‘Cyber Due Diligence in International Law,’ ELAC Project Report, March 2021, by Talita Dias and Antonio Coco.

While advancements in information and communication technologies (ICTs) have greatly improved the quality and efficiency of services and goods worldwide, they come with inherent vulnerabilities, risks and costs. Malicious activities in cyberspace have proliferated over the past years, now more than ever posing a risk to states’ security and other essential interests. Particularly vulnerable to such operations are critical infrastructures, such as power plants, water and sewage supply systems, healthcare facilities and banks. In times of COVID-19, the healthcare sector has become one of the main targets of cybercriminals and hackers seeking to exploit existing vulnerabilities and public distress. International law is key to ensuring peace and stability in this global environment.

Many such malicious cyber operations have been allegedly committed by state agencies or their proxies. Yet it is extremely difficult to officially attribute conduct to states in cyberspace, given the high legal threshold of ‘effective control’, and the technical challenges of tracing their origin. Anonymising and rerouting techniques, such as VPNs and other IP (Internet Protocol) spoofing software have compounded the attribution problem.

In this context, due diligence features as a promising route to hold states responsible for a failure to prevent, halt and/or remedy a range of cyber harms emanating from their territory, regardless of who caused them. In this spirit, Rule 6 of the Tallinn Manual 2.0 seems to contemplate a rule of cyber due diligence: ‘A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states.’

However, much confusion surrounds the legal basis, content and scope of due diligence generally and in cyberspace. Questions include:

• Is due diligence a general principle, one or more standalone duties or a standard of conduct?
• Does it apply to cyberspace, and if so, is there a cyber-specific version of the rule/principle/standard?
• To what current cyber threats or harms does due diligence potentially apply?
• What are the other conditions for its application in the ICT environment, such as jurisdiction, the levels of harm and knowledge?
• What measures must states adopt when exercising due diligence in cyberspace?

To answer these and other questions, the Oxford Institute for Ethics, Law and Armed Conflict (ELAC), with the support of the Government of Japan, launched the research project entitled ‘Cyber Due Diligence in International Law’.

The project was completed in March 2021 and its final report is available here.