{"id":8846,"date":"2020-06-17T10:52:28","date_gmt":"2020-06-17T14:52:28","guid":{"rendered":"https:\/\/journals.law.harvard.edu\/ilj\/?p=8846"},"modified":"2023-09-29T18:48:10","modified_gmt":"2023-09-29T22:48:10","slug":"security-and-human-rights-challenges-of-cyber-due-diligence","status":"publish","type":"post","link":"https:\/\/journals.law.harvard.edu\/ilj\/2020\/06\/security-and-human-rights-challenges-of-cyber-due-diligence\/","title":{"rendered":"Security and Human Rights Challenges of Cyber Due Diligence"},"content":{"rendered":"<p>By: Adina Ponta<\/p>\n<p><em>Editor\u2019s Note: This article does not reflect the views of the American Society of International Law or its members.<\/em><\/p>\n<h1><strong>Introduction<\/strong><\/h1>\n<p>After\u00a0<a href=\"https:\/\/www.coe.int\/en\/web\/cybercrime\/the-budapest-convention\">states<\/a>, <a href=\"https:\/\/eeas.europa.eu\/delegations\/un-new-york\/52894\/eu-statement-%E2%80%93-united-nations-1st-committee-thematic-discussion-other-disarmament-measures-and_en\">international<\/a> <a href=\"https:\/\/www.nato.int\/cps\/en\/natohq\/official_texts_133169.htm\">organizations<\/a>, and international\u00a0<a href=\"https:\/\/www.nato.int\/nato_static\/assets\/pdf\/pdf_2011_05\/20110926_110526-G8-Summit-Deauville.pdf\">coordinating<\/a> fora, including the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (\u201c<a href=\"https:\/\/undocs.org\/A\/70\/174\">UN GGE<\/a>\u201d), endorsed application of international law to cyberspace, the debate shifted to questions of how existing principles, rights, and obligations should be interpreted in regard to cyber activities.<\/p>\n<p>As\u00a0<a href=\"https:\/\/www.cambridge.org\/core\/books\/tallinn-manual-20-on-the-international-law-applicable-to-cyber-operations\/sovereignty\/6BA0C5B9829FD15D997B8C973C395E16\">reaffirmed<\/a>\u00a0by the Tallinn Manual 2.0, several 
principles and rules of conventional and customary international law derive from the international law principle of sovereignty, including the \u201c<a href=\"https:\/\/www.icj-cij.org\/files\/case-related\/70\/070-19860627-JUD-01-00-EN.pdf\">corollary<\/a>\u201d principle of non-intervention. Although states and scholars have different views regarding the legal qualification of sovereignty\u2014either as an international law principle or as a rule \u2014it is accepted that in cyberspace, sovereignty reflects states\u2019 exclusive legal authority over their cyber infrastructure and activity associated with it, as well as jurisdiction over the persons engaged in cyber activity, including control of non-state cyber operations launched from their territory.<\/p>\n<p>The modern due diligence principle derives from the\u00a0<a href=\"https:\/\/poseidon01.ssrn.com\/delivery.php?ID=535088111116103124001007095126085122000020077035034062072086117067098082127118108098056017035063031005018100100074120089095083121026023010011093125126106027030100073005050095092113110089066031026101078103001116008095005092086123073092102127017009097&amp;EXT=pdf\">ancient maxim\u00a0<\/a><em>sic utere tuo ut alienum non laedas<\/em>, meaning use your own property in such a manner as not to injure that of others. 
