Many such malicious cyber operations have been allegedly committed by state agencies or their proxies. Yet it is extremely difficult to officially attribute conduct to states in cyberspace, given the high legal threshold of ‘effective control’, and the technical challenges of tracing their origin. Anonymising and rerouting techniques, such as VPNs and other IP (Internet Protocol) spoofing software have compounded the attribution problem.
In this context, due diligence features as a promising route to hold states responsible for a failure to prevent, halt and/or remedy a range of cyber harms emanating from their territory, regardless of who caused them. In this spirit, Rule 6 of the Tallinn Manual 2.0 seems to contemplate a rule of cyber due diligence: ‘A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states.’
However, much confusion surrounds the legal basis, content and scope of due diligence generally and in cyberspace. Questions include:
- Is due diligence a general principle, one or more standalone duties or a standard of conduct?
- Does it apply to cyberspace, and if so, is there a cyber-specific version of the rule/principle/standard?
- To what current cyber threats or harms does due diligence potentially apply?
- What are the other conditions for its application in the ICT environment, such as jurisdiction, the levels of harm and knowledge?
- What measures must states adopt when exercising due diligence in cyberspace?
This project, led by Dapo Akande, Talita Dias and Antonio Coco, and supported by the Government of Japan, sought to answer these and other relevant questions.