘patchwork approach’ appears to constitute only a superficial attempt to distance itself from arguments that due diligence is a general principle in international law from which it is possible to derive binding obligations across all areas of State activities, but which ultimately relies upon the same flawed basis and therefore encounters the same problems as such arguments. Namely, first, due diligence obligations must be contained within primary rules, and second, due diligence, or its component parts, are not primary rules from which universally binding obligations may be identified across all areas of activity. Indeed, breaking the argument of a general principle of due diligence obligations down into separate composite principles does not serve to strengthen the argument; if anything, there is even less cumulative authority in support of a so-called ‘Corfu Channel principle’ and a ‘no-harm principle’. Such terms have not previously been employed by international courts or in literature to denote their status as primary rules from which it is possible to derive universal binding due diligence obligations for all areas of activity.
The third and fourth ‘protective duties’ are also misleading as they introduce other specific areas where due diligence obligations would be anchored in primary rules in an attempt to strengthen these general underlying normative ‘patchwork’ claims in the cyber context. The human rights context mirrors complications concerning the application of international law to cyberspace more broadly: the consequences of challenges presented by the unique nature of cyber operations result in the ‘radical reinterpretation of existing human rights norms, the emergence of new digital human rights, and the extension of human rights law to new right-holders and duty-holders’, where ‘developments relating to digital human rights are also contributing to, and are influenced by, broader changes in IHRL [international human rights law]’ including ‘the [ongoing] expansion of positive obligations relating to the conduct of private companies’.Footnote 155 While international humanitarian law faces similar normative issues in relation to the challenges presented by the unique nature of cyber operations, their scope is limited in that the vast majority of cyber operations consist of low-level intrusions that take place outside of armed conflict, where international humanitarian law is not implicated. Furthermore, actions undertaken by States that are performed for non-legal reasons in this area should not be taken as evidence of an overarching obligation,Footnote 156 and to the extent that due diligence obligations exist they would be more properly characterized as part of individual primary rules of international law.Footnote 157 In any case, the development or existence of binding obligations in these areas has no bearing on the claim that due diligence (or composite principles of due diligence) is a universal standalone source from which it is possible to derive binding obligations for all areas of activity. 
This conflation with obligations of conduct in other areas of law is particularly apparent in the recent positions of Costa Rica and Ireland, which appear to have been influenced by these arguments in citing the application of due diligence obligations in international human rights law and international humanitarian law.Footnote 158
Ultimately, like preceding attempts to identify binding due diligence obligations for cyber operations based upon construing due diligence as a general principle, the heavy lifting of these assertions rests on a fundamental misrepresentation of the Corfu Channel judgment (the ‘Corfu Channel principle’) and the traditional no-harm rule established in the field of international environmental law. The assertion that binding obligations for all areas of activity may be identified from a ‘Corfu Channel principle’ and a ‘no-harm principle’ is wholly at odds with the status and function of due diligence obligations and the treatment of such obligations by the ICJ as examined in the second part of this article, and the authors are unable to provide any authority beyond the Tallinn Manual 2.0 and like-minded cyber-specific literature in support of these assertions.
