Harvard International Law Journal

The oldest and most-cited student-edited journal of international law, the Harvard International Law Journal covers a wide variety of topics in public and private international law.

Security and Human Rights Challenges of Cyber Due Diligence

Filed Under: Content, Online Scholarship, Perspectives

By: Adina Ponta

Editor’s Note: This article does not reflect the views of the American Society of International Law or its members.

Introduction

After states, international organizations, and international coordinating fora, including the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (“UN GGE”), endorsed application of international law to cyberspace, the debate shifted to questions of how existing principles, rights, and obligations should be interpreted in regard to cyber activities.

As reaffirmed by the Tallinn Manual 2.0, several principles and rules of conventional and customary international law derive from the international law principle of sovereignty, including the “corollary” principle of non-intervention. Although states and scholars have different views regarding the legal qualification of sovereignty—either as an international law principle or as a rule —it is accepted that in cyberspace, sovereignty reflects states’ exclusive legal authority over their cyber infrastructure and activity associated with it, as well as jurisdiction over the persons engaged in cyber activity, including control of non-state cyber operations launched from their territory.

The modern due diligence principle derives from the ancient maxim sic utere tuo ut alienum non laedas, meaning use your own property in such a manner as not to injure that of others. In 2019, the Estonian President noted that “[s]overeignty entails not only rights, but also obligations,” reaffirming views expressed by Australia, France, Germany, and the Netherlands. In this regard, a state may be held responsible for the conducts of private persons if (1) upon attribution, these acts are considered to be acts of the state itself, or (2) if a state has violated its obligation “not to allow knowingly its territory to be used for acts contrary to the rights of other States,” as emphasized by the International Court of Justice (“ICJ”) in the Corfu Channel case.

Cyber Due Diligence

Deriving the obligation of due diligence in cyberspace from the principle of equal state sovereignty, Rule 6 of the Tallinn Manual 2.0. notes states’ obligation to ensure that the territory or cyber infrastructure under their control is not used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states. The due diligence principle covers remote operations and operations conducted from or through state territory that affect the legal rights, and not mere interests, of other states. As mentioned by the director of the Tallinn Manual Process, this includes, for example, the right to be free from intervention by another state.

In the environmental law context, due diligence has been recognized as a principle of customary international law by international tribunals, including the ICJ, and in treaties, such as the UN Framework Convention on Climate Change. However, under lex lata, cyber due diligence has no binding nature, therefore, its scope and consequences of non-compliance are still grey areas of international law, as reflected by the 2015 UN GGE report. The vague language might indicate a lack of state endorsement that the due diligence duty is reflective of customary international law. The rejection of a mandatory due diligence rule within the UN GGE, which might as well represent valid opinio juris, mainly underlies fears of burdensome oversight obligations such a rule would impose on states with massive technological capabilities.

In contrast to the absence of consensus which determine the general language used in the statements of international organizations, individual states often chose to assert more granular statements. Official endorsement of due diligence as a rule of international law, by the Netherlands, France, Germany, Estonia, and Finland, translates into accepting the consequences of internationally wrongful acts, such as political or diplomatic actions, including those implemented via the U.N. Security Council. In the French view, non-compliance with the due diligence rule, including failure to terminate operations which violate the sovereignty of another state, may be followed by non-forcible countermeasures. Due diligence could be especially valuable in the assessment of legitimate responses to actions committed by non-state actors, as countermeasures can be lawfully applied only against states. The answer to this dilemma could be another question: did the host state of those actors breach its due diligence obligation?

The Preventive Component of Due Diligence 

The application of the French maxim “Qui peut et n’empêche, pèche” (He who can and does not prevent, sins) in the cyber realm is very controversial. According to the International Law Commission (“ILC”), states are expected to employ vigilance on their territory, a duty that has developed in relation to their responsibility for private activities. Although it is agreed that due diligence is an obligation of conduct, there is no consensus on its content, nor on whether this duty also entails a preventive aspect, which in case of violation would constitute an internationally wrongful act. Prevention, the procedural component of due diligence, is reflected in the European Union (“EU”) General Data Protection Regulation (“GDPR”), and has been endorsed by the World Trade Organization (“WTO”), by the International Tribunal for the Law of the Sea (“ITLOS”), and, in the environmental context, by the ICJ. By analogy with international environmental law, states would have to assess the cyberactivities within their jurisdiction, similar to the obligation to conduct an environmental impact assessment, when there is a likelihood that transboundary harm would occur from these activities.

