- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
The global coronavirus crisis has produced many negative effects, including an increase in cybercrime that targets health organizations, such as hospitals and medical research centers. This has sparked global condemnation, including from the European Union (EU), which on April 30, 2020 called “upon every country to exercise due diligence and take appropriate actions against actors conducting such activities from its territory.” Using the term “due diligence” in its statement, the EU touched upon a sensitive question in international diplomatic deliberations on cyberspace: does due diligence apply to the digital realm or not?
The legal concept of due diligence holds that states are obliged to ensure that their territory is not used to the detriment of other states. It applies, for example, to non-state actors such as terrorists who operate from within one state’s borders to harm another. If a state fails to meet its due diligence obligation, a victim state may resort to proportionate countermeasures, such as legal action and sanctions, to neutralize the threat. Military action, whether by cyberattack or conventional force, falls outside the scope of countermeasures, which under international law may not involve the use of force and would have to be justified on a separate basis.
The EU statement points out that the need to exercise due diligence is “consistent with international law and the 2010, 2013, and 2015 consensus reports of the United Nations Groups of Governmental Experts (UNGGEs) in the field of Information and Telecommunications in the Context of International Security.” Due diligence was indeed described as a norm in the UNGGE report of 2015 (paragraph 13h), but opinions on its implications and implementation differ. Moreover, various states resist the application of due diligence to cyberspace in practice because of the burden they fear the principle may impose on them.
States rarely voice them publicly, but they have a number of reasons for their reservations about applying due diligence to cyberspace. All states face the risk of threat actors hijacking their domestic cyber infrastructure to launch attacks against other states, and, especially for highly digitalized states, it could be nearly impossible to scrutinize all cyber infrastructure within their territory and prevent it from being misused. Doing so effectively, if it is possible at all, would require huge investments of resources. In addition, the mass monitoring seemingly necessary for due diligence raises serious privacy concerns: how much direct access should governments have to the communications flowing through cyber infrastructure? An obligation of due diligence could also be exploited by states that conduct “false flag” cyberattacks to demonstrate that their rivals are not doing enough to secure their infrastructure, possibly legitimizing aggressive retaliation. Last but not least, there are worries that some authoritarian states could use due diligence as a legal argument for exercising stronger regulatory control over privately held cyber infrastructure in their territory.
In practice, however, due diligence is not that problematic, as long as the state shows a modicum of goodwill. It is possible to detect domestic malicious activity without constantly monitoring all cyber infrastructure. Even if a state is unaware that its cyber infrastructure is being misused, a victim state can contact it and request its assistance. The legal obligations of due diligence would only be invoked if the state whose infrastructure is being misused is not willing to cooperate. This would give the victim state the right to take countermeasures. However, before doing so, it would have to publicly provide clear, unambiguous evidence to back up its accusations. Therefore, the burden for highly digitalized states would not increase dramatically due to the embrace of due diligence in cyberspace.
Invoking due diligence also offers states a non-escalatory policy tool for dealing with cyberattacks from abroad. Requesting that a state take action to stop cyberattacks launched from its territory does not presuppose that the state itself was involved in the malicious activity.
The recent declaration by the EU members, many of which are among the most digitalized countries in the world, should create urgency to find common ground on the issue of due diligence in cyberspace. The EU could engage with other states, both through the member states’ cyber diplomatic efforts and the cyber dialogue mechanisms already maintained by the EU, encouraging states outside of the EU to openly announce what their position is on due diligence in cyberspace. Then, the current UNGGE 2019-2020 could create clear guidelines for how it should be implemented in practice. Parallel to the UNGGE, the UN Open Ended Working Group (OEWG) could also be a useful forum for states to reach a consensus on the issue, especially as its final weeklong meeting scheduled for July approaches. Regardless of which approach is taken, the coronavirus pandemic should serve as a valuable impetus for states to renew efforts to reach consensus on the application of due diligence in cyberspace. Hopefully, the opportunity will not go to waste.