In <a href=\"https:\/\/www.president.ee\/en\/official-duties\/speeches\/15241-president-of-the-republic-at-the-opening-of-cycon-2019\/index.html\">2019<\/a>, the Estonian President noted that \u201c[s]overeignty entails not only rights, but also obligations,\u201d reaffirming views expressed by <a href=\"https:\/\/www.dfat.gov.au\/sites\/default\/files\/DFAT%20AICES_AccPDF.pdf\">Australia<\/a>, <a href=\"https:\/\/www.diplomatie.gouv.fr\/IMG\/pdf\/190514-_french_reponse_un_resolutions_73-27_-_73-266_ang_cle4f5b5a-1.pdf\">France<\/a>, <a href=\"https:\/\/www.auswaertiges-amt.de\/en\/newsroom\/news\/150518-ca-b-chatham-house\/271832\">Germany<\/a>, and <a href=\"https:\/\/www.government.nl\/ministries\/ministry-of-foreign-affairs\/documents\/parliamentary-documents\/2019\/09\/26\/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace\">the Netherlands<\/a>. In this regard, a state may be held responsible for the conduct of private persons if (1) upon attribution, these acts are <a href=\"https:\/\/legal.un.org\/ilc\/texts\/instruments\/english\/commentaries\/9_6_2001.pdf\">considered<\/a> to be acts of the state itself, or (2) if a state has violated its obligation \u201cnot to allow knowingly its territory to be used for acts contrary to the rights of other States,\u201d as emphasized by the International Court of Justice (\u201cICJ\u201d) in the <a href=\"https:\/\/www.icj-cij.org\/files\/case-related\/1\/001-19490409-JUD-01-00-EN.pdf\"><em>Corfu Channel<\/em><\/a> case.<\/p>\n<h1><strong>Cyber Due Diligence<\/strong><\/h1>\n<p>Deriving the obligation of due diligence in cyberspace from the principle of equal state sovereignty, Rule 6 of the Tallinn Manual 2.0 notes states\u2019 obligation to ensure that the territory or cyber infrastructure under their control is not used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states. 
The due diligence principle covers\u00a0<a href=\"https:\/\/www.justsecurity.org\/66194\/frances-major-statement-on-international-law-and-cyber-an-assessment\/\">remote operations<\/a>\u00a0and operations conducted from or through state territory that affect the legal <a href=\"https:\/\/www.youtube.com\/watch?v=YOIuiNfaZU8\">rights<\/a>, and not mere interests, of other states. As mentioned by the director of the Tallinn Manual Process, this includes, for example, the\u00a0<a href=\"https:\/\/www.youtube.com\/watch?v=YOIuiNfaZU8\">right to be free from intervention<\/a>\u00a0by another state.<\/p>\n<p>In the environmental law context, due diligence has been\u00a0<a href=\"https:\/\/ccdcoe.org\/uploads\/2018\/10\/Art-13-From-Grey-Zone-to-Customary-International-Law.-How-Adopting-the-Precautionary-Principle-May-Help-Crystallize-the-Due-Diligence-Principle-in-Cyberspace.pdf\">recognized<\/a>\u00a0as a principle of customary international law by international tribunals, including the\u00a0<a href=\"https:\/\/www.icj-cij.org\/files\/case-related\/152\/152-20151216-JUD-01-00-EN.pdf\">ICJ<\/a>, and in treaties, such as the <a href=\"https:\/\/unfccc.int\/files\/essential_background\/background_publications_htmlpdf\/application\/pdf\/conveng.pdf\">UN Framework Convention on Climate Change<\/a>. However, under\u00a0<em>lex lata,\u00a0<\/em>cyber due diligence has no binding nature, therefore, its scope and consequences of non-compliance are still grey areas of international law, as reflected by the <a href=\"https:\/\/undocs.org\/A\/70\/174\">2015<\/a> UN GGE report. The vague language\u00a0<a href=\"https:\/\/cpb-us-w2.wpmucdn.com\/campuspress.yale.edu\/dist\/8\/1581\/files\/2017\/08\/Schmitt_Grey-Areas-in-the-International-Law-of-Cyberspace-1cab8kj.pdf\">might indicate<\/a>\u00a0a lack of state endorsement that the due diligence duty is reflective of\u00a0<a href=\"https:\/\/legal.un.org\/riaa\/cases\/vol_III\/1905-1982.pdf\">customary international law<\/a>. 