Notably, the legal obligation in Corfu Channel emanated from primary rules of international law in relation to that discrete context, specifically, the right of innocent passage and the concomitant obligation of the coastal States not to hamper this right.Footnote 159 The Court's conclusion was that ‘it is only in relation to established rights that an obligation of due diligence is owed by one State to another (in the Corfu Channel case, the right of innocent passage)’.Footnote 160 In this manner, it was the finding of the Court on innocent passage that was crucial for the outcome of the case.Footnote 161 This is consistent with the ICJ's treatment of due diligence obligations in later cases which underlines that they must be anchored in a primary rule in order to arise,Footnote 162 and the Court's explicit caution against the transposition of due diligence obligations from one area of international law to another.Footnote 163
The attempt to broaden the application of the customary no-harm rule developed in international environmental law to cyberspace is problematic for these same reasons: in order to make such an argument, it is necessary both to misrepresent the character of the no-harm principle in international environmental law as possessing a far broader application, and to contradict the contrary treatment of such obligations in ICJ case law by claiming that such a universal standalone source exists from which it is possible to derive binding obligations for all areas of activity due to insufficient State practice and opinio juris in support of a customary rule for cyberspace.Footnote 164 However, even tracing the no-harm rule back to before the ICJ's treatment of due diligence obligations does not provide support for such an argument, where the statement of law relating to due diligence was addressed by international tribunals in Spanish Zone,Footnote 165 Island of PalmasFootnote 166 and Trail Smelter.Footnote 167 In 1925, in the Spanish Zone case, Max Huber stated that ‘[t]he responsibility for events which may affect international law and which occur in a given territory goes hand in hand with the right to exercise, to the exclusion of other States, the prerogatives of sovereignty’.Footnote 168 Similarly, in the 1928 Island of Palmas Award Huber stated that by virtue of their territorial sovereignty States have ‘the obligation to protect within the territory the rights of other States’.Footnote 169 Finally, in the Trail Smelter Award the tribunal stated that:
… under the principles of international law, as well as of the law of the United States, no State has the right to use or permit the use of its territory in such a manner as to cause injury by fumes in or to the territory of another or the properties or persons therein, when the case is of serious consequence and the injury is established by clear and convincing evidence.Footnote 170
This statement from Trail Smelter, along with the Corfu Channel case, is considered to form the cornerstone of international environmental law as reiterated in ICJ cases that followed. In its Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, the ICJ affirmed for the first time that customary obligations had developed within international environmental law:
The existence of the general obligation of States to ensure that activities within their jurisdiction and control respect the environment of other states or of areas beyond national control is now part of the corpus of international law relating to the environment.Footnote 171
The status of this customary rule was clearly established in international environmental law, as affirmed by subsequent case law.Footnote 172 In light of the ICJ's recognition that due diligence obligations are based in primary rules and explicit cautioning against the transposition of due diligence obligations from one area of international law to another,Footnote 173 binding obligations do not automatically extend to activity in cyberspace. Even within the context of international environmental law where this rule crystallized,Footnote 174 ‘[c]ertainly not all instances of transboundary damage resulting from activities within a State's territory can be prevented or are unlawful’.Footnote 175 Beyond the above quoted statements in Spanish Zone, Island of Palmas and Trail Smelter that may be understood to constitute ‘really no more than statements of what sovereignty means’,Footnote 176 many arbitral awards prior to Corfu Channel also applied specific primary rules of due diligence relating to the protection of aliens and foreign State representatives.Footnote 177 Furthermore, the approach of the Court in Corfu Channel provides an additional demonstration that due diligence obligations are anchored in primary rules: the Hague Convention VIII of 1907 Relative to the Laying of Automatic Submarine Contact Mines was, contrary to UK pleadings, not held to be applicable because it was restricted to times of war.Footnote 178
Ollino summarizes the significance of Corfu Channel and Pulp Mills as follows:
In the Corfu Channel case, the ICJ judges inferred Albania's duty to exercise due diligence by way of notification from a combination of established rights (the right of innocent passage) and obligations (the alienum non laedas obligation). In Pulp Mills, the court appeared to invoke due diligence as a shorthand expression for identifying the no-harm rule and the underlying nature of the conduct that this obligation imposes on states. Both in the Corfu Channel and Pulp Mills decisions, the duty to exercise due diligence was indeed highly contextualised and construed in relation to the general principles and obligations (the primary rules) to which it applied.Footnote 179
Influenced by these assertions seeking to identify binding obligations in cyberspace, an increasing number of mostly European States have released statements on the application of international law to cyber operations that may be considered to provide support for due diligence obligations for cyber operations based upon these misrepresentations of the status and function of due diligence.Footnote 180 However, even States that endorse a binding rule of due diligence for cyber operations recognize clear disagreement over its existence and application,Footnote 181 or express the expectation that such obligations will develop and crystallize over time.Footnote 182 These States also maintain significant differences on what the content of such obligations should entail in cyberspace, in particular in relation to the level of knowledge that a State is required to have, the types of activity a State is required to carry out in accordance with their legal obligation, and the seriousness of the harm caused by the malicious cyber activity on the territory.Footnote 183 In practice, opinio juris is often difficult to ascertain because in their behaviour States may or may not be wilfully pursuing the objective of contributing to the creation, the modification, or the termination of a customary rule.Footnote 184 As such, in expressing views as to whether certain behaviours are legally obligatory or as to whether a particular rule of customary law exists, it is challenging to differentiate real expressions of belief (manifestations of opinio juris), from acts made with the purpose of influencing the formation, the modification or the termination of a customary rule.
