While advancements in information and communication technologies (ICTs) have greatly improved the quality and efficiency of services and goods worldwide, they come with inherent vulnerabilities, risks and costs. Malicious activities in cyberspace have proliferated over the past years, now more than ever posing a risk to states’ security and other essential interests. Particularly vulnerable to such operations are critical infrastructures, such as power plants, water and sewage supply systems, healthcare facilities and banks. In times of COVID-19, the healthcare sector has become one of the main targets of cybercriminals and hackers seeking to exploit existing vulnerabilities and public distress. International law is key to ensuring peace and stability in this global environment.
Many such malicious cyber operations have allegedly been committed by state agencies or their proxies. Yet it is extremely difficult to officially attribute conduct to states in cyberspace, given the high legal threshold of ‘effective control’ and the technical challenges of tracing the origin of an operation. Anonymising and rerouting techniques, such as VPNs and IP (Internet Protocol) address spoofing, have compounded the attribution problem.
In this context, due diligence features as a promising route to hold states responsible for a failure to prevent, halt and/or remedy a range of cyber harms emanating from their territory, regardless of who caused them. In this spirit, Rule 6 of the Tallinn Manual 2.0 seems to contemplate a rule of cyber due diligence: ‘A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states.’