The rejection of a mandatory due diligence rule within the UN GGE, which might as well represent valid\u00a0<em>opinio juris,\u00a0<\/em>mainly reflects fears of the burdensome oversight obligations such a rule would impose on states with massive technological capabilities.<\/p>\n<p>In contrast to the absence of consensus which determines the general language used in the statements of international organizations, individual states often chose to assert more <a href=\"https:\/\/www.justsecurity.org\/66562\/the-netherlands-releases-a-tour-de-force-on-international-law-in-cyberspace-analysis\/\">granular statements<\/a>.\u00a0Official endorsement of due diligence as a rule of international law, by the <a href=\"https:\/\/www.government.nl\/binaries\/government\/documents\/parliamentary-documents\/2019\/09\/26\/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace\/International+Law+in+the+Cyberdomain+-+Netherlands.pdf\">Netherlands<\/a>, <a href=\"https:\/\/www.diplomatie.gouv.fr\/IMG\/pdf\/190514-_french_reponse_un_resolutions_73-27_-_73-266_ang_cle4f5b5a-1.pdf\">France<\/a>, <a href=\"https:\/\/www.auswaertiges-amt.de\/en\/newsroom\/news\/150518-ca-b-chatham-house\/271832\">Germany<\/a>, <a href=\"https:\/\/president.ee\/en\/official-duties\/speeches\/15241-president-of-the-republic-at-the-opening-of-cycon-2019\/\">Estonia<\/a>, and <a href=\"https:\/\/ccdcoe.org\/incyder-articles\/overview-of-un-oewg-developments-continuation-of-discussions-on-how-international-law-applies-in-cyberspace\/\">Finland<\/a>, translates into accepting the consequences of internationally wrongful acts, such as political or diplomatic actions, including those implemented via the U.N. Security Council. 
In the\u00a0<a href=\"https:\/\/www.defense.gouv.fr\/content\/download\/565896\/9750885\/file\/Droit+internat+appliqu%C3%A9+aux+op%C3%A9rations+Cyberespace+-+r%C3%A9sum%C3%A9.pdf\">French<\/a>\u00a0view, non-compliance with the due diligence rule, including failure to terminate operations which violate the sovereignty of another state, may be followed by\u00a0<a href=\"http:\/\/opiniojuris.org\/2019\/09\/24\/frances-declaration-on-international-law-in-cyberspace-the-law-of-peacetime-cyber-operations-part-i\/\">non-forcible<\/a>\u00a0countermeasures. Due diligence could be especially <a href=\"https:\/\/harvardnsj.org\/wp-content\/uploads\/sites\/13\/2017\/02\/Schmitt-NSJ-Vol-8.pdf\">valuable<\/a> in the assessment of legitimate responses to actions committed by non-state actors, as countermeasures can be lawfully applied only against states. The answer to this dilemma could be another question: did the host state of those actors breach its due diligence obligation?<\/p>\n<h1><strong>The Preventive Component of Due Diligence<\/strong><strong>\u00a0<\/strong><\/h1>\n<p>The application of the French maxim \u201c<em>Qui peut et n\u2019emp\u00eache, p\u00e8che<\/em>\u201d (He who can and does not prevent, sins) in the cyber realm is very controversial. According to the International Law Commission (\u201cILC\u201d), states are expected to employ\u00a0<a href=\"https:\/\/legal.un.org\/ilc\/texts\/instruments\/english\/commentaries\/9_7_2001.pdf\">vigilance<\/a>\u00a0on their territory, a duty that\u00a0has <a href=\"https:\/\/poseidon01.ssrn.com\/delivery.php?ID=924024068085090099021002019094118078018010057003010003004105083109024010064022017011126002010009009047042124109016115109065079005085066082003089077093112088105099010052005043005015006127065093124003019104020016090001003100108017080019118122024082090069&amp;EXT=pdf\">developed<\/a>\u00a0in relation to their responsibility for private activities. 