In reaction to these claims, other States have expressed more accurate understandings of the status of due diligence obligations reflected in sources of international law, with some reasonably reiterating that references to due diligence activities in UN GGE Reports, adopted by consensus, were explicitly defined as voluntary, non-binding norms of responsible State behaviour:Footnote 185 namely, that such obligations develop as part of primary rules in particular contexts, and there is currently insufficient State practice and opinio juris for such a primary rule to crystallize containing binding due diligence obligations that apply to cyber operations.
Others have generally called for due diligence obligations to be developed if they are to become establishedFootnote 186 or make statements featuring non-mandatory language that are consistent with due diligence in relation to cyber operations as a voluntary non-binding norm of responsible State behaviour as reflected by State positions in UN fora consensus reports.Footnote 187 Notably, States with the most advanced cyber capabilities do not recognize binding due diligence obligations in relation to cyber operations.Footnote 188 Reports by Hollis for the Organization of American States on international law and State cyber operations which directly solicited State views on whether due diligence ‘[qualifies] as a rule of international law that States must follow’ in cyberspace determined that ‘at the global level there is no universal consensus among States on what existing general international laws apply to cyber operations, let alone how they do so’, noting reluctance, ‘outstanding controversy and confusion on whether certain existing international legal regimes apply to cyber operations, including … due diligence’.Footnote 189 Furthermore, there are sparse instances where States have invoked the language of international law to activities in cyberspace generally,Footnote 190 and no examples of State actions in cyberspace have been reported to have been performed in compliance with a legal due diligence obligation.
Israel explains the clear and deliberate reasoning behind the explicit and consensus agreement among States—including the permanent five members of the Security Council—to use language of ‘non-binding and voluntary’ (that was also expressed by other States) in the UN GGE Reports, following an approach compatible with the Court's position in the Prevention and Punishment of the Crime of Genocide in cautioning against applying rules developed in different contexts,Footnote 191 to cyberspace:
In the 2015 UN GGE Report, the concept [of due diligence] was addressed as the basis for a voluntary, non-binding norm of responsible State behavior, providing that States should not allow their territory to be used for the commission of international wrongful acts. There was wisdom in mentioning it in the chapter covering norms of responsible State behavior, as it does not, at this point in time, translate into a binding rule of international law in the cyber context. This was the position expressed by other States as well.
