The International Legal Obligation of States to Exercise Due Diligence in Cyberspace

This report addresses the international “due diligence”-principle and its relevance and application in cyberspace. It is broadly acknowledged that states must exercise due diligence in not allowing their territory to be used for acts that violate the rights of other states and cause serious harm. This rule is commonly referred to as the “due diligence”-principle. While numerous international legal rules, including within specialized fields such as international human rights law and international humanitarian law, require states to exercise “due diligence” in various ways and under various circumstances, the general principle of “due diligence” is most clearly articulated in the International Court of Justice’s first ruling in the Corfu Channel-case from 1949.

In recent years, it has been a point of contention whether the “due diligence”-principle is applicable in cyberspace. Taking this question as its point of departure, the report reviews the origins and foundations of the principle and assesses the strength of the arguments for and against its application in cyberspace. The report concludes that the principle is a legally binding norm of general applicability – and thus domain neutral in nature. Therefore, the principle must be recognized also in relation to conflicts in cyberspace. This conclusion is in line with the dominant view among both experts and states.

The application of the “due diligence”-principle features prominently in the current legal debate on cyberspace. This has to do with the fact that it is relatively easy for the authors of hostile cyber operations to hide their identity online. Hence, it is often easier for a victim state to demonstrate that a host state has not exercised “due diligence” than it is provide the necessary evidence that specific acts are attributable to specific actors. There is a need, however, to clarify how the “due diligence”-principle should be interpreted and applied in the context of cyberspace. A particularly important question is whether the victim state must establish that the (suspected) host state was aware of that violations of international law emanated from its territory, or whether it is sufficient that the host state should have been aware of the violations.

On the basis of the presented legal analyses and strategic considerations, the report concludes that Denmark’s interests are best served through a continuous consolidation of the international legal regulation of cyberspace. Recognition of the applicability of general norms of international law in cyberspace, including the “due diligence”-principle, is an important step in the right direction. The report provides the following recommendations to Danish decision-makers:

  • Denmark should continue to support international processes that bolster the role of international law in cyberspace and ensure momentum in this regard.
  • Denmark should explicitly support the views expressed by most states and experts on the general applicability of the “due diligence”-principle across domains, including in cyberspace.
  • Denmark should contribute to the ongoing efforts to clarify how the particular elements of the “due diligence”-principle should be understood and applied in the context of cyberspace.