A Cyber Duty of Due Diligence: Gentle Civilizer or Crude Destabilizer?
95 Texas Law Review 1555 (2017)
BYU Law Research Paper No. 17-16
23 Pages Posted: 19 Jul 2017
Date Written: July 13, 2017
Abstract
Two of the most vexing issues in responding to malicious cyber activities include attribution of the harmful cyber activity and the pervasive participation of non-State actors. One potential solution to these problems is a response proxy – an entity against whom the response action is taken when action against a responsible party is not feasible. This article examines the potential of holding a State responsible, under the international law notion of State responsibility, for allowing harmful activities to emanate from its territory. Recognizing a cyber-specific obligation of due diligence to address emanation of such cyber harms might mitigate the attribution dilemma, particularly when attribution points to a non-State actor. That is, a primary rule of conduct requiring diligent management of territorial cyber infrastructure could give rise to responsibility on the part of nondiligent States as proxies for unidentified or unreachable malicious actors. Legal recognition of such breaches of diligence permits State victims of cyber harm to take action, including the use of countermeasures, to induce compliance and terminate harm without necessarily tracing attribution to the original, difficult-to-identify source.
Analysis of the principle of due diligence in cyberspace and its relationship to countermeasures illustrates an initially attractive solution to the attribution dilemma. But a complementary cautionary note identifies potential unintended consequences of due diligence-inspired countermeasures as an attempt to close the attribution gap. If aggressively applied, such proxy responses may prove counterproductive and lead to greater instability in the international system. Ultimately, due diligence could be an effective tool in justifying the use of countermeasures in the fight against the difficulties caused by the inability to attribute harmful cyber acts--but the cure may worsen the disease.
Keywords: cyber, warfare, armed conflict, countermeasures, due diligence, state responsibility
JEL Classification: K19, K33
Suggested Citation: Suggested Citation