Although it is agreed that due diligence is an obligation of conduct, there is no consensus on its content, nor on whether this duty also entails a <a href=\"https:\/\/undocs.org\/A\/70\/174\">preventive aspect<\/a>, which in case of violation would constitute an internationally wrongful act. Prevention, the procedural component of due diligence, is reflected in the European Union (\u201cEU\u201d) General Data Protection Regulation (\u201c<a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&amp;from=EN\">GDPR<\/a>\u201d), and has been endorsed by the World Trade Organization (\u201cWTO\u201d), by the International Tribunal for the Law of the Sea (\u201c<a href=\"https:\/\/www.itlos.org\/fileadmin\/itlos\/documents\/cases\/case_no_17\/adv_op_010211.pdf\">ITLOS<\/a>\u201d), and, in the environmental context, by the <a href=\"https:\/\/www.icj-cij.org\/files\/case-related\/135\/135-20100420-JUD-01-00-EN.pdf\">ICJ<\/a>. By <a href=\"https:\/\/ccdcoe.org\/uploads\/2018\/10\/Art-13-From-Grey-Zone-to-Customary-International-Law.-How-Adopting-the-Precautionary-Principle-May-Help-Crystallize-the-Due-Diligence-Principle-in-Cyberspace.pdf\">analogy<\/a> with international environmental law, states would have to assess the cyberactivities within their jurisdiction, similar to the obligation to conduct an environmental impact assessment, when there is a likelihood that transboundary harm would occur from these activities.<\/p>\n<p><a href=\"https:\/\/www.government.nl\/ministries\/ministry-of-foreign-affairs\/documents\/parliamentary-documents\/2019\/09\/26\/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace\">The Netherlands<\/a>\u00a0does not include mandatory cyber hygiene or network monitoring obligations for prevention of misusing cyber infrastructure in the scope of the due diligence duty. 
This approach is endorsed by the\u00a0<a href=\"https:\/\/www.justsecurity.org\/66562\/the-netherlands-releases-a-tour-de-force-on-international-law-in-cyberspace-analysis\/\">director<\/a>\u00a0of the Tallinn Manual Process, i.e. the due diligence principle would be\u00a0<a href=\"https:\/\/www.justsecurity.org\/66194\/frances-major-statement-on-international-law-and-cyber-an-assessment\/\">limited<\/a>\u00a0to contexts of ongoing hostile operations, and is violated\u00a0<em>only<\/em>\u00a0if states have knowledge of the misuse of their sovereign territory. Some <a href=\"https:\/\/www.youtube.com\/watch?v=YOIuiNfaZU8\">experts<\/a> admit that the rule can be expanded to operations which are not ongoing, but very imminent, while the results have not yet materialized.<\/p>\n<p>A major challenge to an enforceable obligation to prevent is <a href=\"https:\/\/undocs.org\/A\/70\/174\">different<\/a> economic and technological state capabilities, although the fundamentals of state responsibilities are common. While the <a href=\"https:\/\/www.president.ee\/en\/official-duties\/speeches\/15241-president-of-the-republic-at-the-opening-of-cycon-2019\/index.html\">Estonian President<\/a> implied the existence of preventive obligations on states, she included the development of assistive means to support target states in the attribution and investigation of malicious activities in the scope of \u201creasonable efforts,\u201d depending on states\u2019 capacities. Moreover, if the duty to prevent is regarded as encompassing an affirmative state obligation to enact domestic legislation, due diligence might also comprise obligations of result. 
Consequently, due diligence could act as a\u00a0<a href=\"https:\/\/poseidon01.ssrn.com\/delivery.php?ID=931009020100120070095110083103011098096084018006060085124105026024105030086026085096056033123048021034111124094094103107064092123076062000041114093095026096068089123005012001093089090094119086093097066083095001113076119007004124067004027073112082081099&amp;EXT=pdf\">Trojan horse<\/a>\u00a0to justify mass surveillance that limits human rights and liberties, including the right to privacy.<\/p>\n<p>States are not required to remedy all transboundary harm, but only the harm resulting in \u201cserious adverse consequences,\u201d a term borrowed from\u00a0<a href=\"https:\/\/legal.un.org\/riaa\/cases\/vol_III\/1905-1982.pdf\">international environmental case law<\/a>.\u00a0 Regarding the threshold of harm to trigger due diligence obligations, the Tallinn Manual 2.0. embraces the standard of \u201cserious adverse consequences,\u201d and specifies in <a href=\"https:\/\/www.law.georgetown.edu\/international-law-journal\/wp-content\/uploads\/sites\/21\/2018\/05\/48-3-The-Tallinn-Manual-2.0.pdf\">Rule 4<\/a> distinct levels of harm which may result from a hostile cyberoperation. States\u2019 obligation to prevent transboundary harm is conditioned by\u00a0<em>knowledge<\/em>\u00a0about the cyberoperations conducted using their territory or cyberinfrastructure. In line with the\u00a0<em>Corfu Channel<\/em>\u00a0judgement, this is broken down into \u201c<a href=\"https:\/\/www.youtube.com\/watch?v=YOIuiNfaZU8\">actual knowledge<\/a>\u201d delivered by domestic intelligence services or from warnings received from the target state, and\u00a0<a href=\"https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=2932110\">constructive<\/a>\u00a0knowledge, i.e., if the state, in the normal course of events, would or objectively should have known about the harm. 
