State Responsibility and Cyberattacks: Defining Due Diligence Obligations
4(2) The Indonesian Journal of International and Comparative Law 191-260 (Forthcoming)
70 Pages. Posted: 2 Feb 2017. Last revised: 22 Feb 2017
Date Written: January 30, 2017
Cyberattacks are proliferating. Live trackers record over 6 million cyberattacks daily. Information technology-dependent societies increasingly perceive cyber-threats as a destabilising force and citizens inevitably look to the State for protection. This paper concerns one form of State protection: whether States owe due diligence obligations in cyberspace under the laws of State responsibility.
Specifically, it re-examines the contents of such an obligation and the circumstances which could trigger it in light of cyberattacks’ peculiarities. A straightforward replication of due diligence models from international environmental law or law of the sea is not appropriate. But cyber-diligence should incorporate certain principles found within both models and channel ultimate responsibility for securing cyber-infrastructure onto private industry. Counter-terrorism obligations are the most useful body of law in which to seek an analogy.
This paper argues that a State’s cyber-diligence obligation is triggered, at a minimum, by: (1) constructive knowledge of a cyberattack, (2) which causes serious injury to an operating network. These contents and triggers define a cyber-diligence framework. Public pressure on the State and the market to intensify responses to transnational cyber-threats will drive the adoption of such principles.
Keywords: State Responsibility, Due Diligence, Cyberattacks, Non-State Actors