… we have to be careful in applying to the cyber domain rules that emerged in a different, distinct context …
… we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form.Footnote 192
New Zealand takes a similar position and states that due diligence obligations in relation to cyber operations are yet to crystallize (into a primary rule of customary international law):
An agreed norm of responsible state behaviour provides that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. Whether this norm also reflects a binding legal obligation is not settled …
New Zealand is not yet convinced that a cyber-specific ‘due diligence’ obligation has crystallised in international law. It is clear that states are not obliged to monitor all cyber activities on their territories or to prevent all malicious use of cyber infrastructure within their borders. If a legally binding due diligence obligation were to apply to cyber activities, New Zealand considers it should apply only where states have actual, rather than constructive, knowledge of the malicious activity, and should only require states to take reasonable steps within their capacity to bring the activity to an end.Footnote 193
The UK further highlights the clear language of the 2021 UN GGE Report which explicitly defines due diligence obligations as a non-binding and voluntary norm of responsible State behaviour:
UNGGE Norm 13(c) provides that States should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology. This norm provides guidance on what may be expected to constitute appropriate State behaviour … the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace.Footnote 194
The US adopts a similar position, citing the lack of State practice and opinio juris in relation to assertions of due diligence as a general obligation under international law in relation to cyber operations:
In recent public statements on how international law applies in cyberspace, a few States have referenced the concept of ‘due diligence’: that States have a general international law obligation to take steps to address activity emanating from their territory that is harmful to other States, and that such a general obligation applies more specifically, as a matter of international law, to cyber activities. The United States has not identified the State practice and opinio juris that would support a claim that due diligence currently constitutes a general obligation under international law.Footnote 195
Argentina has asserted that ‘under international law, there is no obligation of due diligence when it comes to cybersecurity’.Footnote 196 The Russian Federation provides further evidence that States do not consider themselves to be under binding due diligence obligations, explicitly questioning the ‘automatic’ extrapolation of international law to cyber operations and proposing the drafting of an international treatyFootnote 197 that has received significant support among States, establishing a UN process to draft a global ‘cybercrime’ treaty to govern cyber operations.Footnote 198
Even the Cyber Law Toolkit, a website affiliated with the same body responsible for creating the Tallinn Manual projects, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCoE), that maintains a collection of State positions on matters of international law related to cyber operations, currently acknowledges that ‘[i]t is the matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations’.Footnote 199
In the North Sea Continental Shelf cases the ICJ stated that State practice must be ‘both extensive and virtually uniform’, and that it must include the practice ‘of States whose interests are specially affected’.Footnote 200 While States that possess relatively modest or undeveloped cyber capabilities have yet to contribute to State practice through conducting operations in a manner that is easily identifiable from publicly available information, it is possible to identify a common trend of offensive practice in States conducting cyber operations which target systems on the territory of foreign States among those that possess the capabilities to conduct such operations.Footnote 201 The US (‘defend forward’),Footnote 202 the UK (‘active defence’),Footnote 203 Canada (‘active cyber’),Footnote 204 New Zealand (‘internationally active’ engagement)Footnote 205 and Australia (‘deter and respond’)Footnote 206 are examples of States that recognize the routine conduct of low-level cyber operations in official policy documents. These States clearly consider such operations to be in full compliance with their obligations under international law.Footnote 207 Furthermore, even States that endorse the recognition of binding due diligence obligations in cyberspace, such as France and the Netherlands, carry out offensive cyber operations on the territory of other States that may implicate such obligations of conduct.Footnote 208
IV. RISKS OF CONSTRUING DUE DILIGENCE AS UNIVERSAL STANDALONE SOURCE
Beyond the inherent difficulties in supporting such claims, there are many reasons why assertions that due diligence should be treated as a universal standalone source from which it is possible to identify binding obligations across all areas of activity create significant risks and are ill advised. Specifically, there are risks that such assertions will serve to dilute substantive obligations and undermine the effectiveness and legitimacy of international law.