The \u201cconstructive knowledge\u201d reflects the inherent characteristics of due diligence and good faith:\u00a0<a href=\"https:\/\/digitalcommons.law.uw.edu\/cgi\/viewcontent.cgi?article=1811&amp;context=wilj\">hypothetical<\/a>\u00a0reasonable limits and assessment depending on feasibility of means.<\/p>\n<p>Due diligence is an objective principle of law, but its assessment represents a sliding scale based on different factors, such as knowledge, capabilities, risks, and consequences, which confer the necessary\u00a0<a href=\"https:\/\/www.iss.europa.eu\/sites\/default\/files\/EUISSFiles\/cp155.pdf\">flexibility and plasticity<\/a>\u00a0to evaluate whether the expected vigilance was met.\u00a0In some\u00a0<a href=\"https:\/\/www.yalelawjournal.org\/note\/duties-owed-low-intensity-cyber-attacks-and-liability-for-transboundary-torts-in-international-law#_ftnref149\">views<\/a>, when the\u00a0<em>standard of care<\/em>\u00a0is unclearly determined by a certain rule, states should resort to the\u00a0<a href=\"https:\/\/legal.un.org\/ilc\/texts\/instruments\/english\/commentaries\/9_6_2001.pdf\">ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts<\/a><strong>\u00a0<\/strong>(\u201cDraft Articles\u201d), which suggests negligence as the standard of due diligence. According to the International Law Association\u00a0<a href=\"http:\/\/perma.cc\/786K-TDCU\">(\u201cILA\u201d) Study Group on Due Diligence in International Law<\/a>, this requires states to act with care that is \u201cgenerally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance.\u201d Therefore, the\u00a0<em>standard of review<\/em>\u00a0should be\u00a0<em>in abstracto<\/em>,<em>\u00a0<\/em>i.e., whether another state would have reasonably known in similar circumstances. 
The main challenge remains to be the\u00a0<em>standard of proof<\/em>\u00a0victims have to meet when demonstrating that a state was aware about the hostile cyber operations conducted on its territory, and will likely become\u00a0<a href=\"https:\/\/poseidon01.ssrn.com\/delivery.php?ID=931009020100120070095110083103011098096084018006060085124105026024105030086026085096056033123048021034111124094094103107064092123076062000041114093095026096068089123005012001093089090094119086093097066083095001113076119007004124067004027073112082081099&amp;EXT=pdf\"><em>probatio diabolica<\/em><\/a>\u00a0for victims.<\/p>\n<p>The concrete means employed by states to stop ongoing operations can be manifold. In the\u00a0<a href=\"https:\/\/www.government.nl\/ministries\/ministry-of-foreign-affairs\/documents\/parliamentary-documents\/2019\/09\/26\/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace\">Netherlands\u2019<\/a>\u00a0view, the target state may \u201cask the other country to shut down the servers, regardless of whether or not it has been established that a state is responsible for the cyberattack.\u201d Although the obligation of notification was clearly affirmed by the ICJ in the\u00a0<em>Corfu Channel <\/em>case\u00a0as a general principle of international law, according to the Tallinn Manual 2.0, it does not necessarily\u00a0<a href=\"https:\/\/www.youtube.com\/watch?v=YOIuiNfaZU8\">imply<\/a>\u00a0a specific obligation to notify the target state, as this would disclose the host state\u2019s capabilities. 
