Articles
Abstract
The question of whether the due diligence rule applies in cyberspace has become a key issue in the cyber norms debate. Yet there is no consensus whether the rule is binding, and states lack clear guidance on what the norm requires them to do. This is not just unfortunate but also dangerous since a crisis caused by a cyber attack routed through a third state where the victim state and the third state have fundamentally different views as to which duties apply carries a serious escalation risk. While scholars have suggested adapting legal approaches from other successful due diligence regimes, these rules are not a good match for the crucial issue in cyber due diligence: what do states need to do to ensure that no state is attacked using their networks? This article suggests going back to the roots and implementing principles derived from the laws of neutrality, the field that originally brought the due diligence principle into international law. Designed to manage escalation risk at the fringes of international conflict, it is our best guide through the grey zone of due diligence in cyberspace. The classic cases such as Alabama and Corfu Channel were disputes related to armed conflicts but between states that were at peace with each other. Read closely, they offer clear guidance on how to develop a flexible, but reliable, due diligence standard for cyberspace that will help states manage expectations of responsible behaviour and thereby defuse future potential conflicts before they arise, while avoiding the need to formally attribute the original attack. The final section will seek to consolidate the historical, legal as well as technological developments discussed here to lay out what the due diligence rule in cyberspace is likely to look like soon.
Full text available in PDF format