The effective function of due diligence obligations requires development as a procedure in any particular context, where reliance on a general concept of due diligence invoked as a ‘buzzword’ that has not been fleshed out to account for those attributes risks powerful States defining what is ‘due’ in their best interests.Footnote 209 Attempts to frame due diligence as a universal standalone source in this manner as a broad (indeterminate) normative standard may ‘undermine the capacity of the law to govern behaviour, because the vague and blurry terms of those norms give plenty of leeway to those interpreting and applying them’, ‘[undermining] the international rule of law’.Footnote 210 Furthermore, the introduction of due diligence obligations where treaty regimes previously provided substantive standards may serve to dilute the strictness of such standards by introducing State discretion.Footnote 211
In the context of State cyber operations, some States such as Russia and China refer to the principle of sovereignty in relation to concerns over national security in an effort to justify restrictions on access to information and restrictions upon free speech and expression online.Footnote 212 Without development in relation to the unique attributes of cyberspace, a broad duty to monitor and prevent harmful activities in cyberspace may be used to legitimize such restrictions and even to disregard human rights violations, and may also offer further justifications in relation to disproportionate State surveillance programmes,Footnote 213 for example, the widespread mass-surveillance programmes conducted by the US.Footnote 214 At the same time, the further one goes in identifying the specific content of such obligations in prescribing appropriate measures tailored to the unique characteristics of cyberspace—for instance, suggesting States must establish certain technical bodies that perform particular cyber-related monitoring tasks—the harder it is to maintain that such content is possible to extrapolate through a process of ‘interpretation’ from a universal standalone source of due diligence from which it is claimed it is possible to derive binding obligations for all areas of activity without State consent.Footnote 215 Additionally, in the context of States undertaking activities as a matter of policy outside of legal obligations, such as activities related to cybersecurity, it is important to recognize that ‘pushing for a “general principle of due diligence” in international law … risks having a chilling effect on this positive legal/policy “due diligence” behaviour by States’.Footnote 216 In addition to their remote, prolific and continuous nature, monitoring and response to malicious cyber operations is almost exclusively carried out by companies in the private sector. As Israel notes:
The inherently different features of cyberspace—its decentralization and private characteristics—incentivize cooperation between States on a voluntary basis, such as with the case of national Computer Emergency Response Teams (CERTs). CERTs are already doing what could arguably fall into that category: exchanging information with one another, as well as cooperating with each other in mitigating incidents [where this practice is voluntary and not grounded in opinio juris].Footnote 217
A further consideration for States in deciding whether to develop binding due diligence obligations in cyberspace relates to the debate led by the editors of the Tallinn Manual 2.0 that promotes a ‘rule’ of sovereignty in cyberspace based on Rule 4 of the Manual.Footnote 218 States that do not recognize a ‘rule’ of sovereignty enjoy the operational freedom to conduct operations to defend and deter malicious cyber operations emanating from the territory of another State at its source (below the threshold of use of force and prohibited intervention). It would be reasonable to assume that States that acknowledge conducting offensive cyber operations to achieve defensive and strategic objectives consider that they currently provide a more efficient and effective means of addressing threats emanating from the territory of another State than forming specific binding due diligence obligations whose breach may give rise to the possibility to invoke countermeasures in limited circumstances where capabilities and response times are critical. States enjoy various means by which to engage in unfriendly acts and retorsion below the threshold of international wrongfulness.Footnote 219 Indeed, part of the reluctance of States in recognizing a ‘rule’ of sovereignty in cyberspace relates to concerns over limiting the freedom to conduct precisely these kinds of operations.Footnote 220 Furthermore, some States have expressed concern about the possibility of invoking countermeasures in cyberspace and it has been suggested that countermeasures may risk escalating disputes between States, especially where States maintain such divergent views over the existence of rules and their application in cyberspace.Footnote 221
Even if one ignores the many flaws raised by such assertions and assumes the premise that due diligence obligations are a freestanding source from which it is possible to derive binding obligations for all areas of activity, it is unclear how that argument is reconcilable with the many areas of activity where it is accepted that only soft-law non-binding obligations exist. Examples include failure to take adequate measures to prevent the collapse of a banking system which may lead to a global financial crisis,Footnote 222 harmful transmissions or broadcasts emanating from State territories,Footnote 223 or in the area of business and human rights where for decades scholars and NGOs have sought to promote the ‘hardening’ of soft law by developing binding due diligence obligations in primary rules and domestic law,Footnote 224 and in relation to similar campaigns concerning human rights due diligence obligations.Footnote 225 Indeed, States would surely be shocked to learn of the sudden existence of binding due diligence obligations in all areas of activity on their territories where previously only soft law existed without their consent. It would remain a mystery why States went to such great lengths in forming specific primary rules containing due diligence obligations for certain areas of activity in the first place, and why they have not relied on such universal obligations rather than specific primary rules in cases before the ICJ. Similarly, the current intergovernmental working group at the UN producing the draft of a new legally binding instrument on business and human rightsFootnote 226 would be relieved to learn that such obligations already exist. These examples demonstrate the absurdity of such arguments and the clear detachment of this scholarship from the reality of the status of due diligence obligations in international law.