The balance of interests is very delicate if such a notification is the only means to end the ongoing hostile cyberoperation, or if the cyberoperation would harm fundamental human rights, as was the case during the <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-03-23\/paris-hospitals-target-of-failed-cyber-attack-authority-says\">recent<\/a> <a href=\"https:\/\/www.zdnet.com\/article\/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak\/\">cyberoperations<\/a> against medical facilities. While in this case failure of notification could represent a breach of international human rights law, a reasonable accommodation of state interests and human rights shall be found in order for the states to comply with the due diligence principle, which is only breached by states when they are aware of certain harmful operations but are unwilling to end them.<\/p>\n<h1><strong>Intersections with Human Rights Law<\/strong><\/h1>\n<p>States\u2019 obligations to safeguard human rights apply in relation to individuals located on their territory, and to states\u2019 obligations under international law to prevent transboundary harm. Although application of international human rights law (\u201cIHRL\u201d) to cyberspace is widely recognized, the <a href=\"https:\/\/muse.jhu.edu\/article\/699502\/pdf\">majority<\/a> of states don\u2019t regard the geographic scope of human rights treaty obligations as being \u201cextraterritorial,\u201d and consider themselves to have affirmative obligations to prevent and respond to human rights violations <em>only<\/em> on their territory. 
<a href=\"https:\/\/www.cambridge.org\/core\/journals\/israel-law-review\/article\/human-rights-obligations-of-the-territorial-state-in-the-cyberspace-of-areas-outside-its-effective-control\/A485442EA8B55100F398BD14924DBD0A\">Transboundary obligations<\/a> only arise when a state exercises real or de facto control and authority over another territory.\u00a0I have argued\u00a0<a href=\"https:\/\/www.lawfareblog.com\/cyber-operations-against-medical-facilities-during-peacetime\">before<\/a>\u00a0the complexity of establishing states\u2019 responsibility to the hospitalized individuals who were injured or lost their lives as a consequence of a cyber act that could have been prevented. In relation to their own citizens, states\u2019 obligation to provide cybersecurity will have to be integrated within the scope of the right to life, the right to health, and the right to freedom and security, in order to further trigger the relevant reparation mechanisms provided by regional and international human rights instruments. 
The right to health is safeguarded by the International Covenant on Economic, Social and Cultural Rights (\u201cICESCR\u201d), which the United States has not ratified to date.<\/p>\n<p>Human rights bodies have attached to the due diligence principle a duty to <a href=\"http:\/\/docstore.ohchr.org\/SelfServices\/FilesHandler.ashx?enc=6QkG1d%2FPPRiCAqhKb7yhsjYoiCfMKoIRv2FVaVzRkMjTnjRO%2Bfud3cPVrcM9YR0iW6Txaxgp3f9kUFpWoq%2FhW%2FTpKi2tPhZsbEJw%2FGeZRASjdFuuJQRnbJEaUhby31WiQPl2mLFDe6ZSwMMvmQGVHA%3D%3D\">investigate<\/a> and to <a href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-57905%22]}\">prevent.<\/a> Although the <a href=\"https:\/\/www.cambridge.org\/core\/journals\/israel-law-review\/article\/human-rights-obligations-of-the-territorial-state-in-the-cyberspace-of-areas-outside-its-effective-control\/A485442EA8B55100F398BD14924DBD0A\">majority view<\/a> is that this principle does not impose on states a general obligation of prevention, IHRL safeguards a specific duty of prevention, including the duty to limit and prevent human rights violations in cyberspace. Addressing the right to health, the UN Committee on Economic, Social, and Cultural Rights (\u201cCESCR\u201d)\u00a0<a href=\"https:\/\/www.refworld.org\/pdfid\/4538838d0.pdf\">noted<\/a>\u00a0that \u201cStates parties [<em>to the <\/em><em>ICESCR<\/em>] have to respect the enjoyment of the right to health in other countries.\u201d Moreover, according to the\u00a0<a href=\"https:\/\/www.ciel.org\/wp-content\/uploads\/2015\/05\/Maastricht_ETO_Principles_21Oct11.pdf\">Maastricht Principles<\/a>\u00a0on the Extra-Territorial Obligations of States in the area of Economic, Social and Cultural Rights, states should be held accountable for violating human rights of people outside of their own territories. 
