Cyber Due Diligence


While advancements in information and communication technologies have greatly improved the quality and efficiency of services and goods worldwide, they come with inherent vulnerabilities, risks and costs. Malicious activities in cyberspace have proliferated over the past years, now more than ever posing a risk to states' security and other essential interests. Particularly vulnerable to such operations are critical infrastructures, such as power plants, water and sewage supply systems, healthcare facilities and banks. Just to cite a few examples, in 2017, the WannaCry ransomware affected 230,000 computers in 150 countries, including those of Spanish mobile company Telefónica and a third of NHS hospital trusts. Its consequences were disastrous, spanning from worldwide financial losses totalling US$ 4 billion to disruption of patient care. Also in 2017, the NotPetya malware affected several governmental agencies in Ukraine, including its National Bank, hospitals in the United States and several businesses around the world, causing over US$ 10 billion in total damages.

In times of COVID-19, the healthcare sector has become one of the main targets of cybercriminals and hackers seeking to exploit existing vulnerabilities and public distress. Even more pressure is put on already overburdened hospitals treating sick patients and research facilities developing a vaccine and cure for the disease. Examples include the recent a) ransomware attacks against hospitals in the Czech Republic, France, Spain, the United States and Thailand; b) themed phishing or spyware campaigns targeting the World Health Organization as well as labs and pharmaceutical companies in Canada, Japan and South Korea; and c) attempted data breaches of vaccine clinical trial records of the University of Oxford and other research facilities in the UK. At the same time, quarantine, social distancing and other measures to contain the spread of the disease have forced us to move significant parts of our lives online. These range from trivial activities like online shopping, banking and messaging, to parliamentary sessions, education, work meetings and medical appointments. This means that now more than ever cyberspace offers significant challenges but also incredible opportunities in the fight against this pandemic. Key to harnessing these capabilities whilst ensuring an open, secure and resilient cyberspace is respect for international law.

Many such malicious cyber operations have allegedly been committed by state agencies or their proxies. Yet it is extremely difficult to officially attribute conduct to states in cyberspace, given the high legal threshold of 'effective control' and the technical challenges of tracing the origin of an operation. Anonymising and rerouting techniques, such as VPNs and IP (Internet Protocol) spoofing software, have compounded the attribution problem.

In this context, due diligence features as a promising route to hold states responsible for a failure to prevent, halt and/or remedy a range of cyber harms emanating from their territory, regardless of who caused them. In this spirit, Rule 6 of the Tallinn Manual 2.0 seems to contemplate a rule of cyber due diligence: 'A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states.'

However, much confusion surrounds the legal basis, content and scope of due diligence, both generally and in cyberspace. In particular, is due diligence a general principle, a duty or a standard of conduct? Is there a standalone rule of due diligence applying generally in international law, and a specific cyber version thereof? Alternatively, is the term due diligence simply used as a short-hand, an umbrella term to refer to several different international obligations? What levels of harm and knowledge trigger these duties? What establishes the necessary link between harmful activities and the potential duty-bearer? What measures must states adopt to discharge such obligations? In this project, we have set out to clarify some of those questions, with the support of the Government of Japan.