20 Mar Unpacking Cyber Due Diligence in Practice: Detection, Mitigation, and Prevention
There is now little controversy in asserting that existing international law applies in cyberspace. The more important question is how existing norms can adapt to this new terrain and effectively regulate cyber operations. Attribution adds a further difficulty: it is often very hard to attribute a harmful cyber operation to a State with the confidence that a claim of responsibility requires. Hence there is increasing scholarly confidence in “due diligence” norms, which could attract State responsibility not only for harmful State actions but also for omissions, such as a failure to act against transboundary harm emanating from a State’s jurisdiction.
However, most due diligence norms comprise obligations of conduct rather than of result: they require States to pursue their best possible efforts rather than to succeed in preventing cyber harm. Since States differ widely in their technical wherewithal (and thus in what their best possible efforts are), how can their cyber law enforcement agencies practically understand the conduct expected of them? With threats like Botnets looming large, having already affected hundreds of States at once, can due diligence norms realistically hold promise in regulating cyberspace? How easily could an applicant State actually prove the violation of these best-effort obligations before international fora? We address these questions and more in our recent paper for the International Journal of Law and Information Technology. In this blog post, we highlight some of our main findings on the prospects of due diligence in cyberspace.
Conceptions of Due Diligence
Our first contribution is to remedy what we regard as confusion about the very conception of due diligence obligations. By this we refer to the trigger-thresholds of the norms and to the standard of conduct that States must satisfy once those thresholds are met. Scholars frequently cite due diligence norms in works concerning cyberspace, yet their understanding of these norms is far from consistent.
Many states and scholars focus on the Corfu Channel merits decision of the International Court of Justice (“ICJ”) where the Court articulated the “obligation [of a State] not to allow knowingly its territory to be used for acts contrary to the rights of other States.” Others highlight the ICJ’s case-law discussing obligations concerning the ‘prevention of significant transboundary harm’. These are obligations owed by the State where the harm originates (“State of origin”) towards the potentially affected State (“target State”).
The Corfu Channel understanding presupposes the existence and violation of a “right” of the affected State as a result of the transboundary cyber operation. The ‘prevention of harm’ principle instead looks at “harm” flexibly on the facts of each case. Of course, what amounts to “significant harm” in cyberspace is itself a complex debate, with some instances clearer than others. The important point here is that scholars, and States as well, sometimes cite only one of these principles, or cite both while treating their thresholds as conjunctive. The latter treatment would require that a transboundary activity both violate a State’s right and risk “significant harm” before due diligence obligations arise.
We propose reconceiving due diligence so that these two conceptions are unified, with their trigger-thresholds treated as co-existent rather than conjunctive. We argue that due diligence focuses on “significant harm”, and that the two conceptions supply two routes to it. First, any potential violation of a target State’s right should itself be considered significant harm; since due diligence obligations cannot impose undue burdens on States of origin, such obligations would fail to arise only in the rare event that an illegal activity, on a further factual assessment, poses inconsequential harm. Second, where the transboundary activity is not ipso facto illegal, the “significance” of its harmful effects would have to be measured on the facts of each case. Taken together, the obligations arising from the Corfu Channel and prevention-of-harm conceptions give rise to a spectrum of stages at which diligent conduct will be expected of States in cyberspace. This renewed clarity in articulating the norms can best equip law enforcement to appreciate the difference between diligent and non-diligent conduct. Seen this way, due diligence norms collectively have great potential in addressing cyber threats. However, our paper elaborates important cautions that will arise in the practical life of these norms.
Complexities in Due Diligence
While it is accepted that due diligence norms are obligations of best efforts, the actual implications of this in cyberspace are less discussed. Consider, as is our choice of focus, the particular threat of Botnets. Often characterized as the apex species of cybercrime, a Botnet is a set of compromised devices (“bots”) remotely controlled by a ‘bot-master’, who exploits the Botnet to carry out a variety of cybercrimes. Botnets are also notorious for the tremendous growth in the variety of their forms and technical architectures over the past two decades.
What this means is that we cannot infer that a State has the technical wherewithal to counteract, or even detect, a bot-master operating a Botnet from its jurisdiction simply because the State has successfully countered other Botnets before. For example, some Botnets work with a central “command” server (a command-and-control, or C2, server) that communicates with all affected bots. If a State’s law enforcement takes over the command server, it can be used to reprogram or eliminate the Botnet; in practice this usually takes the form of “sinkholing”, that is, redirecting the bots’ check-ins to a server under law-enforcement control so that the bot-master can no longer issue commands, since pushing clean-up code to victims’ devices raises further legal questions of its own. Such tactics are presently accessible only to a handful of developed States with highly capable cyber infrastructure. However, some Botnets have no command server at all and instead relay commands among the bots themselves (peer-to-peer Botnets); against these, seizing any single node achieves little, so the procedure may be not only ineffective but also obsolete against more modern Botnets. This means that the best possible efforts of some States would comprise potentially taking down Botnets; for others, this may be unreasonable to expect; and for some, the detection of Botnet-like threats in the first place might be beyond their technical capacities. As a result, the standard of ‘diligence’ demanded by these norms would be commensurate with the capacity of a particular State against particular cyber threats on the facts of a case.
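The contrast between a centralized and a peer-to-peer Botnet can be made concrete with a small simulation. The Python model below is an added example for illustration; it is not code from the original post or from the authors’ paper. It assumes a constructed star topology (every bot talks only to one C2 server) and a constructed peer-to-peer topology (each bot keeps a short random peer list and floods commands to its peers), and it assumes the bot-master injects commands through three bots of its own that law enforcement cannot identify. It then measures what fraction of the Botnet the bot-master can still command after law enforcement seizes the C2 server in the first case, or a batch of peers in the second, and how many peers would have to be seized to cut the bot-master’s reach in half.

```python
"""Toy model of botnet command-and-control resilience.

Added example for illustration only (not code from the original post or the
authors' paper). The topologies, bot counts, peer-list sizes, the master's
entry points and the random seeds are all constructed; nothing here contacts
a network.
"""
import random
from collections import deque


def build_centralized(n_bots):
    """Star topology: every bot knows only the command server 'c2'."""
    graph = {"c2": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"c2"}
        graph["c2"].add(bot)
    return graph


def build_p2p(n_bots, peers_per_bot, seed=0):
    """Peer-to-peer topology: each bot keeps a small random peer list and
    relays commands to its peers. Links are stored bidirectionally because
    bots exchange peer lists with each other."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    graph = {b: set() for b in bots}
    for b in bots:
        others = [x for x in bots if x != b]
        for p in rng.sample(others, peers_per_bot):
            graph[b].add(p)
            graph[p].add(b)
    return graph


def reachable(graph, sources, removed=frozenset()):
    """Nodes that a command injected at `sources` reaches by flooding,
    treating nodes in `removed` (seized by law enforcement) as gone."""
    seen = {s for s in sources if s in graph and s not in removed}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def master_reach(graph, entry_points, seized=()):
    """Fraction of all bots the bot-master can still command after the nodes
    in `seized` have been taken away from it."""
    bots = [n for n in graph if n.startswith("bot")]
    still = reachable(graph, entry_points, removed=frozenset(seized))
    return sum(1 for b in bots if b in still) / len(bots)


def peers_needed_to_halve(graph, entry_points, seed=0):
    """Seize random peers one at a time (never the master's own entry points)
    until the master commands at most half of the bots; return how many
    seizures that took."""
    rng = random.Random(seed)
    candidates = [b for b in graph if b not in entry_points]
    rng.shuffle(candidates)
    seized = []
    for b in candidates:
        seized.append(b)
        if master_reach(graph, entry_points, seized) <= 0.5:
            return len(seized)
    return len(seized)


def compare(n_bots=200, peers_per_bot=4, seized_peers=20, seed=1):
    """Run the two scenarios described in the text and report the master's
    remaining reach in each."""
    central = build_centralized(n_bots)
    p2p = build_p2p(n_bots, peers_per_bot, seed=seed)
    # Constructed assumption: the master injects commands through three bots
    # it operates itself; law enforcement does not know which ones.
    entry = ["bot0", "bot1", "bot2"]
    rng = random.Random(seed)
    seized = rng.sample([b for b in p2p if b not in entry], seized_peers)
    return {
        "central_before": master_reach(central, ["c2"]),
        "central_after_c2_seized": master_reach(central, ["c2"], ["c2"]),
        "p2p_before": master_reach(p2p, entry),
        "p2p_after_peers_seized": master_reach(p2p, entry, seized),
        "p2p_seizures_to_halve": peers_needed_to_halve(p2p, entry, seed),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

In the centralized case, seizing the one server drops the bot-master’s reach from all bots to none, which is why a C2 takeover (or sinkhole) is decisive there. In the peer-to-peer case, seizing twenty of two hundred bots leaves the bot-master in command of roughly nine tenths of the Botnet, and in this model on the order of half the bots would have to be seized before its reach is even halved. This is the gap between “has taken down a Botnet before” and “can take down this Botnet” that the text relies on; in practice, disrupting peer-to-peer Botnets has required different tooling, such as seeding poisoned peer lists that steer bots toward sinkhole nodes, rather than the seizure of a single server.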
This adaptability certainly makes due diligence appealing for cyberspace, a domain that is ever-changing in many regards and marked by differential technical capacities among States. Its positives are that as a State’s capacity grows, so does the rigour of diligence expected of it, and that it assures an equitable burden on differently placed States. Yet the same features might make it demanding to prove violations of these norms in litigation. When evidence about cyber operations is already difficult to come by, further expecting target States to show that a State of origin had the capacity to address a particular cyber threat is possibly a precarious burden. The fact that standards of conduct could vary so much between States might also mean that due diligence norms fail to illuminate any rigour that all or most States could be expected to demonstrate uniformly. Although some authors argue that basic tasks such as establishing cyberspace regulatory agencies should be seen as diligent conduct accessible to all States, even such exercises might be difficult for States lacking cybersecurity expertise. Does the current confidence in due diligence, then, lack ground?
Spectrum of Obligations
We think that pessimism about due diligence owing to these complexities would be premature. First, States have only recently begun clearly elaborating their positions on the contents of these norms in cyberspace. It is likely that some consensus will slowly emerge about conduct that could be reasonably expected of all States under the norms. In any case, even intuitively, the flexibility with which due diligence norms can adapt to novel threats in cyberspace makes them more reliable in regulating cyber operations than other existing norms. Further, other norms, such as the principle of non-intervention, are also contested as to their thresholds, demands, and limits in cyberspace. The challenges posed to due diligence in this regard are thus not unique. To reiterate, due diligence norms are also among the obligations that can trigger State responsibility for both omissions and actions, rather than actions alone. Thus, by their design, these norms have great strategic benefits in addressing cyber threats.
Most importantly, as we conceive it, the set of due diligence norms comprises several distinct obligations. While it may be difficult for target States to prove a violation of some of these obligations, others could more easily become the basis of a claim seeking reparations. For example, States of origin should attempt to prevent or minimize the risk of significant transboundary harm to target States once they gain knowledge of such risks. However, if one cannot show a State’s (actual or constructive) knowledge of a “significant” risk of harm, responsibility cannot ensue for failures to prevent or minimize transboundary harm. Nonetheless, there may be situations where there is some apparent risk of harm, although its significance is unclear. In that case, as the ICJ found in Nicaragua v. Costa Rica, States of origin can be held responsible at least for their failure to conduct an “impact assessment” of the risks posed by a transboundary activity. Thus, States of origin that fail to conduct a cyber impact assessment of their own cyber operations, or of those of a private actor in their jurisdiction, could be put to scrutiny through this metric.
Similarly, as we argue and illustrate by reference to Botnets in the paper, States are under a continuous due diligence obligation to pursue ‘cyber capacity building’. This means that States should attempt to build cyber infrastructure and institutions, such as national or sectoral cyber incident response teams (CSIRTs), so as to be in a position to discharge their other due diligence obligations. This particular obligation can also facilitate better compliance with other norms in cyberspace, as it will gradually increase the technical wherewithal of States. In sum, the spectrum of demands under due diligence offers immense potential in the regulation of transboundary cyber operations and activities. Yet this potential can only be realized if discussions about the everyday operation of these norms gain traction, especially through a record of best practices from States and private actors alike. It is our hope that our paper contributes to encouraging this renewed focus in cybersecurity discourse.
Due diligence norms carry many complexities, especially in their application to as complicated a context as cyberspace. Despite this, these norms can effectively regulate harmful cyber operations in meaningful ways given their adaptability as well as their focus on different stages of transboundary activities. Moving forward, it is important that debates concerning these norms seek the engagement of cybersecurity experts and law enforcement officials, so as to increase legal literacy among them, and help clarify the contents of the norms in practice. Hopefully, more nuanced discussion will also gradually develop in such regards between States vocal about how international law applies in cyberspace. Although due diligence norms seek to optimize cooperation among States, it is only in exchanges that prioritize cooperation over suspicion in the first place that these norms could fully realize their potential.