Although this article does not intend to analyze the legal effects of the CESCR language, this logic implies that even if states do not recognize the application of the due diligence principle and its preventive component, their obligation to prevent transboundary harm, including the harm resulting from hostile cyberoperations on medical and testing facilities, could be derived from transboundary IHRL obligations, or the universality of human rights.<\/p>\n<p>The theory that these positive duties under IHRL, including a reasonable due care requirement,\u00a0<a href=\"https:\/\/esil-sedi.eu\/wp-content\/uploads\/2020\/04\/ESIL-Reflection-Besson-S.-3.pdf\">can and should arise<\/a>\u00a0under international law in extraterritorial circumstances has already been discussed in other contexts, especially related to international law applicable to the environment. While reaching a balance between protection of individual rights and national security is very complex, states\u2019 operational choices to comply with their obligations shall consider national resources, without derogating from absolute human rights. According to the\u00a0<a href=\"http:\/\/hudoc.echr.coe.int\/app\/conversion\/pdf\/?library=ECHR&amp;id=001-58257&amp;filename=001-58257.pdf&amp;TID=hhkgrkntio\">European Court of Human Rights<\/a>, this positive obligation to take preventive operational measures shall \u201cnot impose an impossible or disproportionate burden on the authorities.\u201d Rule 36 of the Tallinn Manual 2.0 notes states\u2019 affirmative obligation to ensure respect for human rights and to protect human rights from abuse by third parties. 
If the due diligence obligation will be interpreted as including a governmental duty to ensure backup power generators to medical facilities or testing databases, the scope of human rights in the artificial intelligence era will expand exponentially.<\/p>\n<h1><strong>Conclusion<\/strong><\/h1>\n<p>Although due diligence is not widely endorsed as a binding rule of international law, there is currently widespread support of this non-binding norm of responsible state behavior. There are still <a href=\"https:\/\/texaslawreview.org\/wp-content\/uploads\/2017\/11\/Jensen.Watts_..pdf\">concerns<\/a> that its clarification offers opportunities for states to allege more breaches of international law and increase the frequency of countermeasures, which ultimately hamper stabilization of this international law principle in cyberspace. Fortunately, for the purpose of protecting their national security, most states would act with due diligence simply because it is in their domestic and foreign policy interest. The challenge remains of how to legally address transboundary human rights violations of hostile cyberoperations in the absence of a unitary approach on transboundary effects of states\u2019 human rights obligations and given the non-binding nature of due diligence. Customary international law, including parts of the Draft Articles,\u00a0might be the answer in case of unlawful and attributable state actions, although their application to the cyber domain is also disputed.<\/p>\n<p>Given the fact that the principle of sovereignty is under most pressure in this domain, and due diligence is one of the main means of applying pressure, development of state practice over the next few years is crucial. Cyberoperations are a reality the international community needs to face, and as there are no means of returning to the old status quo, it needs to find a <em>modus vivendi<\/em> with all implications of the new realities. 
For increased stability and accountability in cyberspace, and for a widespread understanding and agreement regarding the applicability and interpretation of <em>lex lata<\/em>, it is critical that states not only affirm the general applicability of international law in cyberspace, but also expressly label hostile cyber operations as violations of specific international law rules and principles, such as due diligence.<\/p>\n<p><em>Executive Editor: Yixian Sun<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Adina Ponta<\/p>\n","protected":false},"author":95,"featured_media":8848,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_FSMCFIC_featured_image_caption":"","_FSMCFIC_featured_image_nocaption":null,"_FSMCFIC_featured_image_hide":null,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[205,121,366],"tags":[42,405],"class_list":["post-8846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-content","category-article-series","category-perspectives","tag-human-rights","tag-security"],"jetpack_featured_media_url":"https:\/\/journals.law.harvard.edu\/ilj\/wp-content\/uploads\/sites\/84\/philipp-katzenberger-iIJrUoeRoCQ-unsplash-scaled.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/peZu3S-2iG","jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts\/8846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/users\/95"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/comments?post=8846"}],"version-history":[{"count":0,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts\/8846\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/media\/8848"}],"wp:attachment":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/media?paren
t=8846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/categories?post=8846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/tags?post=8846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}