The discreet use of proxies by States renders it difficult to prove attribution to States under the existing rules of attribution. On the other hand, the due diligence principle, if applicable, does not require attribution but can lead to the invocation of State responsibility for cyber operations emanating from the territory of other States. In the Corfu Channel judgment the ICJ recognized “every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States,” and UN Member States agreed that existing international law applies to cyber operations. However, the UN Members have not yet agreed on whether the due diligence obligation applies to cyber operations. Considering jurisprudence relating to the concept of due diligence, it seems natural that (1) the "due" diligence principle imposes obligations proportionate to the seriousness of the risk, and that (2) the capacity to influence the perpetrator of acts contrary to the rights of other States entails an obligation to use it for stopping such acts. If these two elements are applied to cyber operations, the due diligence obligation seems likely to include a State’s obligation to use its existing influence over the activities of a person or group of persons, when the person or the group of persons is involved in cyber operations that emanate from its territory and seriously infringe upon other States’ rights and the State knows or should know the existence of the operations. The applicability and scope of the due diligence principle should be discussed further among States and scholars.
Communications Law Commons, International Humanitarian Law Commons, International Law Commons, National Security Law Commons, Transnational Law Commons