The Netherlands does not include mandatory cyber hygiene or network monitoring obligations for prevention of misusing cyber infrastructure in the scope of the due diligence duty. This approach is endorsed by the director of the Tallinn Manual Process, i.e. the due diligence principle would be limited to contexts of ongoing hostile operations, and is violated only if states have knowledge of the misuse of their sovereign territory. Some experts admit that the rule can be expanded to operations which are not ongoing, but very imminent, while the results have not yet materialized.

A major challenge to an enforceable obligation to prevent is different economic and technological state capabilities, although the fundamentals of state responsibilities are common. While the Estonian President implied the existence of preventive obligations on states, she included the development of assistive means to support target states in the attribution and investigation of malicious activities in the scope of “reasonable efforts,” depending on states’ capacities. Moreover, if the duty to prevent is regarded as encompassing an affirmative state obligation to enact domestic legislation, due diligence might also comprise obligations of result. Consequently, due diligence could act as a Trojan horse to justify mass surveillance that limits human rights and liberties, including the right to privacy.

States are not required to remedy all transboundary harm, but only the harm resulting in “serious adverse consequences,” a term borrowed from international environmental case law.  Regarding the threshold of harm to trigger due diligence obligations, the Tallinn Manual 2.0. embraces the standard of “serious adverse consequences,” and specifies in Rule 4 distinct levels of harm which may result from a hostile cyberoperation. States’ obligation to prevent transboundary harm is conditioned by knowledge about the cyberoperations conducted using their territory or cyberinfrastructure. In line with the Corfu Channel judgement, this is broken down into “actual knowledge” delivered by domestic intelligence services or from warnings received from the target state, and constructive knowledge, i.e., if the state, in the normal course of events, would or objectively should have known about the harm. The “constructive knowledge” reflects the inherent characteristics of due diligence and good faith: hypothetical reasonable limits and assessment depending on feasibility of means.

Due diligence is an objective principle of law, but its assessment represents a sliding scale based on different factors, such as knowledge, capabilities, risks, and consequences, which confer the necessary flexibility and plasticity to evaluate whether the expected vigilance was met. In some views, when the standard of care is unclearly determined by a certain rule, states should resort to the ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts (“Draft Articles”), which suggests negligence as the standard of due diligence. According to the International Law Association (“ILA”) Study Group on Due Diligence in International Law, this requires states to act with care that is “generally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance.” Therefore, the standard of review should be in abstracto, i.e., whether another state would have reasonably known in similar circumstances. The main challenge remains to be the standard of proof victims have to meet when demonstrating that a state was aware about the hostile cyber operations conducted on its territory, and will likely become probatio diabolica for victims.

The concrete means employed by states to stop ongoing operations can be manifold. In the Netherlands’ view, the target state may “ask the other country to shut down the servers, regardless of whether or not it has been established that a state is responsible for the cyberattack.” Although the obligation of notification was clearly affirmed by the ICJ in the Corfu Channel case as a general principle of international law, according to the Tallinn Manual 2.0, it does not necessarily imply a specific obligation to notify the target state, as this would disclose the host state’s capabilities. The balance of interests is very delicate, if such a notification is the only means to end the ongoing hostile cyberoperation, or if the cyberoperation would harm fundamental human rights, as was the case during the recent cyberoperations against medical facilities. While in this case failure of notification could represent a breach of international human rights law, a reasonable accommodation of state interests and human rights shall be found in order for the states to comply with due diligence principle which is only breached by states when they are aware of certain harmful operations but are unwilling to end them.

