Defining Cybersecurity Due Diligence Under International Law: Lessons from the Private Sector

Volume on Ethics and Policies for Cyber Warfare (Oxford University Press, 2015)

Kelley School of Business Research Paper No. 15-41

30 Pages Posted: 16 Apr 2015

See all articles by Scott Shackelford

Scott Shackelford

Indiana University - Kelley School of Business - Department of Business Law; Harvard Kennedy School Belfer Center for Science & International Affairs; Center for Applied Cybersecurity Research; Stanford Center for Internet and Society; Stanford Law School

Scott Russell

Indiana University Bloomington - Center for Applied Cybersecurity Research

Andreas Kuehn

Syracuse University, School of Information Studies; Stanford University, Center for International Security and Cooperation; EastWest Institute, Global Cooperation in Cyberspace Initiative

Date Written: April 14, 2015

Abstract

Although there has been a relative abundance of work done on exploring the contours of the law of cyber war, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations’ due diligence obligations are to their respective private sectors and to one another. The International Court of Justice (“ICJ”) has not explicitly considered the legality of cyber weapons to this point, though it has ruled in the Corfu Channel case that one country’s territory should not be “used for acts that unlawfully harm other States.” But what steps exactly do nations and companies under their jurisdiction have to take under international law to secure their networks, and what of the rights and responsibilities of transit states? This Article reviews the arguments surrounding the creation of a cybersecurity due diligence norm and argues for a proactive regime that takes into account the common but differentiated responsibilities of public- and private-sector actors in cyberspace. The analogy is drawn to cybersecurity due diligence in the private sector and the experience of the 2014 National Institute of Standards and Technology (“NIST”) Framework to help guide and broaden the discussion.

Suggested Citation

Shackelford, Scott J. and Russell, Scott and Kuehn, Andreas, Defining Cybersecurity Due Diligence Under International Law: Lessons from the Private Sector (April 14, 2015). Volume on Ethics and Policies for Cyber Warfare (Oxford University Press, 2015); Kelley School of Business Research Paper No. 15-41. Available at SSRN: https://ssrn.com/abstract=2594323

Scott J. Shackelford (Contact Author)

Indiana University - Kelley School of Business - Department of Business Law ( email )

Bloomington, IN 47405
United States

Harvard Kennedy School Belfer Center for Science & International Affairs ( email )

79 JFK Street
Cambridge, MA 02138
United States

Center for Applied Cybersecurity Research ( email )

Wylie Hall 105
100 South Woodlawn
Bloomington, IN 47405
United States

Stanford Center for Internet and Society ( email )

Palo Alto, CA
United States

Stanford Law School ( email )

Stanford, CA 94305
United States

Scott Russell

Indiana University Bloomington - Center for Applied Cybersecurity Research ( email )

Wylie Hall 105
100 South Woodlawn
Bloomington, IN 47405
United States

Andreas Kuehn

Syracuse University, School of Information Studies ( email )

Hinds Hall
Syracuse, NY 13244
United States

Stanford University, Center for International Security and Cooperation

Stanford, CA 94305
United States

EastWest Institute, Global Cooperation in Cyberspace Initiative

New York, NY 10017
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
358
Abstract Views
1,181
rank
82,831
PlumX Metrics