Due consideration does not appear to have been given to implications of these assertions outside the narrow confines of cyber operations, where they would effectively constitute a radical transformation of the international rules-based system, fundamentally altering the obligations of States under international law. For example, take the position of Romania which follows the unsound assertions addressed critically by this article:
The due diligence principle entails that a State may be responsible for the effects of the conduct of private persons, if it failed to take necessary measures to prevent those effects.
This principle (which implies a certain obligation of conduct on the part of States) was enunciated by the ICJ in its Corfu Channel judgment emphasizing that every State is under an ‘obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States’.Footnote 227
The consequences of recognizing such an overarching broad universal standalone source of due diligence from which binding obligations derive that apply to all areas of activity (including cyberspace), encompassing the conduct of private persons, are extraordinary and contrary to the many areas of activity where only soft law exists: do we then assume that Romania considers itself and others to be under binding obligations for all areas of activity including the conduct of non-State actors, for instance, the activities of corporations concerning the area of business and human rights?
Finally, concerns have been raised that a normative consideration against establishing due diligence as a general principle would be that ‘it would not be adequate as a fallback rule’.Footnote 228 According to Peters, Krieger and Kreuzer, ‘[t]urning the due diligence standard into an overarching obligation to behave diligently in international relations would imply that due diligence is normatively more desirable than other standards (such as absolute harm prevention on the one side or mere avoidance of gross recklessness on the other side) [that] would create an additional legal argumentative burden for States when they intend to apply a different liability standard [and] restrict the States’ freedom to work out the most appropriate allocation of accountability’.Footnote 229
V. CONCLUSION
Contrary to assertions advanced in scholarship claiming that due diligence is a standalone universal source from which binding obligations may be derived for all areas of activity, States have developed binding due diligence obligations in particular areas of activity encompassed within primary rules tailored to those discrete contexts. The ICJ's treatment of due diligence obligations clearly underlines that they must be anchored in a primary rule in order to arise and that the nature of a legal obligation to act with due diligence is specific to a particular context. Indeed, the Court has explicitly cautioned against the transposition of due diligence obligations from one area of international law to another, recognizing that similar ‘obligations to prevent’ exist in various treaties but that the content of the obligations to act with due diligence was not comparable between treaty regimes and different rules of customary international law.Footnote 230
There is currently insufficient State practice and opinio juris to support the crystallization of a rule of customary international law containing binding due diligence obligations in cyberspace. Indeed, there is a significant body of offensive State practice of cyber operations targeting systems on the territory of foreign States that is inconsistent with the existence of a primary rule containing binding due diligence obligations in cyberspace.Footnote 231 Furthermore, there is no known practice of States taking action in compliance with a legal obligation to do so in relation to cyber operations emanating from their territory. Consensus reports of the UN GGE explicitly define due diligence obligations in relation to cyber operations as a ‘non-binding voluntary norm of responsible State behaviour’, and the UN OEWG was unable to agree on the inclusion of any language relating to due diligence obligations at all, even in a non-binding context. While some commentators have sought to encourage the recognition or development of binding due diligence obligations in relation to cyber operations, others have made unprecedented assertions that States are already under such obligations by construing due diligence as a universal standalone source from which it is possible to derive binding obligations applicable to all areas of activity based primarily on a misrepresentation of the ICJ's Corfu Channel judgment.
