Due Diligence and the Gray Zones of International Cyberspace Laws

Olivia Hankinson
Vol. 39 Associate Editor

With ever-changing and developing technology, a growing concern in the field of international law stems from cyberspace security.[1] In an effort to combat and alleviate this growing concern, a group of international law experts joined together to produce the Tallinn Manuals.[2] The Tallinn Manual 2.0 is the most updated and current manual, and it focuses on the more common, daily cyber incidents, those that do not meet use of force or armed conflict thresholds.[3] The mission statement of the Tallinn Manual 2.0 is to “enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence by virtue of education, research and development, lessons learned and consultation.”[4]   Though the Tallinn Manuals have proven to be useful in lessening some of the confusion inherent in international cyberspace law, the lack of consensus among the experts has created substantial gray zones.[5] The concerns about these zones have become even more publicized as a result of the recent Russian cyber interference in the 2016 presidential election, in which a gray zone of international cyberspace law was successfully exploited.[6] Though there are multiple “critical grey zones of international law that are susceptible to exploitation when conducting cyber operations,”[7] I have chosen to focus on the gray zones accompanying the application of cyber due diligence. Due diligence is a concept that is by no means new to the arena of international law. In fact, it is well known to be a general principle of international law.[8] The original idea of due diligence was derived from the ancient maxim sic utero tuo ut alienum non laedas, meaning use your own property in such a manner as not to injure that of another.[9] But more recently, dictum in the International Court of Justice’s Corfu Channel decision has been used to define due diligence in the cyber context.[10] The court noted “every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.”[11] As elaborated upon in the Tallinn Manual 2.0, this principle of due diligence is applicable to cyber operations, and moreover, it is the standard of conduct expected.[12] The first hint of a gray zone arises here, resulting from the lack of general consensus regarding when and to what extent that standard must be applied. Rule 6 of the Tallinn Manual 2.0 declares, “A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States.”[13] But, the Manual does not further elaborate on the definition or identify a bright line threshold for what qualifies as “serious adverse consequences.” The Manual does, however, explain that the due diligence principle does not encompass a requirement to take preventative action, as this would likely require States to adopt onerous practices that would still not be adequate to fully guarantee impenetrable protection.[14] To further explain what was not envisioned, the experts in the Manual agreed that “merely affecting the interests of the target State, as in the case of causing inconvenience, minor disruption, or negligible expense, is not the type of harm envisaged; thus, not every use of a State’s territory that produces negative effects for a target State implicates the due diligence principle.”[15] Noticeably, the Tallinn Manual 2.0 lacks a clear and concise explanation as to which actions spur the due diligence principle. A large contributing factor to these gray zones is the fact that not all States have readily accepted cyber due diligence as customary and because of this, there is a hesitation to “accord the rule lex lata status.”[16] Perhaps one solution, then, is to heavily encourage the States to accept cyber due diligence as a customary practice, and immediately afford the rule lex lata status, punishing those in violation of the requirements. Another potential solution to alleviate some of the gray zones created, would be to have the Manual set a minimum standard of due diligence against which to measure compliance.[17] By doing so, the experts would present States with real, workable standards.[18] Currently, “the widely accepted formula for State responsibility, echoed in the ILC [United Nations International Law Commission] Articles, is: (1) a breach of an international obligation and (2) attribution to a State under international law. To establish State responsibility, an act must not only be harmful, it must also amount to a breach of the offending State’s international legal obligations.”[19] Simply elaborating a bit on the meanings within this formula could have the effect of eliminating a large amount of the vagueness associated with not knowing when or to what extent the standards should be applied. However, “it is not clear that more precise or more refined norms of due diligence would produce the stability desired.”[20] While the inclination to attempt to fix the issue by simply defining the bright line threshold for “serious adverse consequences” or to produce a definitive answer to what extent the standard must apply is an attractive one, it could turn into a grave mistake.[21] “Although development of primary rules of conduct in international law is generally thought to increase stability and cooperation, recognition and refinement of a duty of cyber due diligence might impose significant costs to security, stability, and even to international law compliance.”[22] The aforementioned solutions might be beneficial short term, but could result in destabilizing effects in the long term, such as a State’s reliance on countermeasures.[23] Before any conclusive solutions can be presented, much more research will need to be dedicated to the subject of due diligence in international cyberspace law. Specifically, the Tallinn Manuals should be revised to further define exactly when and what circumstances due diligence standards apply. In order to do so, researchers will need to study the effects of certain due diligence standards to see how they might affect the overall stability of the State in question.   [1] See Ian Yuying Liu, State Responsibility and Cyberattacks: Defining Due Diligence Obligations, IV Indon. J. Int’l. & Comp. L. 191, 191 (2017) (“Cyberattacks are proliferating … public pressure on the State and the market to intensify responses to transnational cyber-threats will drive the adoption of such principles”), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2907662. [2] Tallinn Manual: Research, NATO Cooperative Cyber Def. Ctr. of Excellence, https://ccdcoe.org/research.html (last visited Oct. 31, 2017). [3] See id. [4] See id. [5] Michael N. Schmitt, Grey Zones in the International Law of Cyberspace, 42 Yale J. Int’l. L. Online 1, 3 (2017), https://campuspress.yale.edu/yjil/files/2017/08/Schmitt_Grey-Areas-in-the-International-Law-of-Cyberspace-1cab8kj.pdf. [6] See id. at 1 (DNC servers were hacked during the 2016 election by hackers affiliated with the Russian government). [7] Id. at 3. [8] Liu, supra note 1, at 199. [9] Eric Talbot Jensen & Sean Watts, A Cyber Duty of Due Diligence: Gentle Civilizer or Crude Destabilizer? 95 Tex. L. Rev. 1555, 1565 (2017), http://www.texaslrev.com/wp-content/uploads/2017/09/Jensen.Watts_..pdf. [10] Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. Rep. 4, at 22 (Apr. 9); see also Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 1, 31 (Michael N. Schmitt & Liis Vihul eds., 2d ed. 2017). [11] Jenson & Watts, supra note 9, at 1565. [12] Tallinn Manual 2.0, supra note 10, at 30. [13] Id. at 30 [14] Liu, supra note 1, at 200. [15] Tallinn Manual 2.0, supra note 10, at 37. [16] See Schmitt, supra note 5 (“The Tallinn Manual 2.0 acknowledges a view by which the premise of applicability is lex ferenda (what the law should be), rather than lex lata (current law)”). [17] Liu, supra note 1, at 217. [18] Id. [19] Jensen & Watts, supra note 9, at 1560. [20] Id. at 1574. [21] See Schmitt, supra note 5, at 12. [22] Jensen & Watts, supra note 9, at 1558. [23] Id. at 1572.