Intersections with Human Rights Law

States’ obligations to safeguard human rights apply in relation to individuals located on their territory, and to states’ obligations under international law to prevent transboundary harm. Although application of international human rights law(“IHRL”) to cyberspace is widely recognized, the majority of states don’t regard the geographic scope of human rights treaty obligations as being “extraterritorial,” and consider themselves to have affirmative obligations to prevent and respond to human rights violations only on their territory. Transboundary obligations only arise when a state exercises real or de facto control and authority over another territory. I have argued before the complexity of establishing states’ responsibility to the hospitalized individuals who were injured or lost their lives as a consequence of a cyber act that could have been prevented. In relation to their own citizens, states’ obligation to provide cybersecurity will have to be integrated within the scope of the right to life, the right to health, and the right to freedom and security, in order to further trigger the relevant reparation mechanisms provided by regional and international human rights instruments. The right to health is safeguarded by the International Covenant on Economic, Social and Cultural Rights (“ICESCR”), which the United States has not ratified to date.

Human rights bodies have attached to the due diligence principle a duty to investigate and to prevent. Although the majority view is that this principle does not impose on states a general obligation of prevention, IHRL safeguards a specific duty of prevention, including the duty to limit and prevent human rights violations in cyberspace. Addressing the right to health, the UN Committee on Economic, Social, and Cultural Rights (“CESCR”) noted that “States parties [to the ICESCR] have to respect the enjoyment of the right to health in other countries.” Moreover, according to the Maastricht Principles on the Extra-Territorial Obligations of States in the area of Economic, Social and Cultural Rights, states should be held accountable for violating human rights of people outside of their own territories. Although this article does not intend to analyze the legal effects of the CESCR language, this logic implies that even if states do not recognize the application of the due diligence principle and its preventive component, their obligation to prevent transboundary harm, including the harm resulting from hostile cyberoperations on medical and testing facilities, could be derived from transboundary IHRL obligations, or the universality of human rights.

The theory that these positive duties under IHRL, including a reasonable due care requirement, can and should arise under international law in extraterritorial circumstances has already been discussed in other contexts, especially related to international law applicable to the environment. While reaching a balance between protection of individual rights and national security is very complex, states’ operational choices to comply with their obligations shall consider national resources, without derogating from absolute human rights. According to the  European Court of Human Rights, this positive obligation to take preventive operational measures shall “not impose an impossible or disproportionate burden on the authorities.” Rule 36 of the Tallinn Manual 2.0. notes states’ affirmative obligation to ensure respect for human rights and to protect human rights from abuse by third parties. If the due diligence obligation will be interpreted as including a governmental duty to ensure backup power generators to medical facilities or testing databases, the scope of human rights in the artificial intelligence era will expand exponentially.

Conclusion

Although due diligence is not widely endorsed as a binding rule of international law, there is currently widespread support of this non-binding norm of responsible state behavior. There are still concerns that its clarification offers opportunities for states to allege more breaches of international law and increase the frequency of countermeasures, which ultimately hamper stabilization of this international law principle in cyberspace. Fortunately, for the purpose of protecting their national security, most states would act with due diligence simply because it is in their domestic and foreign policy interest. The challenge remains of how to legally address transboundary human rights violations of hostile cyberoperations in the absence of a unitary approach on transboundary effects of states’ human rights obligations and given the non-binding nature of due diligence. Customary international law, including parts of the Draft Articles, might be the answer in case of unlawful and attributable state actions, although their application to the cyber domain is also disputed.

Given the fact that the principle of sovereignty is under most pressure in this domain, and due diligence is one of the main means of applying pressure, development of state practice over the next few years is crucial. Cyberoperations are a reality the international community needs to face, and as there are no means of returning to the old status quo, it needs to find a modus vivendi with all implications of the new realities. For increased stability and accountability in cyberspace, and for a widespread understanding and agreement regarding the applicability and interpretation of lex lata, it is critical that states not only affirm the general applicability of international law in cyberspace, but also expressly label hostile cyber operations as violations of specific international law rules and principles, such as due diligence.

Executive Editor: Yixian Sun

Adina Ponta

Adina Ponta is currently the Detlev F. Vagts International Law Fellow at the American Society of International Law in Washington, D.C. Prior to that, she worked in the legal offices of two NATO headquarters, where she advised on the lawful conduct of armed forces during conflict and peacetime military operations. She has an LL.M. in international law and a Ph.D. in business and technology law.