An increasing number of mostly European States have since supported these ambitious assertions and encouraged the development of such obligations for activity in cyberspace, though even States that endorse binding due diligence obligations in cyberspace recognize clear disagreement over their existence and application. In response, other States have expressed more accurate understandings of the status of due diligence obligations in international law, arguing that there is currently insufficient State practice and opinio juris to establish a specific customary international law rule of ‘due diligence’ applicable to cyber operations. Some of these States have referred to the deliberate explicit definition of due diligence as a non-binding norm of responsible State behaviour in consensus UN GGE Reports after extensive discussion of such issues, which reflects that States do not consider themselves to be under any binding due diligence obligations in relation to cyber operations. If anything, the position of States in UN fora serves to demonstrate what is clear from the treatment of due diligence obligations by the ICJ and numerous areas of activities where only soft-law obligations exist, that assertions of due diligence being a universal standalone source from which it is possible to automatically identify binding obligations for any area of activities are incorrect as a matter of law, and it is for States to decide whether to establish primary rules containing due diligence obligations in relation to the attributes of those specific contexts.
This conclusion does not preclude binding obligations from developing in the future should sufficient State practice and opinio juris emerge for a rule containing such obligations in cyberspace to crystallize. Indeed, the statements by an increasing number of States encouraging or endorsing binding due diligence obligations in relation to cyber operations may indicate the early stages of such a process. This would be in line with consensus UN GGE reports which explicitly recognize that challenges presented by the ‘unique attributes’ of cyber operations mean ‘additional norms could be developed over time’,Footnote 232 and that ‘existing norms may be formulated for application to the ICT environment … where additional norms that take into account the complexity and unique attributes of ICTs may need to be developed’.Footnote 233 Similarly, the final report of the UN OEWG, also adopted by consensus, recognized that ‘additional norms could continue to be developed over time’.Footnote 234 The ICJ may also play an important role in the development of custom through the method of assertion in recognizing rules as being of customary status.Footnote 235 Another attempt to bypass insufficient State practice and opinio juris for a customary rule containing due diligence obligations in cyberspace is by claiming there exists a general principle of due diligence in the sense of Article 38(1)(c) of the ICJ Statute.Footnote 236 However, this assertion is particularly difficult to maintain given the controversial nature of the existence of a category of ‘general principles of law formed within the international legal system’Footnote 237 in addition to the contrary treatment of such obligations in ICJ case law outlined in this article.
Nonetheless, the role of scholarship that has sought to misrepresent lex ferenda as lex lata in encouraging such a development should be understood as remarkable for the reasons outlined in this article. If assertions that due diligence is a universal standalone source from which it is possible to derive binding obligations for all areas of activity as promoted in academic projects as a basis to identify binding obligations in cyberspace receive widespread acceptance from States, this would constitute a radical transformation of the international rules-based system, broadening obligations of conduct for States in an unprecedented manner beyond the cyber context. Not only are assertions of binding due diligence obligations in cyberspace resulting from a supposed universal standalone source of due diligence as lex lata disingenuous in that they contradict the case law of the ICJ and lack supporting legal authority outside of cyber-specific literature, but they also contradict the position of States in UN fora and State practice in cyberspace. Moreover, their presentation as such serves to misrepresent and distort dangerously the status of fundamental legal principles, rules and obligations of conduct in international law, and undermine any stability and support that they provide outside of the cyber context.
As d'Aspremont notes, ‘legal scholars have continuously found in the theory of customary international law a convenient instrument to vindicate the progressive development of international law and its expansion in areas which they perceive as being insufficiently regulated by it’.Footnote 238 Such claims, carefully crafted to avoid the obstacles of insufficient State practice and opinio juris, are best understood as a form of interventionism, that is, an attempt to intervene in the problems of the world by stretching existing legal frameworks to address what they perceive to be dangerous legal gaps,Footnote 239 openly seeking to provide States with recourse to countermeasures in spite of the contrary position of the ICJ and States on the existence of such rules. Perhaps such concerns over the interventionist role of scholars informed the unfortunate veto by States to block further engagement of groups including the Oxford Institute for Ethics, Law and Armed Conflict in the UN OEWG.Footnote 240
Acknowledgements
The author would like to thank Professor Catherine Redgwell (University of Oxford) and Dr Efthymios Papastavridis (University of Oxford) for their comments and suggestions on the doctoral thesis chapter on which this article was based.